Windows Driver Package - Kaspersky Lab KLIF ActivityMonitor (05/15/2007 7.0.0.122) - suspect?


  • This topic is locked
21 replies to this topic

#1 Zoaxxa

Zoaxxa

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:20 PM

Posted 20 January 2011 - 07:46 AM

In the process of doing some routine maintenance on my PC I was looking through the 'Add/Remove programs' list to see what programs I could remove when I noticed an entry that I didn't recognize, i.e., "Windows Driver Package - Kaspersky Lab KLIF ActivityMonitor (05/15/2007 7.0.0.122)." I did a quick Google search to try to find out what it is and many of the links found related to 'Hijack This' type logs concerning something called */Klif.* At this stage alarm bells started ringing! :o

I have scanned my computer using Malwarebytes Anti-malware, rkill and combofix as per this thread My link, realising after that I probably shouldn't have used the last one - oops! :whistle:

It occurred to me that this may have something to do with me taking advantage of a GAOTD opportunity to acquire the Kaspersky security suite via this link, My link

As advised by "boopme" in another topic, I have since created logs using Preparation Guide, steps 6 - 9. Again as advised I skipped the GMER step and am instead posting the ComboFix.


DDS (Ver_10-12-12.02) - NTFSx86
Run by User01 at 10:55:17.03 on 20/01/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2303.1853 [GMT 0:00]

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\Program Files\Gladinet\Gladinet Cloud Desktop\GladFileMonSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\GreenPrint\GPSRHT01.exe
C:\Program Files\Gladinet\Gladinet Cloud Desktop\WOSVSSSvrXP32.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PrintCtrl.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\GreenPrint\gpsrdg01.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\Program Files\AntiLogger\AntiLogger.exe
C:\Program Files\Down2Home\Down2Home.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\User01\Application Data\Mozilla\Firefox\Profiles\elsyy16s.default\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}\components\afom.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\User01\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page =
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.routerlogin.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPBar.dll
BHO: eSnipsBHO Class: {b530a9a4-1722-4d16-aad6-aa85e3ad2ade} - c:\program files\logia\esnipsdownloader\eSnipsBHO.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPBar.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [F5D9050] c:\program files\belkin\f5d9050\Belkinwcui.exe
mRun: [AntiLogger] "c:\program files\antilogger\AntiLogger.exe" /minimized
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\down2h~1.lnk - c:\program files\down2home\Down2Home.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\windows search.lnk - c:\program files\windows desktop search\WindowsSearch.exe
mPolicies-explorer: NoResolveTrack = 1 (0x1)
mPolicies-explorer: NoFileAssociate = 0 (0x0)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Bayside Sniper - Add Auction Item - c:\documents and settings\user01\application data\baysidesniperii\BaysideSniperIE.dll/IE/201
IE: Bayside Sniper - Item Feedback Analyzer - c:\documents and settings\user01\application data\baysidesniperii\BaysideSniperIE.dll/IE/202
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: LastPass - file://c:\program files\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\lastpass\context.html?cmd=fillforms
IE: { - c:\program files\messenger\msmsgs.exe
IE: {C8644EC1-E8D3-4691-B778-6458E3701177} - res://c:\documents and settings\user01\application data\baysidesniperii\BaysideSniperIE.dll/IE/201
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPBar.dll
Trusted Zone: kuaiche.com\software
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1269282486234
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user01\applic~1\mozilla\firefox\profiles\elsyy16s.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.http - 72.52.65.4
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\user01\application data\mozilla\firefox\profiles\elsyy16s.default\extensions\{15b9700d-f5b7-4d0a-ae43-9b5099836a58}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\user01\application data\mozilla\firefox\profiles\elsyy16s.default\extensions\{e173b749-db5b-4fd2-ba0e-94ecea0ca55b}\components\npAFOM.dll
FF - component: c:\documents and settings\user01\application data\mozilla\firefox\profiles\elsyy16s.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
FF - plugin: c:\documents and settings\user01\application data\mozilla\firefox\profiles\elsyy16s.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - c:\program files\mozilla firefox\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: QuickDrag: quickdrag@mozilla.ktechcomputing.com - %profile%\extensions\quickdrag@mozilla.ktechcomputing.com
FF - Ext: Tab Scope: tabscope@xuldev.org - %profile%\extensions\tabscope@xuldev.org
FF - Ext: Speed Dial: {64161300-e22b-11db-8314-0800200c9a66} - %profile%\extensions\{64161300-e22b-11db-8314-0800200c9a66}
FF - Ext: Locationbar˛: locationbar2@design-noir.de - %profile%\extensions\locationbar2@design-noir.de
FF - Ext: Automatic Save Folder: asf@mangaheart.org - %profile%\extensions\asf@mangaheart.org
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: User Agent Switcher: {e968fc70-8f95-4ab9-9e79-304de2a71ee1} - %profile%\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
FF - Ext: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - %profile%\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
FF - Ext: PDF Download: {37E4D8EA-8BDA-4831-8EA1-89053939A250} - %profile%\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
FF - Ext: FEBE: {4BBDD651-70CF-4821-84F8-2B918CF89CA3} - %profile%\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
FF - Ext: Add-on Collector: sharing@addons.mozilla.org - %profile%\extensions\sharing@addons.mozilla.org
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: Tabhunter: tabhunter@ericpromislow.com - %profile%\extensions\tabhunter@ericpromislow.com
FF - Ext: MR Tech Toolkit: {9669CC8F-B388-42FE-86F4-CB5E7F5A8BDC} - %profile%\extensions\{9669CC8F-B388-42FE-86F4-CB5E7F5A8BDC}
FF - Ext: Session Manager: {1280606b-2510-4fe0-97ef-9b5a22eafe30} - %profile%\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}
FF - Ext: Tab Kit: tabkit@jomel.me.uk - %profile%\extensions\tabkit@jomel.me.uk
FF - Ext: Forecastfox Weather: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - %profile%\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
FF - Ext: WebMail Notifier: {37fa1426-b82d-11db-8314-0800200c9a66} - %profile%\extensions\{37fa1426-b82d-11db-8314-0800200c9a66}
FF - Ext: LastPass: support@lastpass.com - %profile%\extensions\support@lastpass.com
FF - Ext: BugMeNot: {987311C6-B504-4aa2-90BF-60CC49808D42} - %profile%\extensions\{987311C6-B504-4aa2-90BF-60CC49808D42}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: ChatZilla: {59c81df5-4b7a-477b-912d-4e0fdf64e5f2} - %profile%\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}
FF - Ext: Screengrab: {02450954-cdd9-410f-b1da-db804e18c671} - %profile%\extensions\{02450954-cdd9-410f-b1da-db804e18c671}
FF - Ext: Diigo Bookmarks and Web Annotations: {fc2b8f80-d9a5-4f51-8076-7c7ce3c67ee3} - %profile%\extensions\{fc2b8f80-d9a5-4f51-8076-7c7ce3c67ee3}
FF - Ext: Dr.Web anti-virus link checker: {6614d11d-d21d-b211-ae23-815234e1ebb5} - %profile%\extensions\{6614d11d-d21d-b211-ae23-815234e1ebb5}
FF - Ext: ImTranslator: {9AA46F4F-4DC7-4c06-97AF-5035170634FE} - %profile%\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170634FE}
FF - Ext: Vacuum Places Improved: VacuumPlacesImproved@lultimouomo-gmail.com - %profile%\extensions\VacuumPlacesImproved@lultimouomo-gmail.com
FF - Ext: Memory Fox: {E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B} - %profile%\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}
FF - Ext: Nuke Anything Enhanced: {1ced4832-f06e-413f-aa14-9eb63ad40ace} - %profile%\extensions\{1ced4832-f06e-413f-aa14-9eb63ad40ace}
FF - Ext: CoolPreviews : {CE6E6E3B-84DD-4cac-9F63-8D2AE4F30A4B} - %profile%\extensions\{CE6E6E3B-84DD-4cac-9F63-8D2AE4F30A4B}
FF - Ext: Gradient Brushed Metal: GradientBrushedMetalFF3@pumpel.com - %profile%\extensions\GradientBrushedMetalFF3@pumpel.com
FF - Ext: MacOSX Theme: {00352F14-3F76-4e4d-ACFF-9976D7E4B3B9} - %profile%\extensions\{00352F14-3F76-4e4d-ACFF-9976D7E4B3B9}
FF - Ext: Favicon Picker 2: {446c03e0-2c35-11db-a98b-0800200c9a66} - %profile%\extensions\{446c03e0-2c35-11db-a98b-0800200c9a66}
FF - Ext: Organize Status Bar: {35106bca-6c78-48c7-ac28-56df30b51d2c} - %profile%\extensions\{35106bca-6c78-48c7-ac28-56df30b51d2c}
FF - Ext: Noia 2.0 (eXtreme): {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} - %profile%\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
FF - Ext: Silvermel: silvermel@pardal.de - %profile%\extensions\silvermel@pardal.de
FF - Ext: Aluminium Kai 2: {a45e6b3a-725d-4b20-afde-e7486bfe317c} - %profile%\extensions\{a45e6b3a-725d-4b20-afde-e7486bfe317c}
FF - Ext: Operetta: opera10skin@firefox.theme - %profile%\extensions\opera10skin@firefox.theme
FF - Ext: Smart Bookmarks 2.0: laviesaint@gmail.com - %profile%\extensions\laviesaint@gmail.com
FF - Ext: Read It Later: isreaditlater@ideashower.com - %profile%\extensions\isreaditlater@ideashower.com
FF - Ext: Text Link: {54BB9F3F-07E5-486c-9B39-C7398B99391C} - %profile%\extensions\{54BB9F3F-07E5-486c-9B39-C7398B99391C}
FF - Ext: Find In Tabs: FindInTabs@mishac.com - %profile%\extensions\FindInTabs@mishac.com
FF - Ext: Charamel: {961408A3-C970-4577-970A-D97C29839A67} - %profile%\extensions\{961408A3-C970-4577-970A-D97C29839A67}
FF - Ext: Past Modern: {81514210-E22A-4e69-93D5-E1EFD45B4620} - %profile%\extensions\{81514210-E22A-4e69-93D5-E1EFD45B4620}
FF - Ext: iTunesFox: iTunesFox@sjcmankimo.tw - %profile%\extensions\iTunesFox@sjcmankimo.tw
FF - Ext: ProfileSwitcher: {fa8476cf-a98c-4e08-99b4-65a69cb4b7d4} - %profile%\extensions\{fa8476cf-a98c-4e08-99b4-65a69cb4b7d4}
FF - Ext: Back to Top: {3C9A65A6-9563-4485-BA4A-4BCD698BCFB4} - %profile%\extensions\{3C9A65A6-9563-4485-BA4A-4BCD698BCFB4}
FF - Ext: OPIE: OPIE@guid.customsoftwareconsult.com - %profile%\extensions\OPIE@guid.customsoftwareconsult.com
FF - Ext: Element Hiding Helper for Adblock Plus: elemhidehelper@adblockplus.org - %profile%\extensions\elemhidehelper@adblockplus.org
FF - Ext: lyrics: {0e92e63d-3f90-471b-a4f0-b2de052aa046} - %profile%\extensions\{0e92e63d-3f90-471b-a4f0-b2de052aa046}
FF - Ext: Converter: {8B72860F-C5F8-4286-865E-D2C2DB98A9E6} - %profile%\extensions\{8B72860F-C5F8-4286-865E-D2C2DB98A9E6}
FF - Ext: Resurrect Pages: {0c8fbd76-bdeb-4c52-9b24-d587ce7b9dc3} - %profile%\extensions\{0c8fbd76-bdeb-4c52-9b24-d587ce7b9dc3}
FF - Ext: Searchbastard: searchbastard@rosell.dk - %profile%\extensions\searchbastard@rosell.dk
FF - Ext: SmoothWheel (mozdev.org): {5F590AA2-1221-4113-A6F4-A4BB62414FAC} - %profile%\extensions\{5F590AA2-1221-4113-A6F4-A4BB62414FAC}
FF - Ext: SmoothWheel (AMO): {5F590AA2-1221-4113-A6F4-A4BB62414FAC} - %profile%\extensions\{5F590AA2-1221-4113-A6F4-A4BB62414FAC}
FF - Ext: Spam Control: {db72cc3b-578c-43b2-8adb-b0a91803e9bf} - %profile%\extensions\{db72cc3b-578c-43b2-8adb-b0a91803e9bf}
FF - Ext: Surf Canyon - Search Engine Assistant: {75623d5d-4683-402a-b610-ac4bab767c86} - %profile%\extensions\{75623d5d-4683-402a-b610-ac4bab767c86}
FF - Ext: CS Lite: {00084897-021a-4361-8423-083407a033e0} - %profile%\extensions\{00084897-021a-4361-8423-083407a033e0}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: QuickNote: {C0CB8BA3-6C1B-47e8-A6AB-1FAB889562D9} - %profile%\extensions\{C0CB8BA3-6C1B-47e8-A6AB-1FAB889562D9}
FF - Ext: iMacros for Firefox: {81BF1D23-5F17-408D-AC6B-BD6DF7CAF670} - %profile%\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}
FF - Ext: getFavicon: getFavicon@xieluyun - %profile%\extensions\getFavicon@xieluyun
FF - Ext: QuickFox Notes: amin.eft_bmnotes@gmail.com - %profile%\extensions\amin.eft_bmnotes@gmail.com
FF - Ext: BarTab: bartap@philikon.de - %profile%\extensions\bartap@philikon.de
FF - Ext: My Voucher Codes Community Toolbar: {15b9700d-f5b7-4d0a-ae43-9b5099836a58} - %profile%\extensions\{15b9700d-f5b7-4d0a-ae43-9b5099836a58}
FF - Ext: Bayside Sniper Toolbar Button: bsfftb@sheaware.com - c:\documents and settings\user01\application data\baysidesniperii\bsfftb
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

---- FIREFOX POLICIES ----
FF - user.js: browser.blink_allowed - false
FF - user.js: network.prefetch-next - true
FF - user.js: nglayout.initialpaint.delay - 250
FF - user.js: layout.spellcheckDefault - 2
FF - user.js: browser.urlbar.autoFill - false
FF - user.js: browser.search.openintab - false
FF - user.js: browser.tabs.closeButtons - 1
FF - user.js: browser.tabs.opentabfor.middleclick - true
FF - user.js: browser.tabs.tabMinWidth - 100
FF - user.js: browser.urlbar.hideGoButton - false

============= SERVICES / DRIVERS ===============

R1 AntiLog32;AntiLog32;c:\program files\antilogger\AntiLog32.sys [2011-1-3 121288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-2-16 294608]
R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2009-12-11 74088]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-2-16 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-16 40384]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\blue coat k9 web protection\k9filter.exe [2009-12-11 1078632]
R2 BT848;WinFast TV2000 XP WDM Video Capture;c:\windows\system32\drivers\wf2kvcap.sys [2005-6-1 76325]
R2 GladFileMonSvc;GladFileMonSvc;c:\program files\gladinet\gladinet cloud desktop\GladFileMonSvc.exe [2010-11-17 27496]
R2 GreenPrint;GreenPrint;c:\program files\greenprint\gpsrht01.exe [2010-2-21 427048]
R2 Printer Control;Printer Control;c:\windows\system32\PrintCtrl.exe [2010-12-11 77824]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-10-17 124648]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-5-5 27632]
R3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\drivers\ss.sys [2010-6-6 19968]
R4 BKNDIS5;BKNDIS5 NDIS Protocol Driver;c:\progra~1\belkin\f5d9050\BKNDIS5.SYS [2010-6-6 15872]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\user01\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\user01\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\user01\locals~1\temp\sas_selfextract\saskutil.sys --> c:\docume~1\user01\locals~1\temp\sas_selfextract\SASKUTIL.sys [?]
S3 cpuz130;cpuz130;\??\c:\docume~1\user01\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\user01\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 cpuz132;cpuz132;\??\c:\docume~1\user01\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\user01\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 DfSdkS;Defragmentation-Service;c:\program files\ashampoo\ashampoo winoptimizer 2010 advanced\DfSdkS.exe [2010-3-22 406016]
S3 DM9USB;DM9601 USB To Fast Ethernet Adapter;c:\windows\system32\drivers\dm9usb.sys [2010-2-13 26674]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2010-2-13 17149]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2010-5-5 13224]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
S3 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\pcpitstop\PCPitstopScheduleService.exe [2011-1-9 90864]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-5-28 14896]
S3 SASENUM;SASENUM;\??\c:\docume~1\user01\locals~1\temp\sas_selfextract\sasenum.sys --> c:\docume~1\user01\locals~1\temp\sas_selfextract\SASENUM.SYS [?]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\wpn111.sys --> c:\windows\system32\drivers\WPN111.sys [?]

=============== Created Last 30 ================

2011-01-19 12:52:53 -------- d-sha-r- C:\cmdcons
2011-01-19 12:50:08 98816 ----a-w- c:\windows\sed.exe
2011-01-19 12:50:08 89088 ----a-w- c:\windows\MBR.exe
2011-01-19 12:50:08 256512 ----a-w- c:\windows\PEV.exe
2011-01-19 12:50:08 161792 ----a-w- c:\windows\SWREG.exe
2011-01-19 12:09:26 -------- d-----w- c:\docume~1\user01\applic~1\Malwarebytes
2011-01-19 12:09:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-19 12:09:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-01-19 12:09:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-19 12:09:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-09 15:38:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\PCPitstop
2011-01-09 15:38:11 -------- d-----w- c:\program files\PCPitstop
2011-01-03 17:48:45 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{73086D7F-9A14-4838-9E90-506EB6AA0FE5}
2010-12-27 14:50:11 -------- d-----w- c:\docume~1\user01\locals~1\applic~1\MetaGeek,_LLC
2010-12-27 14:31:41 -------- d-----w- c:\program files\MetaGeek
2010-12-25 01:14:24 -------- d-----w- c:\docume~1\user01\applic~1\gsmartcontrol
2010-12-25 01:13:32 -------- d-----w- c:\program files\GSmartControl
2010-12-25 00:40:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\Licenses
2010-12-25 00:32:19 -------- d-----w- c:\docume~1\user01\applic~1\Engelmann Media

==================== Find3M ====================

2011-01-13 08:47:35 38848 ----a-w- c:\windows\avastSS.scr
2010-12-12 19:23:42 57344 ----a-w- c:\windows\system32\CleanMem.exe
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 10:56:54.25 ===============


Any help greatly appreciated.

Attached Files
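The SERVICES / DRIVERS and FIREFOX sections of a DDS log like the one above can be triaged mechanically before anyone reads it line by line. The Python script below is an added example for this thread, not part of DDS or of any post here. It parses those two sections (the sample lines are copied from the posted log), flags drivers that DDS could not verify (the `[?]` suffix) or that load from a temp directory, and reports whether a stored Firefox proxy host is actually in effect, since only `network.proxy.type` 1 (manual) uses the `network.proxy.http` host and port. The flag names and the triage rules are this example's own heuristics.

```python
"""Triage helper for DDS logs: parse the SERVICES / DRIVERS section and the
Firefox prefs.js lines and flag entries a responder would look at first.
Added example for this thread, not part of DDS or of the original posts."""
import re
from dataclasses import dataclass, field

# Constructed sample: a few lines lifted verbatim from the posted DDS log.
SAMPLE_LOG = r"""
================= FIREFOX ===================

FF - prefs.js: network.proxy.http - 72.52.65.4
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.type - 4

============= SERVICES / DRIVERS ===============

R1 AntiLog32;AntiLog32;c:\program files\antilogger\AntiLog32.sys [2011-1-3 121288]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-2-16 17744]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\user01\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\user01\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?]
S3 cpuz130;cpuz130;\??\c:\docume~1\user01\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\user01\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\wpn111.sys --> c:\windows\system32\drivers\WPN111.sys [?]
"""

# One DDS driver line: "<R|S><start> <name>;<display>;<path> [<date> <size>]",
# or "... <path> --> <resolved path> [?]" when DDS could not stat the file.
DRIVER_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)
PREF_RE = re.compile(r"^FF - prefs\.js: (?P<key>\S+) - (?P<value>.*)$")

# Windows service "Start" registry values, which the DDS start digit reuses.
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}
# Firefox network.proxy.type values; only 1 means the manual host/port is used.
PROXY_TYPES = {0: "direct", 1: "manual", 2: "pac", 4: "auto-detect", 5: "system"}


@dataclass
class Driver:
    name: str
    display: str
    running: bool
    start_type: str
    path: str            # image path DDS resolved (right side of "-->")
    verified: bool       # False when DDS printed "[?]" instead of date/size
    flags: list = field(default_factory=list)


def parse_drivers(text):
    """Return one Driver per SERVICES / DRIVERS line, with triage flags set."""
    drivers = []
    for line in text.splitlines():
        m = DRIVER_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path").split(" --> ")[-1].strip()  # prefer resolved path
        verified = m.group("meta").strip() != "?"
        flags = []
        if not verified:
            flags.append("unverified")       # DDS found no file to stat
        if "\\temp\\" in path.lower():
            flags.append("temp-path")        # kernel driver loading from a temp dir
        drivers.append(Driver(
            name=m.group("name"), display=m.group("display"),
            running=m.group("state") == "R",
            start_type=START_TYPES.get(int(m.group("start")), "unknown"),
            path=path, verified=verified, flags=flags))
    return drivers


def parse_ff_prefs(text):
    """Collect the 'FF - prefs.js:' key/value lines into a dict."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            prefs[m.group("key")] = m.group("value").strip()
    return prefs


def proxy_finding(prefs):
    """Describe the Firefox proxy state; a stored host/port only matters
    when network.proxy.type is 1 (manual). Returns None if no host is set."""
    host = prefs.get("network.proxy.http")
    if not host:
        return None
    ptype = int(prefs.get("network.proxy.type", "0"))
    return {"host": host, "port": prefs.get("network.proxy.http_port"),
            "type": PROXY_TYPES.get(ptype, "unknown"), "active": ptype == 1}


def triage(text):
    """Top-level summary: drivers carrying any flag, plus the proxy finding."""
    flagged = [d for d in parse_drivers(text) if d.flags]
    return {"flagged_drivers": flagged, "proxy": proxy_finding(parse_ff_prefs(text))}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for d in result["flagged_drivers"]:
        state = "running" if d.running else "stopped"
        print(f"{d.name:10} {state}/{d.start_type:8} {','.join(d.flags):22} {d.path}")
    print("proxy:", result["proxy"])
```

Run against the sample, the three `[?]` drivers are reported, two of them also carrying `temp-path` because their image lives under the user's temp folder; a stopped driver whose file DDS could not find is usually a leftover from a tool that has already been removed, but it is exactly the kind of entry to reconcile against what the poster says was run. The proxy finding shows the host and port stored in prefs.js with `active` false, because type 4 is auto-detect rather than manual, which is the check a responder wants before concluding that browser traffic is being redirected.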





#2 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:03:20 PM

Posted 25 January 2011 - 09:52 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#3 Zoaxxa

Zoaxxa
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:20 PM

Posted 25 January 2011 - 05:15 PM

Hi! I have produced logs with DDS as requested, no problem, but I can't get GMER to work :(, it keeps freezing my system (tried about half a dozen times). Did a quick Google search and it seems this is quite common? Here are the DDS logs:


DDS (Ver_10-12-12.02) - NTFSx86
Run by User01 at 15:57:44.32 on 25/01/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2303.1822 [GMT 0:00]

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\Program Files\Gladinet\Gladinet Cloud Desktop\GladFileMonSvc.exe
C:\Program Files\Gladinet\Gladinet Cloud Desktop\WOSVSSSvrXP32.exe
C:\Program Files\GreenPrint\GPSRHT01.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PrintCtrl.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\GreenPrint\gpsrdg01.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\Program Files\AntiLogger\AntiLogger.exe
C:\Program Files\Down2Home\Down2Home.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User01\Application Data\Mozilla\Firefox\Profiles\elsyy16s.default\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}\components\afom.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\User01\Desktop\Malware\dds.scr

============== Pseudo HJT Report ===============

uStart Page =
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.routerlogin.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPBar.dll
BHO: eSnipsBHO Class: {b530a9a4-1722-4d16-aad6-aa85e3ad2ade} - c:\program files\logia\esnipsdownloader\eSnipsBHO.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPBar.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [F5D9050] c:\program files\belkin\f5d9050\Belkinwcui.exe
mRun: [AntiLogger] "c:\program files\antilogger\AntiLogger.exe" /minimized
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\down2h~1.lnk - c:\program files\down2home\Down2Home.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\windows search.lnk - c:\program files\windows desktop search\WindowsSearch.exe
mPolicies-explorer: NoResolveTrack = 1 (0x1)
mPolicies-explorer: NoFileAssociate = 0 (0x0)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Bayside Sniper - Add Auction Item - c:\documents and settings\user01\application data\baysidesniperii\BaysideSniperIE.dll/IE/201
IE: Bayside Sniper - Item Feedback Analyzer - c:\documents and settings\user01\application data\baysidesniperii\BaysideSniperIE.dll/IE/202
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: LastPass - file://c:\program files\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\lastpass\context.html?cmd=fillforms
IE: { - c:\program files\messenger\msmsgs.exe
IE: {C8644EC1-E8D3-4691-B778-6458E3701177} - res://c:\documents and settings\user01\application data\baysidesniperii\BaysideSniperIE.dll/IE/201
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPBar.dll
Trusted Zone: kuaiche.com\software
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1269282486234
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user01\applic~1\mozilla\firefox\profiles\elsyy16s.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.http - 72.52.65.4
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\user01\application data\mozilla\firefox\profiles\elsyy16s.default\extensions\{15b9700d-f5b7-4d0a-ae43-9b5099836a58}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\user01\application data\mozilla\firefox\profiles\elsyy16s.default\extensions\{e173b749-db5b-4fd2-ba0e-94ecea0ca55b}\components\npAFOM.dll
FF - component: c:\documents and settings\user01\application data\mozilla\firefox\profiles\elsyy16s.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
FF - plugin: c:\documents and settings\user01\application data\mozilla\firefox\profiles\elsyy16s.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - c:\program files\mozilla firefox\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: QuickDrag: quickdrag@mozilla.ktechcomputing.com - %profile%\extensions\quickdrag@mozilla.ktechcomputing.com
FF - Ext: Tab Scope: tabscope@xuldev.org - %profile%\extensions\tabscope@xuldev.org
FF - Ext: Speed Dial: {64161300-e22b-11db-8314-0800200c9a66} - %profile%\extensions\{64161300-e22b-11db-8314-0800200c9a66}
FF - Ext: Locationbar²: locationbar2@design-noir.de - %profile%\extensions\locationbar2@design-noir.de
FF - Ext: Automatic Save Folder: asf@mangaheart.org - %profile%\extensions\asf@mangaheart.org
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: User Agent Switcher: {e968fc70-8f95-4ab9-9e79-304de2a71ee1} - %profile%\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
FF - Ext: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - %profile%\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
FF - Ext: PDF Download: {37E4D8EA-8BDA-4831-8EA1-89053939A250} - %profile%\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
FF - Ext: FEBE: {4BBDD651-70CF-4821-84F8-2B918CF89CA3} - %profile%\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
FF - Ext: Add-on Collector: sharing@addons.mozilla.org - %profile%\extensions\sharing@addons.mozilla.org
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: Tabhunter: tabhunter@ericpromislow.com - %profile%\extensions\tabhunter@ericpromislow.com
FF - Ext: MR Tech Toolkit: {9669CC8F-B388-42FE-86F4-CB5E7F5A8BDC} - %profile%\extensions\{9669CC8F-B388-42FE-86F4-CB5E7F5A8BDC}
FF - Ext: Session Manager: {1280606b-2510-4fe0-97ef-9b5a22eafe30} - %profile%\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}
FF - Ext: Tab Kit: tabkit@jomel.me.uk - %profile%\extensions\tabkit@jomel.me.uk
FF - Ext: Forecastfox Weather: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - %profile%\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
FF - Ext: WebMail Notifier: {37fa1426-b82d-11db-8314-0800200c9a66} - %profile%\extensions\{37fa1426-b82d-11db-8314-0800200c9a66}
FF - Ext: LastPass: support@lastpass.com - %profile%\extensions\support@lastpass.com
FF - Ext: BugMeNot: {987311C6-B504-4aa2-90BF-60CC49808D42} - %profile%\extensions\{987311C6-B504-4aa2-90BF-60CC49808D42}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: ChatZilla: {59c81df5-4b7a-477b-912d-4e0fdf64e5f2} - %profile%\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}
FF - Ext: Screengrab: {02450954-cdd9-410f-b1da-db804e18c671} - %profile%\extensions\{02450954-cdd9-410f-b1da-db804e18c671}
FF - Ext: Diigo Bookmarks and Web Annotations: {fc2b8f80-d9a5-4f51-8076-7c7ce3c67ee3} - %profile%\extensions\{fc2b8f80-d9a5-4f51-8076-7c7ce3c67ee3}
FF - Ext: Dr.Web anti-virus link checker: {6614d11d-d21d-b211-ae23-815234e1ebb5} - %profile%\extensions\{6614d11d-d21d-b211-ae23-815234e1ebb5}
FF - Ext: ImTranslator: {9AA46F4F-4DC7-4c06-97AF-5035170634FE} - %profile%\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170634FE}
FF - Ext: Vacuum Places Improved: VacuumPlacesImproved@lultimouomo-gmail.com - %profile%\extensions\VacuumPlacesImproved@lultimouomo-gmail.com
FF - Ext: Memory Fox: {E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B} - %profile%\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}
FF - Ext: Nuke Anything Enhanced: {1ced4832-f06e-413f-aa14-9eb63ad40ace} - %profile%\extensions\{1ced4832-f06e-413f-aa14-9eb63ad40ace}
FF - Ext: CoolPreviews : {CE6E6E3B-84DD-4cac-9F63-8D2AE4F30A4B} - %profile%\extensions\{CE6E6E3B-84DD-4cac-9F63-8D2AE4F30A4B}
FF - Ext: Gradient Brushed Metal: GradientBrushedMetalFF3@pumpel.com - %profile%\extensions\GradientBrushedMetalFF3@pumpel.com
FF - Ext: MacOSX Theme: {00352F14-3F76-4e4d-ACFF-9976D7E4B3B9} - %profile%\extensions\{00352F14-3F76-4e4d-ACFF-9976D7E4B3B9}
FF - Ext: Favicon Picker 2: {446c03e0-2c35-11db-a98b-0800200c9a66} - %profile%\extensions\{446c03e0-2c35-11db-a98b-0800200c9a66}
FF - Ext: Organize Status Bar: {35106bca-6c78-48c7-ac28-56df30b51d2c} - %profile%\extensions\{35106bca-6c78-48c7-ac28-56df30b51d2c}
FF - Ext: Noia 2.0 (eXtreme): {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} - %profile%\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
FF - Ext: Silvermel: silvermel@pardal.de - %profile%\extensions\silvermel@pardal.de
FF - Ext: Aluminium Kai 2: {a45e6b3a-725d-4b20-afde-e7486bfe317c} - %profile%\extensions\{a45e6b3a-725d-4b20-afde-e7486bfe317c}
FF - Ext: Operetta: opera10skin@firefox.theme - %profile%\extensions\opera10skin@firefox.theme
FF - Ext: Smart Bookmarks 2.0: laviesaint@gmail.com - %profile%\extensions\laviesaint@gmail.com
FF - Ext: Read It Later: isreaditlater@ideashower.com - %profile%\extensions\isreaditlater@ideashower.com
FF - Ext: Text Link: {54BB9F3F-07E5-486c-9B39-C7398B99391C} - %profile%\extensions\{54BB9F3F-07E5-486c-9B39-C7398B99391C}
FF - Ext: Find In Tabs: FindInTabs@mishac.com - %profile%\extensions\FindInTabs@mishac.com
FF - Ext: Charamel: {961408A3-C970-4577-970A-D97C29839A67} - %profile%\extensions\{961408A3-C970-4577-970A-D97C29839A67}
FF - Ext: Past Modern: {81514210-E22A-4e69-93D5-E1EFD45B4620} - %profile%\extensions\{81514210-E22A-4e69-93D5-E1EFD45B4620}
FF - Ext: iTunesFox: iTunesFox@sjcmankimo.tw - %profile%\extensions\iTunesFox@sjcmankimo.tw
FF - Ext: ProfileSwitcher: {fa8476cf-a98c-4e08-99b4-65a69cb4b7d4} - %profile%\extensions\{fa8476cf-a98c-4e08-99b4-65a69cb4b7d4}
FF - Ext: Back to Top: {3C9A65A6-9563-4485-BA4A-4BCD698BCFB4} - %profile%\extensions\{3C9A65A6-9563-4485-BA4A-4BCD698BCFB4}
FF - Ext: OPIE: OPIE@guid.customsoftwareconsult.com - %profile%\extensions\OPIE@guid.customsoftwareconsult.com
FF - Ext: Element Hiding Helper for Adblock Plus: elemhidehelper@adblockplus.org - %profile%\extensions\elemhidehelper@adblockplus.org
FF - Ext: lyrics: {0e92e63d-3f90-471b-a4f0-b2de052aa046} - %profile%\extensions\{0e92e63d-3f90-471b-a4f0-b2de052aa046}
FF - Ext: Converter: {8B72860F-C5F8-4286-865E-D2C2DB98A9E6} - %profile%\extensions\{8B72860F-C5F8-4286-865E-D2C2DB98A9E6}
FF - Ext: Resurrect Pages: {0c8fbd76-bdeb-4c52-9b24-d587ce7b9dc3} - %profile%\extensions\{0c8fbd76-bdeb-4c52-9b24-d587ce7b9dc3}
FF - Ext: Searchbastard: searchbastard@rosell.dk - %profile%\extensions\searchbastard@rosell.dk
FF - Ext: SmoothWheel (mozdev.org): {5F590AA2-1221-4113-A6F4-A4BB62414FAC} - %profile%\extensions\{5F590AA2-1221-4113-A6F4-A4BB62414FAC}
FF - Ext: SmoothWheel (AMO): {5F590AA2-1221-4113-A6F4-A4BB62414FAC} - %profile%\extensions\{5F590AA2-1221-4113-A6F4-A4BB62414FAC}
FF - Ext: Spam Control: {db72cc3b-578c-43b2-8adb-b0a91803e9bf} - %profile%\extensions\{db72cc3b-578c-43b2-8adb-b0a91803e9bf}
FF - Ext: Surf Canyon - Search Engine Assistant: {75623d5d-4683-402a-b610-ac4bab767c86} - %profile%\extensions\{75623d5d-4683-402a-b610-ac4bab767c86}
FF - Ext: CS Lite: {00084897-021a-4361-8423-083407a033e0} - %profile%\extensions\{00084897-021a-4361-8423-083407a033e0}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: QuickNote: {C0CB8BA3-6C1B-47e8-A6AB-1FAB889562D9} - %profile%\extensions\{C0CB8BA3-6C1B-47e8-A6AB-1FAB889562D9}
FF - Ext: iMacros for Firefox: {81BF1D23-5F17-408D-AC6B-BD6DF7CAF670} - %profile%\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}
FF - Ext: getFavicon: getFavicon@xieluyun - %profile%\extensions\getFavicon@xieluyun
FF - Ext: QuickFox Notes: amin.eft_bmnotes@gmail.com - %profile%\extensions\amin.eft_bmnotes@gmail.com
FF - Ext: BarTab: bartap@philikon.de - %profile%\extensions\bartap@philikon.de
FF - Ext: My Voucher Codes Community Toolbar: {15b9700d-f5b7-4d0a-ae43-9b5099836a58} - %profile%\extensions\{15b9700d-f5b7-4d0a-ae43-9b5099836a58}
FF - Ext: Bayside Sniper Toolbar Button: bsfftb@sheaware.com - c:\documents and settings\user01\application data\baysidesniperii\bsfftb
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

---- FIREFOX POLICIES ----
FF - user.js: browser.blink_allowed - false
FF - user.js: network.prefetch-next - true
FF - user.js: nglayout.initialpaint.delay - 250
FF - user.js: layout.spellcheckDefault - 2
FF - user.js: browser.urlbar.autoFill - false
FF - user.js: browser.search.openintab - false
FF - user.js: browser.tabs.closeButtons - 1
FF - user.js: browser.tabs.opentabfor.middleclick - true
FF - user.js: browser.tabs.tabMinWidth - 100
FF - user.js: browser.urlbar.hideGoButton - false

============= SERVICES / DRIVERS ===============

R1 AntiLog32;AntiLog32;c:\program files\antilogger\AntiLog32.sys [2011-1-3 121288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-2-16 294608]
R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2009-12-11 74088]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-2-16 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-16 40384]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\blue coat k9 web protection\k9filter.exe [2009-12-11 1078632]
R2 BT848;WinFast TV2000 XP WDM Video Capture;c:\windows\system32\drivers\wf2kvcap.sys [2005-6-1 76325]
R2 GladFileMonSvc;GladFileMonSvc;c:\program files\gladinet\gladinet cloud desktop\GladFileMonSvc.exe [2010-11-17 27496]
R2 GreenPrint;GreenPrint;c:\program files\greenprint\gpsrht01.exe [2010-2-21 427048]
R2 Printer Control;Printer Control;c:\windows\system32\PrintCtrl.exe [2010-12-11 77824]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-10-17 124648]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-5-5 27632]
R3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\drivers\ss.sys [2010-6-6 19968]
S?4 BKNDIS5;BKNDIS5 NDIS Protocol Driver;c:\progra~1\belkin\f5d9050\BKNDIS5.SYS [2010-6-6 15872]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\user01\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\user01\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\user01\locals~1\temp\sas_selfextract\saskutil.sys --> c:\docume~1\user01\locals~1\temp\sas_selfextract\SASKUTIL.sys [?]
S3 cpuz130;cpuz130;\??\c:\docume~1\user01\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\user01\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 cpuz132;cpuz132;\??\c:\docume~1\user01\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\user01\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 DfSdkS;Defragmentation-Service;c:\program files\ashampoo\ashampoo winoptimizer 2010 advanced\DfSdkS.exe [2010-3-22 406016]
S3 DM9USB;DM9601 USB To Fast Ethernet Adapter;c:\windows\system32\drivers\dm9usb.sys [2010-2-13 26674]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2010-2-13 17149]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2010-5-5 13224]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
S3 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\pcpitstop\PCPitstopScheduleService.exe [2011-1-9 90864]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-5-28 14896]
S3 SASENUM;SASENUM;\??\c:\docume~1\user01\locals~1\temp\sas_selfextract\sasenum.sys --> c:\docume~1\user01\locals~1\temp\sas_selfextract\SASENUM.SYS [?]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\wpn111.sys --> c:\windows\system32\drivers\WPN111.sys [?]

=============== Created Last 30 ================

2011-01-24 20:39:17 -------- d-----w- c:\docume~1\user01\applic~1\Tidy Start Menu
2011-01-24 20:39:07 -------- d-----w- c:\program files\Tidy Start Menu
2011-01-19 12:52:53 -------- d-sha-r- C:\cmdcons
2011-01-19 12:50:08 98816 ----a-w- c:\windows\sed.exe
2011-01-19 12:50:08 89088 ----a-w- c:\windows\MBR.exe
2011-01-19 12:50:08 256512 ----a-w- c:\windows\PEV.exe
2011-01-19 12:50:08 161792 ----a-w- c:\windows\SWREG.exe
2011-01-19 12:09:26 -------- d-----w- c:\docume~1\user01\applic~1\Malwarebytes
2011-01-19 12:09:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-19 12:09:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-01-19 12:09:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-19 12:09:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-09 15:38:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\PCPitstop
2011-01-09 15:38:11 -------- d-----w- c:\program files\PCPitstop
2011-01-03 17:48:45 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{73086D7F-9A14-4838-9E90-506EB6AA0FE5}
2010-12-27 14:50:11 -------- d-----w- c:\docume~1\user01\locals~1\applic~1\MetaGeek,_LLC
2010-12-27 14:31:41 -------- d-----w- c:\program files\MetaGeek

==================== Find3M ====================

2011-01-13 08:47:35 38848 ----a-w- c:\windows\avastSS.scr
2010-12-12 19:23:42 57344 ----a-w- c:\windows\system32\CleanMem.exe
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll

============= FINISH: 15:59:21.64 ===============

Thanks

Attached Files



#4 pwgib (Malware Response Team, 2,956 posts)

Posted 26 January 2011 - 09:43 AM

Hello Zoaxxa,

I will be handling your log to help you get cleaned up. I apologize for the delay but the forum is very busy. As you can see the logs we ask for are very extensive and take a lot of time to investigate.

Please subscribe to this topic. Click on the Watch Topic button, select Immediate Notification and click on proceed.

Please make sure Word Wrap in Notepad is turned off. When copying and pasting logs, paste them directly in the reply box; only attach logs if asked to. Do not wrap logs in codebox or code tags. It makes it very difficult to read and analyze them. Please paste them directly into the reply box.
Please do not make any changes to your system until we are through. Fixes are based upon information that is current from your system so any changes can affect our strategy. Please refrain from running any tools we may use without specific instructions.

If your operating system is Windows Vista or Windows 7 it may be necessary to right-click any programs we use and choose Run as Administrator.

Before we begin please check and follow the instructions on How to Show Hidden Files and Folders in Windows Vista and Windows XP and How to show hidden files in Windows 7

Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you are having, along with any steps you may have performed so far.


You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.

If you do not have ComboFix.txt on your desktop please navigate to C:\ComboFix.txt and post the report in your next reply.


Thanks!!
PW

#5 Zoaxxa (Topic Starter, Members, 12 posts)

Posted 26 January 2011 - 12:00 PM

Hello, thanks for getting back to me. I have already posted a Combofix log as an attachment at the beginning of this thread, do you want me to post another?

#6 pwgib (Malware Response Team, 2,956 posts)

Posted 26 January 2011 - 12:41 PM

Hi Zoaxxa,

I have already posted a Combofix log as an attachment at the beginning of this thread, do you want me to post another?

Not necessary. I just missed it. :)

Please do not attach logs unless asked to. :thumbup2:


Thanks!!
PW

#7 pwgib (Malware Response Team, 2,956 posts)

Posted 27 January 2011 - 05:45 AM

Hello Zoaxxa,

but I can't get GMER to work

This is not unusual.

This is legitimate and is related to the Kaspersky antivirus engine:
Windows Driver Package - Kaspersky Lab KLIF ActivityMonitor


Your log(s) show that you are using so called peer-to-peer or file-sharing programs (in your case µTorrent). These programs allow file sharing between users as the name(s) suggest. In today's world cyber crime has become an enormous problem. Different ways are used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools as a huge amount of prospective victims can be reached through them.

It is therefore possible to be infected by downloading infected files via peer-to-peer tools and so these tools must be used with extreme care. Some further reading on this subject, along with included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes on copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

If you decide to keep this program please refrain from using it until we get your computer clean.


  • Click on this link--> virustotal
  • Click the browse button. Copy and paste the following lines in the open box, then click Send File after pasting one line. You will only be able to have one file scanned at a time.

c:\windows\system32\drivers\npf.sys


If the file has been analyzed before, click the Reanalyse File Now button.

Please copy and paste the results of the scan in your next post.


I notice that you are allowing or placing sites in the Internet Explorer Trusted Zone.

"Internet Explorer's security is based upon a set of zones. Each zone has different security in terms of what scripts and applications can be run from a site that is in that zone.
There is a security zone called the Trusted Zone. This zone has the lowest security and allows scripts and applications from sites in this zone to run without your knowledge.
It is therefore a popular setting for malware sites to use so that future infections can be easily done on your computer without your knowledge as these sites will be in the Trusted Zone."
http://www.bleepingcomputer.com/tutorials/...42.html#O15Diag

In your case I see you have the following sites in the trusted zone:

kuaiche.com\software


I suggest you do not allow any sites in the Trusted Zone for the above stated reasons.

To remove sites from the trusted Zone
Close any Internet Explorer or Windows Explorer windows that are currently open.
Open Internet Explorer by clicking the Start button , and then clicking Internet Explorer.
Click the Tools button, and then click Internet Options.(under Network and Internet in the category view).
Choose the Security tab, select Trusted Sites then click on the Sites button. In the Trusted Sites window highlight the sites to remove and click the Remove button then close all windows.


Did you set this Firefox proxy, United States Austin Advanced Colocation?

FF - prefs.js: network.proxy.http - 72.52.65.4


Step 1.

We need to run a Combofix Script

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <<----Important
3. Open notepad and copy/paste the text in the codebox below into it:

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard]
"ShellNext"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"=-

Driver::
SASDIFSV
SASKUTIL
cpuz130

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

If Combofix prompts you to update the program please allow it to do so.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Note:


Step 2.

Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)

In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".


In your next reply please include the following:

VirusTotal scan results
ComboFix.txt
RKUnhooker report


How is your computer running?


Thanks!!
PW
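
The three items pwgib singles out in the post above (the Internet Explorer Trusted Zone entry, the Firefox proxy preference, and the kernel drivers registered from a Temp folder) can be pulled out of a DDS-style log mechanically. The script below is an added example for this page, not a tool from the thread or from the ComboFix/DDS authors; its sample lines are copied from the log posted earlier in the thread, and its decoding of network.proxy.type uses Firefox's documented values (0 direct, 1 manual, 2 PAC script, 4 auto-detect, 5 system). The function and variable names are the example's own.

```python
"""Triage helpers for DDS/ComboFix-style log lines (added example, not from the thread)."""
import re

# Firefox's documented values for the network.proxy.type preference.
PROXY_TYPE = {
    0: "direct (no proxy)",
    1: "manual proxy (network.proxy.* host/port entries are in effect)",
    2: "proxy auto-config (PAC) script",
    4: "auto-detect via WPAD (manual network.proxy.* entries are ignored)",
    5: "use system proxy settings",
}

# DDS service/driver lines look like "R1 name;description;image path [date size]".
SERVICE_RE = re.compile(r"^([RS]\??\d)\s+([^;]+);([^;]*);(.*)$")
# Image paths under a user's Temp folder (8.3 or long form, Windows XP layout).
TEMP_DIR_RE = re.compile(r"\\(?:locals~1|local settings)\\temp\\", re.IGNORECASE)

# Sample input: lines copied from the DDS log posted earlier in this thread.
SAMPLE_LOG = r"""
Trusted Zone: kuaiche.com\software
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.http - 72.52.65.4
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.type - 4
R1 AntiLog32;AntiLog32;c:\program files\antilogger\AntiLog32.sys [2011-1-3 121288]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-16 40384]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\user01\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\user01\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?]
S3 cpuz130;cpuz130;\??\c:\docume~1\user01\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\user01\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\wpn111.sys --> c:\windows\system32\drivers\WPN111.sys [?]
""".strip().splitlines()


def trusted_zone_entries(lines):
    """Sites DDS reports in the IE Trusted Zone."""
    return [line.split(":", 1)[1].strip()
            for line in lines if line.startswith("Trusted Zone:")]


def parse_ff_prefs(lines):
    """Collect 'FF - prefs.js: key - value' lines into a dict."""
    prefs = {}
    for line in lines:
        m = re.match(r"^FF - prefs\.js: (\S+) - (.*)$", line.strip())
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def firefox_proxy_finding(prefs):
    """Return (in_effect, description) for a configured HTTP proxy, or None."""
    host = prefs.get("network.proxy.http")
    if not host:
        return None
    port = prefs.get("network.proxy.http_port", "")
    ptype = int(prefs.get("network.proxy.type", "0"))
    # A manual host/port only matters when the type selects manual mode (1).
    in_effect = ptype == 1
    desc = (f"network.proxy.http={host}:{port}, network.proxy.type={ptype} "
            f"({PROXY_TYPE.get(ptype, 'unknown')})")
    return in_effect, desc


def suspicious_drivers(lines):
    """Services/drivers whose image is under a Temp folder or missing ('[?]')."""
    hits = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        name, path = m.group(2), m.group(4)
        reasons = []
        if TEMP_DIR_RE.search(path):
            reasons.append("image under a temp directory")
        if path.rstrip().endswith("[?]"):
            reasons.append("image file not found on disk")
        if reasons:
            hits.append((name, reasons))
    return hits


def triage(lines):
    """Run all three checks over a list of log lines."""
    return {
        "trusted_zone": trusted_zone_entries(lines),
        "firefox_proxy": firefox_proxy_finding(parse_ff_prefs(lines)),
        "drivers": suspicious_drivers(lines),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Two caveats the decoding makes visible. The posted prefs.js has network.proxy.type set to 4 (auto-detect), so the manual 72.52.65.4:3128 entry is stored but not in effect unless the type is switched to 1; it is still worth establishing where it came from. The driver check is broader than the three names in the CFScript: it flags every entry under %TEMP% or with a missing image, and WPN111 shows up only because its file is absent (a leftover hardware driver, not a temp-folder loader), which calls for a different fix than the SAS and CPU-Z entries.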

#8 Zoaxxa (Topic Starter, Members, 12 posts)

Posted 27 January 2011 - 10:31 AM

This is legitimate and is related to Kaspersky antivirus engine



Hello, as far as I know I've never installed Kaspersky anti-virus package. I have Avast running, does this use parts of the Kaspersky engine?

Virus total

File name: npf.sys
Submission date: 2011-01-27 12:20:12 (UTC)
Current status: finished
Result: 0/ 43 (0.0%)

Antivirus Version Last Update Result
AhnLab-V3 2011.01.27.01 2011.01.27 -
AntiVir 7.11.2.4 2011.01.27 -
Antiy-AVL 2.0.3.7 2011.01.27 -
Avast 4.8.1351.0 2011.01.27 -
Avast5 5.0.677.0 2011.01.27 -
AVG 10.0.0.1190 2011.01.27 -
BitDefender 7.2 2011.01.27 -
CAT-QuickHeal 11.00 2011.01.27 -
ClamAV 0.96.4.0 2011.01.27 -
Commtouch 5.2.11.5 2011.01.27 -
Comodo 7519 2011.01.27 -
DrWeb 5.0.2.03300 2011.01.27 -
Emsisoft 5.1.0.1 2011.01.27 -
eSafe 7.0.17.0 2011.01.24 -
eTrust-Vet 36.1.8122 2011.01.27 -
F-Prot 4.6.2.117 2011.01.26 -
F-Secure 9.0.16160.0 2011.01.27 -
Fortinet 4.2.254.0 2011.01.27 -
GData 21 2011.01.27 -
Ikarus T3.1.1.97.0 2011.01.27 -
Jiangmin 13.0.900 2011.01.27 -
K7AntiVirus 9.78.3650 2011.01.26 -
Kaspersky 7.0.0.125 2011.01.27 -
McAfee 5.400.0.1158 2011.01.27 -
McAfee-GW-Edition 2010.1C 2011.01.27 -
Microsoft 1.6502 2011.01.27 -
NOD32 5823 2011.01.27 -
Norman 6.06.12 None.. -
nProtect 2011-01-18.01 2011.01.18 -
Panda 10.0.3.5 2011.01.26 -
PCTools 7.0.3.5 2011.01.27 -
Prevx 3.0 2011.01.27 -
Rising 23.42.03.05 2011.01.27 -
Sophos 4.61.0 2011.01.27 -
SUPERAntiSpyware 4.40.0.1006 2011.01.27 -
Symantec 20101.3.0.103 2011.01.27 -
TheHacker 6.7.0.1.120 2011.01.26 -
TrendMicro 9.120.0.1004 2011.01.27 -
TrendMicro-HouseCall 9.120.0.1004 2011.01.27 -
VBA32 3.12.14.3 2011.01.26 -
VIPRE 8213 2011.01.27 -
ViRobot 2011.1.27.4278 2011.01.27 -
VirusBuster 13.6.166.0 2011.01.26 -
Additional information
MD5 : b9730495e0cf674680121e34bd95a73b
SHA1 : 5f897e63a08201563184beb2acb1b96aab2eaa7c
SHA256: 1a3dd943b0eea19a676175825cb135825ecf41404b59349ac9b1e6d137fa9b46
ssdeep: 768:yTENxA/iiPFPVK4VyNjdDnCeZwd3/uISqk5ilbwTK9/xiL5gE5KCwyYwXecOqLTu:4TVKZNjdDJZwZ9eExjGH5TzhpW31
File size : 50704 bytes
First seen: 2009-10-21 11:23:50
Last seen : 2011-01-27 12:20:12
TrID:
Win64 Executable Generic (87.2%)
Win32 Executable Generic (8.6%)
Generic Win/DOS Executable (2.0%)
DOS Executable Generic (2.0%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: CACE Technologies, Inc.
copyright....: Copyright © 2005-2009 CACE Technologies. Copyright © 1999-2005 NetGroup, Politecnico di Torino.
product......: WinPcap
description..: npf.sys (NT5/6 x86) Kernel Driver
original name: npf.sys
internal name: NPF _ TME
file version.: 4.1.0.1753
comments.....: n/a
signers......: CACE Technologies, Inc.
VeriSign Class 3 Code Signing 2004 CA
Class 3 Public Primary Certification Authority
signing date.: 7:19 PM 10/20/2009
verified.....: -
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0xC005
timedatestamp....: 0x4ADDFA08 (Tue Oct 20 17:57:28 2009)
machinetype......: 0x14c (I386)

[[ 6 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x8325, 0x8400, 6.40, 500eb8cac8fc8c22352bc42af5c7fa84
.rdata, 0xA000, 0x414, 0x600, 2.99, 4c84e1de21f0d72a6dcb6b582d906efe
.data, 0xB000, 0x5EC, 0x600, 0.69, aa9c3886c81cc12eff648f1494a8b186
INIT, 0xC000, 0x766, 0x800, 5.19, bde7ddf10ce4ad170a75679d649d2e40
.rsrc, 0xD000, 0x440, 0x600, 2.61, e69f5f19a4219f6ed934a9573097eaed
.reloc, 0xE000, 0x856, 0xA00, 5.36, 46c7f0375f0254401fe701dfe090ad98

[[ 3 import(s) ]]
ntoskrnl.exe: MmUnlockPages, IoFreeMdl, MmProbeAndLockPages, IoAllocateMdl, KeResetEvent, ObfDereferenceObject, ObReferenceObjectByHandle, ExEventObjectType, _allmul, RtlAssert, ZwSetInformationThread, KeQuerySystemTime, _allrem, _alldiv, KeWaitForSingleObject, KeInitializeEvent, _aullrem, _aulldiv, KeSetEvent, ExfInterlockedRemoveHeadList, KeClearEvent, MmBuildMdlForNonPagedPool, KefReleaseSpinLockFromDpcLevel, KefAcquireSpinLockAtDpcLevel, KeTickCount, KeBugCheckEx, ExfInterlockedInsertTailList, IofCompleteRequest, IoDeleteSymbolicLink, IoDeleteDevice, RtlCompareMemory, RtlAppendUnicodeStringToString, RtlAppendUnicodeToString, IoCreateDevice, IoCreateSymbolicLink, ZwOpenKey, ZwEnumerateKey, ZwQueryValueKey, ZwClose, memcpy, ExAllocatePoolWithTag, RtlQueryRegistryValues, RtlWriteRegistryValue, ExFreePoolWithTag, memset, DbgPrint, PsGetVersion, MmMapLockedPagesSpecifyCache, RtlInitUnicodeString, RtlUnwind
HAL.dll: KfReleaseSpinLock, KeGetCurrentIrql, KeQueryPerformanceCounter, KfLowerIrql, KfRaiseIrql, KfAcquireSpinLock
NDIS.SYS: NdisCloseAdapter, NdisSetEvent, NdisResetEvent, NdisInitializeEvent, NdisWaitEvent, NdisSystemProcessorCount, NdisRegisterProtocol, NdisDeregisterProtocol, NdisOpenAdapter, NdisAllocatePacketPool, NdisFreePacketPool, NdisFreePacket, NdisAllocatePacket, NdisRequest, NdisUnchainBufferAtFront

Internet Explorer Trusted Zone= Done

Did you set this Firefox proxy, United States Austin Advanced Colocation?



Not as far as I'm aware. However, I do have the 'SecurityKISS Tunnel' encrypted VPN program installed?

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



It is attached. Whilst running ComboFix my computer restarted on its own. An IE shortcut had been placed on my desktop for some reason?

RKUnhooker report

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0xB652D000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 10276864 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 196.21 )
0xBD012000 C:\WINDOWS\System32\nv4_disp.dll 6361088 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 196.21 )
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2189952 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2189952 bytes
0x804D7000 RAW 2189952 bytes
0x804D7000 WMIxWDM 2189952 bytes
0xB5EDE000 C:\WINDOWS\system32\DRIVERS\IntelS51.sys 1863680 bytes (Intel Corporation, Intel V.92 Modem)
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF7B52000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xAF229000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 507904 bytes (Microsoft Corporation, WDF Dynamic)
0xAF59A000 C:\WINDOWS\System32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB4612000 C:\WINDOWS\System32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xAF694000 C:\WINDOWS\System32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xAB6B5000 C:\WINDOWS\System32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xADBD4000 C:\WINDOWS\System32\Drivers\aswSP.SYS 290816 bytes (AVAST Software, avast! self protection module)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xAA890000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB5E3A000 C:\WINDOWS\system32\drivers\vinyl97.sys 208896 bytes (VIA Technologies, Inc., Vinyl AC'97 Codec Combo WDM Driver)
0xF75A8000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xAB84D000 C:\WINDOWS\System32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF744A000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xAF60A000 C:\WINDOWS\System32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xAF657000 C:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xAF574000 C:\WINDOWS\System32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB5E16000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB5E6D000 C:\WINDOWS\System32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xADBB1000 C:\Program Files\AntiLogger\AntiLog32.sys 143360 bytes (Zemana Ltd., Zemana AntiLogger Driver (stand-alone))
0xB5EBB000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xAF635000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xAB981000 C:\Program Files\Sandboxie\SbieDrv.sys 135168 bytes (SANDBOXIE L.T.D, Sandboxie Kernel Mode Driver)
0x806EE000 ACPI_HAL 131840 bytes
0x806EE000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF74A0000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF74D8000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF7430000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF74C0000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xADB99000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xAB91A000 C:\WINDOWS\System32\Drivers\aswMon2.SYS 94208 bytes (AVAST Software, avast! File System Filter Driver for Windows XP)
0xF7477000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB5DEB000 C:\WINDOWS\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xAF67F000 C:\WINDOWS\system32\drivers\bckd.sys 86016 bytes (Blue Coat Systems, Inc., Blue Coat Web Filter driver)
0xAB240000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB5E02000 C:\WINDOWS\System32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xB64F8000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xAF6ED000 C:\WINDOWS\System32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBD000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF748E000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB5EA9000 C:\WINDOWS\system32\drivers\wf2kvcap.sys 73728 bytes (Leadtek Research Inc., WinFast TV2000 XP WDM Video Capture Driver.)
0xF7597000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB5DDA000 C:\WINDOWS\System32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF7537000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xB8778000 C:\WINDOWS\System32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF7677000 C:\WINDOWS\System32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xB8738000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xB8768000 C:\WINDOWS\System32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xAB3FD000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xB46F0000 C:\WINDOWS\System32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF7637000 C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF7687000 C:\WINDOWS\System32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xB8798000 C:\WINDOWS\system32\drivers\STREAM.SYS 53248 bytes (Microsoft Corporation, WDM CODEC Class Device Driver 2.0)
0xF7617000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF76E7000 C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0xF76A7000 C:\WINDOWS\System32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xB7E83000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xB8758000 C:\WINDOWS\System32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF7607000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF7697000 C:\WINDOWS\System32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF7647000 viaagp.sys 45056 bytes (Microsoft Corporation, VIA NT AGP Filter)
0xB87B8000 C:\WINDOWS\System32\DRIVERS\amdk7.sys 40960 bytes (Microsoft Corporation, Processor Device Driver)
0xB4670000 C:\WINDOWS\System32\Drivers\aswTdi.SYS 40960 bytes (AVAST Software, avast! TDI Filter Driver)
0xF75F7000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xB7E63000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF7547000 C:\WINDOWS\System32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF7627000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF76D7000 C:\WINDOWS\System32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF76C7000 C:\WINDOWS\System32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xB8748000 C:\WINDOWS\System32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xAB5D5000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xB7EB3000 C:\WINDOWS\System32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xB7BD7000 C:\ComboFix\catchme.sys 32768 bytes
0xF77F7000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xB1A1A000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xB4816000 C:\WINDOWS\System32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xF7807000 C:\WINDOWS\System32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF7717000 videX32.sys 32768 bytes (VIA Technologies, Inc., VIA Generic PCI IDE Bus Driver)
0xF780F000 C:\WINDOWS\System32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xB1A32000 C:\WINDOWS\System32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xB47FE000 C:\WINDOWS\system32\DRIVERS\NuidFltr.sys 28672 bytes (Microsoft Corporation, Filter Driver for Microsoft Hardware HID Non-User Input Data)
0xF7707000 C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF77A7000 C:\WINDOWS\system32\DRIVERS\tap0901.sys 28672 bytes (The OpenVPN Project, TAP-Win32 Virtual Network Driver)
0xB7BB7000 C:\WINDOWS\System32\Drivers\Aavmker4.SYS 24576 bytes (AVAST Software, avast! Base Kernel-Mode Device Driver for Windows NT/2000/XP)
0xF777F000 C:\WINDOWS\System32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF776F000 C:\WINDOWS\System32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF779F000 C:\WINDOWS\system32\DRIVERS\seehcri.sys 24576 bytes (Sony Ericsson Mobile Communications, seehcri Driver)
0xF77FF000 C:\WINDOWS\System32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xB1A2A000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xAD8C6000 C:\WINDOWS\system32\DRIVERS\AegisP.sys 20480 bytes (Meetinghouse Data Communications, IEEE 802.1X Protocol Driver)
0xB1A0A000 C:\WINDOWS\System32\Drivers\aswRdr.SYS 20480 bytes (AVAST Software, avast! TDI RDR Driver)
0xB47F6000 C:\WINDOWS\System32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xB1A22000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF770F000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF7787000 C:\WINDOWS\System32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF778F000 C:\WINDOWS\System32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF77AF000 C:\WINDOWS\system32\DRIVERS\ss.sys 20480 bytes (WikiTek Inc., StreamSurge Intermediate Miniport Driver)
0xB7BDF000 C:\WINDOWS\System32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF77C7000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xAB5C1000 C:\PROGRA~1\Belkin\F5D9050\BKNDIS5.SYS 16384 bytes (Gemtek Technology Co., GTNDIS NDIS 5.0 Protocol Driver)
0xF7913000 C:\WINDOWS\System32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB7D1E000 C:\WINDOWS\system32\drivers\MODEMCSA.sys 16384 bytes (Microsoft Corporation, Unimodem CSA Filter)
0xB7D22000 C:\WINDOWS\System32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xAAA00000 C:\WINDOWS\System32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xB87D8000 C:\WINDOWS\System32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xAFE46000 C:\WINDOWS\System32\Drivers\aswFsBlk.SYS 12288 bytes (AVAST Software, avast! File System Access Blocking Driver)
0xF7897000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xAF49A000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xB8730000 C:\WINDOWS\System32\DRIVERS\gameenum.sys 12288 bytes (Microsoft Corporation, Game Port Enumerator)
0xB02C0000 C:\WINDOWS\System32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xAFE3A000 C:\WINDOWS\System32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB8728000 C:\WINDOWS\System32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xB199E000 C:\WINDOWS\System32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF7A09000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF79E3000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7A07000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7987000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF798D000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xAD4E7000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xB1A5E000 C:\WINDOWS\system32\Drivers\PROCEXP113.SYS 8192 bytes
0xF798F000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF79D7000 C:\WINDOWS\System32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF79F3000 C:\WINDOWS\System32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF798B000 viaide.sys 8192 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xF7989000 C:\WINDOWS\System32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7A75000 C:\WINDOWS\System32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xB4896000 C:\WINDOWS\System32\Drivers\BANTExt.sys 4096 bytes
0xAFB62000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xB1A67000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
==============================================
>Stealth
==============================================
0xAA80C190 Unknown thread object [ ETHREAD 0x88C555A0 ] , 600 bytes
0xAA80C190 Unknown thread object [ ETHREAD 0x88F2A3E8 ] , 600 bytes
0xAA818570 Unknown thread object [ ETHREAD 0x8925D020 ] , 600 bytes
0xAA80C190 Unknown thread object [ ETHREAD 0x894F0DA8 ] , 600 bytes
0xAA818570 Unknown thread object [ ETHREAD 0x88B78618 ] , 600 bytes
0xAA818570 Unknown thread object [ ETHREAD 0x88DDC5A0 ] , 600 bytes

Out of interest, the first time I ran ComboFix, it created a folder called 'Qoobox' on my C Drive, is this normal? In it there is a 'Quarantine' folder? I have attached a screenshot of its contents for you to look at.

How is your computer running



As far as I know, as normal.

Cheers


#9 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  • Gender:Male
  • Location:God's Country
  • Local time:10:20 AM

Posted 28 January 2011 - 10:20 AM

Hi Zoaxxa,

Out of interest, the first time I ran ComboFix, it created a folder called 'Qoobox' on my C Drive, is this normal?

The Qoobox folder is part of ComboFix. When we uninstall Combofix it will be uninstalled also.

...as far as I know I've never installed Kaspersky anti-virus package.
It occurred to me that this may have something to do with me taking advantage of a GAOTD opportunity to acquire the Kaspersky security suite via this link, My link

The link provided points to a free offer for Kaspersky Antivirus 2011 but it is not on your system. I pointed out that it was not malware since you were concerned about it. :thumbup2:


Did you set this Firefox proxy, United States Austin Advanced Colocation?

Not as far as I'm aware.

Austin Advanced Colocation is a web/server hosting service. Below are some links that explain the service. It doesn't appear to be malicious. I will let you determine whether to keep or remove.

http://www.christianet.com/dedicatedhosting/colocationnetwork.htm
http://onr.com/colocation/index.php?gclid=CJich7-K3aYCFQjrKgodBBaA3A
http://advancedcolocation.com/

How to Remove a Proxy Server in Firefox

Please see my posts #4 and #6. :)

Please do not attach logs unless asked to


We need to run a Combofix Script

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. <<----Important
3. Open notepad and copy/paste the text in the codebox below into it:

Driver::
SASENUM
WPN111

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

If Combofix prompts you to update the program please allow it to do so.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


In your next reply please include the following:

ComboFix.txt
<--Please copy and paste the log directly into the reply box.


How is your computer running?


Thanks!!
PW
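As an added example (not from this thread, and not part of ComboFix), here is a small Python checker that reads the "FF - prefs.js:" lines ComboFix prints and reports whether a configured proxy is actually in effect: Firefox only routes traffic through network.proxy.http when network.proxy.type is 1, so a type of 4 (auto-detect) means the host is recorded but not in use. The function names are mine; the first sample reuses the proxy lines from the log in this thread and the second is a constructed variant with a manual (active) proxy.

```python
"""Audit Firefox proxy prefs as reported in a ComboFix 'FF - prefs.js:' section."""
import ipaddress
import re
from typing import Dict, List, Optional

# Meaning of Firefox's network.proxy.type values.
PROXY_TYPES = {
    0: "no proxy",
    1: "manual proxy configuration",
    2: "proxy auto-config (PAC) URL",
    4: "auto-detect proxy settings (WPAD)",
    5: "use system proxy settings",
}

# ComboFix prints each non-default Firefox pref as "FF - prefs.js: <name> - <value>".
PREF_LINE = re.compile(r"^FF - prefs\.js: (?P<name>[\w.\-]+) - (?P<value>.*)$")


def parse_ff_prefs(log_lines: List[str]) -> Dict[str, str]:
    """Collect the prefs.js entries from ComboFix output into a name -> value map."""
    prefs: Dict[str, str] = {}
    for line in log_lines:
        m = PREF_LINE.match(line.strip())
        if m:
            prefs[m.group("name")] = m.group("value").strip()
    return prefs


def is_external(host: str) -> bool:
    """True when the proxy host is not loopback/private, i.e. traffic would leave the LAN."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: treat any hostname other than localhost as external.
        return host.lower() != "localhost"
    return not (ip.is_loopback or ip.is_private or ip.is_link_local)


def audit_proxy(log_lines: List[str]) -> dict:
    """Summarise the proxy configuration and whether it is actually active."""
    prefs = parse_ff_prefs(log_lines)
    raw_type = prefs.get("network.proxy.type")
    ptype: Optional[int] = int(raw_type) if raw_type and raw_type.isdigit() else None
    result = {
        "proxy_type": ptype,
        "type_description": PROXY_TYPES.get(ptype, "unknown") if ptype is not None
        else "default (network.proxy.type not set in prefs.js)",
        "manual_host": None,
        "manual_active": False,
        "external": False,
        "findings": [],
    }
    host = prefs.get("network.proxy.http")
    port = prefs.get("network.proxy.http_port")
    if host:
        result["manual_host"] = f"{host}:{port}" if port else host
        result["external"] = is_external(host)
        if ptype == 1:
            # Only type 1 makes Firefox use the manual host/port pair.
            result["manual_active"] = True
            where = " (outside the local network)" if result["external"] else ""
            result["findings"].append(
                f"HTTP traffic is routed through {result['manual_host']}{where}")
        else:
            result["findings"].append(
                f"Proxy {result['manual_host']} is configured but not in use "
                f"(network.proxy.type={ptype})")
    if ptype == 2:
        pac = prefs.get("network.proxy.autoconfig_url", "<not set>")
        result["findings"].append(f"PAC script in use: {pac}")
    if ptype == 4:
        result["findings"].append(
            "Auto-detect (WPAD) enabled: the browser will use any proxy the local network advertises")
    return result


# Proxy-related lines as they appear in the ComboFix log in this thread (constructed subset).
LOG_FROM_THREAD = [
    "FF - prefs.js: browser.startup.homepage - about:blank",
    "FF - prefs.js: network.proxy.http - 72.52.65.4",
    "FF - prefs.js: network.proxy.http_port - 3128",
    "FF - prefs.js: network.proxy.type - 4",
]

# Constructed variant showing what the same host would look like as an active manual proxy.
LOG_MANUAL_PROXY = [
    "FF - prefs.js: network.proxy.http - 72.52.65.4",
    "FF - prefs.js: network.proxy.http_port - 3128",
    "FF - prefs.js: network.proxy.type - 1",
]

if __name__ == "__main__":
    for label, lines in (("thread log", LOG_FROM_THREAD), ("manual proxy", LOG_MANUAL_PROXY)):
        r = audit_proxy(lines)
        print(f"{label}: type {r['proxy_type']} ({r['type_description']}), active={r['manual_active']}")
        for finding in r["findings"]:
            print("  -", finding)
```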

#10 Zoaxxa

Zoaxxa
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:20 PM

Posted 28 January 2011 - 04:50 PM

The link provided points to a free offer for Kaspersky Antivirus 2011 but it is not on your system. I pointed out that it was not malware since you were concerned about it. :thumbup2:


If it's not linked with Avast can I assume it's safe to uninstall? :unsure:

We need to run a Combofix Script



ComboFix 11-01-25.05 - User01 28/01/2011 20:38:05.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2303.1880 [GMT 0:00]
Running from: c:\documents and settings\User01\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User01\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SASENUM
-------\Service_WPN111


((((((((((((((((((((((((( Files Created from 2010-12-28 to 2011-01-28 )))))))))))))))))))))))))))))))
.

2011-01-24 20:39 . 2011-01-24 20:39 -------- d-----w- c:\documents and settings\User01\Application Data\Tidy Start Menu
2011-01-24 20:39 . 2011-01-24 20:39 -------- d-----w- c:\program files\Tidy Start Menu
2011-01-19 12:09 . 2011-01-19 12:09 -------- d-----w- c:\documents and settings\User01\Application Data\Malwarebytes
2011-01-19 12:09 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-19 12:09 . 2011-01-19 12:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-01-19 12:09 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-19 12:09 . 2011-01-19 12:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-09 15:38 . 2011-01-09 15:44 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
2011-01-09 15:38 . 2011-01-09 15:38 -------- d-----w- c:\program files\PCPitstop
2011-01-03 17:48 . 2011-01-03 17:48 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{73086D7F-9A14-4838-9E90-506EB6AA0FE5}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-13 08:47 . 2010-06-29 21:10 38848 ----a-w- c:\windows\avastSS.scr
2011-01-13 08:47 . 2010-02-16 18:46 188216 ----a-w- c:\windows\system32\aswBoot.exe
2011-01-13 08:41 . 2010-02-16 18:47 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-01-13 08:40 . 2010-02-16 18:47 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-01-13 08:40 . 2010-02-16 18:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-01-13 08:39 . 2010-02-16 18:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-01-13 08:37 . 2010-02-16 18:47 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-01-13 08:37 . 2010-02-16 18:47 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-01-13 08:37 . 2010-02-16 18:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-12-12 19:23 . 2010-12-13 01:39 57344 ----a-w- c:\windows\system32\CleanMem.exe
2010-11-18 18:12 . 2009-07-28 22:14 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2002-08-29 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2002-08-29 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2002-08-29 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2002-08-29 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2010-02-13 20:55 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2002-08-29 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GladinetIconOverlay]
@="{3C3DC57A-7535-48AF-BB9E-C3576A4F34D0}"
[HKEY_CLASSES_ROOT\CLSID\{3C3DC57A-7535-48AF-BB9E-C3576A4F34D0}]
2010-11-17 22:06 193896 ----a-w- c:\program files\Gladinet\Gladinet Cloud Desktop\GlOverlayIcon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GladinetUploading]
@="{959A18D3-9CC9-41e8-B76F-34ED9A89D4EA}"
[HKEY_CLASSES_ROOT\CLSID\{959A18D3-9CC9-41e8-B76F-34ED9A89D4EA}]
2010-11-17 22:10 193896 ----a-w- c:\program files\Gladinet\Gladinet Cloud Desktop\GlOverlayIconU.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-01-13 3396624]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-11 13666408]
"F5D9050"="c:\program files\Belkin\F5D9050\Belkinwcui.exe" [2006-02-14 1531904]
"AntiLogger"="c:\program files\AntiLogger\AntiLogger.exe" [2011-01-03 9340872]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Down2Home.lnk - c:\program files\Down2Home\Down2Home.exe [2003-3-11 307200]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoFileAssociate"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0DfSDKBt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^User01^Start Menu^Programs^Startup^Secunia PSI.lnk]
path=c:\documents and settings\User01\Start Menu\Programs\Startup\Secunia PSI.lnk
backup=c:\windows\pss\Secunia PSI.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\No install programs\\utorrent\\utorrent.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Gladinet\\Gladinet Cloud Desktop\\GladinetClient.exe"=

R1 AntiLog32;AntiLog32;c:\program files\AntiLogger\AntiLog32.sys [03/01/2011 12:46 121288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [16/02/2010 18:47 294608]
R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [11/12/2009 22:52 74088]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [16/02/2010 18:47 17744]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\Blue Coat K9 Web Protection\k9filter.exe [11/12/2009 22:52 1078632]
R2 BT848;WinFast TV2000 XP WDM Video Capture;c:\windows\system32\drivers\wf2kvcap.sys [01/06/2005 16:00 76325]
R2 GladFileMonSvc;GladFileMonSvc;c:\program files\Gladinet\Gladinet Cloud Desktop\GladFileMonSvc.exe [17/11/2010 22:17 27496]
R2 GreenPrint;GreenPrint;c:\program files\GreenPrint\gpsrht01.exe [21/02/2010 21:29 427048]
R2 Printer Control;Printer Control;c:\windows\system32\PrintCtrl.exe [11/12/2010 19:55 77824]
R3 BKNDIS5;BKNDIS5 NDIS Protocol Driver;c:\progra~1\Belkin\F5D9050\BKNDIS5.SYS [06/06/2010 10:42 15872]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [05/05/2010 18:10 27632]
R3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\drivers\ss.sys [06/06/2010 10:42 19968]
S3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 2010 Advanced\DfSdkS.exe [22/03/2010 22:35 406016]
S3 DM9USB;DM9601 USB To Fast Ethernet Adapter;c:\windows\system32\drivers\dm9usb.sys [13/02/2010 14:04 26674]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [13/02/2010 12:36 17149]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [05/05/2010 18:10 13224]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [20/10/2009 18:19 50704]
S3 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [09/01/2011 15:38 90864]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [28/05/2010 11:04 14896]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - BKNDIS5
.
Contents of the 'Scheduled Tasks' folder

2011-01-27 c:\windows\Tasks\Clean System Memory.job
- c:\windows\system32\CleanMem.exe [2010-12-13 19:23]
.
.
------- Supplementary Scan -------
.
uStart Page =
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.routerlogin.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Bayside Sniper - Add Auction Item - c:\documents and settings\User01\Application Data\BaysideSniperII\BaysideSniperIE.dll/IE/201
IE: Bayside Sniper - Item Feedback Analyzer - c:\documents and settings\User01\Application Data\BaysideSniperII\BaysideSniperIE.dll/IE/202
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: LastPass - file://c:\program files\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\LastPass\context.html?cmd=fillforms
IE: { - c:\program files\Messenger\msmsgs.exe
IE: {{C8644EC1-E8D3-4691-B778-6458E3701177} - res://c:\documents and settings\User01\Application Data\BaysideSniperII\BaysideSniperIE.dll/IE/201
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\User01\Application Data\Mozilla\Firefox\Profiles\elsyy16s.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.http - 72.52.65.4
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - c:\program files\Mozilla Firefox\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: QuickDrag: quickdrag@mozilla.ktechcomputing.com - %profile%\extensions\quickdrag@mozilla.ktechcomputing.com
FF - Ext: Tab Scope: tabscope@xuldev.org - %profile%\extensions\tabscope@xuldev.org
FF - Ext: Speed Dial: {64161300-e22b-11db-8314-0800200c9a66} - %profile%\extensions\{64161300-e22b-11db-8314-0800200c9a66}
FF - Ext: Locationbar²: locationbar2@design-noir.de - %profile%\extensions\locationbar2@design-noir.de
FF - Ext: Automatic Save Folder: asf@mangaheart.org - %profile%\extensions\asf@mangaheart.org
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: User Agent Switcher: {e968fc70-8f95-4ab9-9e79-304de2a71ee1} - %profile%\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
FF - Ext: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - %profile%\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
FF - Ext: PDF Download: {37E4D8EA-8BDA-4831-8EA1-89053939A250} - %profile%\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
FF - Ext: FEBE: {4BBDD651-70CF-4821-84F8-2B918CF89CA3} - %profile%\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
FF - Ext: Add-on Collector: sharing@addons.mozilla.org - %profile%\extensions\sharing@addons.mozilla.org
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: Tabhunter: tabhunter@ericpromislow.com - %profile%\extensions\tabhunter@ericpromislow.com
FF - Ext: MR Tech Toolkit: {9669CC8F-B388-42FE-86F4-CB5E7F5A8BDC} - %profile%\extensions\{9669CC8F-B388-42FE-86F4-CB5E7F5A8BDC}
FF - Ext: Session Manager: {1280606b-2510-4fe0-97ef-9b5a22eafe30} - %profile%\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}
FF - Ext: Tab Kit: tabkit@jomel.me.uk - %profile%\extensions\tabkit@jomel.me.uk
FF - Ext: Forecastfox Weather: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - %profile%\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
FF - Ext: WebMail Notifier: {37fa1426-b82d-11db-8314-0800200c9a66} - %profile%\extensions\{37fa1426-b82d-11db-8314-0800200c9a66}
FF - Ext: LastPass: support@lastpass.com - %profile%\extensions\support@lastpass.com
FF - Ext: BugMeNot: {987311C6-B504-4aa2-90BF-60CC49808D42} - %profile%\extensions\{987311C6-B504-4aa2-90BF-60CC49808D42}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: ChatZilla: {59c81df5-4b7a-477b-912d-4e0fdf64e5f2} - %profile%\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}
FF - Ext: Screengrab: {02450954-cdd9-410f-b1da-db804e18c671} - %profile%\extensions\{02450954-cdd9-410f-b1da-db804e18c671}
FF - Ext: Diigo Bookmarks and Web Annotations: {fc2b8f80-d9a5-4f51-8076-7c7ce3c67ee3} - %profile%\extensions\{fc2b8f80-d9a5-4f51-8076-7c7ce3c67ee3}
FF - Ext: Dr.Web anti-virus link checker: {6614d11d-d21d-b211-ae23-815234e1ebb5} - %profile%\extensions\{6614d11d-d21d-b211-ae23-815234e1ebb5}
FF - Ext: ImTranslator: {9AA46F4F-4DC7-4c06-97AF-5035170634FE} - %profile%\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170634FE}
FF - Ext: Vacuum Places Improved: VacuumPlacesImproved@lultimouomo-gmail.com - %profile%\extensions\VacuumPlacesImproved@lultimouomo-gmail.com
FF - Ext: Memory Fox: {E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B} - %profile%\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}
FF - Ext: Nuke Anything Enhanced: {1ced4832-f06e-413f-aa14-9eb63ad40ace} - %profile%\extensions\{1ced4832-f06e-413f-aa14-9eb63ad40ace}
FF - Ext: CoolPreviews : {CE6E6E3B-84DD-4cac-9F63-8D2AE4F30A4B} - %profile%\extensions\{CE6E6E3B-84DD-4cac-9F63-8D2AE4F30A4B}
FF - Ext: Gradient Brushed Metal: GradientBrushedMetalFF3@pumpel.com - %profile%\extensions\GradientBrushedMetalFF3@pumpel.com
FF - Ext: MacOSX Theme: {00352F14-3F76-4e4d-ACFF-9976D7E4B3B9} - %profile%\extensions\{00352F14-3F76-4e4d-ACFF-9976D7E4B3B9}
FF - Ext: Favicon Picker 2: {446c03e0-2c35-11db-a98b-0800200c9a66} - %profile%\extensions\{446c03e0-2c35-11db-a98b-0800200c9a66}
FF - Ext: Organize Status Bar: {35106bca-6c78-48c7-ac28-56df30b51d2c} - %profile%\extensions\{35106bca-6c78-48c7-ac28-56df30b51d2c}
FF - Ext: Noia 2.0 (eXtreme): {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} - %profile%\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
FF - Ext: Silvermel: silvermel@pardal.de - %profile%\extensions\silvermel@pardal.de
FF - Ext: Aluminium Kai 2: {a45e6b3a-725d-4b20-afde-e7486bfe317c} - %profile%\extensions\{a45e6b3a-725d-4b20-afde-e7486bfe317c}
FF - Ext: Operetta: opera10skin@firefox.theme - %profile%\extensions\opera10skin@firefox.theme
FF - Ext: Smart Bookmarks 2.0: laviesaint@gmail.com - %profile%\extensions\laviesaint@gmail.com
FF - Ext: Read It Later: isreaditlater@ideashower.com - %profile%\extensions\isreaditlater@ideashower.com
FF - Ext: Text Link: {54BB9F3F-07E5-486c-9B39-C7398B99391C} - %profile%\extensions\{54BB9F3F-07E5-486c-9B39-C7398B99391C}
FF - Ext: Find In Tabs: FindInTabs@mishac.com - %profile%\extensions\FindInTabs@mishac.com
FF - Ext: Charamel: {961408A3-C970-4577-970A-D97C29839A67} - %profile%\extensions\{961408A3-C970-4577-970A-D97C29839A67}
FF - Ext: Past Modern: {81514210-E22A-4e69-93D5-E1EFD45B4620} - %profile%\extensions\{81514210-E22A-4e69-93D5-E1EFD45B4620}
FF - Ext: iTunesFox: iTunesFox@sjcmankimo.tw - %profile%\extensions\iTunesFox@sjcmankimo.tw
FF - Ext: ProfileSwitcher: {fa8476cf-a98c-4e08-99b4-65a69cb4b7d4} - %profile%\extensions\{fa8476cf-a98c-4e08-99b4-65a69cb4b7d4}
FF - Ext: Back to Top: {3C9A65A6-9563-4485-BA4A-4BCD698BCFB4} - %profile%\extensions\{3C9A65A6-9563-4485-BA4A-4BCD698BCFB4}
FF - Ext: OPIE: OPIE@guid.customsoftwareconsult.com - %profile%\extensions\OPIE@guid.customsoftwareconsult.com
FF - Ext: Element Hiding Helper for Adblock Plus: elemhidehelper@adblockplus.org - %profile%\extensions\elemhidehelper@adblockplus.org
FF - Ext: lyrics: {0e92e63d-3f90-471b-a4f0-b2de052aa046} - %profile%\extensions\{0e92e63d-3f90-471b-a4f0-b2de052aa046}
FF - Ext: Converter: {8B72860F-C5F8-4286-865E-D2C2DB98A9E6} - %profile%\extensions\{8B72860F-C5F8-4286-865E-D2C2DB98A9E6}
FF - Ext: Resurrect Pages: {0c8fbd76-bdeb-4c52-9b24-d587ce7b9dc3} - %profile%\extensions\{0c8fbd76-bdeb-4c52-9b24-d587ce7b9dc3}
FF - Ext: Searchbastard: searchbastard@rosell.dk - %profile%\extensions\searchbastard@rosell.dk
FF - Ext: SmoothWheel (mozdev.org): {5F590AA2-1221-4113-A6F4-A4BB62414FAC} - %profile%\extensions\{5F590AA2-1221-4113-A6F4-A4BB62414FAC}
FF - Ext: SmoothWheel (AMO): {5F590AA2-1221-4113-A6F4-A4BB62414FAC} - %profile%\extensions\{5F590AA2-1221-4113-A6F4-A4BB62414FAC}
FF - Ext: Spam Control: {db72cc3b-578c-43b2-8adb-b0a91803e9bf} - %profile%\extensions\{db72cc3b-578c-43b2-8adb-b0a91803e9bf}
FF - Ext: Surf Canyon - Search Engine Assistant: {75623d5d-4683-402a-b610-ac4bab767c86} - %profile%\extensions\{75623d5d-4683-402a-b610-ac4bab767c86}
FF - Ext: CS Lite: {00084897-021a-4361-8423-083407a033e0} - %profile%\extensions\{00084897-021a-4361-8423-083407a033e0}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: QuickNote: {C0CB8BA3-6C1B-47e8-A6AB-1FAB889562D9} - %profile%\extensions\{C0CB8BA3-6C1B-47e8-A6AB-1FAB889562D9}
FF - Ext: iMacros for Firefox: {81BF1D23-5F17-408D-AC6B-BD6DF7CAF670} - %profile%\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}
FF - Ext: getFavicon: getFavicon@xieluyun - %profile%\extensions\getFavicon@xieluyun
FF - Ext: QuickFox Notes: amin.eft_bmnotes@gmail.com - %profile%\extensions\amin.eft_bmnotes@gmail.com
FF - Ext: BarTab: bartap@philikon.de - %profile%\extensions\bartap@philikon.de
FF - Ext: My Voucher Codes Community Toolbar: {15b9700d-f5b7-4d0a-ae43-9b5099836a58} - %profile%\extensions\{15b9700d-f5b7-4d0a-ae43-9b5099836a58}
FF - Ext: Bayside Sniper Toolbar Button: bsfftb@sheaware.com - c:\documents and settings\User01\Application Data\BaysideSniperII\bsfftb
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: browser.blink_allowed - false
FF - user.js: network.prefetch-next - true
FF - user.js: nglayout.initialpaint.delay - 250
FF - user.js: layout.spellcheckDefault - 2
FF - user.js: browser.urlbar.autoFill - false
FF - user.js: browser.search.openintab - false
FF - user.js: browser.tabs.closeButtons - 1
FF - user.js: browser.tabs.opentabfor.middleclick - true
FF - user.js: browser.tabs.tabMinWidth - 100
FF - user.js: browser.urlbar.hideGoButton - false
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-28 20:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\GreenPrint\Azara]
@Denied: (A D 2 3 4 5 6) (Everyone)
@="c:\\Documents and Settings\\All Users\\Application Data\\GreenPrint\\Common\\Data\\TPDC-362750.XML"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3352)
c:\windows\system32\WININET.dll
c:\program files\Gladinet\Gladinet Cloud Desktop\GlOverlayIcon.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\program files\Gladinet\Gladinet Cloud Desktop\GlOverlayIconU.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Gladinet\Gladinet Cloud Desktop\GlCopyHandler.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Sandboxie\SbieSvc.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Gladinet\Gladinet Cloud Desktop\WOSVSSSvrXP32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\GreenPrint\gpsrdg01.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-01-28 21:00:58 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-28 21:00
ComboFix2.txt 2011-01-27 14:31

Pre-Run: 6,879,145,984 bytes free
Post-Run: 6,876,893,184 bytes free

- - End Of File - - DE358FFFA016D50CD359855C2E64EB45


How is your computer running?


Seems to be fine :)

#11 pwgib

  • Malware Response Team
  • 2,956 posts

Posted 28 January 2011 - 05:35 PM

Hi Zoaxxa,

If it's not linked with Avast can I assume it's safe to uninstall?

Yes, it is safe to uninstall. :wink:

You now appear to be all clean. :thumbsup:

We need to do a little house cleaning.


The following two procedures need to be done in the order listed. If you can not do so please let me know.

Step 1.

Uninstall ComboFix

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Note the space between the X and the /U.

Please advise if this step is missed for any reason as it performs some important functions.

Step 2.

Please open OTL
  • Double click on the OTL icon on your desktop.
  • Click the "Cleanup" checkbox.
  • You will be asked, "Begin Cleanup Process"
  • Select Yes
  • You will be prompted to restart your computer.
You can now uninstall any other programs we may have used and delete any logs that may have been generated.

Step 3.

Here are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of them, however, by following the rest of them you will reduce the risk of becoming re-infected.

It is critical to stay up to date with the latest upgrades to your Operating System, as this can help prevent future problems. You can find Microsoft updates here

I recommend that you visit the link above and either enable 'Automatic Updates' under Start | Control Panel | Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

New viruses come out every minute, so it is essential that you keep your antivirus program updated and have the latest signatures to provide you with the best possible protection from malicious software.
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

Make sure you use a firewall. A tutorial on understanding and using firewalls may be found here. For most users the built in Windows Firewall is sufficient. Only use one firewall at a time though.

Install Spyware Blaster and update it regularly
If you wish, the commercial version provides automatic updating.

Malwarebytes' Anti-Malware is an excellent anti-spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
SuperAntiSpyware is another good scanner with high detection and removal rates. Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions. I personally prefer and highly recommend the licensed version of MBAM.

Please read and follow How did I get infected?, With steps so it does not happen again! as well as How to prevent Malware by Miekiemoes

If you have any questions please do not hesitate to ask.



Thanks!!
PW

#12 Zoaxxa
  • Topic Starter
  • Members
  • 12 posts

Posted 29 January 2011 - 07:44 AM

Step 1.

Uninstall ComboFix


Done

Step 2.

Please open OTL



I presumed I needed to download this, which I did and carried out your instructions.

You can now uninstall any other programs we may have used and delete any logs that may have been generated.



Tried to uninstall the Kaspersky program using Revo Uninstaller, using the program's own uninstaller, and it didn't work; it said something about "klif.sys file needed" and prompted me to browse for the file path (I did a screenshot but I can't find it?). I didn't have a clue, so I cancelled, and Revo asked me to restart the computer, which I did. I presumed the uninstall program was missing, so I went back into Revo and used the remove function and was presented with the screenshot attached. I clicked OK and Revo appeared to remove the Kaspersky. Just to make sure, I followed this guide, How to Delete Programs Without Uninstall, steps 9-11.

Step 3.



'Automatic Updates' already enabled. Anti-virus program running. Behind the router's firewall. Malwarebytes' Anti-Malware and SuperAntiSpyware already running. Will install Spyware Blaster. :wacko: Phew! That was a long process. I guess now I would like to know if my computer was infected with anything? :rolleyes: Btw, you must be very patient to deal with all of this; you do an excellent job! :clapping: :)

Thanks

Attached Files



#13 pwgib

  • Malware Response Team
  • 2,956 posts

Posted 29 January 2011 - 10:07 AM

Hi Zoaxxa,

Revo appeared to remove the Kaspersky

Glad you got it sorted. Kaspersky is not visible on your system so it is not active. What you were seeing was probably a remnant. :thumbup2:

It has been a pleasure working with you!

Edited by pwgib, 29 January 2011 - 10:09 AM.

PW
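A check a practitioner would want before trusting that a leftover driver package entry is inert, added here as an example; it is not part of the thread and not any poster's instructions. It assumes (labelled in the comments) that the Kaspersky filter driver registers a kernel service named KLIF with its binary at system32\drivers\klif.sys, and that the Add/Remove Programs entry sits under the standard Uninstall key with "Kaspersky" or "KLIF" in its DisplayName. The registry paths and the driverquery tool are the standard ones on Windows XP and later. Run it from an elevated PowerShell prompt:

```powershell
# Added example (not from the original thread): check whether the Kaspersky KLIF
# filter driver is really gone, or has only left an orphaned Add/Remove Programs entry.
# Assumptions: the driver service is named "KLIF" and its binary is klif.sys under
# system32\drivers; the Add/Remove entry lives under the standard Uninstall key with
# "Kaspersky" or "KLIF" in its DisplayName. Run as Administrator.

$driverName = 'KLIF'                                                   # assumed service name
$driverFile = Join-Path $env:SystemRoot 'system32\drivers\klif.sys'    # assumed binary path

# 1. Is the kernel service registered at all? An orphaned uninstall entry leaves no service.
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$driverName"
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty $svcKey
    Write-Host "Service key present: ImagePath=$($svc.ImagePath) Start=$($svc.Start)"
} else {
    Write-Host "No service key for $driverName"
}

# 2. Is the driver binary on disk, and is it signed by the vendor it claims to be from?
#    A file named klif.sys with a signature that is not Valid, or a signer other than
#    Kaspersky Lab, deserves a closer look; a valid vendor signature points to a leftover.
if (Test-Path $driverFile) {
    $sig = Get-AuthenticodeSignature $driverFile
    Write-Host "klif.sys present: status=$($sig.Status) signer=$($sig.SignerCertificate.Subject)"
} else {
    Write-Host "klif.sys not on disk"
}

# 3. Is anything by that name loaded in the kernel right now? driverquery lists all
#    loaded drivers, including legacy (non-minifilter) filter drivers.
$loaded = driverquery /fo csv | ConvertFrom-Csv |
    Where-Object { $_.'Module Name' -ieq $driverName }
if ($loaded) {
    Write-Host "Driver is loaded:"
    $loaded | Format-List | Out-String | Write-Host
} else {
    Write-Host "Driver not loaded"
}

# 4. Which Add/Remove Programs entries still mention it, and what would they run?
#    The UninstallString is what the Add/Remove 'Remove' button executes; if it points
#    at a file that no longer exists, that explains the "klif.sys file needed" prompt.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
) | Where-Object { Test-Path $_ }

foreach ($root in $uninstallRoots) {
    Get-ChildItem $root | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.DisplayName -match 'Kaspersky|KLIF') {
            Write-Host "Uninstall entry: $($p.DisplayName)"
            Write-Host "  key: $($_.PSChildName)"
            Write-Host "  cmd: $($p.UninstallString)"
        }
    }
}
```

If the service key is absent, the file is missing, and driverquery lists nothing, the Add/Remove entry is an orphan and deleting it (which is what Revo's remove function does) changes nothing in the kernel. If klif.sys is still present, the Authenticode signer is what separates a genuine vendor leftover from something merely borrowing the name, and a loaded driver with no service key is worth a second look regardless of its name.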

#14 pwgib

  • Malware Response Team
  • 2,956 posts

Posted 29 January 2011 - 10:07 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
PW

#15 pwgib

  • Malware Response Team
  • 2,956 posts

Posted 30 January 2011 - 05:18 PM

Topic reopened
PW
