microsoft and antivirus websites not opening [Solved]
#1
Posted 29 July 2009 - 04:48 AM
#2
Posted 29 July 2009 - 04:49 AM
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
- If you are using Firefox, make sure that your download settings are as follows:
  - Tools->Options->Main tab
  - Set to "Always ask me where to Save the files".
- During the download, rename Combofix to Combo-Fix as follows:
  - It is important you rename Combofix during the download, but not after.
  - Please do not rename Combofix to other names, but only to the one indicated.
- Close any open browsers.
- Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore your connection.
-----------------------------------------------------------
- Double click on combo-Fix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\Combo-Fix.txt" for further review.
#3
Posted 29 July 2009 - 05:22 AM
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.631.471 [GMT 5.5:30]
Running from: c:\documents and settings\a\Desktop\Combo-Fix.exe
AV: Total Security 10.00 *On-access scanning enabled* (Outdated) {05C1329D-F0E0-4B19-9D15-54F9BC3ADE87}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\AskSearch\bin\DefaultSearch.dll
c:\windows\Installer\WMEncoder.msi
.
((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-29 )))))))))))))))))))))))))))))))
.
2009-07-29 10:27 . 2009-07-29 10:27 -------- d-----w- C:\Rooter$
2009-07-28 09:43 . 2009-07-28 09:43 -------- d-----w- c:\windows\Sun
2009-07-28 09:33 . 2009-07-28 09:33 -------- d-----w- c:\documents and settings\a\Application Data\JonDo
2009-07-28 09:13 . 2009-07-28 09:13 -------- d-----w- c:\program files\JAP
2009-07-28 04:23 . 2009-07-28 04:23 -------- d-sh--w- C:\FOUND.019
2009-07-27 07:11 . 2009-07-27 07:11 -------- d-sh--w- C:\FOUND.018
2009-07-26 10:25 . 2009-07-26 10:25 -------- d-sh--w- C:\FOUND.017
2009-07-24 05:13 . 2009-07-24 05:13 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap
2009-07-24 05:12 . 2009-07-24 05:12 -------- d-----w- c:\program files\PopCap Games
2009-07-22 12:51 . 2009-07-22 12:51 -------- d-----w- c:\windows\system32\Lang
2009-07-22 12:35 . 2009-07-22 12:35 -------- d-sh--w- C:\FOUND.016
2009-07-22 03:50 . 2009-07-22 03:50 -------- d-sh--w- C:\FOUND.015
2009-07-21 07:55 . 2009-07-21 07:55 -------- d-----w- c:\documents and settings\a\Local Settings\Application Data\The Weather Channel
2009-07-17 07:15 . 2009-07-17 07:15 -------- d-sh--w- C:\FOUND.014
2009-07-17 04:15 . 2009-07-17 04:15 -------- d-sh--w- C:\FOUND.013
2009-07-16 06:13 . 2009-07-16 06:13 -------- d-----w- c:\documents and settings\a\Application Data\ARGELA
2009-07-15 06:57 . 2009-07-15 06:57 -------- d--h--r- C:\MSOCache
2009-07-15 05:01 . 2009-07-15 05:01 -------- d-sh--w- C:\FOUND.012
2009-07-14 15:50 . 2009-07-14 15:50 -------- d-----w- c:\program files\Realtek AC97
2009-07-14 15:49 . 2005-05-02 19:43 69632 ----a-w- c:\windows\Alcmtr.exe
2009-07-14 15:49 . 2006-05-03 17:26 2808832 ----a-w- c:\windows\alcwzrd.exe
2009-07-14 15:49 . 2006-09-11 17:58 16264192 ----a-w- c:\windows\RTHDCPL.exe
2009-07-14 15:49 . 2006-09-11 16:12 2155008 ----a-w- c:\windows\MicCal.exe
2009-07-14 15:49 . 2006-05-15 19:04 2879488 ----a-w- c:\windows\SkyTel.exe
2009-07-14 15:49 . 2009-07-14 15:49 -------- d-----w- c:\windows\system32\RTCOM
2009-07-14 15:49 . 2006-08-31 15:35 364544 ----a-w- c:\windows\RtlUpd.exe
2009-07-14 15:49 . 2006-05-03 17:35 9709568 ----a-w- c:\windows\RTLCPL.exe
2009-07-14 15:49 . 2005-07-15 11:18 40960 ----a-w- c:\windows\system32\ChCfg.exe
2009-07-14 15:49 . 2006-09-11 20:27 4381184 ----a-w- c:\windows\system32\drivers\RtkHDAud.Sys
2009-07-14 15:47 . 2009-07-14 15:47 -------- d-----w- c:\program files\Realtek
2009-07-14 15:47 . 2006-09-11 15:34 499712 ----a-w- c:\windows\RtlExUpd.dll
2009-07-13 15:20 . 2009-07-13 15:20 -------- d-----w- C:\DriveKey
2009-07-12 05:53 . 2009-07-12 05:53 -------- d-sh--w- C:\FOUND.011
2009-07-09 04:33 . 2009-07-09 04:33 28664 ----a-w- c:\windows\system32\drivers\EMLTDI.SYS
2009-07-09 04:32 . 2009-07-09 04:33 65024 ----a-w- c:\windows\system32\drivers\catflt.sys
2009-07-06 11:56 . 2005-07-22 09:30 81920 ----a-w- c:\windows\SoundMan.exe
2009-07-06 11:56 . 2004-09-07 08:53 156672 ----a-w- c:\windows\system32\RtlCPAPI.dll
2009-07-06 11:13 . 2005-07-22 09:29 10458112 ----a-w- c:\windows\system32\RTLCPL.EXE
2009-07-06 11:03 . 2009-07-06 11:03 -------- d-----w- c:\program files\Intel
2009-07-06 05:46 . 2001-12-31 18:29 312 ----a-w- c:\windows\system32\drivers\HDACfg.dat
2009-07-06 05:45 . 2004-11-18 05:12 22752 ----a-w- c:\windows\system32\spupdsvc.exe
2009-07-04 13:04 . 2009-07-04 13:04 -------- d-sh--w- C:\FOUND.010
2009-07-04 08:47 . 2009-07-04 08:47 -------- d-sh--w- C:\FOUND.009
2009-07-04 05:36 . 2009-07-04 05:36 0 ----a-w- c:\windows\nsreg.dat
2009-07-04 05:36 . 2009-07-04 05:36 -------- d-----w- c:\documents and settings\a\Local Settings\Application Data\Mozilla
2009-07-04 01:59 . 2009-07-04 01:59 -------- d-sh--w- C:\FOUND.008
2009-07-03 16:09 . 2009-07-03 16:09 -------- d-----w- c:\documents and settings\a\Application Data\BitTorrent
2009-07-03 16:08 . 2009-07-03 16:09 -------- d-----w- c:\program files\BitTorrent
2009-07-03 16:08 . 2009-07-03 16:08 -------- d-----w- c:\program files\AskSearch
2009-07-03 04:40 . 2009-07-03 04:40 -------- d-sh--w- C:\FOUND.007
2009-07-02 11:48 . 2009-07-02 11:48 -------- d-sh--w- C:\FOUND.006
2009-07-02 10:54 . 2009-07-02 10:54 -------- d-----w- c:\documents and settings\a\Application Data\ESTSoft
2009-07-02 10:24 . 2005-07-26 11:33 3644032 ----a-w- c:\windows\system32\drivers\ALCXWDM.SYS
2009-07-02 10:24 . 2004-02-24 05:38 400384 ----a-w- c:\windows\system32\drivers\ALCXSENS.SYS
2009-07-02 10:24 . 2005-06-02 11:13 200704 ----a-w- c:\windows\alcrmv.exe
2009-07-02 10:24 . 2005-06-02 11:01 294912 ----a-w- c:\windows\alcupd.exe
2009-07-02 08:46 . 2009-07-02 08:46 -------- d-----w- c:\windows\system32\DRVSTORE
2009-07-02 04:05 . 2009-07-02 04:05 -------- d-sh--w- C:\FOUND.005
2009-07-01 11:40 . 2009-07-01 11:40 -------- d-sh--w- C:\FOUND.004
2009-07-01 04:27 . 2009-07-01 04:27 -------- d-sh--w- C:\FOUND.003
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-26 05:59 . 2009-07-26 05:59 2215936 ----a-w- c:\documents and settings\a\ntuser.tmp
2009-07-04 15:23 . 2009-07-04 15:23 10528768 ----a-w- c:\windows\system32\SET72.tmp
2009-07-01 06:17 . 2009-06-23 01:53 65144 ----a-w- c:\documents and settings\a\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-28 04:18 . 2009-06-28 04:17 -------- d-----w- c:\program files\Windows Media Components
2009-06-28 04:17 . 2009-06-28 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Huelix Solutions
2009-06-27 20:25 . 2009-06-27 20:21 79051 ----a-w- c:\windows\hpfins05.dat
2009-06-27 20:24 . 2009-06-27 20:24 -------- d-----w- c:\program files\Common Files\HP
2009-06-27 20:23 . 2009-06-27 20:23 -------- d-----w- c:\program files\Hewlett-Packard
2009-06-27 20:23 . 2009-06-27 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-06-27 20:21 . 2009-06-27 20:21 -------- d-----w- c:\program files\HP
2009-06-27 20:13 . 2009-06-27 20:13 -------- d-----w- c:\documents and settings\a\Application Data\HP
2009-06-25 05:09 . 2009-06-25 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-24 10:57 . 2009-06-24 10:57 -------- d-----w- c:\program files\Quick Heal
2009-06-24 10:55 . 2009-06-24 10:55 -------- d-----w- c:\program files\Google
2009-06-24 09:40 . 2009-06-24 09:40 -------- d-----w- c:\program files\ESTsoft
2009-06-24 09:28 . 2009-06-24 09:28 -------- d-----w- c:\program files\directx
2009-06-23 15:08 . 2009-06-23 15:08 -------- d-----w- c:\documents and settings\a\Application Data\vlc
2009-06-23 13:45 . 2009-06-23 13:45 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-23 13:45 . 2009-06-23 13:45 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-23 06:15 . 2009-06-23 01:18 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-23 02:11 . 2009-06-23 02:11 10968576 ----a-r- c:\windows\system32\SET11C.tmp
2009-06-23 02:11 . 2009-06-23 02:11 4114400 ----a-r- c:\windows\system32\drivers\SET118.tmp
2009-06-23 01:58 . 2009-06-23 01:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-06-23 01:57 . 2009-06-23 01:57 -------- d-----w- c:\program files\Yahoo!
2009-06-23 01:52 . 2009-06-23 01:52 -------- d-----w- c:\program files\Java
2009-06-23 01:52 . 2009-06-23 01:52 -------- d-----w- c:\program files\Common Files\Java
2009-06-23 01:52 . 2009-06-23 01:52 88064 ----a-w- c:\windows\system32\AudioExCtl.dll
2009-06-23 01:52 . 2009-06-23 01:52 -------- d-----w- c:\program files\Mjuice Media Player
2009-06-23 01:52 . 2009-06-23 01:52 -------- d-----w- c:\program files\Winamp
2009-06-23 01:52 . 2009-06-23 01:52 -------- d-----w- c:\program files\VideoLAN
2009-06-23 01:51 . 2009-06-23 01:51 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-23 01:51 . 2009-06-23 01:51 -------- d-----w- c:\documents and settings\a\Application Data\InterTrust
2009-06-23 01:42 . 2009-06-23 01:42 -------- d-----w- c:\program files\Common Files\L&H
2009-06-23 01:41 . 2009-06-23 01:41 -------- d-----w- c:\program files\Microsoft.NET
2009-06-23 01:41 . 2009-06-23 01:41 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-06-23 01:40 . 2009-06-23 01:40 -------- d-----w- c:\program files\Microsoft Works
2009-06-23 01:20 . 2009-06-23 01:20 -------- d-----w- c:\program files\microsoft frontpage
2009-06-23 01:16 . 2009-06-23 01:16 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-07-17 12:37 . 2009-07-04 05:36 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2004-08-03 14:56 . 2004-08-03 14:56 174326 --sh--r- c:\windows\system32\lvkjwi.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Email Protection"="c:\progra~1\QUICKH~1\QUICKH~1\EMLPROUI.EXE" [2009-07-09 267648]
"Update Scheduler"="c:\progra~1\QUICKH~1\QUICKH~1\UPSCHD.EXE" [2009-07-09 95616]
"On-Line Protection"="c:\progra~1\QUICKH~1\QUICKH~1\cateye.exe" [2009-07-09 206208]
"Startup Scan"="c:\progra~1\QUICKH~1\QUICKH~1\Sensor.EXE" [2009-07-09 144768]
"ResumeQuickupDownload"="c:\progra~1\QUICKH~1\QUICKH~1\acappaa.exe" [2009-07-09 95616]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gupdate1c9f727759f6d5c"=2 (0x2)
"ose"=3 (0x3)
"MDM"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6763:TCP"= 6763:TCP:wccee
R2 catflt;catflt;c:\windows\system32\drivers\catflt.sys [7/9/2009 10:02 AM 65024]
R2 EMLSS;EMLSS;c:\windows\system32\drivers\EMLTDI.SYS [7/9/2009 10:03 AM 28664]
R3 slnt;Silan SC92031 PCI Fast Ethernet Adapter;c:\windows\system32\drivers\slnt.sys [6/23/2009 7:15 PM 18004]
S2 Online Protection System;Online Protection System;c:\progra~1\QUICKH~1\QUICKH~1\opssvc.exe [7/9/2009 10:02 AM 17280]
S2 Quick Heal Total Security Mail Protection;Quick Heal Total Security Mail Protection;c:\progra~1\QUICKH~1\QUICKH~1\EMLPROXY.EXE [7/9/2009 10:02 AM 50560]
S2 Quick Update Service;Quick Update Service;c:\progra~1\QUICKH~1\QUICKH~1\quhlpsvc.exe [7/9/2009 10:02 AM 58752]
S2 rlqhrqgnb;Server Config;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 8:26 PM 14336]
S2 Startup Handler;Quick Heal Total Security Startup Handler;c:\progra~1\QUICKH~1\QUICKH~1\strtsvc.exe [7/9/2009 10:02 AM 54656]
S4 gupdate1c9f727759f6d5c;Google Update Service (gupdate1c9f727759f6d5c);c:\program files\Google\Update\GoogleUpdate.exe [6/27/2009 6:31 PM 133104]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
rlqhrqgnb
.
Contents of the 'Scheduled Tasks' folder
2009-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-27 12:57]
2009-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-27 12:57]
2009-07-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-484763869-1229272821-725345543-1003Core.job
- c:\documents and settings\a\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-23 14:52]
2009-07-24 c:\windows\Tasks\NSSstub.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2009-07-24 06:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.in/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101761&gct=&gc=1&q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\a\Application Data\Mozilla\Firefox\Profiles\9vugicid.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/
FF - plugin: c:\documents and settings\a\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\j2re1.4.2_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_06\bin\NPJPI142_06.dll
FF - plugin: c:\program files\Java\j2re1.4.2_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-29 16:47
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rlqhrqgnb]
"ServiceDll"="c:\windows\system32\lvkjwi.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(656)
c:\windows\system32\l3codeca.acm
.
Completion time: 2009-07-29 16:48
ComboFix-quarantined-files.txt 2009-07-29 11:18
Pre-Run: 6,942,736,384 bytes free
Post-Run: 7,243,341,824 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS
[operating systems]
e:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
#4
Posted 29 July 2009 - 07:01 AM
1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
DirLook::
c:\program files\JAP
Folder::
C:\FOUND.019
C:\FOUND.018
C:\FOUND.017
C:\FOUND.016
C:\FOUND.015
C:\FOUND.014
C:\FOUND.013
C:\FOUND.012
C:\FOUND.011
C:\FOUND.010
C:\FOUND.009
C:\FOUND.008
C:\FOUND.007
C:\FOUND.006
C:\FOUND.005
C:\FOUND.004
C:\FOUND.003
File::
c:\windows\system32\SET72.tmp
c:\windows\system32\SET11C.tmp
c:\windows\system32\drivers\SET118.tmp
c:\windows\system32\lvkjwi.dll
Driver::
rlqhrqgnb
NetSvc::
rlqhrqgnb
KillAll::
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
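The correlation behind the File::, Driver:: and NetSvc:: entries in the script above, as an added Python example that is not part of the thread and not ComboFix's own code: it parses the service, NetSvcs, ServiceDll and file-attribute lines from the post #3 log, flags a netsvcs-hosted service whose DLL carries hidden/system attributes, and lays the result out in the same directive shape as the script above. The `SAMPLE_LOG` excerpt, the function names and the attribute heuristics are this example's assumptions.

```python
import re

# Constructed excerpt: only the lines of the ComboFix log in post #3 that tie
# the service "rlqhrqgnb" to the DLL it loads, plus one benign service line so
# the filter has something to ignore. Names and paths are copied from that log.
SAMPLE_LOG = r"""
2004-08-03 14:56 . 2004-08-03 14:56 174326 --sh--r- c:\windows\system32\lvkjwi.dll
S2 Quick Update Service;Quick Update Service;c:\progra~1\QUICKH~1\QUICKH~1\quhlpsvc.exe [7/9/2009 10:02 AM 58752]
S2 rlqhrqgnb;Server Config;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 8:26 PM 14336]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
rlqhrqgnb
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rlqhrqgnb]
"ServiceDll"="c:\windows\system32\lvkjwi.dll"
"""

# Service line: "<start type> <name>;<display name>;<image path> [<date> <size>]"
SERVICE_RE = re.compile(r"^[RS]\d ([^;]+);([^;]*);(.+?) \[")
# Find3M / Files Created line: "<mtime> . <ctime> <size or --------> <attrs> <path>"
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d (\d+|-{8}) (\S{8}) (.+)$")
# A service's registry key, followed on the next line by its ServiceDll value
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]$", re.I)
DLL_RE = re.compile(r'^"ServiceDll"="(.+)"$', re.I)


def parse_log(text):
    """Collect services, NetSvcs members, ServiceDll values and file attributes.
    Only the line shapes shown in SAMPLE_LOG are understood."""
    services = {}   # service name -> (display name, image path)
    files = {}      # lower-cased path -> (attribute string, size)
    dlls = {}       # service name -> ServiceDll path
    netsvcs = []
    in_netsvcs = False
    current_key = None
    for line in text.splitlines():
        line = line.rstrip()
        if in_netsvcs:
            # The NetSvcs block lists one name per line until "." or a blank line.
            if line and line != ".":
                netsvcs.append(line.strip())
                continue
            in_netsvcs = False
        if line.endswith("Svchost - NetSvcs"):
            in_netsvcs = True
            continue
        m = SERVICE_RE.match(line)
        if m:
            services[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = FILE_RE.match(line)
        if m:
            files[m.group(3).lower()] = (m.group(2), m.group(1))
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = DLL_RE.match(line)
        if m and current_key:
            dlls[current_key] = m.group(1)
    return {"services": services, "files": files, "dlls": dlls, "netsvcs": netsvcs}


def suspicious_netsvcs(parsed):
    """Flag svchost "-k netsvcs" services that the log lists under NetSvcs or
    whose ServiceDll has hidden/system attributes. These heuristics are this
    example's assumptions, not rules taken from ComboFix."""
    findings = []
    for name, (display, image) in parsed["services"].items():
        if "svchost.exe -k netsvcs" not in image.lower():
            continue
        reasons = []
        if name in parsed["netsvcs"]:
            reasons.append("listed under Svchost NetSvcs in the log")
        dll = parsed["dlls"].get(name)
        if dll is not None:
            attrs, _size = parsed["files"].get(dll.lower(), ("", ""))
            if "h" in attrs or "s" in attrs:
                reasons.append(f"ServiceDll {dll} has attributes {attrs}")
        findings.append({"service": name, "display": display, "dll": dll, "reasons": reasons})
    return findings


def cfscript_for(findings):
    """Lay out File::/Driver::/NetSvc:: directives for the flagged services in
    the same shape as the script in post #4 (the directive names come from there)."""
    flagged = [f for f in findings if f["reasons"]]
    lines = []
    dlls = [f["dll"] for f in flagged if f["dll"]]
    if dlls:
        lines.append("File::")
        lines.extend(dlls)
    if flagged:
        lines.append("Driver::")
        lines.extend(f["service"] for f in flagged)
        lines.append("NetSvc::")
        lines.extend(f["service"] for f in flagged)
    return lines
```

Running `cfscript_for(suspicious_netsvcs(parse_log(SAMPLE_LOG)))` on the excerpt reproduces the File::, Driver:: and NetSvc:: lines of the script above; a full log would also need the Folder:: and DirLook:: entries the helper chose by hand.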
#5
Posted 29 July 2009 - 08:30 AM
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.631.470 [GMT 5.5:30]
Running from: c:\documents and settings\a\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\a\Desktop\CFScript.txt
AV: Total Security 10.00 *On-access scanning disabled* (Outdated) {05C1329D-F0E0-4B19-9D15-54F9BC3ADE87}
* Created a new restore point
FILE ::
"c:\windows\system32\drivers\SET118.tmp"
"c:\windows\system32\lvkjwi.dll"
"c:\windows\system32\SET11C.tmp"
"c:\windows\system32\SET72.tmp"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\SET118.tmp
c:\windows\system32\lvkjwi.dll
c:\windows\system32\SET11C.tmp
c:\windows\system32\SET72.tmp
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_RLQHRQGNB
-------\Service_rlqhrqgnb
((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-29 )))))))))))))))))))))))))))))))
.
2009-07-29 10:27 . 2009-07-29 10:27 -------- d-----w- C:\Rooter$
2009-07-28 09:43 . 2009-07-28 09:43 -------- d-----w- c:\windows\Sun
2009-07-28 09:33 . 2009-07-28 09:33 -------- d-----w- c:\documents and settings\a\Application Data\JonDo
2009-07-28 09:13 . 2009-07-28 09:13 -------- d-----w- c:\program files\JAP
2009-07-24 05:13 . 2009-07-24 05:13 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap
2009-07-24 05:12 . 2009-07-24 05:12 -------- d-----w- c:\program files\PopCap Games
2009-07-22 12:51 . 2009-07-22 12:51 -------- d-----w- c:\windows\system32\Lang
2009-07-21 07:55 . 2009-07-21 07:55 -------- d-----w- c:\documents and settings\a\Local Settings\Application Data\The Weather Channel
2009-07-16 06:13 . 2009-07-16 06:13 -------- d-----w- c:\documents and settings\a\Application Data\ARGELA
2009-07-15 06:57 . 2009-07-15 06:57 -------- d--h--r- C:\MSOCache
2009-07-14 15:50 . 2009-07-14 15:50 -------- d-----w- c:\program files\Realtek AC97
2009-07-14 15:49 . 2005-05-02 19:43 69632 ----a-w- c:\windows\Alcmtr.exe
2009-07-14 15:49 . 2006-05-03 17:26 2808832 ----a-w- c:\windows\alcwzrd.exe
2009-07-14 15:49 . 2006-09-11 17:58 16264192 ----a-w- c:\windows\RTHDCPL.exe
2009-07-14 15:49 . 2006-09-11 16:12 2155008 ----a-w- c:\windows\MicCal.exe
2009-07-14 15:49 . 2006-05-15 19:04 2879488 ----a-w- c:\windows\SkyTel.exe
2009-07-14 15:49 . 2009-07-14 15:49 -------- d-----w- c:\windows\system32\RTCOM
2009-07-14 15:49 . 2006-08-31 15:35 364544 ----a-w- c:\windows\RtlUpd.exe
2009-07-14 15:49 . 2006-05-03 17:35 9709568 ----a-w- c:\windows\RTLCPL.exe
2009-07-14 15:49 . 2005-07-15 11:18 40960 ----a-w- c:\windows\system32\ChCfg.exe
2009-07-14 15:49 . 2006-09-11 20:27 4381184 ----a-w- c:\windows\system32\drivers\RtkHDAud.Sys
2009-07-14 15:47 . 2009-07-14 15:47 -------- d-----w- c:\program files\Realtek
2009-07-14 15:47 . 2006-09-11 15:34 499712 ----a-w- c:\windows\RtlExUpd.dll
2009-07-13 15:20 . 2009-07-13 15:20 -------- d-----w- C:\DriveKey
2009-07-09 04:33 . 2009-07-09 04:33 28664 ----a-w- c:\windows\system32\drivers\EMLTDI.SYS
2009-07-09 04:32 . 2009-07-09 04:33 65024 ----a-w- c:\windows\system32\drivers\catflt.sys
2009-07-06 11:56 . 2005-07-22 09:30 81920 ----a-w- c:\windows\SoundMan.exe
2009-07-06 11:56 . 2004-09-07 08:53 156672 ----a-w- c:\windows\system32\RtlCPAPI.dll
2009-07-06 11:13 . 2005-07-22 09:29 10458112 ----a-w- c:\windows\system32\RTLCPL.EXE
2009-07-06 11:03 . 2009-07-06 11:03 -------- d-----w- c:\program files\Intel
2009-07-06 05:46 . 2001-12-31 18:29 312 ----a-w- c:\windows\system32\drivers\HDACfg.dat
2009-07-06 05:45 . 2004-11-18 05:12 22752 ----a-w- c:\windows\system32\spupdsvc.exe
2009-07-04 05:36 . 2009-07-04 05:36 0 ----a-w- c:\windows\nsreg.dat
2009-07-04 05:36 . 2009-07-04 05:36 -------- d-----w- c:\documents and settings\a\Local Settings\Application Data\Mozilla
2009-07-03 16:09 . 2009-07-03 16:09 -------- d-----w- c:\documents and settings\a\Application Data\BitTorrent
2009-07-03 16:08 . 2009-07-03 16:09 -------- d-----w- c:\program files\BitTorrent
2009-07-03 16:08 . 2009-07-03 16:08 -------- d-----w- c:\program files\AskSearch
2009-07-02 10:54 . 2009-07-02 10:54 -------- d-----w- c:\documents and settings\a\Application Data\ESTSoft
2009-07-02 10:24 . 2005-07-26 11:33 3644032 ----a-w- c:\windows\system32\drivers\ALCXWDM.SYS
2009-07-02 10:24 . 2004-02-24 05:38 400384 ----a-w- c:\windows\system32\drivers\ALCXSENS.SYS
2009-07-02 10:24 . 2005-06-02 11:13 200704 ----a-w- c:\windows\alcrmv.exe
2009-07-02 10:24 . 2005-06-02 11:01 294912 ----a-w- c:\windows\alcupd.exe
2009-07-02 08:46 . 2009-07-02 08:46 -------- d-----w- c:\windows\system32\DRVSTORE
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-26 05:59 . 2009-07-26 05:59 2215936 ----a-w- c:\documents and settings\a\ntuser.tmp
2009-07-01 06:17 . 2009-06-23 01:53 65144 ----a-w- c:\documents and settings\a\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-28 04:18 . 2009-06-28 04:17 -------- d-----w- c:\program files\Windows Media Components
2009-06-28 04:17 . 2009-06-28 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Huelix Solutions
2009-06-27 20:25 . 2009-06-27 20:21 79051 ----a-w- c:\windows\hpfins05.dat
2009-06-27 20:24 . 2009-06-27 20:24 -------- d-----w- c:\program files\Common Files\HP
2009-06-27 20:23 . 2009-06-27 20:23 -------- d-----w- c:\program files\Hewlett-Packard
2009-06-27 20:23 . 2009-06-27 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-06-27 20:21 . 2009-06-27 20:21 -------- d-----w- c:\program files\HP
2009-06-27 20:13 . 2009-06-27 20:13 -------- d-----w- c:\documents and settings\a\Application Data\HP
2009-06-25 05:09 . 2009-06-25 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-24 10:57 . 2009-06-24 10:57 -------- d-----w- c:\program files\Quick Heal
2009-06-24 10:55 . 2009-06-24 10:55 -------- d-----w- c:\program files\Google
2009-06-24 09:40 . 2009-06-24 09:40 -------- d-----w- c:\program files\ESTsoft
2009-06-24 09:28 . 2009-06-24 09:28 -------- d-----w- c:\program files\directx
2009-06-23 15:08 . 2009-06-23 15:08 -------- d-----w- c:\documents and settings\a\Application Data\vlc
2009-06-23 13:45 . 2009-06-23 13:45 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-23 13:45 . 2009-06-23 13:45 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-23 06:15 . 2009-06-23 01:18 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-23 01:58 . 2009-06-23 01:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-06-23 01:57 . 2009-06-23 01:57 -------- d-----w- c:\program files\Yahoo!
2009-06-23 01:52 . 2009-06-23 01:52 -------- d-----w- c:\program files\Java
2009-06-23 01:52 . 2009-06-23 01:52 -------- d-----w- c:\program files\Common Files\Java
2009-06-23 01:52 . 2009-06-23 01:52 88064 ----a-w- c:\windows\system32\AudioExCtl.dll
2009-06-23 01:52 . 2009-06-23 01:52 -------- d-----w- c:\program files\Mjuice Media Player
2009-06-23 01:52 . 2009-06-23 01:52 -------- d-----w- c:\program files\Winamp
2009-06-23 01:52 . 2009-06-23 01:52 -------- d-----w- c:\program files\VideoLAN
2009-06-23 01:51 . 2009-06-23 01:51 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-23 01:51 . 2009-06-23 01:51 -------- d-----w- c:\documents and settings\a\Application Data\InterTrust
2009-06-23 01:42 . 2009-06-23 01:42 -------- d-----w- c:\program files\Common Files\L&H
2009-06-23 01:41 . 2009-06-23 01:41 -------- d-----w- c:\program files\Microsoft.NET
2009-06-23 01:41 . 2009-06-23 01:41 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-06-23 01:40 . 2009-06-23 01:40 -------- d-----w- c:\program files\Microsoft Works
2009-06-23 01:20 . 2009-06-23 01:20 -------- d-----w- c:\program files\microsoft frontpage
2009-06-23 01:16 . 2009-06-23 01:16 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-06-24 13:26 . 2009-07-04 05:36 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\program files\JAP ----
2009-07-28 09:33 . 2009-07-28 09:33 64966 ----a-w- c:\program files\JAP\uninstall.exe
2009-07-28 09:33 . 2009-07-28 09:33 35552 ----a-w- c:\program files\JAP\japdll.dll
2009-07-28 09:33 . 2009-07-28 09:33 40608 ----a-w- c:\program files\JAP\jap.exe
2009-07-28 09:13 . 2009-07-28 09:33 8237243 ----a-w- c:\program files\JAP\JAP.jar
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Email Protection"="c:\progra~1\QUICKH~1\QUICKH~1\EMLPROUI.EXE" [2009-07-09 267648]
"Update Scheduler"="c:\progra~1\QUICKH~1\QUICKH~1\UPSCHD.EXE" [2009-07-09 95616]
"On-Line Protection"="c:\progra~1\QUICKH~1\QUICKH~1\cateye.exe" [2009-07-09 206208]
"Startup Scan"="c:\progra~1\QUICKH~1\QUICKH~1\Sensor.EXE" [2009-07-09 144768]
"ResumeQuickupDownload"="c:\progra~1\QUICKH~1\QUICKH~1\acappaa.exe" [2009-07-09 95616]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Startup Scan"="c:\progra~1\QUICKH~1\QUICKH~1\Sensor.EXE" [2009-07-09 144768]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gupdate1c9f727759f6d5c"=2 (0x2)
"ose"=3 (0x3)
"MDM"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6763:TCP"= 6763:TCP:wccee
R2 catflt;catflt;c:\windows\system32\drivers\catflt.sys [7/9/2009 10:02 AM 65024]
R2 EMLSS;EMLSS;c:\windows\system32\drivers\EMLTDI.SYS [7/9/2009 10:03 AM 28664]
R2 Online Protection System;Online Protection System;c:\progra~1\QUICKH~1\QUICKH~1\opssvc.exe [7/9/2009 10:02 AM 17280]
R2 Quick Heal Total Security Mail Protection;Quick Heal Total Security Mail Protection;c:\progra~1\QUICKH~1\QUICKH~1\EMLPROXY.EXE [7/9/2009 10:02 AM 50560]
R2 Quick Update Service;Quick Update Service;c:\progra~1\QUICKH~1\QUICKH~1\quhlpsvc.exe [7/9/2009 10:02 AM 58752]
R3 slnt;Silan SC92031 PCI Fast Ethernet Adapter;c:\windows\system32\drivers\slnt.sys [6/23/2009 7:15 PM 18004]
S2 Startup Handler;Quick Heal Total Security Startup Handler;c:\progra~1\QUICKH~1\QUICKH~1\strtsvc.exe [7/9/2009 10:02 AM 54656]
S4 gupdate1c9f727759f6d5c;Google Update Service (gupdate1c9f727759f6d5c);c:\program files\Google\Update\GoogleUpdate.exe [6/27/2009 6:31 PM 133104]
.
Contents of the 'Scheduled Tasks' folder
2009-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-27 12:57]
2009-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-27 12:57]
2009-07-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-484763869-1229272821-725345543-1003Core.job
- c:\documents and settings\a\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-23 14:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.in/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101761&gct=&gc=1&q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\a\Application Data\Mozilla\Firefox\Profiles\9vugicid.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/
FF - plugin: c:\documents and settings\a\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\j2re1.4.2_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_06\bin\NPJPI142_06.dll
FF - plugin: c:\program files\Java\j2re1.4.2_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-29 19:55
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(656)
c:\windows\system32\l3codeca.acm
- - - - - - - > 'explorer.exe'(2364)
c:\windows\system32\l3codeca.acm
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\QUICKH~1\QUICKH~1\scanwscs.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\progra~1\QUICKH~1\QUICKH~1\OnlineNT.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-29 19:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-29 14:28
ComboFix2.txt 2009-07-29 11:18
Pre-Run: 7,200,792,576 bytes free
Post-Run: 7,093,731,328 bytes free
608
#6
Posted 29 July 2009 - 02:35 PM
Download TFC to your desktop
- Open the file and close any other windows.
- It will close all programs itself when run, make sure to let it run uninterrupted.
- Click the Start button to begin the process. The program should not take long to finish its job.
- Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.
Please download Malwarebytes' Anti-Malware from Here
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & Paste the entire report in your next reply.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
Go to Kaspersky website and perform an online antivirus scan.
- Read through the requirements and privacy statement and click on Accept button.
- It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
- When the downloads have finished, click on Settings.
- Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
- Archives
- Mail databases
- Click on My Computer under Scan.
- Once the scan is complete, it will display the results. Click on View Scan Report.
- You will see a list of infected items there. Click on Save Report As....
- Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
#7
Posted 30 July 2009 - 12:37 AM
Database version: 2421
Windows 5.1.2600 Service Pack 2
7/30/2009 11:57:14 AM
mbam-log-2009-07-30 (11-57-14).txt
Scan type: Quick Scan
Objects scanned: 65159
Time elapsed: 6 minute(s), 7 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
#8
Posted 30 July 2009 - 12:38 AM
#9
Posted 30 July 2009 - 05:27 AM
Please click here to download AVP Tool by Kaspersky.
- Save it to your desktop.
- Reboot your computer into Safe Mode.
You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
- Double click the setup file to run it.
- Click Next to continue.
- It will by default install it to your desktop folder. Click Next.
- Hit OK at the prompt for scanning in Safe Mode.
- It will then open a box. There will be a tab that says Automatic scan.
- Under Automatic scan make sure these are checked.
- System Memory
- Startup Objects
- Disk Boot Sectors.
- My Computer.
- Also any other (removable) drives that you may have.
- Then click on Scan at the top right-hand corner.
- It will automatically Neutralize any objects found.
- If some objects are left unneutralized then click the button that says Neutralize all
- If it says it cannot be Neutralized, then choose the Delete option when prompted.
- After that is done, click on the Reports button at the bottom and save it to a file; name it Kas.
- Save it somewhere convenient like your desktop, and post only the detected virus/malware in the report; it will be at the very top under Detected. Post those results in your next reply.
Note: This tool will self-uninstall when you close it, so please save the log before closing it.
#10
Posted 30 July 2009 - 10:36 PM
Thank you very very very much... Now my system is live again...
You rock.
You really rockzzzzzzzzzzzz...
KEEP IT UP
#11
Posted 30 July 2009 - 10:42 PM
THANK YOU VERY MUCH FOR YOUR KIND SUPPORT.
#12
Posted 31 July 2009 - 10:09 AM
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
Everyone else please begin a New Topic.