Hi, I've finished scanning the PC with this tool, and here is the log file...
ComboFix 09-08-21.02 - user 08/22/2009 15:40.1.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1777 [GMT 2:00]
Running from: d:\profiles\user\Desktop\Combo-Fix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: McAfee Host Intrusion Prevention Firewall *enabled* {2F1275E3-2F4F-43E9-944B-3F63F9BDA5F5}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\S-1-5-21-2000478354-1202660629-854245398-500
c:\windows\braviax.exe
c:\windows\cru629.dat
c:\windows\Installer\4dac654.msp
c:\windows\system32\braviax.exe
c:\windows\system32\cru629.dat
d:\profiles\\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd
d:\profiles\LocalService\Local Settings\Temporary Internet Files\mijedebu.sys
d:\profiles\LocalService\Local Settings\Temporary Internet Files\wihobihifu.dat
d:\profiles\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd
Infected copy of c:\windows\system32\drivers\ntfs.sys was found and disinfected
Restored copy from - c:\system volume information\_restore{6774415C-6FD5-407F-9672-8E9F3F175B73}\RP159\A0039478.sys
Infected copy of c:\windows\system32\drivers\beep.sys was found and disinfected
Restored copy from - c:\system volume information\_restore{6774415C-6FD5-407F-9672-8E9F3F175B73}\RP161\A0039711.sys
.
((((((((((((((((((((((((( Files Created from 2009-07-22 to 2009-08-22 )))))))))))))))))))))))))))))))
.
2009-08-22 13:50 . 2009-08-22 13:50 113 ----a-w- c:\windows\system32\api_hook_list.dat
2009-08-22 13:23 . 2009-08-22 13:23 29184 -c--a-w- c:\windows\system32\dllcache\beep.sys
2009-08-22 13:23 . 2004-08-04 12:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-08-17 18:04 . 2009-08-17 18:04 -------- d-----w- d:\profiles\user\Application Data\Malwarebytes
2009-08-17 18:04 . 2009-08-03 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-17 18:04 . 2009-08-17 18:04 -------- d-----w- d:\profiles\All Users\Application Data\Malwarebytes
2009-08-17 18:04 . 2009-08-03 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-17 18:04 . 2009-08-17 18:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-17 11:27 . 2009-08-17 11:27 18431 ----a-w- c:\windows\system32\robuwehem.sys
2009-08-17 11:27 . 2009-08-17 11:27 17803 ----a-w- c:\program files\Common Files\yqeqyhaxi.dat
2009-08-17 11:27 . 2009-08-17 11:27 16304 ----a-w- d:\profiles\LocalService\Local Settings\Application Data\imiveliqat.vbs
2009-08-17 11:27 . 2009-08-17 11:27 15968 ----a-w- d:\profiles\LocalService\Application Data\epigu.com
2009-08-17 11:27 . 2009-08-17 11:27 10718 ----a-w- c:\windows\system32\gapy.com
2009-08-17 11:27 . 2009-08-17 11:27 10093 ----a-w- d:\profiles\All Users\Application Data\dinureloj.com
2009-08-02 12:31 . 2009-08-02 12:31 -------- d-----w- c:\program files\WinSCP
2009-08-01 19:09 . 2009-08-01 19:09 -------- d-----w- c:\program files\7-Zip
2009-07-30 11:37 . 2009-07-30 11:57 -------- d-----w- d:\profiles\user\Workspace_dev_1.2
2009-07-30 11:37 . 2009-07-30 11:57 -------- d-----w- d:\profiles\\user\Workspace_dev_1.2
2009-07-30 08:17 . 2009-08-06 09:07 -------- d-----w- d:\profiles\user\user_view
2009-07-30 08:17 . 2009-08-06 09:07 -------- d-----w- d:\profiles\\user\user_view
2009-07-28 08:45 . 2009-07-28 08:47 -------- d-----w- d:\profiles\user\Application Data\WebApps
2009-07-28 08:44 . 2009-07-28 08:47 -------- d-----w- d:\profiles\user\Local Settings\Application Data\Prism
2009-07-28 08:44 . 2009-07-28 08:47 -------- d-----w- d:\profiles\user\Application Data\Prism
2009-07-26 14:50 . 2009-07-26 14:50 -------- d-----w- c:\program files\SpeedFan
2009-07-24 15:20 . 2008-05-02 08:41 3493888 ---ha-w- d:\profiles\user\Application Data\U3\temp\Launchpad Removal.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-22 00:06 . 2009-05-19 20:41 -------- d-----w- d:\profiles\user\Application Data\MySQL
2009-08-17 11:27 . 2009-08-17 11:27 10062 ----a-w- d:\profiles\LocalService\Application Data\pequsu.dat
2009-08-17 11:03 . 2009-05-17 23:25 -------- d-----w- d:\profiles\user\Application Data\FileZilla
2009-08-12 11:31 . 2009-05-23 16:46 -------- d-----w- d:\profiles\user\Application Data\vlc
2009-08-06 15:34 . 2008-10-08 08:48 402815 ----a-w- c:\windows\system32\nvModes.dat
2009-07-27 14:24 . 2006-09-12 13:02 -------- d-----w- c:\program files\Java
2009-07-24 15:24 . 2009-06-19 13:49 -------- d-----w- d:\profiles\user\Application Data\U3
2009-07-09 10:08 . 2009-05-11 08:48 -------- d-----w- d:\profiles\All Users\Application Data\Microsoft Help
2009-07-01 08:40 . 2009-02-16 11:32 6612797 ----a-w- d:\profiles\All Users\Application Data\McAfee\Common Framework\Current\EPOAGENT3000\Install409\FramePkg.exe
2009-06-30 12:37 . 2009-06-30 12:37 -------- d-----w- c:\program files\eviware
2009-06-06 18:46 . 2009-06-06 18:47 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-05 03:24 . 2009-02-16 10:58 247104 ----a-w- c:\windows\system32\KevlarSigs.dll
2006-09-12 13:51 . 2006-09-12 13:51 0 -c--a-w- c:\program files\Common Files\buffer.log
2006-09-12 13:51 . 2006-09-12 13:51 0 -c--a-w- c:\program files\Common Files\access.log
2008-09-29 07:07 . 2009-02-16 11:31 22576 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"Google Update"="d:\profiles\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-13 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-14 8495104]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-14 81920]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-09-07 1236992]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"TLogonPath"="c:\program files\Timbuktu Pro\Tb2Logon.exe" [2007-07-24 618496]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"McAfee Host Intrusion Prevention Tray"="c:\program files\McAfee\Host Intrusion Prevention\FireTray.exe" [2009-03-10 972096]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-04-09 124240]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-06 148888]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-05-18 136512]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-14 1626112]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2007-12-14 86016]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
d:\profiles\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-12-7 2929992]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2008-10-9 1459392]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-2-14 389120]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuMyMusic"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Timbuktu Pro]
2007-07-24 14:11 81920 ----a-w- c:\program files\Timbuktu Pro\HOOK32.DLL
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R1 Tb2Device;TB2 Remote Control Driver;NetopiaRC\Tb2Device.sys --> NetopiaRC\Tb2Device.sys [?]
