Computer hijacked


Re: Computer hijacked

Post by Belahzur on 20th April 2010, 9:58 pm

Okay, good work so far. We need to make sure this stays dead, so please re-run Combofix and get an updated log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Computer hijacked

Post by AngelsElf on 21st April 2010, 12:02 am

Okay, I ran Combofix. It put text in the log, I copied it, then my computer froze. I had to manually reboot the computer and the log was lost. I can't see that it automatically saved anywhere /sigh

It did remove some things, I saw that, but what they were I have no idea. What should I do now?

Sorry to be such a pain


Re: Computer hijacked

Post by Belahzur on 21st April 2010, 12:49 am

Try running it again.


Re: Computer hijacked

Post by AngelsElf on 21st April 2010, 3:57 am

As requested


ComboFix 10-04-19.08 - User 04/20/2010 23:36:50.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3199.2690 [GMT -4:00]
Running from: c:\geek police stuff\Combo-Fix.exe
AV: avast! Internet Security *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *enabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-03-21 to 2010-04-21 )))))))))))))))))))))))))))))))
.

2010-04-20 19:55 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-20 19:55 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 18:35 . 2010-04-20 18:35 -------- d-----w- C:\_OTL
2010-04-18 00:02 . 2010-04-18 00:05 -------- d-----w- C:\Avast Stuff
2010-04-17 21:18 . 2010-04-17 21:18 4 ----a-w- c:\program files\42156.dat
2010-04-17 19:47 . 2010-04-17 19:53 -------- d-----w- C:\Combo-Fix
2010-04-17 19:06 . 2010-04-17 19:06 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-17 19:05 . 2010-04-17 19:05 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\avG
2010-04-17 19:05 . 2010-04-17 19:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-17 19:04 . 2010-04-19 06:28 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-17 19:01 . 2010-04-17 19:01 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-04-17 15:38 . 2010-04-21 03:30 -------- d-----w- C:\geek police stuff
2010-04-17 01:31 . 2010-04-17 01:31 4 ----a-w- c:\program files\6413406.dat
2010-04-16 23:24 . 2010-04-16 23:24 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\avG
2010-04-16 23:24 . 2010-04-16 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-14 23:25 . 2010-03-26 14:33 1496064 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-04-14 23:25 . 2010-03-26 14:33 43008 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-04-14 23:25 . 2010-03-26 14:33 339456 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-04-14 23:25 . 2010-03-26 14:32 346112 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-04-14 13:48 . 2010-04-14 13:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-04-11 19:46 . 2010-04-11 19:46 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-04-11 19:46 . 2010-04-11 19:47 -------- d-----w- c:\program files\Google
2010-04-10 20:12 . 2001-08-18 02:36 110621 -c--a-w- c:\windows\system32\dllcache\digirlpt.dll
2010-04-10 20:12 . 2001-08-18 02:36 110621 ----a-w- c:\windows\system32\digirlpt.dll
2010-04-10 20:12 . 2001-08-17 16:17 42432 -c--a-w- c:\windows\system32\dllcache\digirlpt.sys
2010-04-10 20:12 . 2001-08-17 16:17 42432 ----a-w- c:\windows\system32\drivers\digirlpt.sys
2010-04-07 19:05 . 2010-04-07 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-04-06 20:59 . 2010-04-17 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-03-31 06:00 . 2010-03-31 06:00 86016 ----a-w- c:\windows\system32\frapsvid.dll
2010-03-27 18:29 . 2010-03-27 18:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-03-23 14:30 . 2010-04-18 18:44 -------- d-----w- c:\program files\QuickTime
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\program files\Common Files\Apple
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Apple
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\program files\Apple Software Update
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-21 00:51 . 2009-05-25 02:32 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-04-21 00:51 . 2009-05-25 02:32 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-04-20 22:36 . 2010-04-17 20:34 8704 --sha-w- c:\program files\Thumbs.db
2010-04-20 19:55 . 2009-08-03 03:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-18 13:18 . 2009-05-23 01:43 -------- d-----w- c:\program files\Windows Defender
2010-04-18 00:11 . 2009-05-25 02:15 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-17 03:34 . 2004-08-04 12:00 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-04-16 23:33 . 2009-07-07 02:02 -------- d-----w- c:\documents and settings\User\Application Data\Skype
2010-04-16 20:09 . 2009-07-07 02:12 -------- d-----w- c:\documents and settings\User\Application Data\skypePM
2010-04-14 16:47 . 2010-04-18 00:06 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-14 16:47 . 2010-04-18 00:06 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-14 16:37 . 2010-04-18 00:06 102736 ----a-w- c:\windows\system32\drivers\aswFW.sys
2010-04-14 16:37 . 2010-04-18 00:06 297552 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2010-04-14 16:36 . 2010-04-18 00:06 196048 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2010-04-14 16:35 . 2010-04-18 00:06 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-14 16:35 . 2010-04-18 00:06 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-14 16:31 . 2010-04-18 00:06 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-14 16:31 . 2010-04-18 00:06 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-04-14 16:31 . 2010-04-18 00:06 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-04-14 16:31 . 2010-04-18 00:06 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-14 16:30 . 2010-04-18 00:06 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-06 21:01 . 2009-05-23 01:31 -------- d-----w- c:\program files\Alwil Software
2010-03-20 20:46 . 2009-05-24 23:42 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-03-19 14:27 . 2009-05-23 01:25 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-17 05:31 . 2010-03-17 05:31 -------- d-----w- c:\documents and settings\User\Application Data\CyberLink
2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 14:16 . 2009-10-02 17:20 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 13:11 . 2004-08-04 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 03:12 . 2009-05-25 01:40 -------- d-----w- c:\documents and settings\User\Application Data\SoapMakerData
2010-02-23 03:12 . 2010-02-23 03:12 -------- d-----w- c:\program files\SoapMaker3
2010-02-16 14:08 . 2004-08-04 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2009-05-20 03:49 . 2009-05-24 23:15 306 ----a-w- c:\program files\Shortcut to My Documents.lnk
2004-07-06 17:54 . 2007-05-22 20:10 1241088 ----a-w- c:\program files\PGE_PlugIn.8bf
1998-05-31 04:00 . 1998-05-31 04:00 295696 ----a-w- c:\program files\Common Files\MSJTOR35.DLL
2009-05-24 23:42 . 2009-05-24 23:42 88 --sh--r- c:\windows\system32\16071871B6.sys
.
Code:
c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl .exe
c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray .exe
c:\program files\Adobe\Adobe Bridge CS4\bridge .exe
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Common Files\Adobe\CS4ServiceManager\cs4servicemanager .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\QuickTime\qttask                  .exe
c:\program files\Windows Defender\msascui .exe

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-20 23:11 . 2010-04-20 23:11 16384 c:\windows\Temp\Perflib_Perfdata_904.dat
+ 2010-04-18 00:06 . 2010-01-09 20:22 12112 c:\windows\system32\drivers\aswNdis.sys
- 2009-10-26 04:12 . 2010-03-19 20:24 25214 c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000004}\_SC_Distiller.exe
+ 2009-10-26 04:12 . 2010-04-19 16:08 25214 c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000004}\_SC_Distiller.exe
+ 2009-10-26 04:12 . 2010-04-19 16:08 36294 c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000004}\_SC_Acrobat_Standard.exe
+ 2009-10-26 04:12 . 2010-04-19 16:08 38926 c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000004}\_SC_Acrobat_3D.exe
+ 2009-10-26 04:12 . 2010-04-19 16:08 38926 c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000004}\_SC_Acrobat.exe
- 2009-10-26 04:12 . 2010-03-19 20:24 7278 c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000004}\_SC_ELEMENTS_DT.exe
+ 2009-10-26 04:12 . 2010-04-19 16:08 7278 c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000004}\_SC_ELEMENTS_DT.exe
- 2009-10-26 04:12 . 2010-03-19 20:24 335872 c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000004}\SC_Designer_PFM.70DBED24_B579_40CB_AB0B_F1221A3E9EC5.exe
+ 2009-10-26 04:12 . 2010-04-19 16:08 335872 c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000004}\SC_Designer_PFM.70DBED24_B579_40CB_AB0B_F1221A3E9EC5.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\snxPluginsShell]
@="{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}"
[HKEY_CLASSES_ROOT\CLSID\{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}]
2010-04-14 16:33 140288 ----a-w- c:\program files\Alwil Software\Avast5\snxPlugins.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeBridge"="c:\program files\Adobe\Adobe Bridge CS4\Bridge.exe" [N/A]
"Google Update"="c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-04-11 136176]
"Fraps"="c:\fraps\FRAPS.EXE" [2010-03-31 2181040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [4/17/2010 8:06 PM 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [4/17/2010 8:06 PM 196048]
R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [4/17/2010 8:06 PM 102736]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/17/2010 8:06 PM 297552]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/17/2010 8:06 PM 162768]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/17/2010 8:06 PM 19024]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 avast! Firewall;avast! Firewall;c:\program files\Alwil Software\Avast5\afwServ.exe [4/17/2010 8:06 PM 119200]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/11/2010 3:46 PM 136176]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 284016]
S3 DIGIRPS;Digi PortServer Driver;c:\windows\system32\drivers\digirlpt.sys [4/10/2010 4:12 PM 42432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-04-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 19:46]

2010-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 19:46]

2010-04-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-602162358-725345543-1003Core.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-20 19:46]

2010-04-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-602162358-725345543-1003UA.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-20 19:46]

2010-04-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\User\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nphssb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-04-20 23:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1016)
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(1312)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-20 23:56:11
ComboFix-quarantined-files.txt 2010-04-21 03:56
ComboFix2.txt 2010-04-20 23:06

Pre-Run: 101,749,780,480 bytes free
Post-Run: 101,714,477,056 bytes free

- - End Of File - - 36526A93ED6DAA697F335C571DC0CD05


Re: Computer hijacked

Post by Belahzur on 21st April 2010, 3:58 pm

Hello.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    KILLALL::

    File::
    c:\program files\42156.dat
    c:\program files\6413406.dat

    RenV::
    c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl .exe
    c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray .exe
    c:\program files\Adobe\Adobe Bridge CS4\bridge .exe
    c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
    c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
    c:\program files\Common Files\Adobe\CS4ServiceManager\cs4servicemanager .exe
    c:\program files\Common Files\InstallShield\UpdateService\issch .exe
    c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
    c:\program files\Java\jre6\bin\jusched .exe
    c:\program files\QuickTime\qttask                  .exe
    c:\program files\Windows Defender\msascui .exe
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


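An added triage helper (my example, not ComboFix or Geek Police code) that reads lines in the shape of the log above and pulls out the items Belahzur's CFScript acts on: executables whose names were padded with spaces before `.exe` (the RenV:: list), the tiny numeric `.dat` files in Program Files (the File:: list), and the Security Center and firewall overrides from the Reg Loading Points section. The sample lines are copied from the posted log plus one clean control line; the regexes, function names and the size threshold are my assumptions.

```python
"""Triage a ComboFix-style log for the findings acted on in this thread.
Added example; not part of ComboFix or of the thread."""
import re
from typing import Dict, List

# Constructed sample: lines copied from the posted log, plus one clean control
# line (msascui.exe without padding) that must NOT be flagged.
SAMPLE_LOG = r"""
2010-04-17 21:18 . 2010-04-17 21:18 4 ----a-w- c:\program files\42156.dat
2010-04-17 01:31 . 2010-04-17 01:31 4 ----a-w- c:\program files\6413406.dat
2010-03-31 06:00 . 2010-03-31 06:00 86016 ----a-w- c:\windows\system32\frapsvid.dll
c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl .exe
c:\program files\QuickTime\qttask                  .exe
c:\program files\Windows Defender\msascui .exe
c:\program files\Windows Defender\msascui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"""

# A bare path whose file name has whitespace between stem and extension.
PADDED_EXE = re.compile(r"^([a-z]:\\.*?\S)\s+\.(exe|dll|sys|scr)$", re.IGNORECASE)
# "Files Created" / "Find3M" entry: created, modified, size or --------, attrs, path
ENTRY = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d (\d+|-{8}) (\S{8}) (.+)$"
)
NUMERIC_DAT = re.compile(r"^c:\\program files\\\d+\.dat$", re.IGNORECASE)
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(?:dword:)?([0-9a-f]+)', re.IGNORECASE)

# (key fragment, value name, value that weakens protection, message).  Note: a
# third-party suite (the log shows avast! Internet Security) legitimately sets
# these when it replaces the built-in firewall, so confirm before acting.
WEAKENED = [
    ("security center", "AntiVirusOverride", 1, "Security Center ignores AV state"),
    ("security center", "FirewallOverride", 1, "Security Center ignores firewall state"),
    ("firewallpolicy\\standardprofile", "EnableFirewall", 0, "Windows Firewall off"),
]


def padded_executables(lines: List[str]) -> List[str]:
    """Files renamed like 'qttask                  .exe': the real autostart entry
    no longer points at them, which is what the RenV:: directive reverses."""
    return [ln.strip() for ln in lines if PADDED_EXE.match(ln.strip())]


def tiny_numeric_dat(lines: List[str], max_size: int = 16) -> List[str]:
    """Program Files\\<digits>.dat entries of a few bytes (42156.dat, 6413406.dat)."""
    hits = []
    for ln in lines:
        m = ENTRY.match(ln.strip())
        if not m or m.group(1).startswith("-"):   # skip non-entries and directories
            continue
        size, path = int(m.group(1)), m.group(3)
        if NUMERIC_DAT.match(path) and size <= max_size:
            hits.append(path)
    return hits


def weakened_protections(lines: List[str]) -> List[str]:
    """Walk the REGEDIT4-style dump, remembering the current key for each value."""
    findings, key = [], ""
    for ln in lines:
        ln = ln.strip()
        k = REG_KEY.match(ln)
        if k:
            key = k.group(1).lower()
            continue
        v = REG_VALUE.match(ln)
        if not v:
            continue
        name, value = v.group(1), int(v.group(2), 16)
        for frag, want, bad, msg in WEAKENED:
            if frag in key and name.lower() == want.lower() and value == bad:
                findings.append(f"{msg} ({name}={value})")
    return findings


def renv_section(paths: List[str]) -> str:
    """RenV:: block in the CFScript syntax used in the thread."""
    return "RenV::\n" + "\n".join(paths) + "\n"


def triage(text: str) -> Dict[str, List[str]]:
    lines = text.splitlines()
    return {
        "padded_executables": padded_executables(lines),
        "tiny_numeric_dat": tiny_numeric_dat(lines),
        "weakened_protections": weakened_protections(lines),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for section, items in report.items():
        print(section)
        for item in items:
            print("   ", item)
    print(renv_section(report["padded_executables"]))
```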

Re: Computer hijacked

Post by AngelsElf on 21st April 2010, 7:06 pm

As requested, and is there any way you can tell me if I missed copying and pasting these code lines?
c:\program files\QuickTime\qttask .exe
c:\program files\Windows Defender\msascui .exe

I am not sure I included them because I didn't see them till after I started everything.


ComboFix 10-04-21.01 - User 04/21/2010 14:39:38.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3199.2422 [GMT -4]
Running from: c:\geek police stuff\Combo-Fix.exe
Command switches used :: c:\geek police stuff\CFscript.txt
AV: avast! Internet Security *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\program files\42156.dat"
"c:\program files\6413406.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\42156.dat
c:\program files\6413406.dat

.
((((((((((((((((((((((((( Files Created from 2010-03-21 to 2010-04-21 )))))))))))))))))))))))))))))))
.

2010-04-21 18:03 . 2010-04-21 18:31 -------- d-----w- C:\Combo-Fix11551C
2010-04-20 19:55 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-20 19:55 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 18:35 . 2010-04-20 18:35 -------- d-----w- C:\_OTL
2010-04-18 00:02 . 2010-04-18 00:05 -------- d-----w- C:\Avast Stuff
2010-04-17 19:47 . 2010-04-17 19:53 -------- d-----w- C:\Combo-Fix
2010-04-17 19:06 . 2010-04-17 19:06 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-17 19:05 . 2010-04-17 19:05 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\avG
2010-04-17 19:05 . 2010-04-17 19:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-17 19:04 . 2010-04-19 06:28 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-17 19:01 . 2010-04-17 19:01 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-04-17 15:38 . 2010-04-21 18:39 -------- d-----w- C:\geek police stuff
2010-04-16 23:24 . 2010-04-16 23:24 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\avG
2010-04-16 23:24 . 2010-04-16 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-14 13:48 . 2010-04-14 13:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-04-11 19:46 . 2010-04-11 19:46 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-04-11 19:46 . 2010-04-11 19:47 -------- d-----w- c:\program files\Google
2010-04-10 20:12 . 2001-08-18 02:36 110621 -c--a-w- c:\windows\system32\dllcache\digirlpt.dll
2010-04-10 20:12 . 2001-08-18 02:36 110621 ----a-w- c:\windows\system32\digirlpt.dll
2010-04-10 20:12 . 2001-08-17 16:17 42432 -c--a-w- c:\windows\system32\dllcache\digirlpt.sys
2010-04-10 20:12 . 2001-08-17 16:17 42432 ----a-w- c:\windows\system32\drivers\digirlpt.sys
2010-04-07 19:05 . 2010-04-07 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-04-06 20:59 . 2010-04-17 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-03-31 06:00 . 2010-03-31 06:00 86016 ----a-w- c:\windows\system32\frapsvid.dll
2010-03-27 18:29 . 2010-03-27 18:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-03-23 14:30 . 2010-04-18 18:44 -------- d-----w- c:\program files\QuickTime
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\program files\Common Files\Apple
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Apple
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\program files\Apple Software Update
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-21 18:39 . 2009-05-23 01:43 -------- d-----w- c:\program files\Windows Defender
2010-04-21 17:13 . 2009-05-25 02:32 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-04-21 17:13 . 2009-05-25 02:32 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-04-20 22:36 . 2010-04-17 20:34 8704 --sha-w- c:\program files\Thumbs.db
2010-04-20 19:55 . 2009-08-03 03:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-18 00:11 . 2009-05-25 02:15 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-17 03:34 . 2004-08-04 12:00 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-04-16 23:33 . 2009-07-07 02:02 -------- d-----w- c:\documents and settings\User\Application Data\Skype
2010-04-16 20:09 . 2009-07-07 02:12 -------- d-----w- c:\documents and settings\User\Application Data\skypePM
2010-04-14 16:47 . 2010-04-18 00:06 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-14 16:47 . 2010-04-18 00:06 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-14 16:37 . 2010-04-18 00:06 102736 ----a-w- c:\windows\system32\drivers\aswFW.sys
2010-04-14 16:37 . 2010-04-18 00:06 297552 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2010-04-14 16:36 . 2010-04-18 00:06 196048 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2010-04-14 16:35 . 2010-04-18 00:06 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-14 16:35 . 2010-04-18 00:06 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-14 16:31 . 2010-04-18 00:06 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-14 16:31 . 2010-04-18 00:06 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-04-14 16:31 . 2010-04-18 00:06 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-04-14 16:31 . 2010-04-18 00:06 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-14 16:30 . 2010-04-18 00:06 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-06 21:01 . 2009-05-23 01:31 -------- d-----w- c:\program files\Alwil Software
2010-03-26 14:33 . 2010-04-14 23:25 1496064 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-03-26 14:33 . 2010-04-14 23:25 43008 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-03-26 14:33 . 2010-04-14 23:25 339456 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-03-26 14:32 . 2010-04-14 23:25 346112 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-03-20 20:46 . 2009-05-24 23:42 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-03-19 14:27 . 2009-05-23 01:25 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-17 05:31 . 2010-03-17 05:31 -------- d-----w- c:\documents and settings\User\Application Data\CyberLink
2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 14:16 . 2009-10-02 17:20 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 13:11 . 2004-08-04 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 03:12 . 2009-05-25 01:40 -------- d-----w- c:\documents and settings\User\Application Data\SoapMakerData
2010-02-23 03:12 . 2010-02-23 03:12 -------- d-----w- c:\program files\SoapMaker3
2010-02-16 14:08 . 2004-08-04 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2009-05-20 03:49 . 2009-05-24 23:15 306 ----a-w- c:\program files\Shortcut to My Documents.lnk
2004-07-06 17:54 . 2007-05-22 20:10 1241088 ----a-w- c:\program files\PGE_PlugIn.8bf
1998-05-31 04:00 . 1998-05-31 04:00 295696 ----a-w- c:\program files\Common Files\MSJTOR35.DLL
2009-05-24 23:42 . 2009-05-24 23:42 88 --sh--r- c:\windows\system32\16071871B6.sys
.
Code:
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\snxPluginsShell]
@="{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}"
[HKEY_CLASSES_ROOT\CLSID\{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}]
2010-04-14 16:33 140288 ----a-w- c:\program files\Alwil Software\Avast5\snxPlugins.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeBridge"="c:\program files\Adobe\Adobe Bridge CS4\Bridge.exe" [2008-08-28 13145448]
"Google Update"="c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-04-11 136176]
"Fraps"="c:\fraps\FRAPS.EXE" [2010-03-31 2181040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-12-22 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-12-21 640440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [4/17/2010 8:06 PM 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [4/17/2010 8:06 PM 196048]
R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [4/17/2010 8:06 PM 102736]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/17/2010 8:06 PM 297552]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/17/2010 8:06 PM 162768]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/17/2010 8:06 PM 19024]
R2 avast! Firewall;avast! Firewall;c:\program files\Alwil Software\Avast5\afwServ.exe [4/17/2010 8:06 PM 119200]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/11/2010 3:46 PM 136176]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 284016]
S3 DIGIRPS;Digi PortServer Driver;c:\windows\system32\drivers\digirlpt.sys [4/10/2010 4:12 PM 42432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-04-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 19:46]

2010-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 19:46]

2010-04-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-602162358-725345543-1003Core.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-20 19:46]

2010-04-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-602162358-725345543-1003UA.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-20 19:46]

2010-04-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\User\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nphssb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-04-21 14:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1028)
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(3964)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\documents and settings\User\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
.
**************************************************************************
.
Completion time: 2010-04-21 15:04:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-21 19:04
ComboFix2.txt 2010-04-21 18:29
ComboFix3.txt 2010-04-21 03:56
ComboFix4.txt 2010-04-20 23:06

Pre-Run: 101,713,883,136 bytes free
Post-Run: 101,771,997,184 bytes free

- - End Of File - - C6031105B101C1BC418D08DC71DA4AE5

AngelsElf
Intermediate

Posts : 101
Joined : 2008-12-07
OS : Windows XP
Points : 30377
# Likes : 0


Re: Computer hijacked

Post by Belahzur on 21st April 2010, 9:19 pm

Hello.

  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    KILLALL::

    RenV::
    c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe

    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe ARM"=-
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245101
# Likes : 1

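The CFScript above renames `adobearm .exe`, a file that differs from the legitimate `AdobeARM.exe` sitting in the same directory only by the space in front of the extension; ComboFix singles such names out in the boxed "Code:" line of its Find3M report. The Python below is an added example, not code from this thread or from ComboFix, that picks space-before-extension executables out of ComboFix-style log lines, pairs each one with the legitimately named file it mimics when that file is listed in the same directory, and emits the matching `RenV::` section. The log lines are constructed for the example (re-typed from paths that appear in this thread, not a copy of the posted log), and the regular expressions and function names are the example's own.

```python
import re
from collections import defaultdict

# Extensions an impostor file is likely to mimic.
EXEC_EXTS = ("exe", "dll", "sys", "scr", "com")

# A basename whose extension is preceded by whitespace, e.g. "adobearm .exe".
SPACE_BEFORE_EXT = re.compile(
    r"^(?P<stem>.*?)\s+\.(?P<ext>%s)$" % "|".join(EXEC_EXTS), re.IGNORECASE
)

# A Windows path anywhere on a log line; it ends at a closing quote, at the
# " [date size]" suffix ComboFix appends to Run entries, or at end of line.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\[\r\n]+?(?="|\s\[|$)')

# Constructed sample: a handful of lines in ComboFix's layout, re-typed from
# paths that appear in this thread (a Find3M entry, the boxed "Code:" line,
# the HKLM Run key and one firewall entry). It is not a copy of the posted log.
SAMPLE_LOG = r"""
2010-03-20 20:46 . 2009-05-24 23:42 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys
Code:
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"""


def extract_paths(log_text):
    """Every Windows path on every line, in order (duplicates kept)."""
    found = []
    for line in log_text.splitlines():
        found.extend(WIN_PATH.findall(line))
    return found


def split_path(path):
    """Collapse the doubled backslashes ComboFix prints in firewall entries and
    split into (directory lowercased for grouping, basename as printed, full path)."""
    path = path.replace("\\\\", "\\")
    directory, _, basename = path.rpartition("\\")
    return directory.lower(), basename, path


def find_impostors(log_text):
    """Flag executables with whitespace before the extension and, where one is
    listed, the legitimately named file in the same directory they mimic."""
    by_dir = defaultdict(dict)  # lowercased dir -> {basename: full path as printed}
    for raw in extract_paths(log_text):
        directory, basename, full = split_path(raw)
        by_dir[directory][basename] = full
    findings = []
    for directory, names in by_dir.items():
        for basename, full in sorted(names.items()):
            m = SPACE_BEFORE_EXT.match(basename)
            if not m:
                continue
            expected = (m.group("stem") + "." + m.group("ext")).lower()
            twin = next((n for n in names if n != basename and n.lower() == expected), None)
            findings.append({"path": full, "mimics": names[twin] if twin else None})
    return findings


def cfscript_renv(findings):
    """Build the RenV:: section of a CFScript listing the flagged files, the
    directive the helper's script above uses to rename adobearm .exe."""
    return "\n".join(["RenV::"] + [f["path"] for f in findings]) + "\n"


if __name__ == "__main__":
    hits = find_impostors(SAMPLE_LOG)
    for hit in hits:
        print("space-before-extension:", hit["path"])
        if hit["mimics"]:
            print("  looks like an impostor of:", hit["mimics"])
    print(cfscript_renv(hits))
```

Run against a real ComboFix log, the script reports only files whose basename has whitespace in front of a known executable extension; a flagged file with a same-named twin in the same directory is the pattern shown in this thread, while a flagged file with no twin still deserves a look, since the trick also works against names the log never lists. The generated `RenV::` block only renames; which Run entry to drop, as the helper did with "Adobe ARM"=-, is a judgement the analyst still makes from the Reg Loading Points section.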

Re: Computer hijacked

Post by AngelsElf on 22nd April 2010, 5:08 am

ComboFix 10-04-21.01 - User 04/22/2010 0:35.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3199.2628 [GMT -4:00]
Running from: c:\geek police stuff\Combo-Fix.exe
Command switches used :: c:\geek police stuff\CFscript.txt
AV: avast! Internet Security *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-03-22 to 2010-04-22 )))))))))))))))))))))))))))))))
.

2010-04-21 19:12 . 2010-04-21 19:12 -------- d-----w- C:\Combo-Fix29733C
2010-04-21 18:03 . 2010-04-21 18:31 -------- d-----w- C:\Combo-Fix11551C
2010-04-20 19:55 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-20 19:55 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 18:35 . 2010-04-20 18:35 -------- d-----w- C:\_OTL
2010-04-18 00:02 . 2010-04-18 00:05 -------- d-----w- C:\Avast Stuff
2010-04-17 19:47 . 2010-04-17 19:53 -------- d-----w- C:\Combo-Fix
2010-04-17 19:06 . 2010-04-17 19:06 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-17 19:05 . 2010-04-17 19:05 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\avG
2010-04-17 19:05 . 2010-04-17 19:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-17 19:04 . 2010-04-19 06:28 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-17 19:01 . 2010-04-17 19:01 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-04-17 15:38 . 2010-04-22 04:34 -------- d-----w- C:\geek police stuff
2010-04-16 23:24 . 2010-04-16 23:24 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\avG
2010-04-16 23:24 . 2010-04-16 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-14 13:48 . 2010-04-14 13:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-04-11 19:46 . 2010-04-11 19:46 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-04-11 19:46 . 2010-04-11 19:47 -------- d-----w- c:\program files\Google
2010-04-10 20:12 . 2001-08-18 02:36 110621 -c--a-w- c:\windows\system32\dllcache\digirlpt.dll
2010-04-10 20:12 . 2001-08-18 02:36 110621 ----a-w- c:\windows\system32\digirlpt.dll
2010-04-10 20:12 . 2001-08-17 16:17 42432 -c--a-w- c:\windows\system32\dllcache\digirlpt.sys
2010-04-10 20:12 . 2001-08-17 16:17 42432 ----a-w- c:\windows\system32\drivers\digirlpt.sys
2010-04-07 19:05 . 2010-04-07 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-04-06 20:59 . 2010-04-17 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-03-31 06:00 . 2010-03-31 06:00 86016 ----a-w- c:\windows\system32\frapsvid.dll
2010-03-27 18:29 . 2010-03-27 18:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-03-23 14:30 . 2010-04-18 18:44 -------- d-----w- c:\program files\QuickTime
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\program files\Common Files\Apple
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Apple
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\program files\Apple Software Update
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-21 18:39 . 2009-05-23 01:43 -------- d-----w- c:\program files\Windows Defender
2010-04-21 17:13 . 2009-05-25 02:32 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-04-21 17:13 . 2009-05-25 02:32 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-04-20 22:36 . 2010-04-17 20:34 8704 --sha-w- c:\program files\Thumbs.db
2010-04-20 19:55 . 2009-08-03 03:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-18 00:11 . 2009-05-25 02:15 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-17 03:34 . 2004-08-04 12:00 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-04-16 23:33 . 2009-07-07 02:02 -------- d-----w- c:\documents and settings\User\Application Data\Skype
2010-04-16 20:09 . 2009-07-07 02:12 -------- d-----w- c:\documents and settings\User\Application Data\skypePM
2010-04-14 16:47 . 2010-04-18 00:06 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-14 16:47 . 2010-04-18 00:06 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-14 16:37 . 2010-04-18 00:06 102736 ----a-w- c:\windows\system32\drivers\aswFW.sys
2010-04-14 16:37 . 2010-04-18 00:06 297552 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2010-04-14 16:36 . 2010-04-18 00:06 196048 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2010-04-14 16:35 . 2010-04-18 00:06 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-14 16:35 . 2010-04-18 00:06 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-14 16:31 . 2010-04-18 00:06 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-14 16:31 . 2010-04-18 00:06 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-04-14 16:31 . 2010-04-18 00:06 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-04-14 16:31 . 2010-04-18 00:06 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-14 16:30 . 2010-04-18 00:06 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-06 21:01 . 2009-05-23 01:31 -------- d-----w- c:\program files\Alwil Software
2010-03-26 14:33 . 2010-04-14 23:25 1496064 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-03-26 14:33 . 2010-04-14 23:25 43008 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-03-26 14:33 . 2010-04-14 23:25 339456 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-03-26 14:32 . 2010-04-14 23:25 346112 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-03-20 20:46 . 2009-05-24 23:42 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-03-19 14:27 . 2009-05-23 01:25 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-17 05:31 . 2010-03-17 05:31 -------- d-----w- c:\documents and settings\User\Application Data\CyberLink
2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 14:16 . 2009-10-02 17:20 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 13:11 . 2004-08-04 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 03:12 . 2009-05-25 01:40 -------- d-----w- c:\documents and settings\User\Application Data\SoapMakerData
2010-02-23 03:12 . 2010-02-23 03:12 -------- d-----w- c:\program files\SoapMaker3
2010-02-16 14:08 . 2004-08-04 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2009-05-20 03:49 . 2009-05-24 23:15 306 ----a-w- c:\program files\Shortcut to My Documents.lnk
2004-07-06 17:54 . 2007-05-22 20:10 1241088 ----a-w- c:\program files\PGE_PlugIn.8bf
1998-05-31 04:00 . 1998-05-31 04:00 295696 ----a-w- c:\program files\Common Files\MSJTOR35.DLL
2009-05-24 23:42 . 2009-05-24 23:42 88 --sh--r- c:\windows\system32\16071871B6.sys
.
Code:
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\snxPluginsShell]
@="{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}"
[HKEY_CLASSES_ROOT\CLSID\{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}]
2010-04-14 16:33 140288 ----a-w- c:\program files\Alwil Software\Avast5\snxPlugins.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeBridge"="c:\program files\Adobe\Adobe Bridge CS4\Bridge.exe" [2008-08-28 13145448]
"Google Update"="c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-04-11 136176]
"Fraps"="c:\fraps\FRAPS.EXE" [2010-03-31 2181040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-12-22 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-12-21 640440]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [4/17/2010 8:06 PM 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [4/17/2010 8:06 PM 196048]
R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [4/17/2010 8:06 PM 102736]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/17/2010 8:06 PM 297552]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/17/2010 8:06 PM 162768]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/17/2010 8:06 PM 19024]
R2 avast! Firewall;avast! Firewall;c:\program files\Alwil Software\Avast5\afwServ.exe [4/17/2010 8:06 PM 119200]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/11/2010 3:46 PM 136176]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 284016]
S3 DIGIRPS;Digi PortServer Driver;c:\windows\system32\drivers\digirlpt.sys [4/10/2010 4:12 PM 42432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-04-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 19:46]

2010-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 19:46]

2010-04-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-602162358-725345543-1003Core.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-20 19:46]

2010-04-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-602162358-725345543-1003UA.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-20 19:46]

2010-04-22 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\User\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nphssb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-04-22 00:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1028)
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(2136)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\documents and settings\User\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
.
**************************************************************************
.
Completion time: 2010-04-22 01:06:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-22 05:06
ComboFix2.txt 2010-04-21 19:46
ComboFix3.txt 2010-04-21 19:04
ComboFix4.txt 2010-04-21 18:29
ComboFix5.txt 2010-04-22 04:29

Pre-Run: 101,790,699,520 bytes free
Post-Run: 101,805,592,576 bytes free

- - End Of File - - C9F6AA75F0219AFF2304430018BFBB6C

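Two sections of the log above, "DLLs Loaded Under Running Processes" and "Other Running Processes", are where a helper looks first for a binary living somewhere it should not. What follows is an added example (editor's code, not ComboFix's and not part of any post in this thread) that parses those two sections, copied verbatim into the script as its sample input, and applies two triage heuristics: anything loaded into winlogon.exe from outside System32, and anything running or loaded from a user-writable directory (the marker list is my own assumption, not something ComboFix defines). On this log it flags AdobeDriveCS4_NP.dll inside winlogon.exe and GoogleCrashHandler.exe under the user's Local Settings; both belong to products the same log lists elsewhere (Adobe Drive CS4, Google Update), which is the point: the heuristic says where to look, not what is malicious.

```python
import re

# Sample input: the "DLLs Loaded" and "Other Running Processes" sections copied
# from the ComboFix log posted above. Nothing in it was changed.
COMBOFIX_EXCERPT = r"""
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1028)
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(2136)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\documents and settings\User\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
.
**************************************************************************
"""

# Layout markers as they appear in the log: a dashed section title, a
# "- - - > 'name'(pid)" process header, and one path per line.
SECTION_RE = re.compile(r"^-{3,}\s*(.+?)\s*-{3,}$")
PROCESS_RE = re.compile(r"^- - - - - - - > '(?P<name>[^']+)'\((?P<pid>\d+)\)$")
PATH_RE = re.compile(r"^[a-zA-Z]:\\")


def parse_combofix(text):
    """Return {'dlls': {(process, pid): [dll paths]}, 'processes': [exe paths]}."""
    result = {"dlls": {}, "processes": []}
    section = current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            current = None
            continue
        if section is None or not line or line == ".":
            continue
        if section.startswith("dlls loaded"):
            m = PROCESS_RE.match(line)
            if m:
                current = (m.group("name"), int(m.group("pid")))
                result["dlls"][current] = []
            elif current is not None and PATH_RE.match(line):
                result["dlls"][current].append(line)
        elif section.startswith("other running processes") and PATH_RE.match(line):
            result["processes"].append(line)
    return result


# Assumption (my list, not ComboFix's): XP-era directories an ordinary user can
# write to, where a service binary or a system-process DLL has no business living.
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\temp\\", "\\recycler\\")
SYSTEM32 = "c:\\windows\\system32\\"


def is_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def triage(text):
    """Return (reason, path) pairs that deserve a manual look; not a verdict."""
    parsed = parse_combofix(text)
    findings = []
    for (process, _pid), dlls in parsed["dlls"].items():
        for dll in dlls:
            if process.lower() == "winlogon.exe" and not dll.lower().startswith(SYSTEM32):
                # winlogon runs as SYSTEM at every logon; a third-party DLL in it
                # is a classic persistence spot and should be identified by hand.
                findings.append(("non-system DLL inside winlogon.exe", dll))
            elif is_user_writable(dll):
                findings.append(("DLL loaded from a user-writable path", dll))
    for exe in parsed["processes"]:
        if is_user_writable(exe):
            findings.append(("process running from a user-writable path", exe))
    return findings


if __name__ == "__main__":
    for reason, path in triage(COMBOFIX_EXCERPT):
        print("%-45s %s" % (reason, path))
```

Each finding still has to be confirmed by hand (publisher, signature, whether the product is actually installed); the script only shortens the list of lines worth reading closely in a log that runs to over a thousand.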

Re: Computer hijacked

Post by Belahzur on 22nd April 2010, 6:16 pm

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :files
    c:\program files\Common Files\Adobe\ARM\1.0\adobearm.exe


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.



Re: Computer hijacked

Post by AngelsElf on 22nd April 2010, 6:19 pm

========== FILES ==========
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe moved successfully.

OTM by OldTimer - Version 3.1.10.2 log created on 04222010_141844


Re: Computer hijacked

Post by Belahzur on 22nd April 2010, 6:40 pm

Okay, now locate this file:

c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe

Remove the space between the M and the .



Re: Computer hijacked

Post by AngelsElf on 22nd April 2010, 8:07 pm

Okay, I see it in my system. Do you mean just rename it by removing the space between the M and the .?


Re: Computer hijacked

Post by Belahzur on 23rd April 2010, 12:21 am

Yes, there is an extra space there, so remove it.


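The two steps above, moving the AdobeARM.exe that OTM was pointed at and then renaming "adobearm .exe" back, are the pattern for a file displaced by a look-alike whose name differs only by a space before the extension. The thread does not say what the moved file was, so the added example below (editor's code, not OTM's and not part of any post) only does the mechanical part: it finds such pairs anywhere under a directory and restores the original name once nothing is left in the way. The directory layout and placeholder files in demo() are constructed; the Adobe ARM path is simply the one from the post.

```python
import os
import re
import shutil
import tempfile

# "name .ext": whitespace wedged between the base name and the extension.
SHADOW_RE = re.compile(r"^(?P<base>.+?)\s+(?P<ext>\.[^.\s]+)$")


def find_space_shadowed(root):
    """Walk root and return (shadow_path, displaced_original_or_None) pairs.

    A shadow is a file whose name, with the whitespace before the extension
    removed, equals a sibling's name (compared case-insensitively, as NTFS does).
    When there is no such sibling the second element is None: the odd name is
    still there, but nothing occupies the name it was pushed out of.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        for name in files:
            m = SHADOW_RE.match(name)
            if not m:
                continue
            sibling = by_lower.get((m.group("base") + m.group("ext")).lower())
            hits.append((os.path.join(dirpath, name),
                         os.path.join(dirpath, sibling) if sibling else None))
    return hits


def restore_name(shadow_path):
    """Rename 'name .ext' back to 'name.ext'; refuse if that name is still taken."""
    dirpath, name = os.path.split(shadow_path)
    m = SHADOW_RE.match(name)
    if not m:
        raise ValueError("not a space-shadowed name: %r" % name)
    target = os.path.join(dirpath, m.group("base") + m.group("ext"))
    if os.path.exists(target):
        raise FileExistsError("refusing to overwrite %s" % target)
    os.rename(shadow_path, target)
    return target


def demo():
    """Replay the thread's situation on a constructed, throwaway tree.

    Files are placeholders, not real binaries; only the names matter here.
    """
    root = tempfile.mkdtemp()
    arm = os.path.join(root, "Common Files", "Adobe", "ARM", "1.0")
    os.makedirs(arm)
    for name in ("AdobeARM.exe", "adobearm .exe", "unrelated.exe"):
        with open(os.path.join(arm, name), "wb") as fh:
            fh.write(b"placeholder")
    try:
        before = find_space_shadowed(root)            # pair found: original displaced
        os.remove(os.path.join(arm, "AdobeARM.exe"))  # what the OTM :files move did
        after = find_space_shadowed(root)             # shadow remains, nothing in the way
        restored = restore_name(after[0][0])          # the manual rename from the post
        final = find_space_shadowed(root)
    finally:
        shutil.rmtree(root)
    return {"before": before, "after": after,
            "restored": os.path.basename(restored), "final": final}


if __name__ == "__main__":
    print(demo())
```

The refusal in restore_name is deliberate: if the look-alike has not been moved yet, renaming over it would destroy the one file you still want to examine, so the order in the thread (move first, rename second) is the only safe one.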

Re: Computer hijacked

Post by AngelsElf on 23rd April 2010, 12:51 am

Done as requested.


Re: Computer hijacked

Post by Belahzur on 23rd April 2010, 12:56 am

Okay, next.

Run ESET Online Scan
Please do an online scan with [You must be registered and logged in to see this link.]. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.



Re: Computer hijacked

Post by AngelsElf on 23rd April 2010, 3:47 pm

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=1
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=85c3d03e9a417645bc8a5d401379b993
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-04-23 06:57:18
# local_time=2010-04-23 02:57:18 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 22017837 22017837 0 0
# compatibility_mode=768 16777191 100 0 1319302 1319302 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=298363
# found=1
# cleaned=1
# scan_time=8827
C:\Qoobox\Quarantine\C\Documents and Settings\User\Local Settings\Application Data\ave.exe.vir a variant of Win32/Kryptik.DSW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=85c3d03e9a417645bc8a5d401379b993
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-04-23 12:30:53
# local_time=2010-04-23 08:30:53 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 22031417 22031417 0 0
# compatibility_mode=768 16777191 100 0 1336482 1336482 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=298369
# found=0
# cleaned=0
# scan_time=15262

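The ESET log above is two scans in one file (one run per "# version=" header): the first found and cleaned one item, the second, with archives enabled, found nothing. Worth noticing is where the hit was. C:\Qoobox is ComboFix's quarantine folder and the .vir suffix is its rename, so the Kryptik detection is the already-contained copy from the earlier removal, not a file that was still live. The added example below (editor's code, not ESET's and not part of the post) parses the log into runs, pulls the detection line apart, and separates live hits from quarantined ones. The sample input is the log from the post with the compatibility_mode lines and the second run's repeated header fields trimmed; the detection-line regex leans on ESET's "a variant of Platform/Family type" naming and is my own reconstruction from the whitespace-flattened line as posted.

```python
import re

# Sample input: the ESET log from the post above, with the compatibility_mode
# lines and the second run's repeated header fields trimmed.
ESET_LOG = r"""ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=1
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=85c3d03e9a417645bc8a5d401379b993
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-04-23 06:57:18
# local_time=2010-04-23 02:57:18 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# scanned=298363
# found=1
# cleaned=1
# scan_time=8827
C:\Qoobox\Quarantine\C\Documents and Settings\User\Local Settings\Application Data\ave.exe.vir a variant of Win32/Kryptik.DSW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
# version=7
# end=finished
# archives_checked=true
# utc_time=2010-04-23 12:30:53
# scanned=298369
# found=0
# cleaned=0
# scan_time=15262
"""

HEADER_RE = re.compile(r"^#\s*(?P<key>[^=]+)=(?P<value>.*)$")

# A detection line as flattened in the post: path, threat name, "(action)", file
# hash, flag. ESET names threats "[probably] [a variant of] Platform/Family type",
# which is what lets a path full of spaces be told apart from the name after it.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<threat>(?:probably\s+)?(?:a\s+variant\s+of\s+)?[A-Za-z0-9_.-]+/\S+(?:\s+[a-z][a-z ]*?)?)\s+"
    r"\((?P<action>[^)]*)\)\s+"
    r"(?P<hash>[0-9a-fA-F]{16,})\s+"
    r"(?P<flag>\S+)$"
)


def parse_eset_log(text):
    """Split the log into runs, one per '# version=' header, each with meta and detections."""
    runs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            key, value = m.group("key").strip(), m.group("value").strip().strip('"')
            if key == "version":
                current = {"meta": {}, "detections": []}
                runs.append(current)
            if current is not None:
                current["meta"][key] = value
            continue
        if current is None:
            continue  # installer chatter before the first run
        m = DETECTION_RE.match(line)
        if m:
            current["detections"].append(m.groupdict())
    return runs


def is_quarantine_copy(path):
    """True for ComboFix's own quarantine (C:\\Qoobox, files renamed with .vir):
    a contained sample, not something that was still live on the machine."""
    p = path.lower()
    return p.startswith("c:\\qoobox\\") or p.endswith(".vir")


def summarize(runs):
    """Per-run counts, splitting hits into live versus already-quarantined."""
    out = []
    for r in runs:
        live = [d for d in r["detections"] if not is_quarantine_copy(d["path"])]
        out.append({
            "utc_time": r["meta"].get("utc_time"),
            "scanned": int(r["meta"].get("scanned", 0)),
            "found": int(r["meta"].get("found", 0)),
            "cleaned": int(r["meta"].get("cleaned", 0)),
            "archives": r["meta"].get("archives_checked") == "true",
            "live_hits": len(live),
            "quarantined_hits": len(r["detections"]) - len(live),
        })
    return out


if __name__ == "__main__":
    for row in summarize(parse_eset_log(ESET_LOG)):
        print(row)
```

A "found=1" with zero live hits is the reassuring reading of this log: the second scanner only re-found what the first had already put in a box, which is consistent with the helper's next step of removing ComboFix (and its quarantine) rather than hunting further.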

Re: Computer hijacked

Post by Belahzur on 23rd April 2010, 3:57 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?



Re: Computer hijacked

Post by AngelsElf on 26th April 2010, 10:09 pm

Thank you so much my computer seems to be working just fine thanks to you guys.

You guys rock!
