Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

HTTP Tidserv Request!help! [Solved]

Started by fuff , Jun 21 2010 03:41 PM

  • This topic is locked This topic is locked

#1
fuff
Posted 21 June 2010 - 03:41 PM

fuff

    Member

  • Member
  • PipPip
  • 31 posts
it redirects to sites I'm not searching for expecailly in google also mmy norton keeps poping up with a message saying i have it.
i tried TDSSKiller and got

registry objects infected / cured / cured on reboot: 0 / 0 / 0
File objects infected / cured / cured on reboot: 0 / 0 / 0

also malwarebytes isnt picking it up either!

please help!!! asap!! i wanna get rid of it!
  • 0

Advertisements

#2
fuff
Posted 21 June 2010 - 08:29 PM

fuff

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
bump
  • 0

#3
ali.B
Posted 22 June 2010 - 12:50 AM

ali.B

    Trusted Helper

  • Malware Removal
  • 3,086 posts
hi

Download ComboFix here :

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them

    Click me

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
  • 0

#4
fuff
Posted 23 June 2010 - 10:11 PM

fuff

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
i shut my norton and then tried combo fix the message i got was: cmd.cfxxe is a corrupt file and file directory c;/conbofix is corrupt and unreadable please run chdsk utility

im trying adware right now hopefully it works
  • 0

#5
fuff
Posted 24 June 2010 - 02:49 AM

fuff

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
i did combo fix and malware right after just to let u know, i didnt have the THE RECOVERY CONSOLE INSTALLED....is that still okay? cause i ran the scan without it....
  • 0

#6
fuff
Posted 24 June 2010 - 02:51 AM

fuff

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
here's some of the info:

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\USER\msinst.exe
c:\documents and settings\Owner\GoToAssistDownloadHelper.exe
C:\test.txt
C:\Thumbs.db
c:\windows\system32\fonts
c:\windows\system32\fonts\ACADEMY_.PFB
c:\windows\system32\fonts\ACADEMY_.PFM
c:\windows\system32\fonts\ACADEMY_.TTF
c:\windows\wpe pro.INI
c:\windows\xpsp1hfm.log

Infected copy of c:\windows\system32\drivers\rasacd.sys was found and disinfected


is it okay if those got deleted? were they major stuff?
  • 0

#7
ali.B
Posted 24 June 2010 - 01:38 PM

ali.B

    Trusted Helper

  • Malware Removal
  • 3,086 posts
hi

could you please post the full log ?

it shall be located in C:\Combofix.txt
  • 0

#8
fuff
Posted 24 June 2010 - 07:11 PM

fuff

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
this is the combo fix, has the http tidserv been deleted? i did malware right after and got zero infections :)

ComboFix 10-06-23.02 - User 24/06/2010 0:17.1.1 - x86
Microsoft Windows XP Home Edition
[GMT -8:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\User\msinst.exe
c:\documents and settings\Owner\GoToAssistDownloadHelper.exe
C:\test.txt
C:\Thumbs.db
c:\windows\system32\fonts
c:\windows\system32\fonts\ACADEMY_.PFB
c:\windows\system32\fonts\ACADEMY_.PFM
c:\windows\system32\fonts\ACADEMY_.TTF
c:\windows\wpe pro.INI
c:\windows\xpsp1hfm.log

Infected copy of c:\windows\system32\drivers\rasacd.sys was found and disinfected
Restored copy from - Kitty had a snack :)
.
((((((((((((((((((((((((( Files Created from 2010-05-24 to 2010-06-24 )))))))))))))))))))))))))))))))
.

2010-06-24 02:42 . 2010-06-24 02:40 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-24 02:41 . 2010-06-24 02:41 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-24 02:28 . 2010-06-24 02:28 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-22 19:45 . 2010-06-22 19:45 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-22 19:45 . 2010-06-22 19:45 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-06-22 08:08 . 2010-06-22 08:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-21 21:42 . 2010-06-21 21:42 -------- d-----w- C:\ComboFix
2010-06-20 07:13 . 2010-06-20 07:16 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-06-20 01:32 . 2010-06-20 01:32 -------- d-s---w- c:\documents and settings\LocalService\UserData
2010-06-20 00:12 . 2010-06-20 00:12 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-06-20 00:00 . 2010-06-21 22:12 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\dyxopykkt

