patjed

Members · Content count: 7 · Rank: New Member

About patjed
  1. The malicious software is still running.
  2. Hi Maniac,

     Sorry it took a while! Too busy with work to reply earlier...

     Malwarebytes Anti-Malware (-evaluatieversie-) 1.61.0.1400
     www.malwarebytes.org

     Databaseversie: v2012.05.11.05

     Windows XP Service Pack 3 x86 NTFS
     Internet Explorer 8.0.6001.18702
     Dittie :: PATRICK [administrator]

     Realtime bescherming: Uitgeschakeld

     11-5-2012 19:03:00
     mbam-log-2012-05-11 (19-03-00).txt

     Scantype: Snelle scan
     Ingeschakelde scanopties: Geheugen | Opstartitems | Register | Bestanden en mappen | Heuristiek/Extra | Heuristiek/Shuriken | PUP | PUM
     Uitgeschakelde scanopties: P2P
     Objecten gescand: 418322
     Verstreken tijd: 47 minuut/minuten, 3 seconde(n)

     Geheugenprocessen gedetecteerd: 0
     (Geen kwaadaardige objecten gedetecteerd)

     Geheugenmodulen gedetecteerd: 0
     (Geen kwaadaardige objecten gedetecteerd)

     Registersleutels gedetecteerd: 0
     (Geen kwaadaardige objecten gedetecteerd)

     Registerwaarden gedetecteerd: 0
     (Geen kwaadaardige objecten gedetecteerd)

     Registerdata gedetecteerd: 0
     (Geen kwaadaardige objecten gedetecteerd)

     Mappen gedetecteerd: 0
     (Geen kwaadaardige objecten gedetecteerd)

     Bestanden gedetecteerd: 0
     (Geen kwaadaardige objecten gedetecteerd)

     (einde)

     BTW: Sometimes my firewall gets loaded before the malware and then I am able to block it. It does not hook into Explorer.exe when I do.
  3. I just recreated the logs:
  4. Hi Maniac,

     In the end the dds.scr did work on my virtual. Some of the behaviour I see occurring on my machine:

     - resolving 4 specific hosts
     - doing a version check /ver/ajax.php
     - posting encrypted data to the 4 specific hosts to /g.php

     I am a bit hesitant to post the attach.log file because it shows a lot about my system's configuration, please let me know if you really need it.
network.proxy.type - 0</div> <div>FF - plugin: c:\documents and settings\dittie\local settings\application data\unity\webplayer\loader\npUnity3D32.dll</div> <div>FF - plugin: c:\program files\battlelog web plugins\0.80.0\npesnlaunch.dll</div> <div>FF - plugin: c:\program files\battlelog web plugins\sonar\0.70.0\npesnsonar.dll</div> <div>FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll</div> <div>FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll</div> <div>FF - plugin: c:\program files\mozilla firefox\plugins\NPJinit13113.dll</div> <div>FF - plugin: c:\program files\mozilla firefox\plugins\NPJinit13128.dll</div> <div>FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll</div> <div>.</div> <div>---- FIREFOX POLICIES ----</div> <div>FF - user.js: network.cookie.cookieBehavior - 0</div> <div>FF - user.js: privacy.clearOnShutdown.cookies - false</div> <div>FF - user.js: security.warn_viewing_mixed - false</div> <div>FF - user.js: security.warn_viewing_mixed.show_once - false</div> <div>FF - user.js: security.warn_submit_insecure - false</div> <div>FF - user.js: security.warn_submit_insecure.show_once - false</div> <div>.</div> <div>============= SERVICES / DRIVERS ===============</div> <div>.</div> <div>R0 odFips;odFips;c:\windows\system32\drivers\odFIPS.sys [2008-2-12 254208]</div> <div>R0 prl_pv32;prl_pv32;c:\windows\system32\drivers\prl_pv32.sys [2009-6-24 23880]</div> <div>R0 prl_strg;Parallels paravirt disk filter;c:\windows\system32\drivers\prl_strg.sys [2011-3-25 29640]</div> <div>R0 prl_tg;Parallels Tool Device;c:\windows\system32\drivers\prl_tg.sys [2009-6-24 24008]</div> <div>R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2010-4-22 65584]</div> <div>R1 prl_boot;Parallels BootCamp Helper;c:\windows\system32\drivers\prl_boot.sys [2011-9-7 38600]</div> <div>R1 prl_fs;Parallels Shared Folders;c:\windows\system32\drivers\prl_fs.sys [2008-11-8 149448]</div> <div>R2 
AppleOSSMgr;Apple OS Switch Manager;c:\windows\system32\AppleOSSMgr.exe [2009-5-11 136496]</div> <div>R2 AppleTimeSrv;Apple tijdvoorziening;c:\windows\system32\AppleTimeSrv.exe [2009-5-11 99632]</div> <div>R2 inpout32;inpout32;c:\windows\system32\drivers\inpout32.sys [2009-11-6 11936]</div> <div>R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\common files\juniper networks\juns\dsAccessService.exe [2007-12-20 83320]</div> <div>R2 KeyAgent;KeyAgent;c:\windows\system32\drivers\KeyAgent.sys [2009-11-15 5760]</div> <div>R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-27 374152]</div> <div>R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-5-31 12856]</div> <div>R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-10-21 47640]</div> <div>R2 MacHALDriver;Mac HAL;c:\windows\system32\drivers\MacHALDriver.sys [2009-5-11 6784]</div> <div>R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-2-12 654408]</div> <div>R2 paldrv;paldrv;c:\windows\system32\pal_drv.sys [2010-4-8 11107]</div> <div>R2 Parallels Coherence Service;Parallels Coherence Service;c:\program files\parallels\parallels tools\services\coherence.exe [2011-9-7 28488]</div> <div>R2 Parallels Tools Service;Parallels Tools Service;c:\program files\parallels\parallels tools\services\prl_tools_service.exe [2011-9-7 186696]</div> <div>R2 PFNet;Privacyware network service;c:\program files\privacyware\privatefirewall 7.0\pfsvc.exe [2012-4-5 374120]</div> <div>R2 prl_memdev;Parallels Memdev Driver;c:\windows\system32\drivers\prl_memdev.sys [2011-10-30 15176]</div> <div>R2 prl_time;Parallels Time Synchronization Helper;c:\windows\system32\drivers\prl_time.sys [2011-10-30 15816]</div> <div>R2 Silk Launcher Service;Silk Launcher Service;c:\program files\silk\shared files\sglauncher\sgLauncher.exe [2012-4-26 2270424]</div> <div>R2 
vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2011-3-25 70768]</div> <div>R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2011-3-25 539248]</div> <div>R3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-2-2 218688]</div> <div>R3 jnprna;Juniper Network Agent Miniport;c:\windows\system32\drivers\jnprna.sys [2007-10-5 390528]</div> <div>R3 JnprVaMgr;Juniper Networks Virtual Adapter Manager Service;c:\windows\system32\drivers\jnprvamgr.sys [2007-10-5 29312]</div> <div>R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-2-12 22344]</div> <div>R3 prl_eth5;Parallels Ethernet Adapter;c:\windows\system32\drivers\prl_eth5.sys [2009-6-24 18376]</div> <div>R3 prl_mouf;Parallels Mouse Synchronization Device;c:\windows\system32\drivers\prl_mouf.sys [2009-6-24 16200]</div> <div>R3 prl_sound;Parallels Audio Controller;c:\windows\system32\drivers\prl_sound.sys [2011-3-25 45896]</div> <div>R3 prl_va;Parallels Video Adapter;c:\windows\system32\drivers\prl_vamp.sys [2009-6-24 25928]</div> <div>R3 pwipf6;Privacyware Filter Driver;c:\windows\system32\drivers\pwipf6.sys [2012-5-1 131896]</div> <div>S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]</div> <div>S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-2-15 158856]</div> <div>S2 StackTrace;StackTrace;c:\program files\stacktrace\jetty\service\win32\Wrapper.exe [2011-6-17 110592]</div> <div>S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-4 253088]</div> <div>S3 applemtm;Apple Multitouch Mouse;c:\windows\system32\drivers\applemtm.sys [2009-6-24 10496]</div> <div>S3 applemtp;Apple Multitouch;c:\windows\system32\drivers\applemtp.sys [2009-6-24 29696]</div> <div>S3 
EacService;Juniper TNC Endpoint Assessment;c:\program files\common files\juniper networks\tnc client\jTnccService.exe [2008-2-13 116008]</div> <div>S3 IRRemoteFlt;IR Receiver Filter Driver;c:\windows\system32\drivers\IRFilter.sys [2009-6-24 16512]</div> <div>S3 KeyMagic;USB Keyboard HID Filter;c:\windows\system32\drivers\KeyMagic.sys [2009-6-24 23552]</div> <div>S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]</div> <div>S3 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\postgresql\8.3\bin\pg_ctl.exe [2009-12-10 65536]</div> <div>S3 ServiceEmulation;HP ServiceEmulation;c:\program files\hp\loadrunner\apache-tomcat-5.5.17\bin\tomcat5.exe [2009-1-14 102400]</div> <div>S3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\ultramonmirror.sys --> c:\windows\system32\drivers\UltraMonMirror.sys [?]</div> <div>S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]</div> <div>S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-15 14336]</div> <div>S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]</div> <div>S4 LMIRfsClientNP;LMIRfsClientNP; [x]</div> <div>S4 SiteScope;SiteScope;c:\progra~1\sitescope\tools\sitescopeservice.exe [2009-7-23 48640]</div> <div>.</div> <div>=============== Created Last 30 ================</div> <div>.</div> <div>2012-05-01 13:00:13<span class="Apple-tab-span" style="white-space:pre"> </span>96784<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\WPRO_41_1879woem.tmp</div> <div>2012-05-01 13:00:13<span class="Apple-tab-span" style="white-space:pre"> </span>109072<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> 
</span>c:\windows\system32\WPRO_41_1879woem_nm.tmp</div> <div>2012-05-01 11:27:38<span class="Apple-tab-span" style="white-space:pre"> </span>--------<span class="Apple-tab-span" style="white-space:pre"> </span>d-----w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\documents and settings\dittie\local settings\application data\Privatefirewall</div> <div>2012-05-01 11:24:41<span class="Apple-tab-span" style="white-space:pre"> </span>131896<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\drivers\pwipf6.sys</div> <div>2012-05-01 11:24:35<span class="Apple-tab-span" style="white-space:pre"> </span>--------<span class="Apple-tab-span" style="white-space:pre"> </span>d-----w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\documents and settings\all users\application data\Privacyware</div> <div>2012-05-01 11:24:34<span class="Apple-tab-span" style="white-space:pre"> </span>--------<span class="Apple-tab-span" style="white-space:pre"> </span>d-----w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\program files\Privacyware</div> <div>2012-04-29 15:37:56<span class="Apple-tab-span" style="white-space:pre"> </span>58880<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\WSPDll.dll</div> <div>2012-04-29 15:37:32<span class="Apple-tab-span" style="white-space:pre"> </span>--------<span class="Apple-tab-span" style="white-space:pre"> </span>d-----w-<span class="Apple-tab-span" style="white-space:pre"> </span>C:\fn</div> <div>2012-04-27 12:25:44<span class="Apple-tab-span" style="white-space:pre"> </span>--------<span class="Apple-tab-span" style="white-space:pre"> </span>d-----w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\program files\NeoLoad 4.0</div> <div>2012-04-27 10:31:47<span class="Apple-tab-span" 
style="white-space:pre"> </span>--------<span class="Apple-tab-span" style="white-space:pre"> </span>d-----w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\documents and settings\dittie\application data\Ywak</div> <div>2012-04-27 10:31:47<span class="Apple-tab-span" style="white-space:pre"> </span>--------<span class="Apple-tab-span" style="white-space:pre"> </span>d-----w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\documents and settings\dittie\application data\Ekwosy</div> <div>2012-04-27 10:31:47<span class="Apple-tab-span" style="white-space:pre"> </span>--------<span class="Apple-tab-span" style="white-space:pre"> </span>d-----w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\documents and settings\dittie\application data\Axaxfo</div> <div>2012-04-26 13:09:22<span class="Apple-tab-span" style="white-space:pre"> </span>247992<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\qaphooks.dll</div> <div>2012-04-26 13:06:49<span class="Apple-tab-span" style="white-space:pre"> </span>--------<span class="Apple-tab-span" style="white-space:pre"> </span>d-----w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\documents and settings\dittie\application data\Silk</div> <div>2012-04-26 12:22:01<span class="Apple-tab-span" style="white-space:pre"> </span>--------<span class="Apple-tab-span" style="white-space:pre"> </span>d-----w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\documents and settings\dittie\local settings\application data\Silk</div> <div>2012-04-26 12:21:28<span class="Apple-tab-span" style="white-space:pre"> </span>--------<span class="Apple-tab-span" style="white-space:pre"> </span>d-----w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\documents and settings\all users\application data\Silk</div> <div>2012-04-26 12:19:41<span class="Apple-tab-span" 
style="white-space:pre"> </span>--------<span class="Apple-tab-span" style="white-space:pre"> </span>d-s---w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\program files\Silk</div> <div>2012-04-26 12:14:43<span class="Apple-tab-span" style="white-space:pre"> </span>--------<span class="Apple-tab-span" style="white-space:pre"> </span>d-----w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\program files\MSXML 4.0</div> <div>2012-04-26 12:11:30<span class="Apple-tab-span" style="white-space:pre"> </span>--------<span class="Apple-tab-span" style="white-space:pre"> </span>d--h--w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\program files\Zero G Registry</div> <div>2012-04-04 10:13:40<span class="Apple-tab-span" style="white-space:pre"> </span>418464<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\FlashPlayerApp.exe</div> <div>2012-04-02 14:48:52<span class="Apple-tab-span" style="white-space:pre"> </span>--------<span class="Apple-tab-span" style="white-space:pre"> </span>d-----w-<span class="Apple-tab-span" style="white-space:pre"> </span>C:\popclient</div> <div>.</div> <div>==================== Find3M ====================</div> <div>.</div> <div>2012-04-13 18:49:05<span class="Apple-tab-span" style="white-space:pre"> </span>70304<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\FlashPlayerCPLApp.cpl</div> <div>2012-04-04 13:56:40<span class="Apple-tab-span" style="white-space:pre"> </span>22344<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\drivers\mbam.sys</div> <div>.</div> <div>============= FINISH: 16:33:40.37 ===============</div> <div> </div> <div> </div> <div> </div> <p> </p> <p> </p> <p> </p> <div 
id="myEventWatcherDiv" style="display:none;"> </div>
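A DDS log like the one above is a flat text dump of autostart points, per-interface DNS settings, browser prefs, services and recently created files, and most of the triage work is cross-referencing those sections against each other. The script below is an added example written for this page; it is not part of the thread, not a DDS or Malwarebytes tool, and nobody in the thread proposed it. It parses a constructed sample (a dozen lines copied from the log in the post) and applies four triage rules of my own: per-interface `NameServer` entries pointing at loopback, `AppInit_DLLs` entries cross-checked against the "Created Last 30" list to date the DLL's arrival, several directories created in the same second under the user's Application Data, and `user.js` lines that switch off Firefox `security.warn_*` prompts. A hit means "look closer", not "malware": a loopback resolver can be a legitimate local DNS proxy, and a same-second burst of directories can be an installer.

```python
"""Triage helper for DDS-style log text (added example, not a DDS tool).

The rules here are the author's own heuristics for this page; a hit is a
lead to verify by hand (file signature, what listens on UDP 53, which
installer ran), not a verdict.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the DDS log quoted in the post above.
SAMPLE_LOG = """\
TCP: DhcpNameServer = 10.211.55.1
TCP: Interfaces\\{0066A990-356F-47EC-9CBC-AC11FDA3F05A} : DhcpNameServer = 10.211.55.1
TCP: Interfaces\\{1553E44B-4B3B-4618-A4D4-FD52D0B992DB} : NameServer = 127.0.0.1
TCP: Interfaces\\{222E7459-A2A0-4F57-9C42-FF0408F28EC6} : NameServer = 127.0.0.1
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: qaphooks.dll
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: security.warn_submit_insecure - false
.
=============== Created Last 30 ================
.
2012-05-01 11:24:41\t131896\t----a-w-\tc:\\windows\\system32\\drivers\\pwipf6.sys
2012-04-27 10:31:47\t--------\td-----w-\tc:\\documents and settings\\dittie\\application data\\Ywak
2012-04-27 10:31:47\t--------\td-----w-\tc:\\documents and settings\\dittie\\application data\\Ekwosy
2012-04-27 10:31:47\t--------\td-----w-\tc:\\documents and settings\\dittie\\application data\\Axaxfo
2012-04-26 13:09:22\t247992\t----a-w-\tc:\\windows\\system32\\qaphooks.dll
2012-04-26 13:06:49\t--------\td-----w-\tc:\\documents and settings\\dittie\\application data\\Silk
"""

# "Created Last 30" rows are tab separated: timestamp, size, attribute flags, path.
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\t(\S+)\t(\S+)\t(.+)$")
# Per-interface resolver lines: TCP: Interfaces\{GUID} : NameServer = addr
NS_RE = re.compile(r"^TCP: Interfaces\\(\{[0-9A-Fa-f-]+\}) : NameServer = (\S+)$")


def parse_created(text):
    """Return (timestamp, size, attrs, path) tuples from the Created Last 30 section."""
    return [m.groups() for m in (CREATED_RE.match(l) for l in text.splitlines()) if m]


def loopback_dns_interfaces(text):
    """GUIDs of interfaces whose statically set NameServer is a 127.x address."""
    return [m.group(1) for m in (NS_RE.match(l) for l in text.splitlines())
            if m and m.group(2).startswith("127.")]


def appinit_dlls(text):
    """DLL names under AppInit_DLLs (loaded into every process that maps user32)."""
    dlls = []
    for line in text.splitlines():
        if line.startswith("AppInit_DLLs:"):
            dlls.extend(line.split(":", 1)[1].split())
    return dlls


def appinit_dll_origin(text, rows):
    """Created-list rows whose file name matches an AppInit_DLLs entry, i.e. when it appeared."""
    names = {d.lower() for d in appinit_dlls(text)}
    return [(ts, path) for ts, _size, _attrs, path in rows
            if path.lower().rsplit("\\", 1)[-1] in names]


def same_second_dirs(rows, under="application data", min_count=2):
    """Timestamps at which min_count or more directories under `under` were created."""
    groups = defaultdict(list)
    for ts, _size, attrs, path in rows:
        if attrs.startswith("d") and under in path.lower():
            groups[ts].append(path)
    return {ts: paths for ts, paths in groups.items() if len(paths) >= min_count}


def weakened_firefox_prefs(text):
    """user.js lines that turn a Firefox security.warn_* prompt off."""
    return [l for l in text.splitlines()
            if l.startswith("FF - user.js: security.warn_") and l.rstrip().endswith("false")]


def triage(text):
    """Run every rule over the log text and return the findings keyed by rule."""
    rows = parse_created(text)
    return {
        "loopback_dns": loopback_dns_interfaces(text),
        "appinit_dlls": appinit_dlls(text),
        "appinit_origin": appinit_dll_origin(text, rows),
        "same_second_dirs": same_second_dirs(rows),
        "weakened_ff_prefs": weakened_firefox_prefs(text),
    }


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_LOG).items():
        print(f"{rule}: {hits}")
```

Run against a full DDS.txt by replacing `SAMPLE_LOG` with the file contents. The `appinit_origin` cross-check is the useful one on a log like this: it ties a load point to a creation time, which you can then line up against the other entries created in the same minutes.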
  5. Unfortunately the dds.scr does not work. It will start and show progress but never finishes. Any idea why?
  6. Thanks for your reply! Do you want me to run the instructions in pure Windows mode (bootcamped) or as a virtual machine under OS X Parallels?
  7. Hi All, Yesterday I had this strange call on Skype from someone with "..............." as a name. I decided to answer but didn't hear anything. I hung up after about 10 seconds. I kept playing my game and shut down my PC afterwards. On the next boot I noticed my login screen for Windows was bypassed. Normally I need to select my profile to log in, but that wasn't necessary anymore. I found that suspicious enough to download Process Explorer and found that a process "Explorer.exe" was making registry changes, and in netstat I found communication to a domain named ********.your-server.de. Everything was suspicious to me, but anti-malware tools including Malwarebytes and online scans of the files had no results. Today, however, I noticed something very weird and found the file responsible. Please see the attached screenshot for what I found and the message I got. So it seems like an infection through Skype (unconfirmed, but it was a weird call) with some home-calling malware. Can anybody tell me how I proceed? P.S. I run this XP image as a Boot Camp partition on my Mac but ALSO as a virtual machine in OS X. Physically the same image.