Need help with possible virtumonde virus/trojan
- Thread starter eaglescout
- Start date
eaglescout
New member
latest combofix log
Sorry for the delay, didn't see your reply on page 3...here is the latest combofix log...
ComboFix 10-07-06.05 - Owner 07/07/2010 15:50:00.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.163 [GMT -4:00]
Running from: c:\documents and settings\Owner.YOUR-E7D118DC12\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner.YOUR-E7D118DC12\Desktop\CFScript.txt
FILE ::
"c:\windows\system32\drivers\mgvpbuw.sys"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\mgvpbuw.sys
.
((((((((((((((((((((((((( Files Created from 2010-06-07 to 2010-07-07 )))))))))))))))))))))))))))))))
.
2010-07-06 22:03 . 2010-07-06 22:03 -------- d-----w- c:\program files\trend micro
2010-07-06 22:03 . 2010-07-06 22:03 -------- d-----w- C:\rsit
2010-07-06 03:05 . 2010-07-06 03:13 -------- d-----w- c:\documents and settings\Owner.YOUR-E7D118DC12\Application Data\QuickScan
2010-07-06 02:57 . 2010-07-06 02:57 -------- d-----w- c:\documents and settings\Owner.YOUR-E7D118DC12\Local Settings\Application Data\K-Meleon
2010-07-06 02:56 . 2010-07-06 02:57 -------- d-----w- c:\documents and settings\Owner.YOUR-E7D118DC12\Application Data\K-Meleon
2010-07-06 02:56 . 2010-07-06 02:56 -------- d-----w- c:\program files\K-Meleon
2010-07-05 18:36 . 2010-07-05 18:36 -------- d-----w- c:\program files\ERUNT
2010-07-03 18:08 . 2010-07-03 18:36 -------- d-----w- c:\documents and settings\Owner.YOUR-E7D118DC12\Application Data\tor
2010-07-03 17:35 . 2010-07-03 18:09 -------- d-----w- c:\documents and settings\Owner.YOUR-E7D118DC12\Application Data\Vidalia
2010-07-02 19:47 . 2010-07-02 19:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-07-02 18:53 . 2009-06-30 13:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-07-02 18:52 . 2010-07-02 18:52 -------- d-----w- c:\program files\Panda Security
2010-07-02 18:38 . 2010-07-02 18:38 -------- d-----w- c:\program files\ESET
2010-07-02 17:59 . 2010-07-02 17:59 -------- d-----w- c:\documents and settings\Owner.YOUR-E7D118DC12\Application Data\Auslogics
2010-07-02 17:57 . 2010-07-02 17:57 -------- d-----w- c:\program files\Auslogics
2010-07-02 17:27 . 2010-07-02 17:27 -------- d-----w- c:\program files\CCleaner
2010-07-02 17:26 . 2010-07-02 17:26 -------- d-----w- c:\program files\ToniArts
2010-07-02 04:11 . 2010-07-02 04:11 791393 ----a-w- C:\erunt-setup(2).exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-07 14:25 . 2009-05-11 01:56 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-07-07 02:58 . 2009-12-25 17:27 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-07-03 15:54 . 2009-09-05 03:02 1 ----a-w- c:\documents and settings\Owner.YOUR-E7D118DC12\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-07-03 12:36 . 2010-05-19 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-02 19:48 . 2010-07-02 19:48 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-02 17:26 . 2006-11-23 00:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-02 17:18 . 2010-07-02 17:18 63488 ----a-w- c:\documents and settings\Owner.YOUR-E7D118DC12\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-02 17:18 . 2009-12-25 17:27 117760 ----a-w- c:\documents and settings\Owner.YOUR-E7D118DC12\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-04 20:13 . 2009-02-17 17:06 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-30 21:33 . 2010-05-30 21:33 127 ----a-w- c:\documents and settings\Boss\Local Settings\Application Data\fusioncache.dat
2010-05-26 02:24 . 2010-05-22 02:30 117760 ----a-w- c:\documents and settings\Boss\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-25 00:38 . 2010-05-25 00:38 -------- d-----w- c:\program files\Photo Story 3 for Windows
2010-05-23 13:18 . 2010-05-19 23:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-22 02:30 . 2010-05-22 02:30 63488 ----a-w- c:\documents and settings\Boss\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-22 02:30 . 2010-05-22 02:30 52224 ----a-w- c:\documents and settings\Boss\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-22 02:29 . 2010-05-22 02:29 -------- d-----w- c:\documents and settings\Boss\Application Data\SUPERAntiSpyware.com
