Can't install Spybot and can't access safer-networking website



monkeymiles
2010-06-24, 09:29
Hit a website that looked like it uninstalled Flash Player, clicked to reinstall it, then brain kicked in and tried to abort; a couple of funnies since.

Use ZoneAlarm firewall and anti-virus (active checking is off as my machine goes too slow, but it checks my email). Have run a deep scan with this and it found a couple of backdoor viruses which it claims to have removed, but still have issues.

Unfortunately Spybot was not yet installed on this machine, kicks self, and I can't install it as I can't see your server.

Looks like I still have something buried in my machine.

Many thanks in advance for your help.

I have backed up the registry with ERUNT and attached DDS logs as requested.

Best regards

Karl

DDS (Ver_10-03-17.01) - NTFSx86
Run by Karl at 8:10:39.01 on 24/06/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3326.1823 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\altera\81\quartus\bin\jtagserver.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Windows\system32\cidaemon.exe
C:\Windows\system32\cidaemon.exe
C:\Windows\system32\cidaemon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\MsFTEFD.exe
C:\WINDOWS\system32\LVComsX.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Karl.GOEPELUK\Desktop\dds.scr

============== Pseudo HJT Report ===============

uDefault_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk-rel&channel=uk
uSearch Bar =
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = about:blank
uInternet Settings,ProxyServer = 172.16.1.17:800
uInternet Settings,ProxyOverride = <local>;*.local
uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFre1.dll
BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFre1.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: WebEx Productivity Tools: {90e2ba2e-dd1b-4cde-9134-7a8b86d33ca7} - c:\program files\webex\productivity tools\ptonecli.dll
BHO: AVGTOOLBAR: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar5.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.0.1225.9868\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar5.dll
TB: AVGTOOLBAR: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: WebEx Productivity Tools: {90e2ba2e-dd1b-4cde-9134-7a8b86d33ca7} - c:\program files\webex\productivity tools\ptonecli.dll
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFre1.dll
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
uRun: [<NO NAME>]
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [\\SERVER\EPSON Stylus Photo R240 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiahe.exe /f "c:\docume~1\karl~1.goe\locals~1\temp\E_S124.tmp" /EF "HKLM"
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [nwiz] nwiz.exe /installquiet
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [EPSON Stylus Photo R240 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiahe.exe /f "c:\windows\temp\E_SD5.tmp" /EF "HKLM"
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [\\Karlhome\EPSON Stylus Photo R240 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiahe.exe /f "c:\docume~1\karl~1.goe\locals~1\temp\E_S2C.tmp" /EF "HKLM"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [MobileConnect] c:\program files\vodafone\vodafone mobile connect\bin\MobileConnect.exe /silent
mRun: [NokiaMServer] c:\program files\common files\nokia\mplatform\NokiaMServer /watchfiles startup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Memeo Backup] c:\program files\memeo\autobackup\MemeoLauncher2.exe --silent --no_ui
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
dRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\printk~1.lnk - c:\program files\printkey2000\Printkey2000.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\printk~1.lnk - c:\program files\printkey2000\Printkey2000.exe
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: EditLevel = 0 (0x0)
dPolicies-explorer: NoCommonGroups = 0 (0x0)
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: xilinx.com\www
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/0/5/7/05796dde-b2ba-4eef-8da4-f99c7e0c9b92/LegitCheckControl.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} - hxxp://goepel-elec-uk/connectcomputer/nshelp.dll
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152191595828
DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} - hxxp://mvt.mcafee.com/mvt/bin/3,0,1,0/mvt.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {99FE5072-78AA-4FEE-89BA-69A5FA55343F} - hxxp://download.microsoft.com/download/B/3/A/B3A2EA73-793D-4ABE-992D-C81140384044/igdtoolx.cab
DPF: {A4150320-98EC-4DB6-9BFB-EBF4B6FBEB16} - hxxp://172.23.24.62/codebase/DVM_IPCam2.ocx
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://goepel.webex.com/client/T26L/support/ieatgpc.cab
TCP: NameServer = 93.188.162.59,93.188.161.189
TCP: {52C56726-4FAB-4D6F-B4B6-0F2E423C40EE} = 93.188.162.59,93.188.161.189
TCP: {FB9D61C7-4E3E-4428-B0D7-65A15403444E} = 93.188.162.59,93.188.161.189
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
AppInit_DLLs: c:\progra~1\google\go333c~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\karl~1.goe\applic~1\mozilla\firefox\profiles\8lhwfa6p.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage -
FF - component: c:\documents and settings\karl.goepeluk\application data\mozilla\firefox\profiles\8lhwfa6p.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\karl.goepeluk\application data\mozilla\firefox\profiles\8lhwfa6p.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\winnt_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\program files\nokia\nokia ovi suite\connectors\bookmarks connector\firefoxextension\components\FirefoxExtension.dll
FF - plugin: c:\documents and settings\karl.goepeluk\application data\mozilla\firefox\profiles\8lhwfa6p.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\karl.goepeluk\application data\mozilla\firefox\profiles\8lhwfa6p.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
FF - plugin: c:\documents and settings\karl.goepeluk\application data\mozilla\plugins\npatgpc.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nplv85win32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2009-11-20 128016]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-11-20 317072]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-11-20 486280]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2005-10-18 61440]
R2 CVB;CVB;c:\windows\system32\drivers\CVB.sys [2008-2-25 6272]
R2 FAD;FAD;c:\program files\broadcom\bacs\FADXP32.sys [2003-1-30 11904]
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2004-8-11 14336]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\memeo\autobackup\MemeoBackgroundService.exe [2010-4-9 25824]
R2 msftesql$GOLDMINE;SQL Server FullText Search (GOLDMINE);c:\program files\microsoft sql server\mssql.1\mssql\binn\msftesql.exe [2007-6-22 95592]
R2 MSSQL$GOLDMINE;SQL Server (GOLDMINE);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]
R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\common files\safenet sentinel\sentinel keys server\sntlkeyssrvr.exe [2008-7-11 328992]
R2 SQLAgent$GOLDMINE;SQL Server Agent (GOLDMINE);c:\program files\microsoft sql server\mssql.1\mssql\binn\SQLAGENT90.EXE [2008-11-24 346976]
R2 StarWindService;StarWind iSCSI Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindService.exe [2005-4-2 217600]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-5-7 92008]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2008-11-4 14336]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S2 gupdate1c964774fd27f82;Google Update Service (gupdate1c964774fd27f82);c:\program files\google\update\GoogleUpdate.exe [2008-12-22 133104]
S2 sfxpciwd;SFXPCI;c:\windows\system32\drivers\sfxpciwd.sys --> c:\windows\system32\drivers\sfxpciwd.sys [?]
S2 USBDVR2;Cirrus Logic USB-DVR2 Dev Board;c:\windows\system32\drivers\usbdvr2n.sys [2008-8-4 31829]
S3 AlteraUSBBlaster;Altera USB-Blaster Device Driver;c:\windows\system32\drivers\ftd2xx.sys --> c:\windows\system32\drivers\FTD2XX.sys [?]
S3 DlinkUDSMBus;DlinkUDSMBus;c:\windows\system32\drivers\dlinkudsmbus.sys --> c:\windows\system32\drivers\DlinkUDSMBus.sys [?]
S3 elDiag;Diagostics Port Device Driver;c:\windows\system32\drivers\ftd2xx.sys --> c:\windows\system32\drivers\FTD2XX.sys [?]
S3 elUsbCardBus;elu132.sys device driver;c:\windows\system32\drivers\elu132.sys [2006-7-26 95360]
S3 G3GRSC;G3G R Smart Card;c:\windows\system32\drivers\g3grsc.sys [2006-7-6 16256]
S3 G3GRUMDM;G3G R USB Modem;c:\windows\system32\drivers\g3grumdm.sys [2006-7-6 26496]
S3 G3GRUSER;G3G R USB Serial;c:\windows\system32\drivers\g3gruser.sys [2006-7-6 23296]
S3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys --> c:\windows\system32\drivers\gflmouhid.sys [?]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2010-6-18 30192]
S3 GUSB_Platform;GUSB_Platform;c:\windows\system32\drivers\GUSB_Platform.sys [2007-8-9 172772]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2010-5-14 137344]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2010-5-14 8320]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 Sfx1149_USB;Sfx1149_USB;c:\windows\system32\drivers\sfx1149_USB.sys [2006-7-11 29184]
S3 TSClient;Tatara Protocol Driver;c:\windows\system32\drivers\tsclient.sys --> c:\windows\system32\drivers\tsclient.sys [?]
S3 UsbScanBooster;UsbScanBooster;c:\windows\system32\drivers\UsbScanBooster.sys [2006-10-7 29184]
S3 vrmusb;vrmusb;c:\windows\system32\drivers\vrmUSB.sys [2006-12-14 16000]
S3 XilinxFirmwareEmbeddedLoader;XilinxFirmwareEmbeddedLoader;c:\windows\system32\drivers\xusb_xup.sys [2007-8-18 17408]
S3 XilinxFirmwareEmbeddedLpLoader;XilinxFirmwareEmbeddedLpLoader;c:\windows\system32\drivers\xusb_emb.sys [2007-8-18 17408]
S3 XilinxFirmwareLoader;XilinxFirmwareLoader;c:\windows\system32\drivers\xusbdfwu.sys [2007-8-18 17280]
S3 XilinxFirmwareLpLoader;XilinxFirmwareLpLoader;c:\windows\system32\drivers\xusb_xlp.sys [2007-8-18 17280]
S3 XilinxFirmwareXpressLoader;XilinxFirmwareXpressLoader;c:\windows\system32\drivers\xusb_xpr.sys [2007-8-18 16768]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]

============== File Associations ===============

.txt=TextPad.txt

=============== Created Last 30 ================

2010-06-21 16:17:20 0 d-----w- c:\program files\1-abc
2010-06-15 16:05:24 0 d-----w- c:\docume~1\karl~1.goe\applic~1\PGP Corporation
2010-06-15 16:00:05 0 d-----w- c:\docume~1\alluse~1\applic~1\PGP Corporation
2010-06-15 10:57:24 192022 ----a-w- c:\windows\system32\PGPlspRollback.reg
2010-06-15 10:57:04 0 d-----w- c:\program files\PGP Corporation
2010-06-15 10:57:04 0 d-----w- c:\program files\common files\PGP Corporation
2010-06-10 10:38:33 100032 ----a-w- c:\windows\system32\drivers\sfxpcxwd.sys
2010-06-09 21:33:25 3276 ----a-w- c:\windows\system32\wbem\Outlook_01cb081b64681cb8.mof
2010-06-09 16:22:26 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-09 16:21:00 65536 ------w- c:\windows\system32\dllcache\asycfilt.dll
2010-06-07 16:40:46 0 d-----w- c:\program files\Digiarty
2010-06-03 08:08:46 0 d-----w- c:\docume~1\karl~1.goe\applic~1\OpenOffice.org
2010-06-03 07:57:07 0 d-----w- c:\program files\OpenOffice.org 3
2010-06-02 06:33:22 0 d-----w- c:\program files\common files\wsm
2010-06-02 06:33:21 0 d-----w- c:\program files\Kate's Video Converter
2010-06-01 11:37:39 0 d-----w- c:\docume~1\karl~1.goe\applic~1\Digiarty
2010-06-01 11:02:44 0 d-----w- C:\divx
2010-06-01 08:55:32 0 d-----w- c:\documents and settings\karl.goepeluk\.dvdcss
2010-06-01 08:52:07 0 d-----w- c:\docume~1\karl~1.goe\applic~1\Leawo
2010-06-01 08:40:49 179 ----a-w- c:\windows\DVD To AVI Converter.ini
2010-06-01 08:20:45 180 ----a-w- c:\windows\pro DVD To AVI Converter.ini
2010-06-01 08:19:37 9 ----a-w- c:\windows\system32\DVD To AVI Converter1009.dat
2010-06-01 08:19:22 606208 ----a-w- c:\windows\system32\xvidcore.dll
2010-06-01 08:19:22 139264 ----a-w- c:\windows\system32\xvidvfw.dll
2010-06-01 08:19:22 139264 ----a-w- c:\windows\system32\xvid.ax
2010-06-01 08:19:22 0 d-----w- c:\program files\TOP Software
2010-06-01 08:10:18 1 ----a-w- c:\windows\system32\SysDVDtoAVI.dat
2010-05-31 21:03:53 0 d-----w- c:\docume~1\karl~1.goe\applic~1\AVS4YOU
2010-05-31 21:00:48 0 d-----w- c:\program files\common files\AVSMedia
2010-05-31 21:00:37 974848 ----a-w- c:\windows\system32\mfc70.dll
2010-05-31 21:00:37 24576 ----a-w- c:\windows\system32\msxml3a.dll
2010-05-31 21:00:37 0 d-----w- c:\docume~1\alluse~1\applic~1\AVS4YOU
2010-05-31 20:45:02 0 d-----w- c:\docume~1\alluse~1\applic~1\DivX
2010-05-30 11:43:40 0 d-----w- C:\Server Sync modified files
2010-05-30 11:42:36 0 d-----w- C:\Server Sync deleted files
2010-05-30 11:31:52 0 d-----w- C:\Server Sync

==================== Find3M ====================

2010-06-23 07:51:38 87564 ---ha-w- c:\windows\system32\mlfcache.dat
2010-06-18 07:24:36 586034 ----a-w- c:\windows\system32\nvModes.dat
2010-06-08 15:56:19 3888 ----a-w- c:\windows\system32\drivers\NTHANDLE.SYS
2010-05-21 13:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-20 11:13:00 72080 ----a-w- c:\documents and settings\karl.goepeluk\g2mdlhlpx.exe
2010-05-14 19:35:04 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01009.Wdf
2010-05-14 19:35:03 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2010-05-05 13:30:57 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-30 08:10:02 38756 ----a-w- c:\windows\system32\drivers\pxi5396w.sys
2010-04-26 10:24:59 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2010-04-08 12:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 12:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-06 03:52:46 2462720 ------w- c:\windows\system32\dllcache\WMVCore.dll
2010-03-31 01:58:04 133616 ------w- c:\windows\system32\pxafs.dll
2010-03-31 01:58:04 125424 ------w- c:\windows\system32\pxinsi64.exe
2010-03-31 01:58:04 123888 ------w- c:\windows\system32\pxcpyi64.exe

============= FINISH: 8:14:08.82 ===============

Blade81
2010-06-28, 10:13
Hi,

If you still need help with this, post fresh dds.txt contents, please.

monkeymiles
2010-06-28, 12:27
I found the problem: it looks like the malware had changed my settings to point to a dodgy DNS server. I changed this back to the correct one.

Can now install and run Spybot; nothing suspicious was found.

Any advice on further checks to ensure I am clean?

Refreshed DDS output attached
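The DDS log in the first post shows the symptom directly: the global `TCP: NameServer` entry and both per-interface `TCP: {GUID}` entries point at 93.188.162.59 and 93.188.161.189, which is what the poster later identified as the rogue DNS server. The script below is an added example, not code from the thread or from the DDS tool. It parses those DDS lines and flags any resolver that is neither one of the ISP's published servers nor a LAN address (a home router handing out its own RFC 1918 address is normal), and also flags an IE proxy that points off the local network. `EXPECTED_RESOLVERS` is a placeholder (TEST-NET-3 addresses); the thread never states the ISP's real resolver IPs, so replace it with the values your ISP publishes.

```python
"""Flag DNS resolver and proxy settings in a DDS log that are neither the
ISP's published resolvers nor LAN addresses.
Added example; not part of the original thread or of the DDS tool."""
import ipaddress
import re

# These five lines are copied from the DDS output in the original post.
SAMPLE_DDS = """\
uInternet Settings,ProxyServer = 172.16.1.17:800
uInternet Settings,ProxyOverride = <local>;*.local
TCP: NameServer = 93.188.162.59,93.188.161.189
TCP: {52C56726-4FAB-4D6F-B4B6-0F2E423C40EE} = 93.188.162.59,93.188.161.189
TCP: {FB9D61C7-4E3E-4428-B0D7-65A15403444E} = 93.188.162.59,93.188.161.189
"""

# Placeholder allowlist (TEST-NET-3). The thread does not give the ISP's real
# resolver addresses; substitute the ones your ISP publishes.
EXPECTED_RESOLVERS = {"203.0.113.1", "203.0.113.2"}

# RFC 1918, loopback and link-local ranges. Checked explicitly rather than via
# ipaddress.is_private, which also treats the documentation ranges as private.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

NAMESERVER_RE = re.compile(r"^TCP:\s+(NameServer|\{[0-9A-Fa-f-]+\})\s*=\s*(.+?)\s*$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(.+?)\s*$")


def is_local(ip_text):
    """True if ip_text is an IP literal inside one of LOCAL_NETS."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETS)


def parse_dds_network(text):
    """Return ({scope: [resolver, ...]}, proxy_value_or_None).
    scope is 'NameServer' (global) or the interface GUID that DDS prints."""
    resolvers = {}
    proxy = None
    for line in text.splitlines():
        m = NAMESERVER_RE.match(line)
        if m:
            resolvers[m.group(1)] = [s.strip() for s in m.group(2).split(",") if s.strip()]
            continue
        m = PROXY_RE.match(line)
        if m:
            proxy = m.group(1)
    return resolvers, proxy


def proxy_hosts(proxy):
    """Yield the host part of each entry in an IE ProxyServer value, which is
    either 'host:port' or 'scheme=host:port;scheme=host:port'."""
    for entry in proxy.split(";"):
        entry = entry.split("=", 1)[-1].strip()
        if entry:
            yield entry.rsplit(":", 1)[0]


def find_network_anomalies(text, expected_resolvers):
    """List (scope, value, reason) for every resolver that is neither an
    expected ISP resolver nor a LAN address, and for any proxy host that is
    not on the local network."""
    findings = []
    resolvers, proxy = parse_dds_network(text)
    for scope, ips in resolvers.items():
        for ip in ips:
            if ip in expected_resolvers or is_local(ip):
                continue
            findings.append((scope, ip, "resolver is public and not in the ISP list"))
    if proxy:
        for host in proxy_hosts(proxy):
            try:
                ipaddress.ip_address(host)
            except ValueError:
                findings.append(("ProxyServer", host, "proxy host is a name; check where it resolves"))
                continue
            if not is_local(host):
                findings.append(("ProxyServer", host, "proxy is not on the local network"))
    return findings


if __name__ == "__main__":
    for scope, value, reason in find_network_anomalies(SAMPLE_DDS, EXPECTED_RESOLVERS):
        print(f"{scope}: {value} -> {reason}")
```

Run against the log from this thread it reports all six resolver entries (three scopes, two addresses each) and leaves the 172.16.1.17 proxy alone, since that is a private address. The per-interface `TCP: {GUID}` lines are DDS's rendering of the `NameServer` value under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}`, so that key is where to look and clean up on the live machine; if the resolver was supposed to come from DHCP, a static value there is itself the sign that something wrote it.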

Blade81
2010-06-28, 13:24
Hi,

Were the DNS settings set as "obtain automatically"? If so then the router giving those settings should be checked for possible DNS hijack.

monkeymiles
2010-06-28, 13:34
I have looked on my ISP's website and the DNS server IPs that my router, and consequently my PC, is picking up are as published on their website.

Also, when I had the issue only 1 PC was affected; I could install and update Spybot on the 4 other PCs on my network. I have run virus checks on all my machines.

Blade81
2010-06-28, 19:11
OK. I'd still make sure the router password is not the default one, since some DNS hijacker infections are able to modify router DNS settings if the password isn't changed.

Other things I recommend doing are to enable System Restore functionality (I didn't see any System Restore point there, so I assume the functionality is disabled) and to install Secunia Personal Software Inspector (http://secunia.com/vulnerability_scanning/personal/) to keep software up to date.

To enable system restore:
1. On the Desktop, right-click My Computer.
2. Click Properties.
3. Click the System Restore tab.
4. UN-Check *Turn off System Restore*.
5. Click Apply, and then click OK.

monkeymiles
2010-06-28, 21:51
The router is not on the default password, and I'm just downloading Secunia. System Restore is on; I had a clean-out and deleted old system restore points etc. and defragged the drive.

In hindsight maybe not the best thing until I was sure I was clean.

Many thanks for help, anything else to check?

Blade81
2010-06-28, 22:34
You're welcome :)


anything else to check?
No, unless there are issues left.

monkeymiles
2010-06-28, 22:39
All sorted, case closed. Pride took a bit of a dent though.

Blade81
2010-06-28, 22:57
Shall move this into archive then :)