1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Inactive Random Music / Pop-ups from I.E. (even when not running)

Discussion in 'Malware and Virus Removal Archive' started by wealthymike, 2010/08/07.

Thread Status:
Not open for further replies.
  1. 2010/08/07
    wealthymike

    wealthymike Inactive Thread Starter

    Joined:
    2010/04/09
    Messages:
    112
    Likes Received:
    0
    [Inactive] Random Music / Pop-ups from I.E. (even when not running)

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Sampson at 9:32:50.34 on Sat 08/07/2010
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_16
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.319 [GMT -4:00]

    AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    svchost.exe 4
    C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\QUALCOMM\QDLService\QDLService.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    svchost.exe 4
    C:\WINDOWS\system32\igfxtray.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Documents and Settings\Sampson\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Documents and Settings\Sampson\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Sampson\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Sampson\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Sampson\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Sampson\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0709&m=aoa150
    mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0709&m=aoa150
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe "
    uRun: [Google Update] "c:\documents and settings\sampson\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
    mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
    mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe "
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe "
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    StartupFolder: c:\docume~1\sampson\startm~1\programs\startup\LNK~1 -
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\sampson\applic~1\mozilla\firefox\profiles\l85e7cm8.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.gmail.com
    FF - plugin: c:\documents and settings\sampson\application data\move networks\plugins\npqmp071505000010.dll
    FF - plugin: c:\documents and settings\sampson\application data\move networks\plugins\npqmp071505000011.dll
    FF - plugin: c:\documents and settings\sampson\application data\mozilla\firefox\profiles\l85e7cm8.default\extensions\justintvpublisher@justin.tv\platform\winnt_x86-msvc\plugins\npjustintvpublish.dll
    FF - plugin: c:\documents and settings\sampson\application data\mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\documents and settings\sampson\application data\mozilla\plugins\npgtpo3dautoplugin.dll
    FF - plugin: c:\documents and settings\sampson\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
    FF - plugin: c:\program files\google\google updater\2.4.1908.5032\npCIDetect14.dll
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.use_native_popup_windows ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.enable_click_image_resizing ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "accessibility.browsewithcaret_shortcut.enabled ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "javascript.options.mem.high_water_mark ", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "javascript.options.mem.gc_frequency ", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.lu ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.nu ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.nz ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgberp4a5d4ar ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--p1ai ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgbayh7gpa ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.tel ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.proxy.type ", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "dom.ipc.plugins.timeoutSecs ", 45);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.trackpoint_hack.enabled ", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.debug ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.agedWeight ", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.bucketSize ", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.maxTimeGroupings ", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.timeGroupingSize ", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.boundaryWeight ", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.prefixWeight ", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "accelerometer.enabled ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "html5.enable ", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref ", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.renego_unrestricted_hosts ", " ");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.treat_unsafe_negotiation_as_broken ", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.require_safe_negotiation ", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl3.rsa_seed_sha ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "app.update.download.backgroundInterval ", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "app.update.url.manual ", "http://www.firefox.com ");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-ja ", "mozff ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add ", "addons.mozilla.org ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add.36 ", "getpersonas.com ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "lightweightThemes.update.enabled ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.allTabs.previews ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "plugins.hide_infobar_for_outdated_plugin ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "toolbar.customization.usesheet ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.nptest.dll ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npswf32.dll ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npctrl.dll ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npqtplugin.dll ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.enable ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.max ", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.cachetime ", 20);