2010-05-22 01:06 . 2010-05-22 01:06 -------- d-----w- c:\documents and settings\Boss\Application Data\Malwarebytes
2010-05-21 00:20 . 2007-01-20 19:26 -------- d-----w- c:\documents and settings\Owner.YOUR-E7D118DC12\Application Data\Apple Computer
2010-05-21 00:17 . 2007-07-03 15:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-05-18 15:23 . 2010-05-18 15:23 -------- d-----w- c:\documents and settings\Boss\Application Data\Skinux
2010-05-18 15:23 . 2010-05-18 15:22 -------- d-----w- c:\documents and settings\Boss\Application Data\ArcSoft
2010-05-18 00:29 . 2006-12-29 22:27 40416 ----a-w- c:\documents and settings\Owner.YOUR-E7D118DC12\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-17 02:52 . 2010-05-17 02:52 63488 ----a-w- c:\documents and settings\Donna\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-17 02:52 . 2010-05-17 02:52 52224 ----a-w- c:\documents and settings\Donna\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-17 02:52 . 2010-05-17 02:52 117760 ----a-w- c:\documents and settings\Donna\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-17 02:52 . 2010-05-17 02:52 -------- d-----w- c:\documents and settings\Donna\Application Data\SUPERAntiSpyware.com
2010-05-14 21:57 . 2010-05-05 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-14 21:47 . 2010-05-14 21:53 343906 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-05-14 21:33 . 2010-04-03 11:30 439816 ----a-w- c:\documents and settings\Owner.YOUR-E7D118DC12\Application Data\Real\Update\setup3.10\setup.exe
2010-05-14 01:38 . 2010-05-14 01:38 -------- d-----w- c:\documents and settings\Donna\Application Data\Malwarebytes
2010-05-14 00:16 . 2010-05-14 00:16 -------- d-----w- c:\documents and settings\Donna\Application Data\Apple Computer
2010-05-14 00:16 . 2010-05-14 00:12 40416 ----a-w- c:\documents and settings\Donna\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-14 00:13 . 2006-11-23 00:19 -------- d-----w- c:\program files\Google
2010-05-14 00:13 . 2010-05-14 00:12 -------- d-----w- c:\documents and settings\Donna\Application Data\ArcSoft
2010-05-14 00:13 . 2010-05-14 00:13 -------- d-----w- c:\documents and settings\Donna\Application Data\Skinux
2010-05-05 22:04 . 2010-01-10 01:22 0 ----a-w- c:\windows\Ysizesux.bin
2010-05-02 05:56 . 2006-06-17 09:23 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-05-01 12:06 . 2010-01-10 01:22 120 ----a-w- c:\windows\Qnaxejadazay.dat
2010-04-29 19:39 . 2009-12-24 15:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-12-24 15:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-24 15:23 . 2007-02-23 15:57 2816 ----a-w- c:\documents and settings\Owner.YOUR-E7D118DC12\Application Data\wklnhst.dat
2010-04-20 05:51 . 2006-06-17 09:23 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-17 19:11 . 2008-11-04 17:32 36124 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-16 15:20 . 2006-06-17 09:23 668672 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 15:20 . 2006-06-17 09:23 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-04-15 04:28 . 2006-06-19 04:25 40416 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((( SnapShot@2010-07-07_03.16.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-07 14:25 . 2010-07-07 14:25 16384 c:\windows\Temp\Perflib_Perfdata_65c.dat
+ 2010-07-07 13:16 . 2010-07-07 13:16 249856 c:\windows\ERDNT\AutoBackup\7-7-2010\Users\00000002\UsrClass.dat
+ 2010-07-07 13:16 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\7-7-2010\ERDNT.EXE
+ 2010-07-07 13:16 . 2010-07-07 13:16 9551872 c:\windows\ERDNT\AutoBackup\7-7-2010\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-02 2403568]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lexmark X74-X75"="c:\program files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 57344]
c:\documents and settings\Boss\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk.disabled [2010-7-2 783]
