PDA

View Full Version : malware prevents S and D from installing



juliomolin
2010-07-10, 19:54
DDS (Ver_10-03-17.01) - NTFSx86
Run by Casa at 17:44:09.79 on Sat 07/10/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1021.620 [GMT 1:00]

AV: avast! antivirus 4.8.1368 [VPS 100710-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\vkfbphd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\fw1884panel.exe
C:\WINDOWS\nMtsk.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Casa\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.farn-ct.ac.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearch Page =
mStart Page = hxxp://es.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\vkfbphd.exe,
uWindows: load=c:\windows\system32\vkfbphd.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: CIEDownload Object: {67bcf957-85fc-4036-8dc4-d4d80e00a77b} - c:\program files\smart technologies\notebook software\NotebookPlugin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Com32] c:\windows\system32\vkfbphd.exe
uRunServicesOnce: [LogServ] c:\windows\system32\vkfbphd.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [CHotkey] mHotkey.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [StartFw1884Panel] fw1884panel.exe H
mRun: [nMTaskBarService] nMtsk.exe
mRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [H2O] c:\program files\syncrosoft\pos\h2o\cledx.exe
mRun: [AS00_Gear511] c:\program files\netgear\wg511scu\utility.\Gear511.exe -hide
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [WindowsDefender] c:\windows\system32\vkfbphd.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\casa\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1278759056125
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\casa\applic~1\mozilla\firefox\profiles\qx0m8oe4.julio\
FF - prefs.js: browser.startup.homepage - hxxps://mail.google.com/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-10 114768]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-6-7 166632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-10 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2006-1-8 138680]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-26 189736]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-6-7 840936]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2006-1-8 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2006-1-8 352920]
R3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [2007-12-4 16194]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2006-6-4 33792]
R3 NETGEAR_WG511_SERVICE;NETGEAR WG511T Wireless Adapter Service;c:\windows\system32\drivers\wg511nd5.sys [2007-12-4 488992]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 gupdate1c991fa1993fbf0;Google Update Service (gupdate1c991fa1993fbf0);c:\program files\google\update\GoogleUpdate.exe [2009-2-18 133104]
S3 Fw1884;Driver for FW-1884;c:\windows\system32\drivers\Fw1884.sys [2004-3-9 141983]
S3 Fw1884WdmService;%FdgWdmSvcDesc%;c:\windows\system32\drivers\FW1884Wdm.sys [2004-3-8 89008]
S3 K320bus;Sony Ericsson K320 driver (WDM);c:\windows\system32\drivers\K320bus.sys [2008-12-22 61504]
S3 K320mdfl;Sony Ericsson K320 USB WMC Modem Filter;c:\windows\system32\drivers\K320mdfl.sys [2008-12-22 9328]
S3 K320mdm;Sony Ericsson K320 USB WMC Modem Driver;c:\windows\system32\drivers\K320mdm.sys [2008-12-22 97056]
S3 K320mgmt;Sony Ericsson K320 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\K320mgmt.sys [2008-12-22 88560]
S3 K320obex;Sony Ericsson K320 USB WMC OBEX Interface;c:\windows\system32\drivers\K320obex.sys [2008-12-22 86368]
S3 netModUSBService;Service for netMod USB CAPI Driver;c:\windows\system32\drivers\nMUSB.sys [2005-11-21 54896]
S3 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-6-7 59240]