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-24 07:24 . 2005-09-09 23:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-06-24 02:47 . 2005-09-09 23:58 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-24 02:29 . 2007-04-01 19:26 -------- d-----w- c:\program files\Lavasoft
2010-06-24 02:24 . 2007-12-08 06:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-06-22 02:48 . 2010-03-13 11:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-06 01:04 . 2009-12-14 23:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-05-02 05:56 . 2003-03-03 04:38 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 23:39 . 2010-03-13 11:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 23:39 . 2010-03-13 11:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:51 . 2003-03-03 04:33 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 15:20 . 2006-06-23 19:33 668672 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 15:20 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2003-02-19 01:35 . 2005-09-09 23:13 0 -csha-w- c:\windows\SMINST\HPCD.SYS
.

------- Sigcheck -------

[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\qmgr.dll
[-] 2007-03-29 . CC431E6DEAAD867A583EE5E804EE4CF2 . 409600 . . [6.7.2600.3109] . . c:\windows\system32\qmgr.dll
[-] 2007-03-29 . CC431E6DEAAD867A583EE5E804EE4CF2 . 409600 . . [6.7.2600.3109] . . c:\windows\system32\bits\qmgr.dll
[-] 2007-03-29 . CC431E6DEAAD867A583EE5E804EE4CF2 . 409600 . . [6.7.2600.3109] . . c:\windows\system32\dllcache\qmgr.dll
[-] 2007-03-29 . 65E23953D337574E549B1EF34FE0B1DA . 409600 . . [6.7.2600.3109] . . c:\windows\$hf_mig$\KB923845\SP2QFE\qmgr.dll
[7] 2004-08-04 . 2C69EC7E5A311334D10DD95F338FCCEA . 382464 . . [6.6.2600.2180] . . c:\windows\$NtUninstallKB923845$\qmgr.dll
[7] 2004-08-04 . 2C69EC7E5A311334D10DD95F338FCCEA . 382464 . . [6.6.2600.2180] . . c:\windows\ServicePackFiles\i386\qmgr.dll
[7] 2004-08-04 . 2C69EC7E5A311334D10DD95F338FCCEA . 382464 . . [6.6.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\qmgr.dll
[7] 2004-07-01 . 696AC82FB290A03F205901442E0E9589 . 361984 . . [6.6.2600.1569] . . c:\windows\$NtServicePackUninstall$\qmgr.dll
[-] 2002-08-29 . 6A1CF14D0E7D0B2241F552223769C8A7 . 221696 . . [6.2.2600.1106] . . c:\windows\$NtUninstallKB842773$\qmgr.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2002-10-01 548933]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Nero\data\xtras\mssysmgr.exe" [2004-11-12 212992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-18 69632]
"CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-18 69632]
"KBD"="c:\hp\KBD\KBD.EXE" [2001-07-07 61440]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"nwiz"="nwiz.exe" [2002-10-01 372736]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-12-12 335872]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-23 81920]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"PC-CAM 600 STI App Registration"="PD023pin.dll" [2001-11-11 53248]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-13 155648]
"LXSUPMON"="c:\windows\system32\LXSUPMON.EXE" [2002-01-28 885760]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-04 267048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-01-14 771704]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"WIAWizardMenu"="c:\windows\system32\sti_ci.dll" [2004-08-04 136704]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2005-10-10 225280]