c:\documents and settings\Owner.YOUR-E7D118DC12\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Install Pending Files.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Install Pending Files.LNK
backup=c:\windows\pss\Install Pending Files.LNKCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
NA [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 19:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-10 19:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 03:56 64512 ----a-w- c:\windows\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2006-03-23 05:13 77824 ----a-w- c:\windows\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2006-03-23 05:17 118784 ----a-w- c:\windows\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2006-03-23 05:17 94208 ----a-w- c:\windows\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 09:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-10-29 01:21 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X74-X75]
2002-10-14 20:09 57344 ------w- c:\program files\Lexmark X74-X75\lxbbbmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2006-11-07 19:49 1121280 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 23:24 1694208 ------w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\readericon]
2005-12-10 02:44 139264 ----a-w- c:\program files\Digital Media Reader\readericon45G.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 07:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2005-02-26 02:24 966656 ----a-w- c:\windows\creator\Remind_XP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SanaSafeConnect]
2007-10-18 23:23 1731096 ----a-r- c:\program files\Suze Orman\Identity Theft Kit\agent\Bin\SanaSafeConnect.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2006-03-02 00:22 577536 ----a-w- c:\windows\soundman.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 08:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-04-05 23:30 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 01:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"ArcSoft Connection Service"=c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [7/2/2010 2:53 PM 28552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/23/2009 9:43 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 9:43 AM 67656]
R2 SanaSafeConnectWatcher;SanaSafeConnectWatcher;c:\program files\Suze Orman\Identity Theft Kit\agent\Bin\SanaSafeConnectWatcher.exe [10/18/2007 7:23 PM 547352]
R2 sbupdate;SentryBay Update Service;c:\program files\SentryBay\sbupdate.exe [3/8/2009 5:30 PM 41272]
R3 SanaSafeConnectDriver;SanaSafeConnectDriver;c:\program files\Suze Orman\Identity Theft Kit\agent\driver\platform_XP\SafeConnectDriver.sys [10/18/2007 7:24 PM 160280]
R3 SanaSafeConnectFilter;SanaSafeConnectFilter;c:\program files\Suze Orman\Identity Theft Kit\agent\driver\platform_XP\SafeConnectFilter.sys [10/18/2007 7:24 PM 30232]
R3 SanaSafeConnectShim;SanaSafeConnectShim;c:\program files\Suze Orman\Identity Theft Kit\agent\driver\platform_XP\SafeConnectShim.sys [10/18/2007 7:24 PM 27312]
S2 SanaSafeConnectAgent;SanaSafeConnectAgent;c:\program files\Suze Orman\Identity Theft Kit\agent\Bin\SanaAgent.exe [10/18/2007 7:23 PM 5218328]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 9:43 AM 12872]
.
Contents of the 'Scheduled Tasks' folder
2010-06-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://hughhewitt.townhall.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Owner.YOUR-E7D118DC12\Application Data\Mozilla\Firefox\Profiles\2rtg5gsv.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://hotair.com/
FF - component: c:\program files\SentryBay\PhishLock\ffext\components\plext.dll
FF - component: c:\program files\SentryBay\Secure Browse\toolbar\ffext\components\registrationkey.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-07 15:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2010-07-07 16:02:47
ComboFix-quarantined-files.txt 2010-07-07 20:02
ComboFix2.txt 2010-07-07 03:20
Pre-Run: 76,622,987,264 bytes free
Post-Run: 76,602,650,624 bytes free
- - End Of File - - A4B8BEAE3F49FF561C3E372821B3AB04
Sorry for the delay, didn't see your reply on page 3...here is the latest combofix log...