=============== Created Last 30 ================

2010-07-10 11:32:31 0 dc-h--w- c:\docume~1\alluse~1\applic~1\~0
2010-07-10 10:51:21 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-07-10 10:51:14 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2010-07-10 10:51:14 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2010-07-10 10:51:14 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2010-07-10 10:51:14 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-07-10 10:51:10 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-07-10 10:24:42 0 d-----w- c:\program files\Trend Micro
2010-07-10 10:19:59 434176 --sha-r- C:\explorer.exe
2010-07-08 18:12:52 434176 --sha-r- c:\windows\system32\cffmon.exe
2010-07-08 07:01:17 0 d-----w- c:\docume~1\casa\applic~1\Malwarebytes
2010-07-08 07:01:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-08 07:01:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-08 07:01:04 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-08 07:01:04 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-24 09:15:59 54156 ---ha-w- c:\windows\QTFont.qfn
2010-06-24 09:15:59 1409 ----a-w- c:\windows\QTFont.for
2010-06-23 21:23:12 65536 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-06-23 21:23:12 49152 ----a-w- c:\windows\system32\QuickTime.qts
2010-06-23 21:23:05 0 d-----w- c:\program files\QuickTime Alternative
2010-06-23 21:23:05 0 d-----w- c:\program files\Media Player Classic

==================== Find3M ====================

2010-06-03 20:51:52 68880 ----a-w- c:\windows\system32\XZip.dll
2010-05-09 21:35:39 42740 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-18 09:21:37 411368 ----a-w- c:\windows\system32\deployJava1.dll
2008-10-02 18:35:28 7747944 ----a-w- c:\program files\SFTPMSI.exe
2006-03-23 07:27:10 488992 ----a-w- c:\windows\inf\wg511nd5.sys
2001-08-23 12:00:00 434176 --sha-r- c:\windows\system32\cffmon.exe
2008-05-16 14:10:09 1682 --sha-w- c:\windows\system32\KGyGaAvL.sys
2001-08-23 12:00:00 434176 --sha-r- c:\windows\system32\vkfbphd.exe

============= FINISH: 17:44:45.57 ===============

Blade81
2010-07-14, 23:25
Hi,

Please post attach.txt part of DDS run too.

juliomolin
2010-07-15, 00:47
Please find the "attach" file, attached.
Thanks
Julio

Blade81
2010-07-15, 00:53
Hi,

IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

BitTorrent
eMule


I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).


After that:


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

juliomolin
2010-07-16, 02:35
Hello,
Thank you for your time.

I uninstalled the P2P programmes and ran combofix with the antivirus deactivated.

Combofix completed its 50 stages and then when it continued to the stage where it deletes files, the computer blue-screened. I restarted and tried again with the same result.

This is the same problem that I had with Spybot or any other antimalware.
I do not know about malware, but on the task manager I have seen the process vkfbphd.exe running (and the computer bluescreens if I try to delete it).

Also, upon managing a scan with antimalware, I had detected a rootkit malware called explorer.exe (located in C:\explorer.exe and not in C:\windows\explorer.exe where it should be).
I don't know if this helps.

I appreciate any help you can give me to continue fixing this malware problem.

Thanks
Julio

Blade81
2010-07-16, 08:15
Hi,

Could you try to run ComboFix in safe mode (if reboot is needed make sure system enters the safe mode again)?

juliomolin
2010-07-16, 20:40
Hi,

Could you try to run ComboFix in safe mode (if reboot is needed make sure system enters the safe mode again)?

Hi,
sorry, it's still happening.
I tried running Combofix in safe mode and it still blue-screens when it is about to delete files (after completing all 50 stages).

What might I try next?

Thank you for your time,
Julio

Blade81
2010-07-16, 21:49
Hi,

Could you note down the message in blue screen, please?

juliomolin
2010-07-16, 23:36
Hi,

Could you note down the message in blue screen, please?

A problem has been detected and windows has been shut down to prevent damage.

A process thread crucial to system operation has unexpectedly exited or been terminated.

Stop: 0x000000F4 (0x00000003, 0x86D49C08, 0x86D49D7C, 0x80604418)

Blade81
2010-07-17, 00:27
Hi,

Was ComboFix able to install recovery console earlier (when you start the system there should be Microsoft recovery console option visible together with Windows XP Professional option before Windows loading screen)? Please continue if recovery console is visible (you could test it is accessible too).