c:\documents and settings\User\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-9-16 113664]
No-IP DUC.lnk - c:\program files\No-IP\DUC20.exe [2006-7-16 1172992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-10-12 23:13 10536 ----a-w- c:\program files\Citrix\GoToAssist\516\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^msupdate.exe]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\msupdate.exe
backup=c:\windows\pss\msupdate.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R2 mrtRate;mrtRate; [x]
R3 libusb0;LibUsb-Win32 - Kernel Driver 03/09/2005, 0.1.10.1;c:\windows\system32\DRIVERS\libusb0.sys [2005-03-09 33792]
R3 PD023BLK;Creative PC-CAM 600 (Still Image);c:\windows\system32\DRIVERS\PD023blk.sys [2001-11-13 28537]
R3 PD023VID;Creative PC-CAM 600 (Video);c:\windows\system32\DRIVERS\Pd023vid.sys [2001-11-13 435360]
R3 Spdat94;Spdat94; [x]
R3 w550obex;Sony Ericsson W550 USB WMC OBEX Interface Drivers;c:\windows\system32\DRIVERS\w550obex.sys [x]
R3 w900bus;Sony Ericsson 900i driver (WDM);c:\windows\system32\DRIVERS\w900bus.sys [x]
R3 w900mgmt;Sony Ericsson 900i USB WMC Device Management Drivers;c:\windows\system32\DRIVERS\w900mgmt.sys [x]
R3 w900obex;Sony Ericsson 900i USB WMC OBEX Interface Drivers;c:\windows\system32\DRIVERS\w900obex.sys [x]
S0 d347bus;d347bus;c:\windows\System32\DRIVERS\d347bus.sys [2004-08-22 155136]
S0 d347prt;d347prt;c:\windows\System32\Drivers\d347prt.sys [2004-08-22 5248]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-06-24 64288]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-06-24 1352832]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S2 WUSB300NSvc;WUSB300NSvc;c:\program files\Linksys\WUSB300N\WLService.exe WUSB300N.exe [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-27 102448]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2010-06-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 02:40]

2010-06-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 22:57]

2010-06-22 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - User.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-01-14 09:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = proxy:8080
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
IE: {{17A27031-71FC-11d4-815C-005004D0F1FA} - c:\program files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\User\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: PCPitstop-Tracks-Checker - hxxp://www.pcpitstop.com/privacy/PCPTracks.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\5w4s36ev.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\SceneCaster\Version 3.11.16\NPSceneCaster.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr
ef", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
HKLM-Run-BlockTracker - c:\hp\bin\BlockTracker.exe
HKLM-Run-AutoTBar - c:\hp\bin\autotbar.exe
HKLM-Run-SNM - c:\program files\SpyNoMore\SNM.exe
AddRemove-Creative PD0230 - c:\windows\CtDrvIns.exe -uninstall USB\VID_041E&PID_400b&mi_00 -plugin Pd023pin.dll
AddRemove-Destinator PC Portal - c:\program files\LGE PC Portal\Inst.exe \U
AddRemove-LiveUpdate - c:\program files\Symantec\LiveUpdate\LSETUP.EXE
AddRemove-PS2 - c:\windows\system32\ps2.exe
AddRemove-Sound Clips for Messenger - c:\program files\Sound Clips for Messenger\Uninstall.exe
AddRemove-WinAce Archiver - c:\program files\WinAce\SXUNINST.EXE
AddRemove-{28BA89E7-2F60-4BE7-BAA2-7949EB3FE527} - c:\program files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe
AddRemove-{3EA6838C-5C34-4F9C-A8DA-434D65DD1356} - c:\program files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe
AddRemove-{4F0AE1FB-4082-4A27-8363-05D292D92FB0} - c:\program files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe
AddRemove-{63272979-21F0-48EF-9B97-A83DBC05BE39} - c:\program files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe
AddRemove-{753FE96B-D926-4B6C-BCFB-CC59153D004A} - c:\program files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe
AddRemove-{7841B68B-B7DD-408E-8B45-D5CA39608185} - c:\program files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe
AddRemove-{9FA01E11-9015-4140-B10A-5C6AA949B2FC} - c:\program files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe
AddRemove-{BC0EE7F1-32DE-4EE2-BE10-AE15DB394E84} - c:\program files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe
AddRemove-Patch_V1 - k:\gravity\RO\Uninstal.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-24 00:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86D2BD08]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf755afc3
\Driver\ACPI -> ACPI.sys @ 0xf74a7cb8
\Driver\atapi -> 0x86d2bd08
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x8059e22a
ParseProcedure -> ntoskrnl.exe @ 0x80579c89
SecurityProcedure -> ntoskrnl.exe @ 0x805b011d
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x8059e22a
ParseProcedure -> ntoskrnl.exe @ 0x80579c89
SecurityProcedure -> ntoskrnl.exe @ 0x805b011d
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\516\G2AWinLogon.dll
.
Completion time: 2010-06-24 01:06:50
ComboFix-quarantined-files.txt 2010-06-24 09:06