ComboFix 10-07-06.05 - Owner 07/07/2010 15:50:00.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.163 [GMT -4:00]
Running from: c:\documents and settings\Owner.YOUR-E7D118DC12\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner.YOUR-E7D118DC12\Desktop\CFScript.txt
FILE ::
"c:\windows\system32\drivers\mgvpbuw.sys"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\mgvpbuw.sys
.
((((((((((((((((((((((((( Files Created from 2010-06-07 to 2010-07-07 )))))))))))))))))))))))))))))))
.
2010-07-06 22:03 . 2010-07-06 22:03 -------- d-----w- c:\program files\trend micro
2010-07-06 22:03 . 2010-07-06 22:03 -------- d-----w- C:\rsit
2010-07-06 03:05 . 2010-07-06 03:13 -------- d-----w- c:\documents and settings\Owner.YOUR-E7D118DC12\Application Data\QuickScan
2010-07-06 02:57 . 2010-07-06 02:57 -------- d-----w- c:\documents and settings\Owner.YOUR-E7D118DC12\Local Settings\Application Data\K-Meleon
2010-07-06 02:56 . 2010-07-06 02:57 -------- d-----w- c:\documents and settings\Owner.YOUR-E7D118DC12\Application Data\K-Meleon
2010-07-06 02:56 . 2010-07-06 02:56 -------- d-----w- c:\program files\K-Meleon
2010-07-05 18:36 . 2010-07-05 18:36 -------- d-----w- c:\program files\ERUNT
2010-07-03 18:08 . 2010-07-03 18:36 -------- d-----w- c:\documents and settings\Owner.YOUR-E7D118DC12\Application Data\tor
2010-07-03 17:35 . 2010-07-03 18:09 -------- d-----w- c:\documents and settings\Owner.YOUR-E7D118DC12\Application Data\Vidalia
2010-07-02 19:47 . 2010-07-02 19:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-07-02 18:53 . 2009-06-30 13:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-07-02 18:52 . 2010-07-02 18:52 -------- d-----w- c:\program files\Panda Security
2010-07-02 18:38 . 2010-07-02 18:38 -------- d-----w- c:\program files\ESET
2010-07-02 17:59 . 2010-07-02 17:59 -------- d-----w- c:\documents and settings\Owner.YOUR-E7D118DC12\Application Data\Auslogics
2010-07-02 17:57 . 2010-07-02 17:57 -------- d-----w- c:\program files\Auslogics
2010-07-02 17:27 . 2010-07-02 17:27 -------- d-----w- c:\program files\CCleaner
2010-07-02 17:26 . 2010-07-02 17:26 -------- d-----w- c:\program files\ToniArts
2010-07-02 04:11 . 2010-07-02 04:11 791393 ----a-w- C:\erunt-setup(2).exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-07 14:25 . 2009-05-11 01:56 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-07-07 02:58 . 2009-12-25 17:27 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-07-03 15:54 . 2009-09-05 03:02 1 ----a-w- c:\documents and settings\Owner.YOUR-E7D118DC12\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-07-03 12:36 . 2010-05-19 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-02 19:48 . 2010-07-02 19:48 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-02 17:26 . 2006-11-23 00:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-02 17:18 . 2010-07-02 17:18 63488 ----a-w- c:\documents and settings\Owner.YOUR-E7D118DC12\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-02 17:18 . 2009-12-25 17:27 117760 ----a-w- c:\documents and settings\Owner.YOUR-E7D118DC12\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-04 20:13 . 2009-02-17 17:06 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-30 21:33 . 2010-05-30 21:33 127 ----a-w- c:\documents and settings\Boss\Local Settings\Application Data\fusioncache.dat
2010-05-26 02:24 . 2010-05-22 02:30 117760 ----a-w- c:\documents and settings\Boss\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-25 00:38 . 2010-05-25 00:38 -------- d-----w- c:\program files\Photo Story 3 for Windows
2010-05-23 13:18 . 2010-05-19 23:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-22 02:30 . 2010-05-22 02:30 63488 ----a-w- c:\documents and settings\Boss\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-22 02:30 . 2010-05-22 02:30 52224 ----a-w- c:\documents and settings\Boss\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-22 02:29 . 2010-05-22 02:29 -------- d-----w- c:\documents and settings\Boss\Application Data\SUPERAntiSpyware.com
2010-05-22 01:06 . 2010-05-22 01:06 -------- d-----w- c:\documents and settings\Boss\Application Data\Malwarebytes
