
All Sorts Of Trouble


19 replies to this topic

#16 DragonMyth36


    New Member

  • Authentic Member
  • 9 posts

Posted 19 June 2010 - 10:15 PM

Everything appears to be working much better. Internet Explorer is no longer hijacked and Windows Updates now work again. Svchost appears to be behaving. It is only using about 25 MB and no CPU. Before it was using up to 280 MB and 100% CPU.

I've been browsing and doing everything I normally would do and yes, svchost is no longer acting wonky.

The only problem now is that Firefox doesn't appear to be loading some pages correctly. For example, the CNN webpage loads left justified and mostly text. Some pages load normally and others do not. ESPN also loads mainly as text, left justified. All pages load fine with Internet Explorer. WAIT... several hours later and now Firefox is behaving normally.

Everything appears to be fine. The only thing I can't do is install Windows Media Player. Probably some little piece of Windows has been corrupted with all the loading, unloading, and malware. I can live without it.


Here is the log you asked for, and THANK YOU for your help. Thank you!


ComboFix 10-06-19.03 - The Dragon 06/19/2010 22:36:41.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.690 [GMT -5:00]
Running from: c:\documents and settings\The Dragon\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\The Dragon\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: Outpost Firewall Pro *enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}

FILE ::
"c:\program files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS"
"c:\windows\ayijobecebep.dll"
"c:\windows\system32\DRIVERS\ProtoWall.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\The Dragon\Local Settings\Application Data\rvobtenkh

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ProtoWall
-------\Legacy_ADBLOCK.DLL
-------\Legacy_ARP.DLL
-------\Legacy_CONTENT.DLL
-------\Legacy_DNSCACHE.DLL
-------\Legacy_FTPFILT.DLL
-------\Legacy_HTMLFILT.DLL
-------\Legacy_HTTPFILT.DLL
-------\Legacy_IMAPFILT.DLL
-------\Legacy_MAILFILT.DLL
-------\Legacy_NNTPFILT.DLL
-------\Legacy_OutpostFirewall
-------\Legacy_POP3FILT.DLL
-------\Legacy_PROTECT.DLL
-------\Legacy_SandBox
-------\Legacy_SECRET.DLL
-------\Legacy_VFILT
-------\Service_ADBLOCK.DLL
-------\Service_ARP.DLL
-------\Service_CONTENT.DLL
-------\Service_DNSCACHE.DLL
-------\Service_FTPFILT.DLL
-------\Service_HTMLFILT.DLL
-------\Service_HTTPFILT.DLL
-------\Service_IMAPFILT.DLL
-------\Service_MAILFILT.DLL
-------\Service_NNTPFILT.DLL
-------\Service_OutpostFirewall
-------\Service_POP3FILT.DLL
-------\Service_PROTECT.DLL
-------\Service_SandBox
-------\Service_SECRET.DLL
-------\Service_VFILT


((((((((((((((((((((((((( Files Created from 2010-05-20 to 2010-06-20 )))))))))))))))))))))))))))))))
.

2010-06-20 02:51 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-20 02:06 . 2008-04-13 18:39 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2010-06-20 02:06 . 2008-04-13 18:39 24576 ----a-w- c:\windows\system32\dllcache\kbdclass.sys
2010-06-15 16:15 . 2010-06-15 16:15 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Apple Computer
2010-06-14 10:45 . 2010-06-14 10:45 -------- d-----w- c:\program files\Trend Micro
2010-06-09 11:59 . 2007-08-31 17:52 56496 ----a-w- c:\windows\system32\wbhelp2.dll
2010-06-09 11:59 . 2007-08-31 17:52 33968 ----a-w- c:\windows\system32\anim.dll
2010-06-09 11:59 . 2004-12-07 15:11 258352 ----a-w- c:\windows\system32\unicows.dll
2010-06-09 11:59 . 1999-11-22 20:50 4608 ----a-w- c:\windows\system32\W95INF32.DLL
2010-06-09 11:59 . 1999-11-22 20:50 2272 ----a-w- c:\windows\system32\W95INF16.DLL
2010-06-09 11:59 . 2010-06-09 12:04 -------- d-----w- c:\program files\WinUtilities
2010-06-09 11:42 . 2010-06-09 11:42 -------- d-----w- c:\program files\CCleaner
2010-06-09 04:37 . 2010-06-09 04:37 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Apple
2010-06-08 10:42 . 2010-06-08 10:42 -------- d-----w- c:\program files\Firaxis Games
2010-06-05 12:30 . 2010-06-05 12:30 -------- d-----w- c:\program files\Microsoft Games
2010-06-05 12:12 . 2010-06-05 12:12 -------- d-----w- c:\program files\WON
2010-06-05 12:12 . 2010-06-05 12:12 -------- d-----w- c:\program files\Sierra On-Line
2010-06-05 08:41 . 2010-06-05 08:41 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-06-05 06:42 . 2010-06-05 06:42 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-20 03:47 . 2010-02-06 05:01 -------- d-----w- c:\program files\Chameleon Clock
2010-06-20 03:36 . 2010-02-03 08:15 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-20 03:36 . 2009-12-21 08:26 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-06-20 03:36 . 2008-12-15 08:31 -------- d-----w- c:\program files\PeerGuardian2
2010-06-20 03:36 . 2004-04-24 06:22 -------- d-----w- c:\program files\Say the Time
2010-06-20 03:36 . 2003-12-05 23:23 -------- d-----w- c:\program files\QuickTime
2010-06-16 19:30 . 2010-02-03 09:05 -------- d-----w- c:\program files\McAfee
2010-06-16 13:13 . 2008-07-22 09:06 -------- d-----w- c:\program files\ESET
2010-06-14 14:19 . 2003-12-05 19:48 48976 ----a-w- c:\documents and settings\The Dragon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-14 12:19 . 2010-02-03 03:13 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-13 07:14 . 2008-10-01 11:27 -------- d-----w- c:\program files\Full Tilt Poker
2010-06-13 05:14 . 2010-02-03 03:06 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-09 11:52 . 2009-07-14 04:33 -------- d-----w- c:\documents and settings\The Dragon\Application Data\Media Player Classic
2010-06-09 11:51 . 2005-11-03 20:16 -------- d-----w- c:\documents and settings\The Dragon\Application Data\Azureus
2010-06-08 11:51 . 2003-12-03 05:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-08 04:57 . 2010-04-18 01:09 -------- d-----w- c:\documents and settings\The Dragon\Application Data\uTorrent
2010-06-05 02:14 . 2008-08-11 11:27 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-12 16:29 . 2003-12-05 21:21 -------- d-----w- c:\program files\Google
2010-05-06 10:41 . 2006-06-23 17:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-03 19:11 . 2010-05-02 19:16 -------- d-----w- c:\documents and settings\The Dragon\Application Data\Winamp
2010-05-02 19:17 . 2010-05-02 19:16 -------- d-----w- c:\program files\Winamp
2010-05-02 19:16 . 2010-05-02 19:16 -------- d-----w- c:\program files\Winamp Detect
2010-05-02 19:05 . 2007-03-15 04:08 -------- d-----w- c:\program files\Windows Media Connect 2
2010-05-02 05:22 . 2002-08-29 11:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-30 13:08 . 2010-04-18 01:09 -------- d-----w- c:\program files\uTorrent
2010-04-30 09:54 . 2010-04-30 09:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-30 08:23 . 2010-02-03 03:13 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-30 08:05 . 2010-04-30 08:02 -------- d-----w- c:\documents and settings\The Dragon\Application Data\QuickScan
2010-04-30 05:27 . 2010-04-30 05:27 0 ----a-w- c:\windows\Gtesuvimu.bin
2010-04-30 05:27 . 2010-04-30 05:27 120 ----a-w- c:\windows\Mhoxevoganidesu.dat
2010-04-29 20:39 . 2010-04-30 09:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2010-04-30 09:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2002-08-29 11:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-01 23:54 . 2010-04-01 23:54 106 ----a-w- c:\windows\system32\desktop8.dat
2010-02-03 06:40 . 2010-02-03 06:40 4 ----a-w- c:\program files\978484.dat
2010-02-02 01:06 . 2010-02-02 01:06 4 ----a-w- c:\program files\206046.dat
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HomeAlarm"="c:\program files\Chameleon Clock\ChamClock.exe" [2007-12-11 709632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
backup=c:\windows\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DESKTOP(2).INI]
backup=c:\windows\pss\DESKTOP(2).INICommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
backup=c:\windows\pss\Quicken Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^The Dragon^Start Menu^Programs^Startup^DESKTOP(2).INI]
backup=c:\windows\pss\DESKTOP(2).INIStartup

[HKLM\~\startupfolder\C:^Documents and Settings^The Dragon^Start Menu^Programs^Startup^ePrompter.lnk]
backup=c:\windows\pss\ePrompter.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50 155648 ----a-w- c:\windows\SYSTEM32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-05-16 19:01 13529088 ----a-w- c:\windows\SYSTEM32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-05-16 19:01 86016 ----a-w- c:\windows\SYSTEM32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2003-08-27 01:47 204800 ------w- c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 05:08 417792 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-01-05 13:56 2002160 ----a-w- c:\program files\SUPERAntiSpyware\superantispyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-04-30 09:11 321328 ----a-w- c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
2009-03-07 01:08 3558136 ----a-w- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2010-01-13 22:44 37888 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Full Tilt Poker\\FullTiltPoker.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\WINDOWS\\SYSTEM32\\taskmgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\SYSTEM32\\spoolsv.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 8:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 8:56 AM 74480]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2/3/2010 4:09 AM 93320]
R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\SYSTEM32\DRIVERS\lne100v5.sys [4/12/2004 5:39 PM 36224]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/18/2010 5:05 AM 135664]
S2 mrtRate;mrtRate; [x]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 8:56 AM 7408]
S4 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [11/17/2006 4:31 PM 639224]
.
Contents of the 'Scheduled Tasks' folder

2010-06-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 10:05]

2010-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 10:05]

2010-06-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-03 18:22]

2010-06-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-03 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.runescape.com/title.ws
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\The Dragon\Application Data\Mozilla\Firefox\Profiles\default.4ne\
FF - prefs.js: browser.startup.homepage - hxxp://www.drudgereport.com/
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\The Dragon\Application Data\Mozilla\Firefox\Profiles\default.4ne\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\The Dragon\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\The Dragon\Application Data\Mozilla\Firefox\Profiles\default.4ne\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\The Dragon\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-nwiz - nwiz.exe
MSConfigStartUp-PWRISOVM - c:\program files\PowerISO\PWRISOVM.EXE
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-19 22:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1269095022-213562631-4004672536-1007\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:49,11,e5,43,bd,9e,16,9d,c5,6d,0d,be,eb,82,3b,52,fd,70,86,2b,86,a1,05,
b4,f1,d4,ab,bf,ec,d7,9f,1c,9c,ca,2f,d4,ef,6c,f7,fb,59,89,59,7a,a8,18,e7,b1,\
"??"=hex:e6,6a,a3,1c,fa,72,01,e3,3c,21,d6,00,54,d0,25,36

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(528)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(332)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\nvsvc32.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2010-06-19 22:59:13 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-20 03:59
ComboFix2.txt 2010-06-20 02:38
ComboFix3.txt 2010-04-30 09:24

Pre-Run: 10,630,578,176 bytes free
Post-Run: 10,604,769,280 bytes free

- - End Of File - - 1C47A71A64E0D585FE1B9BC521B662A4

Edited by DragonMyth36, 20 June 2010 - 12:56 AM.
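A log like the one above is normally triaged by eye. As an added example (not code from this thread, from ComboFix, or from its author), here is a small Python parser for the ComboFix log layout shown above. The section-header and entry formats are inferred from the posted log, `SAMPLE_LOG` is a constructed excerpt trimmed from it, and the findings are prompts for a second look rather than verdicts: the `"EnableFirewall"= 0` entry is expected when a third-party firewall replaces the Windows one (the log header shows McAfee and Outpost both enabled), and a file created directly under `c:\windows` is only unusual, not proven malicious.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix's own
code).  Parses 'Files Created', 'Find3M Report' and 'Reg Loading Points' and
raises defender-side prompts: host firewall off, Security Center monitoring
off, and files created directly under the Windows directory."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed excerpt, trimmed from the log posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-05-20 to 2010-06-20 )))))))))))))))))))))))))))))))
.
2010-06-20 02:51 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-14 10:45 . 2010-06-14 10:45 -------- d-----w- c:\program files\Trend Micro
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-06 10:41 . 2006-06-23 17:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-04-30 05:27 . 2010-04-30 05:27 0 ----a-w- c:\windows\Gtesuvimu.bin
2010-04-30 05:27 . 2010-04-30 05:27 120 ----a-w- c:\windows\Mhoxevoganidesu.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")          # "((( Name )))" headers
# "<created> . <modified> <size or --------> <attrs> <path>"
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\d+|-{8}) ([a-z-]{8}) (.+)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


@dataclass
class FileEntry:
    created: str
    modified: str
    size: int | None      # None for directory entries ("--------")
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def split_sections(log: str) -> dict[str, list[str]]:
    """Group lines under the section header that precedes them."""
    sections: dict[str, list[str]] = {}
    current = "preamble"
    for line in log.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections


def parse_file_entries(lines: list[str]) -> list[FileEntry]:
    entries = []
    for line in lines:
        if (m := ENTRY_RE.match(line.strip())):
            created, modified, size, attrs, path = m.groups()
            entries.append(FileEntry(created, modified,
                                     None if size.startswith("-") else int(size),
                                     attrs, path))
    return entries


def parse_registry(lines: list[str]) -> dict[str, dict[str, str]]:
    """Return {key: {value_name: raw_value}} from the REGEDIT4-style dump."""
    reg: dict[str, dict[str, str]] = {}
    key = None
    for line in lines:
        line = line.strip()
        if (m := KEY_RE.match(line)):
            key = m.group(1)
            reg.setdefault(key, {})
        elif key and (m := VALUE_RE.match(line)):
            reg[key][m.group(1)] = m.group(2)
    return reg


def triage(log: str) -> list[str]:
    sections = split_sections(log)
    files: list[FileEntry] = []
    for name, lines in sections.items():
        if name.startswith("Files Created") or name == "Find3M Report":
            files.extend(parse_file_entries(lines))
    reg = parse_registry(sections.get("Reg Loading Points", []))

    findings = []
    for key, values in reg.items():
        if (key.lower().endswith(r"firewallpolicy\standardprofile")
                and values.get("EnableFirewall", "").startswith("0")):
            findings.append("Windows Firewall disabled for the standard profile "
                            "(expected only if a third-party firewall is active)")
        m = re.search(r"security center\\Monitoring\\([^\\]+)$", key, re.IGNORECASE)
        if m and values.get("DisableMonitoring") == "dword:00000001":
            findings.append(f"Security Center monitoring disabled for {m.group(1)}")
    win_root = "c:\\windows\\"
    for f in files:
        low = f.path.lower()
        # A file (not a directory) sitting directly in the Windows root is rare
        # for legitimate software and is worth a manual check.
        if low.startswith(win_root) and not f.is_dir and "\\" not in low[len(win_root):]:
            findings.append(f"file created directly under the Windows directory: {f.path}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

Run against the full log above, the same rules would list both Security Center monitoring entries and the two `c:\windows\*.bin`/`*.dat` files from the Find3M report; anything the parser flags still has to be judged against what the machine legitimately runs, which is exactly what the helper in this thread did by hand.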



#17 LDTate


    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 20 June 2010 - 05:10 AM

Good job :thumbup:

The following will implement some cleanup procedures as well as reset System Restore points:

  • Click START run
  • Now type ComboFix /Uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.

To be on the safe side, I would also change all my passwords.



Here's my usual all clean post

Log looks good :D


This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.


  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
    (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.
    Without a firewall your computer is susceptible to being hacked and taken over.
    I am very serious about this and see it happen almost every day with my clients.
    Simply using a Firewall in its default configuration can lower your risk greatly.

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
    This will ensure your computer always has the latest available security updates installed.
    If there are new updates to install, install them immediately, reboot your computer, and revisit the site
    until there are no more critical updates.

Only run one Anti-Virus and Firewall program.


I would suggest you read How to Prevent Malware:

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#18 DragonMyth36


    New Member

  • Authentic Member
  • 9 posts

Posted 20 June 2010 - 06:16 AM

Once again, thank you so very much for the help and your time. :D

#19 LDTate


    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 20 June 2010 - 08:42 AM

You're more than welcome. Glad we were able to help. Peace be with you :wavey:



#20 LDTate


    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 20 June 2010 - 08:42 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please follow the instructions here http://forums.whatth...ed_t106388.html
and start a New Topic.