Pre-Run: 2,571,595,776 bytes free
Post-Run: 6,886,277,120 bytes free

- - End Of File - - 2F7D07D3FAD582CB8C6058C612EDED15
  • 0

#9
ali.B
Posted 25 June 2010 - 03:38 AM

ali.B

    Trusted Helper

  • Malware Removal
  • 3,086 posts
hi

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

FCopy::
c:\windows\ServicePackFiles\i386\qmgr.dll | c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\qmgr.dll
c:\windows\ServicePackFiles\i386\qmgr.dll | c:\windows\system32\qmgr.dll
c:\windows\ServicePackFiles\i386\qmgr.dll | c:\windows\system32\bits\qmgr.dll
c:\windows\ServicePackFiles\i386\qmgr.dll | c:\windows\system32\dllcache\qmgr.dll
c:\windows\ServicePackFiles\i386\qmgr.dll | c:\windows\$hf_mig$\KB923845\SP2QFE\qmgr.dll
c:\windows\ServicePackFiles\i386\qmgr.dll | c:\windows\$NtUninstallKB842773$\qmgr.dll

Folder::
c:\documents and settings\User\Local Settings\Application Data\dyxopykkt


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
  • 0

#10
fuff
Posted 25 June 2010 - 04:10 PM

fuff

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
what does this step do?
  • 0

Advertisements

#11
fuff
Posted 25 June 2010 - 07:01 PM

fuff

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
there's the latest ones, it involved the same steps as before, has the http tidserv been deleted? :


ComboFix 10-06-23.02 - User 25/06/2010 16:50:09.3.1 - x86
Microsoft Windows XP Home Edition [GMT -8:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\test.txt
.
---- Previous Run -------
.
C:\test.txt

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\qmgr.dll --> c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\qmgr.dll
c:\windows\ServicePackFiles\i386\qmgr.dll --> c:\windows\system32\qmgr.dll
c:\windows\ServicePackFiles\i386\qmgr.dll --> c:\windows\system32\bits\qmgr.dll
c:\windows\ServicePackFiles\i386\qmgr.dll --> c:\windows\system32\dllcache\qmgr.dll
c:\windows\ServicePackFiles\i386\qmgr.dll --> c:\windows\$hf_mig$\KB923845\SP2QFE\qmgr.dll
c:\windows\ServicePackFiles\i386\qmgr.dll --> c:\windows\$NtUninstallKB842773$\qmgr.dll
.
((((((((((((((((((((((((( Files Created from 2010-05-26 to 2010-06-26 )))))))))))))))))))))))))))))))
.

2010-06-24 02:28 . 2010-06-24 02:28 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-25 22:54 . 2005-09-09 23:58 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-24 07:24 . 2005-09-09 23:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-06-24 02:41 . 2010-06-24 02:41 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-24 02:41 . 2010-06-24 11:01 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-24 02:40 . 2010-06-24 02:42 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-24 02:29 . 2007-04-01 19:26 -------- d-----w- c:\program files\Lavasoft
2010-06-24 02:24 . 2007-12-08 06:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-06-22 19:45 . 2010-06-22 19:45 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-22 19:45 . 2010-06-22 19:45 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-06-22 02:48 . 2010-03-13 11:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-06 01:04 . 2009-12-14 23:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-05-02 05:56 . 2003-03-03 04:38 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 23:39 . 2010-03-13 11:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 23:39 . 2010-03-13 11:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:51 . 2003-03-03 04:33 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 15:20 . 2006-06-23 19:33 668672 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 15:20 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2003-02-19 01:35 . 2005-09-09 23:13 0 -csha-w- c:\windows\SMINST\HPCD.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2002-10-01 548933]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Nero\data\xtras\mssysmgr.exe" [2004-11-12 212992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-18 69632]
"CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-18 69632]
"KBD"="c:\hp\KBD\KBD.EXE" [2001-07-07 61440]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"nwiz"="nwiz.exe" [2002-10-01 372736]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-12-12 335872]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-23 81920]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"PC-CAM 600 STI App Registration"="PD023pin.dll" [2001-11-11 53248]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-13 155648]
"LXSUPMON"="c:\windows\system32\LXSUPMON.EXE" [2002-01-28 885760]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-04 267048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-01-14 771704]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"WIAWizardMenu"="c:\windows\system32\sti_ci.dll" [2004-08-04 136704]