2010-05-21 00:20 . 2007-01-20 19:26 -------- d-----w- c:\documents and settings\Owner.YOUR-E7D118DC12\Application Data\Apple Computer
2010-05-21 00:17 . 2007-07-03 15:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-05-18 15:23 . 2010-05-18 15:23 -------- d-----w- c:\documents and settings\Boss\Application Data\Skinux
2010-05-18 15:23 . 2010-05-18 15:22 -------- d-----w- c:\documents and settings\Boss\Application Data\ArcSoft
2010-05-18 00:29 . 2006-12-29 22:27 40416 ----a-w- c:\documents and settings\Owner.YOUR-E7D118DC12\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-17 02:52 . 2010-05-17 02:52 63488 ----a-w- c:\documents and settings\Donna\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-17 02:52 . 2010-05-17 02:52 52224 ----a-w- c:\documents and settings\Donna\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-17 02:52 . 2010-05-17 02:52 117760 ----a-w- c:\documents and settings\Donna\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-17 02:52 . 2010-05-17 02:52 -------- d-----w- c:\documents and settings\Donna\Application Data\SUPERAntiSpyware.com
2010-05-14 21:57 . 2010-05-05 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-14 21:47 . 2010-05-14 21:53 343906 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-05-14 21:33 . 2010-04-03 11:30 439816 ----a-w- c:\documents and settings\Owner.YOUR-E7D118DC12\Application Data\Real\Update\setup3.10\setup.exe
2010-05-14 01:38 . 2010-05-14 01:38 -------- d-----w- c:\documents and settings\Donna\Application Data\Malwarebytes
2010-05-14 00:16 . 2010-05-14 00:16 -------- d-----w- c:\documents and settings\Donna\Application Data\Apple Computer
2010-05-14 00:16 . 2010-05-14 00:12 40416 ----a-w- c:\documents and settings\Donna\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-14 00:13 . 2006-11-23 00:19 -------- d-----w- c:\program files\Google
2010-05-14 00:13 . 2010-05-14 00:12 -------- d-----w- c:\documents and settings\Donna\Application Data\ArcSoft
2010-05-14 00:13 . 2010-05-14 00:13 -------- d-----w- c:\documents and settings\Donna\Application Data\Skinux
2010-05-05 22:04 . 2010-01-10 01:22 0 ----a-w- c:\windows\Ysizesux.bin
2010-05-02 05:56 . 2006-06-17 09:23 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-05-01 12:06 . 2010-01-10 01:22 120 ----a-w- c:\windows\Qnaxejadazay.dat
2010-04-29 19:39 . 2009-12-24 15:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-12-24 15:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-24 15:23 . 2007-02-23 15:57 2816 ----a-w- c:\documents and settings\Owner.YOUR-E7D118DC12\Application Data\wklnhst.dat
2010-04-20 05:51 . 2006-06-17 09:23 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-17 19:11 . 2008-11-04 17:32 36124 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-16 15:20 . 2006-06-17 09:23 668672 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 15:20 . 2006-06-17 09:23 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-04-15 04:28 . 2006-06-19 04:25 40416 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((( SnapShot@2010-07-07_03.16.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-07 14:25 . 2010-07-07 14:25 16384 c:\windows\Temp\Perflib_Perfdata_65c.dat
+ 2010-07-07 13:16 . 2010-07-07 13:16 249856 c:\windows\ERDNT\AutoBackup\7-7-2010\Users\00000002\UsrClass.dat
+ 2010-07-07 13:16 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\7-7-2010\ERDNT.EXE
+ 2010-07-07 13:16 . 2010-07-07 13:16 9551872 c:\windows\ERDNT\AutoBackup\7-7-2010\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-02 2403568]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lexmark X74-X75"="c:\program files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 57344]
c:\documents and settings\Boss\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk.disabled [2010-7-2 783]
c:\documents and settings\Owner.YOUR-E7D118DC12\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Install Pending Files.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Install Pending Files.LNK
backup=c:\windows\pss\Install Pending Files.LNKCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