R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys --> NetopiaRC\Tb2MirrorSys.sys [?]
R2 BCMWLNPF;Broadcom Netgroup Packet Filter;c:\windows\system32\drivers\BCMWLNPF.SYS [10/8/2008 10:48 AM 33664]
R2 enterceptAgent;McAfee Host Intrusion Prevention Service;c:\program files\McAfee\Host Intrusion Prevention\FireSvc.exe [3/10/2009 5:23 PM 1471808]
R2 McAfee SiteAdvisor Enterprise Service;McAfee SiteAdvisor Enterprise Service;c:\program files\McAfee\SiteAdvisor Enterprise\McSACore.exe [11/20/2008 5:11 PM 231424]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [4/9/2009 8:07 PM 21256]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2/16/2009 1:31 PM 70216]
R3 egxfilter;egxfilter;c:\windows\system32\drivers\egxfilter.sys [10/8/2008 7:40 PM 93568]
R3 FirehkMP;FirehkMP;c:\windows\system32\drivers\firehk.sys [4/29/2008 5:46 PM 44680]
R3 HIPK;McAfee Inc. HIPK;c:\windows\system32\drivers\HIPK.sys [2/16/2009 12:58 PM 110384]
R3 HIPPSK;McAfee Inc. HIPPSK;c:\windows\system32\drivers\HIPPSK.sys [2/16/2009 12:58 PM 38200]
R3 HIPQK;McAfee Inc. HIPQK;c:\windows\system32\drivers\HIPQK.sys [2/16/2009 12:58 PM 35584]
R3 hips;McAfee HIPSCore Service;c:\program files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe [3/12/2009 2:16 PM 34408]
S1 c5e090d1;c5e090d1;c:\windows\system32\drivers\c5e090d1.sys --> c:\windows\system32\drivers\c5e090d1.sys [?]
S3 Firehk;McAfee NDIS Intermediate Filter;c:\windows\system32\drivers\firehk.sys [4/29/2008 5:46 PM 44680]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2/16/2009 1:31 PM 65224]
S3 Tomcat5;Apache Tomcat;d:\server\Apache\Tomcat 5.5\bin\tomcat5.exe [8/29/2008 5:12 AM 57344]
S3 Tomcat6;Apache Tomcat 6;d:\server\Apache\Tomcat 6.0\bin\tomcat6.exe [5/14/2009 1:15 AM 57344]
UnknownUnknown Marimba;Marimba; [x]
.
Contents of the 'Scheduled Tasks' folder
2009-08-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3065341054-2396743971-680408661-44522Core.job
- d:\profiles\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-13 18:02]
2009-08-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3065341054-2396743971-680408661-44522UA.job
- d:\profiles\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-13 18:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - d:\profiles\user\Application Data\Mozilla\Firefox\Profiles\tmcdmif8.default\
FF - component: c:\program files\McAfee\SiteAdvisor Enterprise\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\Scriptff.dll
FF - component: d:\profiles\user\Application Data\Mozilla\Firefox\Profiles\tmcdmif8.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - plugin: d:\profiles\user\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: d:\videolan\VLC\npvlc.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-08-22 15:50
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(4548)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\scardsvr.exe
c:\program files\ARX\ARX CryptoKit\utils\ARCLTSRV.EXE
c:\program files\ARX\ARX CryptoKit\utils\ARCLTSRV.EXE
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Marimba\Castanet Tuner\Tuner.exe
c:\program files\Marimba\Castanet Tuner\lib\jre\bin\java.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\stacsv.exe
c:\program files\Timbuktu Pro\tb2launch.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\Timbuktu Pro\TimbuktuRemoteConsole.exe
c:\windows\system32\searchindexer.exe
c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Timbuktu Pro\tb2pro.exe
d:\profiles\user\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Timbuktu Pro\TNotify.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\windows\.marimba\Marimba\ch.3\data\sum.exe
.
**************************************************************************
.
Completion time: 2009-08-22 15:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-22 13:55
Pre-Run: 14,842,777,600 bytes free
Post-Run: 15,464,906,752 bytes free
281