    ============= SERVICES / DRIVERS ===============

    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 151216]
    R2 QDLService;Qualcomm Gobi Download Service;c:\qualcomm\qdlservice\QDLService.exe [2008-11-10 345336]
    S2 CrossLoopService;CrossLoop Service;c:\documents and settings\sampson\local settings\application data\crossloop\CrossLoopService.exe [2010-2-22 560792]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-19 135664]
    S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-1-20 30192]
    S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2010-4-8 16968]
    S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2008-7-8 96856]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-4-8 38224]
    S3 QCFilterGAD;Gobi AD USB Composite Device Filter Driver;c:\windows\system32\drivers\qcfilterGAD.sys [2009-7-24 5248]
    S3 qcusbnetGAD;Gobi AD USB-NDIS miniport;c:\windows\system32\drivers\qcusbnetGAD.sys [2009-7-24 115200]
    S3 qcusbserGAD;Gobi AD USB Device for Legacy Serial Communication;c:\windows\system32\drivers\qcusbserGAD.sys [2009-2-17 103680]
    S3 uvnc_service;uvnc_service;c:\documents and settings\sampson\local settings\application data\crossloop\winvnc.exe [2010-2-22 1590216]

    =============== Created Last 30 ================

    2010-07-28 03:40:38 0 d-----w- c:\docume~1\alluse~1\applic~1\DivX
    2010-07-25 21:53:49 0 d-----w- c:\program files\WebCam
    2010-07-16 02:47:42 0 d-----w- c:\program files\Windows Media Connect 2

    ==================== Find3M ====================

    2010-08-03 07:21:28 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-06-01 17:37:48 221568 ------w- c:\windows\system32\MpSigStub.exe
    2009-01-20 18:25:44 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
    2009-07-24 08:04:30 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009072420090725\index.dat

    ============= FINISH: 9:34:00.34 ===============
     
    wealthymike,
    #1
  2. 2010/08/07
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    You realise that we never finished your last thread? http://www.windowsbbs.com/malware-virus-removal/93607-active-strange-malware.html

    ==========

    Please download ComboFix by sUBs from HERE or HERE
    • You must download it to and run it from your Desktop
    • Physically disconnect from the internet.
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply.
    • Re-enable all the programs that were disabled during the running of ComboFix..

    Note:
    Do not mouse-click combofix's window while it is running. That may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Run Combofix ONCE only!!
     
    crunchie,
    #2


  3. to hide this advert.

  4. 2010/08/07
    wealthymike

    wealthymike Inactive Thread Starter

    Joined:
    2010/04/09
    Messages:
    112
    Likes Received:
    0
    ComboFix 10-08-06.03 - Sampson 08/07/2010 10:10:50.7.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.593 [GMT -4:00]
    Running from: c:\documents and settings\Sampson\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
    c:\documents and settings\Sampson\pev.exe
    c:\documents and settings\Sampson\Start Menu\Programs\Startup\.lnk
    c:\documents and settings\Sampson\Start Menu\Programs\Uninstall.lnk

    .
    \\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
    .
    ((((((((((((((((((((((((( Files Created from 2010-07-07 to 2010-08-07 )))))))))))))))))))))))))))))))
    .

    2010-07-28 03:40 . 2010-07-28 03:42 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
    2010-07-25 21:53 . 2010-07-26 05:11 -------- d-----w- c:\program files\WebCam
    2010-07-16 04:59 . 2008-04-14 20:00 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
    2010-07-16 02:47 . 2010-07-16 02:47 -------- d-----w- c:\program files\Windows Media Connect 2
    2010-07-16 02:45 . 2010-07-16 02:46 -------- d-----w- c:\windows\system32\drivers\UMDF