NA [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 19:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-10 19:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 03:56 64512 ----a-w- c:\windows\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2006-03-23 05:13 77824 ----a-w- c:\windows\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2006-03-23 05:17 118784 ----a-w- c:\windows\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2006-03-23 05:17 94208 ----a-w- c:\windows\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 09:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-10-29 01:21 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X74-X75]
2002-10-14 20:09 57344 ------w- c:\program files\Lexmark X74-X75\lxbbbmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2006-11-07 19:49 1121280 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 23:24 1694208 ------w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\readericon]
2005-12-10 02:44 139264 ----a-w- c:\program files\Digital Media Reader\readericon45G.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 07:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2005-02-26 02:24 966656 ----a-w- c:\windows\creator\Remind_XP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SanaSafeConnect]
2007-10-18 23:23 1731096 ----a-r- c:\program files\Suze Orman\Identity Theft Kit\agent\Bin\SanaSafeConnect.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2006-03-02 00:22 577536 ----a-w- c:\windows\soundman.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 08:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-04-05 23:30 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 01:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"ArcSoft Connection Service"=c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [7/2/2010 2:53 PM 28552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/23/2009 9:43 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 9:43 AM 67656]
R2 SanaSafeConnectWatcher;SanaSafeConnectWatcher;c:\program files\Suze Orman\Identity Theft Kit\agent\Bin\SanaSafeConnectWatcher.exe [10/18/2007 7:23 PM 547352]
R2 sbupdate;SentryBay Update Service;c:\program files\SentryBay\sbupdate.exe [3/8/2009 5:30 PM 41272]
R3 SanaSafeConnectDriver;SanaSafeConnectDriver;c:\program files\Suze Orman\Identity Theft Kit\agent\driver\platform_XP\SafeConnectDriver.sys [10/18/2007 7:24 PM 160280]
R3 SanaSafeConnectFilter;SanaSafeConnectFilter;c:\program files\Suze Orman\Identity Theft Kit\agent\driver\platform_XP\SafeConnectFilter.sys [10/18/2007 7:24 PM 30232]
R3 SanaSafeConnectShim;SanaSafeConnectShim;c:\program files\Suze Orman\Identity Theft Kit\agent\driver\platform_XP\SafeConnectShim.sys [10/18/2007 7:24 PM 27312]
S2 SanaSafeConnectAgent;SanaSafeConnectAgent;c:\program files\Suze Orman\Identity Theft Kit\agent\Bin\SanaAgent.exe [10/18/2007 7:23 PM 5218328]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 9:43 AM 12872]
.
Contents of the 'Scheduled Tasks' folder
2010-06-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://hughhewitt.townhall.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Owner.YOUR-E7D118DC12\Application Data\Mozilla\Firefox\Profiles\2rtg5gsv.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://hotair.com/
FF - component: c:\program files\SentryBay\PhishLock\ffext\components\plext.dll
FF - component: c:\program files\SentryBay\Secure Browse\toolbar\ffext\components\registrationkey.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-07 15:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2010-07-07 16:02:47
ComboFix-quarantined-files.txt 2010-07-07 20:02
ComboFix2.txt 2010-07-07 03:20
Pre-Run: 76,622,987,264 bytes free
Post-Run: 76,602,650,624 bytes free
- - End Of File - - A4B8BEAE3F49FF561C3E372821B3AB04
eaglescout
New member
Not sure...getting a virus alert
Things were running well, and I just got this popup from Windows Security Alert, and this popup:
Also getting popups about virus infections, do I want to scan, and getting a porn popup.