c:\documents and settings\User\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-9-16 113664]
No-IP DUC.lnk - c:\program files\No-IP\DUC20.exe [2006-7-16 1172992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-10-12 23:13 10536 ----a-w- c:\program files\Citrix\GoToAssist\516\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^msupdate.exe]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\msupdate.exe
backup=c:\windows\pss\msupdate.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [15/09/2005 8:28 PM 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [15/09/2005 8:28 PM 5248]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [23/06/2010 6:42 PM 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [04/02/2010 7:52 AM 1352832]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/01/2007 9:55 PM 24652]
R2 WUSB300NSvc;WUSB300NSvc;c:\program files\Linksys\WUSB300N\WLService.exe [25/11/2007 8:20 PM 53307]
S2 mrtRate;mrtRate; [x]
S3 libusb0;LibUsb-Win32 - Kernel Driver 03/09/2005, 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [26/05/2006 10:34 PM 33792]
S3 PD023BLK;Creative PC-CAM 600 (Still Image);c:\windows\system32\drivers\Pd023blk.sys [31/12/2005 10:05 PM 28537]
S3 PD023VID;Creative PC-CAM 600 (Video);c:\windows\system32\drivers\Pd023vid.sys [31/12/2005 10:06 PM 435360]
S3 Spdat94;Spdat94; [x]
S3 w550obex;Sony Ericsson W550 USB WMC OBEX Interface Drivers;c:\windows\system32\DRIVERS\w550obex.sys --> c:\windows\system32\DRIVERS\w550obex.sys [?]
S3 w900bus;Sony Ericsson 900i driver (WDM);c:\windows\system32\DRIVERS\w900bus.sys --> c:\windows\system32\DRIVERS\w900bus.sys [?]
S3 w900mgmt;Sony Ericsson 900i USB WMC Device Management Drivers;c:\windows\system32\DRIVERS\w900mgmt.sys --> c:\windows\system32\DRIVERS\w900mgmt.sys [?]
S3 w900obex;Sony Ericsson 900i USB WMC OBEX Interface Drivers;c:\windows\system32\DRIVERS\w900obex.sys --> c:\windows\system32\DRIVERS\w900obex.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2010-06-26 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 02:40]

2010-06-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 22:57]

2010-06-22 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - User.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-01-14 09:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = proxy:8080
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
IE: {{17A27031-71FC-11d4-815C-005004D0F1FA} - c:\program files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\User\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: PCPitstop-Tracks-Checker - hxxp://www.pcpitstop.com/privacy/PCPTracks.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\5w4s36ev.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\SceneCaster\Version 3.11.16\NPSceneCaster.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr
ef", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-25 17:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86C739B0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf755afc3
\Driver\ACPI -> ACPI.sys @ 0xf74a7cb8
\Driver\atapi -> 0x86c739b0
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x8059e22a
ParseProcedure -> ntoskrnl.exe @ 0x80579c89
SecurityProcedure -> ntoskrnl.exe @ 0x805b011d
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x8059e22a
ParseProcedure -> ntoskrnl.exe @ 0x80579c89
SecurityProcedure -> ntoskrnl.exe @ 0x805b011d
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\516\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(3060)
c:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll
c:\progra~1\WINDOW~2\wmpband.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\wdfmgr.exe
c:\program files\Linksys\WUSB300N\WUSB300N.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\windows\ALCXMNTR.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-06-25 17:47:56 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-26 01:47
ComboFix2.txt 2010-06-24 09:06

Pre-Run: 6,706,892,800 bytes free
Post-Run: 6,693,605,376 bytes free

- - End Of File - - AB0EB49AF781802D454637A5E10719F6
  • 0

#12
fuff
Posted 25 June 2010 - 07:03 PM

fuff

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
doing a malwarebytes quick scan right now :)
  • 0

#13
fuff
Posted 25 June 2010 - 09:19 PM

fuff

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
no infections found on malewarbytes
  • 0

#14
ali.B
Posted 26 June 2010 - 01:43 AM

ali.B

    Trusted Helper

  • Malware Removal
  • 3,086 posts
hi

Please download JavaRa to your desktop and unzip it to it's own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

Next

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.

    Posted Image

  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply

  • 0

#15
fuff
Posted 26 June 2010 - 02:55 AM

fuff

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
okay ill do that now :) what time are u usually on? cause i hate waiting one day to find the answer lol (pst time)
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP