FirefoxForNow

  1. Hello- sorry I've been a couple of days without replying. Finally had some free time to deal with it- the GooredFix seems to have worked- the Firefox redirect problem is gone. Excellent! Log is below. I imagine that it already took care of everything but I thought I'd check if there is anything further that should be done... Thanks again for all your help- you have been very cooperative and effective. If I ever need any future help, I'll be sure to come here. Gracias, and may you continue to be victorious in all your future malware battles.

GooredFix v1.92 by jpshortstuff
Log created at 20:11 on 11/03/2009 running Option #2 (Marcus)
Firefox version 3.0.7 (en-US)

=====Goored Deletions=====
C:\Program Files\Mozilla Firefox\extensions\{DC850E77-604F-498A-BF47-A171D66E9AA1}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"
  2. Yes, I am behind a cable router.
  3. I guess my main question at this point then is... how do I go about dealing with the re-route issue with Firefox web searches? Should I just try reinstalling Firefox? Might deleting the old system restore points help with this Firefox redirect issue? Thanks again.
  4. GMER found some stuff. The System Volume Information system restore thing sounds familiar... I think that McAfee reported a System Volume Information infection around a month ago. Possible infected restore points? Thanks for the prompt responses.

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-03-04 22:39:34
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.14 ----
SSDT sptd.sys ZwCreateKey [0xB9ED9AC8]
SSDT sptd.sys ZwEnumerateKey [0xB9ED9C22]
SSDT sptd.sys ZwEnumerateValueKey [0xB9ED9F9A]
SSDT sptd.sys ZwOpenKey [0xB9ED998E]
SSDT sptd.sys ZwQueryKey [0xB9EDA064]
SSDT sptd.sys ZwQueryValueKey [0xB9ED9EFC]
SSDT sptd.sys ZwSetValueKey [0xB9EDA0EC]

---- Kernel code sections - GMER 1.0.14 ----
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? C:\WINDOWS\System32\Drivers\SPTD8701.SYS The process cannot access the file because it is being used by another process.
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 B8FA54F0 16 Bytes [ FA, B2, 91, 10, AD, 3B, 4F, ... ]
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 + 11 B8FA5501 31 Bytes [ 40, FA, B8, C6, 8C, 8F, B5, ... ]
? C:\WINDOWS\System32\Drivers\dtscsi.sys The process cannot access the file because it is being used by another process.

---- Kernel IAT/EAT - GMER 1.0.14 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [b9ED5AD2] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [b9ED5C0E] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [b9ED5B96] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [b9ED676C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [b9ED6642] sptd.sys

---- Devices - GMER 1.0.14 ----
Device \FileSystem\Ntfs \Ntfs 8AC0EBF8
Device \FileSystem\Udfs \UdfsCdRom 8A9AF8E8
Device \FileSystem\Udfs \UdfsCdRom tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Udfs \UdfsDisk 8A9AF8E8
Device \FileSystem\Udfs \UdfsDisk tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \Driver\NetBT \Device\NetBT_Tcpip_{585841F7-1DD4-4AC7-A6D6-364A1534A3BF} 89D47748
AttachedDevice \Driver\Tcpip \Device\Ip mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8ABC1410
Device \Driver\dmio \Device\DmControl\DmConfig 8ABC1410
Device \Driver\dmio \Device\DmControl\DmPnP 8ABC1410
Device \Driver\dmio \Device\DmControl\DmInfo 8ABC1410
Device \Driver\00000073 \Device\00000053 sptd.sys
AttachedDevice \Driver\Tcpip \Device\Tcp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
Device \Driver\prodrv06 \Device\ProDrv06 E1EC23F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8ABC16C8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8ABC16C8
Device \Driver\Cdrom \Device\CdRom0 8A9E6830
Device \FileSystem\Rdbss \Device\FsWrap 89D333C0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\Ftdisk \Device\HarddiskVolume3 8ABC16C8
Device \Driver\prohlp02 \Device\ProHlp02 E189D338
Device \Driver\NetBT \Device\NetBt_Wins_Export 89D47748
Device \Driver\NetBT \Device\NetbiosSmb 89D47748
AttachedDevice \Driver\Tcpip \Device\Udp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
Device \Driver\Disk \Device\Harddisk0\DR0 8AC0EE30
AttachedDevice \Driver\Tcpip \Device\RawIp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
Device \Driver\NetBT \Device\NetBT_Tcpip_{45DA8E86-FDFA-4A7D-B4F1-16F25E484B3B} 89D47748
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89D31548
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89D31548
Device \FileSystem\Npfs \Device\NamedPipe 8A52E258
Device \Driver\Ftdisk \Device\FtControl 8ABC16C8
Device \FileSystem\Msfs \Device\Mailslot 89D989F8
Device \Driver\dtscsi \Device\Scsi\dtscsi1 8A8D09F8
Device \FileSystem\Fastfat \Fat 89D3E840
Device \FileSystem\Fastfat \Fat AC54D297

---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s0 1353520082
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -1871465379
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -1571322080
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x18 0x90 0xB8 0xA0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA4 0xD2 0xA5 0x3A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xEB 0xAE 0x27 0xA4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x64 0xDC 0x93 0x47 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xBB 0xCE 0x6F 0x4C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xF3 0xE4 0x4B 0x74 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x18 0x90 0xB8 0xA0 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA4 0xD2 0xA5 0x3A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xEB 0xAE 0x27 0xA4 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x64 0xDC 0x93 0x47 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xBB 0xCE 0x6F 0x4C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xF3 0xE4 0x4B 0x74 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x18 0x90 0xB8 0xA0 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA4 0xD2 0xA5 0x3A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xEB 0xAE 0x27 0xA4 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x64 0xDC 0x93 0x47 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xBB 0xCE 0x6F 0x4C ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xF3 0xE4 0x4B 0x74 ...

---- Files - GMER 1.0.14 ----
ADS C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP46\A0004733.exe:mian.nest.9.10 18944 bytes executable

---- EOF - GMER 1.0.14 ----
  5. Tigger- Thanks for responding despite the hiatus. Deleted the Qoobox folder and downloaded a new ComboFix file. Ran scan. Your help is appreciated.

ComboFix 09-03-03.01 - Marcus 2009-03-04 17:48:48.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1806 [GMT -8:00]
Running from: c:\documents and settings\Marcus\Desktop\ComboFix.exe
 * Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2009-02-05 to 2009-03-05 )))))))))))))))))))))))))))))))
.
2009-02-24 15:20 . 2009-02-24 15:20 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-02-20 19:06 . 2009-02-20 21:25 <DIR> d-------- C:\Lop SD
2009-02-20 17:52 . 2009-02-20 17:52 <DIR> d-------- c:\program files\Trend Micro
2009-02-19 01:04 . 2009-02-19 01:04 73,728 --a------ c:\windows\system32\javacpl.cpl
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 23:19 --------- d-----w c:\program files\Common Files\Adobe
2009-02-24 07:36 --------- d-----w c:\program files\HP
2009-02-21 05:20 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-21 05:20 --------- d-----w c:\program files\LucasArts
2009-02-21 02:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-20 00:49 --------- d-----w c:\program files\Creative
2009-02-20 00:47 --------- d-----w c:\program files\GemMaster
2009-02-19 09:04 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-02-19 09:04 --------- d-----w c:\program files\Java
2009-02-19 08:18 --------- d-----w c:\documents and settings\Marcus\Application Data\uTorrent
2009-02-19 08:17 --------- d-----w c:\program files\uTorrent
2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-10 22:00 1,033,728 ----a-w c:\windows\system32\dllcache\explorer.exe
2009-02-10 22:00 1,033,728 ----a-w c:\windows\explorer.exe
2009-01-24 04:09 --------- d-----w c:\program files\Activision
2008-12-12 17:01 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2007-05-27 03:22 24,192 -c--a-w c:\documents and settings\Marcus\usbsermptxp.sys
2007-05-27 03:22 22,768 -c--a-w c:\documents and settings\Marcus\usbsermpt.sys
2005-10-06 23:17 280,576 -c--a-w c:\windows\inf\WG311v3\WG311v3XP.sys
2005-10-06 23:17 280,576 -c--a-w c:\windows\inf\WG311v3\WG311v3.sys
2005-03-01 19:16 212,992 -c--a-w c:\windows\inf\WG311v3\CopyWHQLDriver.exe
2005-10-09 09:09 1,682 -csha-w c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 344064]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-08 128920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-10 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-19 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"P17Helper"="P17.dll" [2004-06-10 c:\windows\system32\P17.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
MA111 Configuration Utility.lnk - c:\program files\NETGEAR\MA111 Configuration Utility\wlancfg.exe [2006-09-01 459264]
NETGEAR WG311v3 Smart Wizard.lnk - c:\windows\Installer\{70014586-7BBA-4A92-A610-CDC896C48F8F}\NewShortcut1_1.exe [2006-11-27 1078]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"%windir%\\explorer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12345:UDP"= 12345:UDP:dc++

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-09-14 58048]
S3 WlanUIB;NETGEAR 802.11b USB Driver;c:\windows\system32\drivers\MA111nd5.sys [2006-09-01 666624]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ENTDRV51
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.dell4me.com/myway
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Marcus\Application Data\Mozilla\Firefox\Profiles\vosyr6jb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-04 17:51:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)
c:\windows\system32\MrvGINA.dll

- - - - - - - > 'lsass.exe'(924)
c:\windows\system32\EntApi.dll
.
Completion time: 2009-03-04 17:53:07
ComboFix-quarantined-files.txt 2009-03-05 01:53:04
ComboFix2.txt 2009-02-24 20:34:34

Pre-Run: 17,573,416,960 bytes free
Post-Run: 17,623,048,192 bytes free

128 --- E O F --- 2009-02-24 22:53:47
  6. Hello. This is a continuation of a previous thread located here: http://www.malwarebytes.org/forums/index.php?showtopic=11604 I flaked out for a while and the thread was closed. My fault- your previous proficiency at eliminating the major problems, and my personal frustration with Kaspersky, delayed my response. I haven't installed/uninstalled any software since my last post. No symptoms have appeared/disappeared. I can post a fresh HJT log if you wish. The Kaspersky prompts didn't coordinate perfectly with your instructions, but I think I worked it out and ran the scan as you asked. It's possible that I am just crummy at interpreting your instructions (my bad). Here are the results- it seems that something was found. Long scan time! Again, sorry for the flakiness. You have been very successful and proficient at disinfecting my machine so far- I'd be bummed to lose your help now.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, March 3, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, March 04, 2009 01:14:06
Records in database: 1866833
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
I:\

Scan statistics:
Files scanned: 89601
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 01:08:17

File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\998.exe.vir Infected: Trojan.Win32.Monder.bdnr 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir Infected: Trojan-Dropper.Win32.Agent.ahob 1

The selected area was scanned.
  7. One more item- All my system restore points from before infection are still absent. I was hoping that after disinfection, these might be accessible again. I guess it is possible that they were actually deleted/wiped, but I figured I'd let you know.
  8. Things are looking good. I'm still getting some signs of infection. IE is running fine, but Google searches on Firefox result in random (not consistent) redirects. McAfee is also still disabled on startup, which doesn't seem right. MWBAM scan still coming up with nothing. Any ideas what is causing the Firefox bug? Should I try uninstalling/reinstalling it? Again, thanks for all your help Tigger. +1 to your karma stash.
  9. Okay. ComboFix ran the script without event. No reboot necessary. Can't tell if any infection signs have left. I will post back after reboot/further PC use to tell you if any have been dealt with.

ComboFix 09-02-19.01 - Marcus 2009-02-24 12:30:06.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.2036 [GMT -8:00]
Running from: c:\documents and settings\Marcus\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Marcus\Desktop\CFScript.txt
 * Created a new restore point

FILE ::
C:\backup.reg
C:\cleanup.bat
C:\cleanup.exe
c:\windows\ccddawrp
C:\zip.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\backup.reg
C:\cleanup.bat
C:\cleanup.exe
c:\windows\ccddawrp
C:\zip.exe
.
((((((((((((((((((((((((( Files Created from 2009-01-24 to 2009-02-24 )))))))))))))))))))))))))))))))
.
2009-02-24 12:23 . 2009-02-24 12:23 <DIR> d-------- c:\windows\LastGood
2009-02-20 19:06 . 2009-02-20 21:25 <DIR> d-------- C:\Lop SD
2009-02-20 17:52 . 2009-02-20 17:52 <DIR> d-------- c:\program files\Trend Micro
2009-02-19 01:04 . 2009-02-19 01:04 73,728 --a------ c:\windows\system32\javacpl.cpl
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 07:36 --------- d-----w c:\program files\HP
2009-02-21 05:20 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-21 05:20 --------- d-----w c:\program files\LucasArts
2009-02-21 02:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-20 00:49 --------- d-----w c:\program files\Creative
2009-02-20 00:47 --------- d-----w c:\program files\GemMaster
2009-02-19 09:04 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-02-19 09:04 --------- d-----w c:\program files\Java
2009-02-19 08:18 --------- d-----w c:\documents and settings\Marcus\Application Data\uTorrent
2009-02-19 08:17 --------- d-----w c:\program files\uTorrent
2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-10 22:00 1,033,728 ----a-w c:\windows\system32\dllcache\explorer.exe
2009-02-10 22:00 1,033,728 ----a-w c:\windows\explorer.exe
2009-01-24 04:09 --------- d-----w c:\program files\Activision
2008-12-31 06:33 --------- d-----w c:\program files\GTR2
2008-12-12 17:01 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2007-05-27 03:22 24,192 -c--a-w c:\documents and settings\Marcus\usbsermptxp.sys
2007-05-27 03:22 22,768 -c--a-w c:\documents and settings\Marcus\usbsermpt.sys
2005-10-06 23:17 280,576 -c--a-w c:\windows\inf\WG311v3\WG311v3XP.sys
2005-10-06 23:17 280,576 -c--a-w c:\windows\inf\WG311v3\WG311v3.sys
2005-03-01 19:16 212,992 -c--a-w c:\windows\inf\WG311v3\CopyWHQLDriver.exe
2005-10-09 09:09 1,682 -csha-w c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-02-21_19.51.43.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-22 03:37:42 54,280 ----a-w c:\windows\system32\perfc009.dat
+ 2009-02-24 20:25:55 46,924 ----a-w c:\windows\system32\perfc009.dat
- 2009-02-22 03:37:42 384,596 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-24 20:25:55 367,980 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-24 20:21:49 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_330.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 344064]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-08 128920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-10 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-19 148888]
"P17Helper"="P17.dll" [2004-06-10 c:\windows\system32\P17.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
MA111 Configuration Utility.lnk - c:\program files\NETGEAR\MA111 Configuration Utility\wlancfg.exe [2006-09-01 459264]
NETGEAR WG311v3 Smart Wizard.lnk - c:\windows\Installer\{70014586-7BBA-4A92-A610-CDC896C48F8F}\NewShortcut1_1.exe [2006-11-27 1078]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"%windir%\\explorer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12345:UDP"= 12345:UDP:dc++

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-09-14 58048]
S3 WlanUIB;NETGEAR 802.11b USB Driver;c:\windows\system32\drivers\MA111nd5.sys [2006-09-01 666624]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ENTDRV51
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.dell4me.com/myway
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Marcus\Application Data\Mozilla\Firefox\Profiles\vosyr6jb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-24 12:32:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)
c:\windows\system32\MrvGINA.dll

- - - - - - - > 'lsass.exe'(924)
c:\windows\system32\EntApi.dll
.
Completion time: 2009-02-24 12:34:32
ComboFix-quarantined-files.txt 2009-02-24 20:34:30
ComboFix2.txt 2009-02-24 07:17:52
ComboFix3.txt 2009-02-23 02:02:40
ComboFix4.txt 2009-02-22 19:54:11
ComboFix5.txt 2009-02-24 20:29:31

Pre-Run: 19,575,681,024 bytes free
Post-Run: 19,568,209,920 bytes free

154 --- E O F --- 2009-02-11 11:02:51

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:35:29 PM, on 2/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc.
- C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Unknown owner - C:\Documents and Settings\Marcus\Desktop\iPod\bin\iPodService.exe (file missing) O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe -- End of file - 7774 bytes
  10. Ran Avenger a second time. Here is the "services" prompt that popped up between the "sure you want to execute..." and "reboot..." prompts: "It is dangerous to edit services registry keys directly, if..." Sorry, that's all I jotted down. It's probably irrelevant, but after the 1st run and reboot, the internal speaker in my tower bleeped at me. It's never done that before. Strangely, after the second running of Avenger, there was no .txt log report that popped up. Maybe it knew that the log would be redundant and identical to the last it produced. I don't know. So I generated another ComboFix log... thought it might be more helpful than the Avenger log. What's the next plan of attack?

ComboFix 09-02-19.01 - Marcus 2009-02-23 23:13:13.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.2091 [GMT -8:00]
Running from: c:\documents and settings\Marcus\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2009-01-24 to 2009-02-24 )))))))))))))))))))))))))))))))
.
2009-02-23 22:59 . 2009-02-23 22:59 135,168 --a------ C:\zip.exe
2009-02-23 22:59 . 2009-02-23 22:59 19,286 --a------ C:\cleanup.exe
2009-02-23 22:59 . 2009-02-23 22:59 574 --a------ C:\cleanup.bat
2009-02-23 22:59 . 2009-02-23 22:59 0 --a------ C:\backup.reg
2009-02-20 19:06 . 2009-02-20 21:25 <DIR> d-------- C:\Lop SD
2009-02-20 17:52 . 2009-02-20 17:52 <DIR> d-------- c:\program files\Trend Micro
2009-02-19 01:04 . 2009-02-19 01:04 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-19 00:22 . 2009-02-19 00:30 1,924 --a------ c:\windows\ccddawrp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-21 05:20 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-21 05:20 --------- d-----w c:\program files\LucasArts
2009-02-21 02:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-20 00:49 --------- d-----w c:\program files\Creative
2009-02-20 00:47 --------- d-----w c:\program files\GemMaster
2009-02-19 09:04 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-02-19 09:04 --------- d-----w c:\program files\Java
2009-02-19 08:18 --------- d-----w c:\documents and settings\Marcus\Application Data\uTorrent
2009-02-19 08:17 --------- d-----w c:\program files\uTorrent
2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-10 22:00 1,033,728 ----a-w c:\windows\system32\dllcache\explorer.exe
2009-02-10 22:00 1,033,728 ----a-w c:\windows\explorer.exe
2009-01-24 04:09 --------- d-----w c:\program files\Activision
2008-12-31 06:33 --------- d-----w c:\program files\GTR2
2008-12-12 17:01 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2007-05-27 03:22 24,192 -c--a-w c:\documents and settings\Marcus\usbsermptxp.sys
2007-05-27 03:22 22,768 -c--a-w c:\documents and settings\Marcus\usbsermpt.sys
2005-10-06 23:17 280,576 -c--a-w c:\windows\inf\WG311v3\WG311v3XP.sys
2005-10-06 23:17 280,576 -c--a-w c:\windows\inf\WG311v3\WG311v3.sys
2005-03-01 19:16 212,992 -c--a-w c:\windows\inf\WG311v3\CopyWHQLDriver.exe
2005-10-09 09:09 1,682 -csha-w c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-02-21_19.51.43.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-22 03:37:42 54,280 ----a-w c:\windows\system32\perfc009.dat
+ 2009-02-24 07:06:55 54,280 ----a-w c:\windows\system32\perfc009.dat
- 2009-02-22 03:37:42 384,596 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-24 07:06:55 384,596 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-24 07:02:51 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_330.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 344064]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-08 128920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-10 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-19 148888]
"P17Helper"="P17.dll" [2004-06-10 c:\windows\system32\P17.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
MA111 Configuration Utility.lnk - c:\program files\NETGEAR\MA111 Configuration Utility\wlancfg.exe [2006-09-01 459264]
NETGEAR WG311v3 Smart Wizard.lnk - c:\windows\Installer\{70014586-7BBA-4A92-A610-CDC896C48F8F}\NewShortcut1_1.exe [2006-11-27 1078]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"%windir%\\explorer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12345:UDP"= 12345:UDP:dc++

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-09-14 58048]
S3 WlanUIB;NETGEAR 802.11b USB Driver;c:\windows\system32\drivers\MA111nd5.sys [2006-09-01 666624]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.dell4me.com/myway
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Marcus\Application Data\Mozilla\Firefox\Profiles\vosyr6jb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-23 23:16:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)
c:\windows\system32\MrvGINA.dll
.
Completion time: 2009-02-23 23:17:50
ComboFix-quarantined-files.txt 2009-02-24 07:17:48
ComboFix2.txt 2009-02-23 02:02:40
ComboFix3.txt 2009-02-22 19:54:11
ComboFix4.txt 2009-02-22 03:53:00

Pre-Run: 19,319,517,184 bytes free
Post-Run: 19,302,203,392 bytes free

139 --- E O F --- 2009-02-11 11:02:51
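The HijackThis and ComboFix logs in this thread are read by eye, line by line. The script below is an added triage example (written for this page, not the poster's logs and not code from HijackThis, ComboFix or any other tool named here): it parses the O4 Run-key and O23 service lines of a HijackThis log and the REGEDIT4-style "Reg Loading Points" block of a ComboFix log, and flags the patterns a helper looks for first, such as a service whose binary is "(file missing)" or has "Unknown owner", an autorun that starts from a user profile, and Security Center or firewall-policy values that silence protection. The sample lines are constructed in the same formats as the logs above; TRUSTED_ROOTS and every flagging rule are this example's own assumptions, not a verdict on any entry in the thread.

```python
"""Triage helpers for HijackThis-style and ComboFix-style log lines.

Added example for this thread, not the poster's logs or any tool's own code.
The sample lines below are constructed in the same format as the logs posted
above; TRUSTED_ROOTS and every heuristic are this example's own assumptions.
"""
import re

# Directories an XP autorun or service binary is expected to live under.
# Anything else (user profiles, temp, C:\ root) deserves a second look.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

# HijackThis O23 lines: "O23 - Service: <name> - <vendor> - <path>".
# Lazy groups split on the first two " - " separators, so a service whose
# display name itself contains " - " would be mis-split (known limitation).
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
# HijackThis O4 Run-key lines: 'O4 - HKLM\..\Run: [<value name>] <command>'.
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
# ComboFix "Reg Loading Points" section: REGEDIT4-style keys and values.
REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')


def _exe_path(cmd: str) -> str:
    """Return the program a Run-key command launches, minus quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_hijackthis(lines):
    """Return (line, reason) pairs for O4/O23 entries that merit review."""
    findings = []
    for line in lines:
        line = line.strip()
        if m := O23_RE.match(line):
            path = m["path"].lower()
            if "(file missing)" in path:
                findings.append((line, "service binary missing on disk"))
            elif m["vendor"] == "Unknown owner":
                findings.append((line, "service binary carries no publisher name"))
            if not path.startswith(TRUSTED_ROOTS):
                findings.append((line, "service binary outside Windows/Program Files"))
        elif m := O4_RE.match(line):
            target = _exe_path(m["cmd"]).lower()
            if not re.match(r"^[a-z]:\\", target):
                findings.append((line, "Run entry uses a relative path (search order applies)"))
            elif not target.startswith(TRUSTED_ROOTS):
                findings.append((line, "Run entry launches from a user-writable location"))
    return findings


def check_combofix_registry(lines):
    """Return (key, value name, reason) for policy values that weaken protection."""
    findings = []
    key = ""
    for line in lines:
        line = line.strip()
        if m := REG_KEY_RE.match(line):
            key = m["key"].lower()
            continue
        m = REG_VAL_RE.match(line)
        if not m:
            continue
        name, value = m["name"], m["value"].strip().lower()
        if key.endswith("security center") and name.endswith("DisableNotify") and value.endswith("1"):
            findings.append((key, name, "Security Center alert suppressed"))
        elif name == "EnableFirewall" and value.startswith("0"):
            findings.append((key, name, "Windows Firewall disabled for this profile"))
        elif key.endswith("globallyopenports\\list"):
            findings.append((key, name, "inbound port opened in firewall policy"))
    return findings


# Constructed sample input in the posted formats (not the thread's real logs).
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updater] "C:\Documents and Settings\user\Application Data\updater.exe" -q
O23 - Service: iPod Service - Unknown owner - C:\Documents and Settings\user\Desktop\iPod\bin\iPodService.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
""".splitlines()

SAMPLE_CF = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12345:UDP"= 12345:UDP:dc++
""".splitlines()

if __name__ == "__main__":
    for line, reason in triage_hijackthis(SAMPLE_HJT):
        print(f"[review] {reason}: {line}")
    for key, name, reason in check_combofix_registry(SAMPLE_CF):
        print(f"[policy] {reason}: [{key}] {name}")
```

The rules are deliberately coarse: a relative path in a Run entry (like the Rundll32 line) is flagged for review, not declared malicious, because a legitimate vendor can ship one; the point is that such a line is resolved through the loader's search order and is worth confirming on disk. Run the script over a saved log with `triage_hijackthis(open("hijackthis.log").read().splitlines())`.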
  11. Bummer. It seems that the Avenger process was unsuccessful. I executed the script as asked... there was a confirmation screen (not included in the instructions) asking me if I was sure I wanted to run despite the "delete services" command... I think. Anyways, nothing appears to have changed upon reboot... infection signs still present. No second reboot was necessary. Here's the log. I'll try running the Avenger script again and see if it returns the same result. I'll post if it does. What's next?

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\windows\system32\drivers\tdssserv.sys" not found!
Deletion of file "C:\windows\system32\drivers\tdssserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\drivers\TDSSmact.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\TDSSmact.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\drivers\TDSSrvdc.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\TDSSrvdc.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSwpyd.dat" not found!
Deletion of file "C:\WINDOWS\system32\TDSSwpyd.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSStkdv.log" not found!
Deletion of file "C:\WINDOWS\system32\TDSStkdv.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSotxb.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSotxb.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSScrrn.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSScrrn.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
  12. Spybot did come up with two HKEY Internet Explorer issues, but they are probably not responsible for the Firefox redirects (there were no redirect issues with IE).
  13. Okay, things seem to be improved, but not perfect. McAfee antivirus is still disabled on startup initialization, even though the "enable on startup" option is selected. There are no more IE popups, but seemingly random searches on Firefox redirect to strange sites which instigate popups claiming that my PC is infected and I need to click... etc. There doesn't seem to be any huge "parasitic load" on my PC performance from malware, but you could convince me that my system was compromised and only running at 80%-90%. I'm running scans with all my malware software. MBAM returned zero results. Ad-Aware running now, then Spybot. I'll let you know if they return anything. Do you know what is causing the antivirus disabling and Firefox redirects? Cheers, progress has been made. Things are improving.
  14. Alright. Ran the ComboFix script. It asked to reboot. I did, and signs of infection are still present (McAfee disabled on startup). What's next? And thanks again.

ComboFix 09-02-19.01 - Marcus 2009-02-22 17:53:44.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.2029 [GMT -8:00]
Running from: c:\documents and settings\Marcus\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Marcus\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\documents and settings\Marcus\Application Data\axepub.bin
c:\documents and settings\Marcus\Application Data\ubywuxy.com
c:\documents and settings\Marcus\Application Data\ycexim.reg
c:\program files\Common Files\ahupebykiw.dl
c:\program files\Common Files\efucu.ban
c:\program files\Common Files\melo.com
c:\program files\Common Files\mudohoc.bat
c:\windows\system32\drivers\zkiefzrs.sys
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Marcus\Application Data\axepub.bin
c:\documents and settings\Marcus\Application Data\ubywuxy.com
c:\documents and settings\Marcus\Application Data\ycexim.reg
c:\program files\Common Files\ahupebykiw.dl
c:\program files\Common Files\efucu.ban
c:\program files\Common Files\melo.com
c:\program files\Common Files\mudohoc.bat
c:\windows\ccddawrp\
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_skbgfqnd


((((((((((((((((((((((((( Files Created from 2009-01-23 to 2009-02-23 )))))))))))))))))))))))))))))))
.
2009-02-20 19:06 . 2009-02-20 21:25 <DIR> d-------- C:\Lop SD
2009-02-20 17:52 . 2009-02-20 17:52 <DIR> d-------- c:\program files\Trend Micro
2009-02-19 01:04 . 2009-02-19 01:04 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-19 00:22 . 2009-02-19 00:30 1,924 --a------ c:\windows\ccddawrp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-21 05:20 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-21 05:20 --------- d-----w c:\program files\LucasArts
2009-02-21 02:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-20 00:49 --------- d-----w c:\program files\Creative
2009-02-20 00:47 --------- d-----w c:\program files\GemMaster
2009-02-19 09:04 --------- d-----w c:\program files\Java
2009-02-19 08:18 --------- d-----w c:\documents and settings\Marcus\Application Data\uTorrent
2009-02-19 08:17 --------- d-----w c:\program files\uTorrent
2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-10 22:00 1,033,728 ----a-w c:\windows\explorer.exe
2009-01-24 04:09 --------- d-----w c:\program files\Activision
2008-12-31 06:33 --------- d-----w c:\program files\GTR2
2007-05-27 03:22 24,192 -c--a-w c:\documents and settings\Marcus\usbsermptxp.sys
2007-05-27 03:22 22,768 -c--a-w c:\documents and settings\Marcus\usbsermpt.sys
2005-10-09 09:09 1,682 -csha-w c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-02-21_19.51.43.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-22 03:37:42 54,280 ----a-w c:\windows\system32\perfc009.dat
+ 2009-02-23 01:52:53 54,280 ----a-w c:\windows\system32\perfc009.dat
- 2009-02-22 03:37:42 384,596 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-23 01:52:53 384,596 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-23 01:58:17 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_790.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 344064]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-08 128920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-10 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-19 148888]
"P17Helper"="P17.dll" [2004-06-10 c:\windows\system32\P17.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
MA111 Configuration Utility.lnk - c:\program files\NETGEAR\MA111 Configuration Utility\wlancfg.exe [2006-09-01 459264]
NETGEAR WG311v3 Smart Wizard.lnk - c:\windows\Installer\{70014586-7BBA-4A92-A610-CDC896C48F8F}\NewShortcut1_1.exe [2006-11-27 1078]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"%windir%\\explorer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12345:UDP"= 12345:UDP:dc++

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-09-14 58048]
S3 WlanUIB;NETGEAR 802.11b USB Driver;c:\windows\system32\drivers\MA111nd5.sys [2006-09-01 666624]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.dell4me.com/myway
mDefault_Page_URL = hxxp://www.dell4me.com/myway
mStart Page = hxxp://www.dell4me.com/myway
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Marcus\Application Data\Mozilla\Firefox\Profiles\vosyr6jb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-22 17:59:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)
c:\windows\system32\MrvGINA.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\NETGEAR\WG311v3\WinDomainlogon.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\vstskmgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\dllhost.exe
c:\program files\NETGEAR\WG311v3\WinDomainlogon.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\program files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
c:\documents and settings\Marcus\Desktop\iPod\bin\iPodService.exe
c:\program files\NETGEAR\WG311v3\wlancfg5.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2009-02-22 18:02:39 - machine was rebooted [Marcus]
ComboFix-quarantined-files.txt 2009-02-23 02:02:36
ComboFix2.txt 2009-02-22 19:54:11
ComboFix3.txt 2009-02-22 03:53:00

Pre-Run: 19,675,172,864 bytes free
Post-Run: 19,662,004,224 bytes free

187 --- E O F --- 2009-02-11 11:02:51

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:05:53 PM, on 2/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\Documents and Settings\Marcus\Desktop\iPod\bin\iPodService.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems
- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Documents and Settings\Marcus\Desktop\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe -- End of file - 8499 bytes
  15. Oops- thought I grabbed the whole thing last time. Sorry. Must have gotten impatient with my copy-paste. Here ya go. Thanks!

ComboFix 09-02-19.01 - Marcus 2009-02-22 11:49:05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1915 [GMT -8:00]
Running from: c:\documents and settings\Marcus\Desktop\ComboFix.exe
 * Resident AV is active
.
((((((((((((((((((((((((( Files Created from 2009-01-22 to 2009-02-22 )))))))))))))))))))))))))))))))
.
2009-02-20 19:06 . 2009-02-20 21:25 <DIR> d-------- C:\Lop SD
2009-02-20 17:52 . 2009-02-20 17:52 <DIR> d-------- c:\program files\Trend Micro
2009-02-19 01:04 . 2009-02-19 01:04 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-19 00:22 . 2009-02-19 00:30 1,924 --a------ c:\windows\ccddawrp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-21 05:20 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-21 05:20 --------- d-----w c:\program files\LucasArts
2009-02-21 02:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-20 00:49 --------- d-----w c:\program files\Creative
2009-02-20 00:47 --------- d-----w c:\program files\GemMaster
2009-02-19 09:04 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-02-19 09:04 --------- d-----w c:\program files\Java
2009-02-19 08:18 --------- d-----w c:\documents and settings\Marcus\Application Data\uTorrent
2009-02-19 08:17 --------- d-----w c:\program files\uTorrent
2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-10 22:00 1,033,728 ----a-w c:\windows\system32\dllcache\explorer.exe
2009-02-10 22:00 1,033,728 ----a-w c:\windows\explorer.exe
2009-01-24 04:09 --------- d-----w c:\program files\Activision
2008-12-31 06:33 --------- d-----w c:\program files\GTR2
2008-12-12 17:01 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-10-12 20:30 19,606 -c--a-w c:\program files\Common Files\melo.com
2008-10-12 20:30 18,326 ----a-w c:\documents and settings\Marcus\Application Data\ycexim.reg
2008-10-12 20:30 16,160 -c--a-w c:\program files\Common Files\mudohoc.bat
2008-10-12 20:30 15,553 -c--a-w c:\program files\Common Files\ahupebykiw.dl
2008-10-12 20:30 15,461 -c--a-w c:\program files\Common Files\efucu.ban
2008-10-12 20:30 12,008 ----a-w c:\documents and settings\Marcus\Application Data\ubywuxy.com
2008-10-12 20:30 11,389 ----a-w c:\documents and settings\Marcus\Application Data\axepub.bin
2007-05-27 03:22 24,192 -c--a-w c:\documents and settings\Marcus\usbsermptxp.sys
2007-05-27 03:22 22,768 -c--a-w c:\documents and settings\Marcus\usbsermpt.sys
2005-10-06 23:17 280,576 -c--a-w c:\windows\inf\WG311v3\WG311v3XP.sys
2005-10-06 23:17 280,576 -c--a-w c:\windows\inf\WG311v3\WG311v3.sys
2005-03-01 19:16 212,992 -c--a-w c:\windows\inf\WG311v3\CopyWHQLDriver.exe
2005-10-09 09:09 1,682 -csha-w c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-02-21_19.51.43.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-22 03:37:42 54,280 ----a-w c:\windows\system32\perfc009.dat
+ 2009-02-22 19:47:07 54,280 ----a-w c:\windows\system32\perfc009.dat
- 2009-02-22 03:37:42 384,596 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-22 19:47:07 384,596 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-22 19:43:06 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_784.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 344064]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-08 128920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-10 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-19 148888]
"P17Helper"="P17.dll" [2004-06-10 c:\windows\system32\P17.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
MA111 Configuration Utility.lnk - c:\program files\NETGEAR\MA111 Configuration Utility\wlancfg.exe [2006-09-01 459264]
NETGEAR WG311v3 Smart Wizard.lnk - c:\windows\Installer\{70014586-7BBA-4A92-A610-CDC896C48F8F}\NewShortcut1_1.exe [2006-11-27 1078]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=mvoqas.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"%windir%\\explorer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12345:UDP"= 12345:UDP:dc++

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-09-14 58048]
S0 skbgfqnd;skbgfqnd;c:\windows\system32\drivers\zkiefzrs.sys --> c:\windows\system32\drivers\zkiefzrs.sys [?]
S3 WlanUIB;NETGEAR 802.11b USB Driver;c:\windows\system32\drivers\MA111nd5.sys [2006-09-01 666624]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.dell4me.com/myway
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Marcus\Application Data\Mozilla\Firefox\Profiles\vosyr6jb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-22 11:52:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(860)
c:\windows\system32\MrvGINA.dll

- - - - - - - > 'lsass.exe'(920)
c:\windows\system32\EntApi.dll
.
Completion time: 2009-02-22 11:54:08
ComboFix-quarantined-files.txt 2009-02-22 19:54:05
ComboFix2.txt 2009-02-22 03:53:00

Pre-Run: 19,710,701,568 bytes free
Post-Run: 19,695,915,008 bytes free

149 --- E O F --- 2009-02-11 11:02:51
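The ComboFix "Reg Loading Points" section above carries the indicators a helper would triage first: a non-empty AppInit_DLLs value (mvoqas.dll, a DLL loaded into every process that maps user32.dll), both Security Center "DisableNotify" flags set, the Windows Firewall standard profile switched off, and a boot-start (S0) driver service, skbgfqnd, whose image file zkiefzrs.sys ComboFix could not find on disk. The script below is an added example, not part of the original post or of ComboFix; it parses that section from log text and applies those four checks. The sample input is copied from the log in the post (spacing restored); the choice of which keys and values count as findings is my own heuristic, and the names parse_loading_points, triage and dword are mine.

```python
import re

# Sample input copied from the ComboFix log posted above (Reg Loading Points and
# the R1/S0/S3 driver lines); only the line breaks between entries were restored.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-08 128920]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=mvoqas.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-09-14 58048]
S0 skbgfqnd;skbgfqnd;c:\windows\system32\drivers\zkiefzrs.sys --> c:\windows\system32\drivers\zkiefzrs.sys [?]
S3 WlanUIB;NETGEAR 802.11b USB Driver;c:\windows\system32\drivers\MA111nd5.sys [2006-09-01 666624]
"""

KEY_RE = re.compile(r'^\[(.+)\]$')                       # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')           # "name"=value
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.*)$')  # S0 name;display;image


def parse_loading_points(text):
    """Split ComboFix's registry dump into (key, name, raw_value) triples and
    (start_type, name, display_name, image_field) service tuples."""
    values, services, current_key = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append(m.groups())
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            values.append((current_key, m.group(1), m.group(2)))
    return values, services


def dword(raw):
    """ComboFix renders DWORDs either as 'dword:00000001' or as '1 (0x1)'."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r'^(\d+)', raw)
    return int(m.group(1)) if m else None


def triage(text):
    """Return (category, subject, reason) findings. The rules are this example's
    own heuristics, chosen to match what stands out in the posted log."""
    values, services = parse_loading_points(text)
    findings = []
    for key, name, raw in values:
        k, n = key.lower(), name.lower()
        if n == "appinit_dlls" and raw.strip():
            findings.append(("AppInit_DLLs", raw.strip(),
                             "DLL injected into every process that loads user32.dll"))
        elif k.endswith("security center") and n in (
                "antivirusdisablenotify", "updatesdisablenotify",
                "firewalldisablenotify") and dword(raw) == 1:
            findings.append(("SecurityCenter", name, "Security Center warning suppressed"))
        elif k.endswith("firewallpolicy\\standardprofile") and n == "enablefirewall" \
                and dword(raw) == 0:
            findings.append(("Firewall", name, "Windows Firewall off in the standard profile"))
    for start, name, _display, image in services:
        # ComboFix appends '--> path [?]' when the service's image is not on disk.
        if "-->" in image and image.rstrip().endswith("[?]"):
            findings.append(("Service", name,
                             f"{start} service with missing image {image.split('-->')[0].strip()}"))
    return findings


if __name__ == "__main__":
    for category, subject, reason in triage(SAMPLE_LOG):
        print(f"{category:15} {subject:40} {reason}")
```

The parser keys only on ComboFix's own layout (bracketed key headers, quoted value names, `R1`/`S0`/`S3` service lines), so it can be pointed at a full log file; the Run entries with a `[date size]` tag pass through without comment, and a `--> path [?]` suffix on a service line is what distinguishes a missing driver file from a normal one.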