Some programs will not execute (MS Paint, trying to send you a screen shot)...
Was able to delete the file that you wanted deleted, though.
Things were running well, and I just got this popup from Windows Security Alert, and this popup:
Also getting popups about virus infections, do I want to scan, and getting a porn popup.
Some programs will not execute (MS Paint, trying to send you a screen shot)...
Was able to delete the file that you wanted deleted, though.
ken545
Emeritus-Security Expert
Lets check a bit deeper.
Download TDSSKiller and save it to your Desktop.
http://support.kaspersky.com/downloads/utils/tdsskiller.zip
Extract the file and run it.
Once completed it will create a log in your C:\ drive
Please post the contents of that log
Download TDSSKiller and save it to your Desktop.
http://support.kaspersky.com/downloads/utils/tdsskiller.zip
Extract the file and run it.
Once completed it will create a log in your C:\ drive
Please post the contents of that log
eaglescout
New member
serious problems
Can't seem to run ANY .exe files. Also, a new icon in taskbar about antivirus software alert. (A green shield, with a white checkmark in it...I know it is bogus)
Can't seem to run ANY .exe files. Also, a new icon in taskbar about antivirus software alert. (A green shield, with a white checkmark in it...I know it is bogus)
ken545
Emeritus-Security Expert
Please download and run the following tool to help allow other programs to run. (Thanks to Grinler of BleepingComputer.com)
- There are 4 different versions. If one of them won't run then download and try to run the other one.
- Vista and Win7 users need to right click and choose Run as Admin
- You only need to get one of them to run, not all of them.
- You will know one ran when a box opens up with a report
You have Malwarebytes installed, open it, check for updates and run the quick scan and post the log please
eaglescout
New member
no luck
Downloaded the first 3 and tried to run, but program was terminated, followed by a message saying that the file was infected with a virus...
The fourth program just produced an error 404 on the link.
Downloaded the first 3 and tried to run, but program was terminated, followed by a message saying that the file was infected with a virus...
The fourth program just produced an error 404 on the link.
eaglescout
New member
I do not see an option for MBAM safemode.
Do you mean restart windows in safe mode and run it? I am worried that I may not be able to restart FF, as every .exe file I try to open is terminated by the infection.
Please specify.
Thanks
Do you mean restart windows in safe mode and run it? I am worried that I may not be able to restart FF, as every .exe file I try to open is terminated by the infection.
Please specify.
Thanks
ken545
Emeritus-Security Expert
Yes, restart windows in Safemode and run MBAM
To Enter Safemode
To Enter Safemode
- Go to Start> Shut off your Computer> Restart
- As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu. - Use the Up and Down Arrow Keys to scroll up to Safemode
- Then press the Enter Key on your Keyboard
eaglescout
New member
Got it...
eaglescout
New member
MBAM complete
MBAM found 9 infections...
Here is the log...
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4284
Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 6.0.2900.2180
7/7/2010 7:32:48 PM
mbam-log-2010-07-07 (19-32-48).txt
Scan type: Quick scan
Objects scanned: 153472
Time elapsed: 10 minute(s), 19 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwgrfojd (Trojan.Downloader) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\Owner.YOUR-E7D118DC12\Local Settings\Application Data\urscmrdno\ecfktcdtssd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-E7D118DC12\Local Settings\temp\6B.tmp (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-E7D118DC12\Local Settings\temp\gxuDmWmzvV.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-E7D118DC12\Local Settings\temp\VxPoEqQKZG.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-E7D118DC12\Local Settings\Temporary Internet Files\Content.IE5\0O9XKPSV\setup[1].exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-E7D118DC12\Local Settings\Temporary Internet Files\Content.IE5\CDERGXQ7\setup[2].exe (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-E7D118DC12\Local Settings\Temporary Internet Files\Content.IE5\URU9QLGP\setup[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\sortct.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
MBAM found 9 infections...