Start MBAM, update its database and run a quick scan letting it remove its findings. Post back the report + fresh dds.txt log.

juliomolin
2010-07-17, 18:40
Hi,

Was ComboFix able to install recovery console earlier (when you start the system there should be Microsoft recovery console option visible together with Windows XP Professional option before Windows loading screen)? Please continue if recovery console is visible (you could test it is accessible too).

Start MBAM, update its database and run a quick scan letting it remove its findings. Post back the report + fresh dds.txt log.

Yes, I have checked that the Recovery Console is visible as an option upon booting the computer (I also checked that it's accessible).

I am attaching the MBAM report as an attachment and a new DDS here in this post, as text.

Thanks
Julio


DDS (Ver_10-03-17.01) - NTFSx86
Run by Casa at 16:13:09.45 on Sat 07/17/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1021.479 [GMT 1:00]

AV: avast! antivirus 4.8.1368 [VPS 100717-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\vkfbphd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\fw1884panel.exe
C:\WINDOWS\nMtsk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Casa\Desktop\malware hunt\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.farn-ct.ac.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearch Page =
mStart Page = hxxp://es.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\vkfbphd.exe,
uWindows: load=c:\windows\system32\vkfbphd.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: CIEDownload Object: {67bcf957-85fc-4036-8dc4-d4d80e00a77b} - c:\program files\smart technologies\notebook software\NotebookPlugin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Com32] c:\windows\system32\vkfbphd.exe
uRunServicesOnce: [LogServ] c:\windows\system32\vkfbphd.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [CHotkey] mHotkey.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [StartFw1884Panel] fw1884panel.exe H
mRun: [nMTaskBarService] nMtsk.exe
mRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [H2O] c:\program files\syncrosoft\pos\h2o\cledx.exe
mRun: [AS00_Gear511] c:\program files\netgear\wg511scu\utility.\Gear511.exe -hide
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [WindowsDefender] c:\windows\system32\vkfbphd.exe
StartupFolder: c:\docume~1\casa\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1278759056125
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\casa\applic~1\mozilla\firefox\profiles\qx0m8oe4.julio\
FF - prefs.js: browser.startup.homepage - hxxps://mail.google.com/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-10 114768]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-7-1 166632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-10 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2006-1-8 138680]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-26 189736]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-7-1 840936]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2006-1-8 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2006-1-8 352920]
R3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [2007-12-4 16194]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2006-6-4 33792]
R3 NETGEAR_WG511_SERVICE;NETGEAR WG511T Wireless Adapter Service;c:\windows\system32\drivers\wg511nd5.sys [2007-12-4 488992]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 gupdate1c991fa1993fbf0;Google Update Service (gupdate1c991fa1993fbf0);c:\program files\google\update\GoogleUpdate.exe [2009-2-18 133104]
S2 PEVSystemStart;PEVSystemStart;c:\combofix\PEV.cfxxe [2010-7-17 256512]
S3 Fw1884;Driver for FW-1884;c:\windows\system32\drivers\Fw1884.sys [2004-3-9 141983]
S3 Fw1884WdmService;%FdgWdmSvcDesc%;c:\windows\system32\drivers\FW1884Wdm.sys [2004-3-8 89008]
S3 K320bus;Sony Ericsson K320 driver (WDM);c:\windows\system32\drivers\K320bus.sys [2008-12-22 61504]
S3 K320mdfl;Sony Ericsson K320 USB WMC Modem Filter;c:\windows\system32\drivers\K320mdfl.sys [2008-12-22 9328]
S3 K320mdm;Sony Ericsson K320 USB WMC Modem Driver;c:\windows\system32\drivers\K320mdm.sys [2008-12-22 97056]
S3 K320mgmt;Sony Ericsson K320 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\K320mgmt.sys [2008-12-22 88560]
S3 K320obex;Sony Ericsson K320 USB WMC OBEX Interface;c:\windows\system32\drivers\K320obex.sys [2008-12-22 86368]
S3 netModUSBService;Service for netMod USB CAPI Driver;c:\windows\system32\drivers\nMUSB.sys [2005-11-21 54896]
S3 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-7-1 59240]

=============== Created Last 30 ================

2010-07-17 14:49:34 0 d-s---w- C:\ComboFix
2010-07-17 14:49:25 434176 --sha-r- C:\explorer.exe
2010-07-17 14:00:11 204800 ----a-w- c:\windows\nMconfig.exe
2010-07-16 22:31:13 0 d-----w- c:\windows\system32\XPSViewer
2010-07-16 22:30:05 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-16 22:30:05 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-16 22:30:05 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-16 22:30:05 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-16 22:30:05 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-16 22:30:05 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-16 22:30:05 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-16 22:30:04 0 d-----w- C:\513eea74815cfa5d51d9
2010-07-16 22:17:18 0 d-----w- c:\windows\system32\KB905474
2010-07-16 22:15:35 294912 -c----w- c:\windows\system32\dllcache\msctf.dll
2010-07-16 21:47:59 0 d-----w- c:\program files\MSXML 4.0
2010-07-16 18:31:10 0 d-----w- c:\windows\system32\CatRoot_bak
2010-07-16 18:09:16 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-07-16 18:07:22 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-07-16 18:07:02 743936 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-16 18:05:19 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-07-16 18:05:08 3555328 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-07-16 18:03:21 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx
2010-07-16 18:00:22 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2010-07-16 18:00:02 293376 ------w- c:\windows\system32\browserchoice.exe
2010-07-16 17:54:01 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2010-07-16 17:49:20 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-07-16 17:49:20 1196000 -c----w- c:\windows\system32\dllcache\sysmain.sdb
2010-07-15 22:52:13 0 d-sha-r- C:\cmdcons
2010-07-15 22:48:26 98816 ----a-w- c:\windows\sed.exe
2010-07-15 22:48:26 77312 ----a-w- c:\windows\MBR.exe
2010-07-15 22:48:26 256512 ----a-w- c:\windows\PEV.exe
2010-07-15 22:48:26 161792 ----a-w- c:\windows\SWREG.exe
2010-07-10 11:32:31 0 dc-h--w- c:\docume~1\alluse~1\applic~1\~0
2010-07-10 10:51:21 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-07-10 10:51:14 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2010-07-10 10:51:14 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2010-07-10 10:51:14 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2010-07-10 10:51:14 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-07-10 10:51:10 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-07-10 10:24:42 0 d-----w- c:\program files\Trend Micro
2010-07-08 07:01:17 0 d-----w- c:\docume~1\casa\applic~1\Malwarebytes
2010-07-08 07:01:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-08 07:01:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-08 07:01:04 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-08 07:01:04 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-24 09:15:59 54156 ---ha-w- c:\windows\QTFont.qfn
2010-06-24 09:15:59 1409 ----a-w- c:\windows\QTFont.for
2010-06-23 21:23:12 65536 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-06-23 21:23:12 49152 ----a-w- c:\windows\system32\QuickTime.qts
2010-06-23 21:23:05 0 d-----w- c:\program files\QuickTime Alternative
2010-06-23 21:23:05 0 d-----w- c:\program files\Media Player Classic

==================== Find3M ====================

2010-06-03 20:51:52 68880 ----a-w- c:\windows\system32\XZip.dll
2010-05-09 21:35:39 42740 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:51:20 285696 ----a-w- c:\windows\system32\atmfd.dll
2008-10-02 18:35:28 7747944 ----a-w- c:\program files\SFTPMSI.exe
2006-03-23 07:27:10 488992 ----a-w- c:\windows\inf\wg511nd5.sys
2008-05-16 14:10:09 1682 --sha-w- c:\windows\system32\KGyGaAvL.sys
2001-08-23 12:00:00 434176 --sha-r- c:\windows\system32\vkfbphd.exe