Here is the log...
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4284
Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 6.0.2900.2180
7/7/2010 7:32:48 PM
mbam-log-2010-07-07 (19-32-48).txt
Scan type: Quick scan
Objects scanned: 153472
Time elapsed: 10 minute(s), 19 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwgrfojd (Trojan.Downloader) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\Owner.YOUR-E7D118DC12\Local Settings\Application Data\urscmrdno\ecfktcdtssd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-E7D118DC12\Local Settings\temp\6B.tmp (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-E7D118DC12\Local Settings\temp\gxuDmWmzvV.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-E7D118DC12\Local Settings\temp\VxPoEqQKZG.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-E7D118DC12\Local Settings\Temporary Internet Files\Content.IE5\0O9XKPSV\setup[1].exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-E7D118DC12\Local Settings\Temporary Internet Files\Content.IE5\CDERGXQ7\setup[2].exe (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-E7D118DC12\Local Settings\Temporary Internet Files\Content.IE5\URU9QLGP\setup[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\sortct.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
ken545
Emeritus-Security Expert
ok, now run TDSSkiller
Download TDSSKiller and save it to your Desktop.
http://support.kaspersky.com/downloads/utils/tdsskiller.zip
Extract the file and run it.
Once completed it will create a log in your C:\ drive
Please post the contents of that log
Download TDSSKiller and save it to your Desktop.
http://support.kaspersky.com/downloads/utils/tdsskiller.zip
Extract the file and run it.
Once completed it will create a log in your C:\ drive
Please post the contents of that log
eaglescout
New member
no luck
ken454,
Thanks for all of your help...I think you can close this thread, as I am in the process of reinstalling WinXP.
Last night, after I ran MBAM, it asked to reboot, and when I did, WinXP would reach the logo screen, and then reboot itself, stating that it noticed a problem, possibly a hardware issue, and was shutting down.
After several hours of trying to get winXP to start, I gave up, and decided just to salvage the data, and reinstall.
Again, thanks for all you great help. I'm sticking with my linux box from now on...ha!
ken454,
Thanks for all of your help...I think you can close this thread, as I am in the process of reinstalling WinXP.
Last night, after I ran MBAM, it asked to reboot, and when I did, WinXP would reach the logo screen, and then reboot itself, stating that it noticed a problem, possibly a hardware issue, and was shutting down.
After several hours of trying to get winXP to start, I gave up, and decided just to salvage the data, and reinstall.
Again, thanks for all you great help. I'm sticking with my linux box from now on...ha!
ken545
Emeritus-Security Expert
Well, sometimes a re install is a good option, lets hope this fixes it and its not a hardware issue.
I will keep this thread open for you for a few days, post back and let me know how it went.
If you need help with the format and reinstall let me know and I can link you to a great windows support site that can guide you through it
Ken
I will keep this thread open for you for a few days, post back and let me know how it went.
If you need help with the format and reinstall let me know and I can link you to a great windows support site that can guide you through it
Ken
eaglescout
New member
appreciate it
Although I have done many reinstalls before, please send me the link you refer to...I'm always looking for new tips, help, etc.
Thanks again...
Although I have done many reinstalls before, please send me the link you refer to...I'm always looking for new tips, help, etc.
Thanks again...
ken545
Emeritus-Security Expert
Hi,
You can post here at our sister site, like Safer its free but you will need to register.
http://forums.whatthetech.com/index.php?showforum=119
Good Luck with your reinstall
Ken
You can post here at our sister site, like Safer its free but you will need to register.
http://forums.whatthetech.com/index.php?showforum=119
Good Luck with your reinstall
Ken