============= FINISH: 16:14:09.53 ===============

Blade81
2010-07-17, 22:25
Hi,

Open notepad and copy/paste the text in the codebox below into it:



@echo off
for %%g in (
C:\explorer.exe
c:\windows\system32\vkfbphd.exe
C:\WINDOWS\system32\cffmon.exe
) if exist %%g do zip Files_for_submission %%g
del %0


Save this as grab.bat
Choose to Save type as - All Files
Save it on your desktop.
It should look like this: http://www.techsupportforum.com/sectools/tetonbob/bat_icon.gif
Double click on grab.bat & allow it to run

A file, Files_for_submission.zip will be created on your desktop. Please upload the file to this website: http://www.bleepingcomputer.com/submit-malware.php?channel=76

Kindly include a link to this topic in the message.

juliomolin
2010-07-20, 01:06
Hi,

Open notepad and copy/paste the text in the codebox below into it:



@echo off
for %%g in (
C:\explorer.exe
c:\windows\system32\vkfbphd.exe
C:\WINDOWS\system32\cffmon.exe
) if exist %%g do zip Files_for_submission %%g
del %0


Save this as grab.bat
Choose to Save type as - All Files
Save it on your desktop.
It should look like this: http://www.techsupportforum.com/sectools/tetonbob/bat_icon.gif
Double click on grab.bat & allow it to run

A file, Files_for_submission.zip will be created on your desktop. Please upload the file to this website: http://www.bleepingcomputer.com/submit-malware.php?channel=76

Kindly include a link to this topic in the message.

I can't get the .bat to run. I don't know why. It seems to do something for a brief instant but is closed immediately.

Blade81
2010-07-20, 01:20
Hi,

Have these instructions saved somewhere since you won't be able to access them in recovery console.

1. Restart your computer
2. Before Windows loads, you will be prompted to choose which Operating System to start
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press enter.
5. At the C:\Windows prompt, type the following bolded text, and press Enter:

cd system32

6. At the next prompt, type the following bolded text, and press Enter:

ren vkfbphd.exe vkfbphd.bad

7. At the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading. See if you're able to run ComboFix after that.

Blade81
2010-07-26, 10:06
Hi,

Are you still there?

juliomolin
2010-07-28, 22:53
Hi,

Are you still there?

Hi Blade,

Sorry I haven't replied recently, I had been busy with other things and hadn't had the chance to apply the fixes.

In any case, it seems you have helped me reach a solution!
I started up in the recovery console and renamed the bug. Then I could run Combo fix, then Spybot, Malwarebytes and Avast and it seems like the system is healthy again.

I am attaching a new DDS, the combo fix and Malwarebytes report.

Also I think I have fixed my wife's computer, which appeared to be infected with the same type of bug. But the file that was the bug (in system32) had a different name. So I found the name of the bug by researching the DDS report in comparison to mine, and then renamed it in the recovery console. And I also used combofix.

So please give the reports a look if you consider it useful.

I appreciate very VERY much your help. I am impressed by your generosity with your time, especially with people whom you have not met more than over a forum. I am sure that your helpful acts will come back to you in some way or another. I am a filmmaker and video editor, if I can help you with anything please let me know.

Best regards,
Julio

Blade81
2010-07-29, 00:26
Good to hear we're making progress there :)

Upload c:\windows\nMconfig.exe file to http://www.virustotal.com and post back the results.

Open notepad and copy/paste the text in the quotebox below into it:



Folder::
c:\documents and settings\Casa\Application Data\BitTorrent



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Uninstall vulnerable Flash versions by following instructions here (http://kb2.adobe.com/cps/141/tn_14157.html). Fresh version can be obtained here (http://get.adobe.com/flashplayer/).


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 21 (http://java.sun.com/javase/downloads/index.jsp).
Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.

The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u21-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.



Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

Blade81
2010-08-04, 00:56
Have you had time to take the steps yet? :)

Blade81
2010-08-10, 09:35
Due to inactivity, this thread will now be closed.

Note:If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.