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-03 07:21 . 2010-04-08 17:30 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-08-03 07:16 . 2009-08-02 07:15 -------- d-----w- c:\documents and settings\Sampson\Application Data\uTorrent
    2010-07-05 18:28 . 2009-01-20 18:45 -------- d-----w- c:\program files\Common Files\Adobe
    2010-06-29 11:20 . 2010-01-09 20:41 -------- d-----w- c:\program files\Microsoft Security Essentials
    2010-06-16 06:00 . 2009-08-02 07:15 -------- d-----w- c:\program files\uTorrent
    2010-06-14 14:31 . 2008-04-14 20:00 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
    2010-06-11 20:51 . 2010-06-11 20:51 3055600 ----a-w- c:\documents and settings\Sampson\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
    2010-06-11 20:36 . 2010-06-11 20:36 275952 ----a-w- c:\documents and settings\Sampson\Application Data\Mozilla\plugins\npgoogletalk.dll
    2010-06-09 08:06 . 2010-06-09 08:06 976832 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\ARM Update\AdobeARM.exe
    2010-06-09 08:06 . 2010-06-09 08:06 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\ARM Update\AdobeExtractFiles.dll
    2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\ARM Update\ReaderUpdater.exe
    2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\ARM Update\AcrobatUpdater.exe
    2010-06-09 07:41 . 2010-05-29 06:17 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-06-09 07:22 . 2009-01-20 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-06-01 17:37 . 2010-01-09 20:43 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-05-11 07:03 . 2010-03-05 20:50 256 ----a-w- c:\windows\system32\pool.bin
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-24 68856]
    "Google Update "= "c:\documents and settings\Sampson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-09-16 133104]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray "= "c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
    "Persistence "= "c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
    "BlackBerryAutoUpdate "= "c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
    "HitmanPro35 "= "c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-08-03 6257984]
    "MSSE "= "c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
    "Adobe ARM "= "c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting "= "c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @= "Service "

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
    backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
    Alaunch [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-10-03 08:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    2008-06-19 23:20 57344 ----a-w- c:\windows\ALCMTR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CarboniteSetupLite]
    2008-10-03 19:18 294544 ----a-w- c:\program files\Carbonite\CarbonitePreinstaller.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eRecoveryService]
    2008-09-04 05:46 425984 ----a-w- c:\acer\Empowering Technology\eRecovery\eRAgent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
    2009-01-20 19:22 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2009-09-16 16:05 133104 ----atw- c:\documents and settings\Sampson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
    2008-04-14 20:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2008-12-03 06:41 3882312 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
    2008-04-14 20:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
    2008-04-14 20:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
    2008-04-14 20:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    2008-12-30 21:58 18082304 ----a-w- c:\windows\RTHDCPL.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-12-09 20:50 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2009-07-24 08:14 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    2008-04-25 16:32 1044480 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001
    "FirewallOverride "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)
    "DisableNotifications "= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE "=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe "=
    "c:\\Program Files\\uTorrent\\uTorrent.exe "=
    "c:\\Documents and Settings\\Sampson\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll "=
    "c:\\Documents and Settings\\Sampson\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Documents and Settings\\Sampson\\Local Settings\\Application Data\\CrossLoop\\vncviewer.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5910:TCP "= 5910:TCP:vnc5910

    R2 CrossLoopService;CrossLoop Service;c:\documents and settings\Sampson\Local Settings\Application Data\CrossLoop\CrossLoopService.exe [2/22/2010 10:11 AM 560792]
    R2 QDLService;Qualcomm Gobi Download Service;c:\qualcomm\QDLService\QDLService.exe [11/10/2008 2:43 AM 345336]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/19/2010 4:55 AM 135664]
    S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [1/20/2009 3:22 PM 30192]
    S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [4/8/2010 1:30 PM 16968]
    S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [7/8/2008 1:16 PM 96856]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [4/8/2010 8:17 AM 38224]
    S3 QCFilterGAD;Gobi AD USB Composite Device Filter Driver;c:\windows\system32\drivers\qcfilterGAD.sys [7/24/2009 4:08 AM 5248]
    S3 qcusbnetGAD;Gobi AD USB-NDIS miniport;c:\windows\system32\drivers\qcusbnetGAD.sys [7/24/2009 4:08 AM 115200]
    S3 qcusbserGAD;Gobi AD USB Device for Legacy Serial Communication;c:\windows\system32\drivers\qcusbserGAD.sys [2/17/2009 12:42 AM 103680]
    S3 uvnc_service;uvnc_service;c:\documents and settings\Sampson\Local Settings\Application Data\CrossLoop\winvnc.exe [2/22/2010 10:11 AM 1590216]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-07 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-24 15:43]

    2010-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-19 08:55]

    2010-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-19 08:55]

    2010-08-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-776817393-1407352519-815249355-1006Core.job
    - c:\documents and settings\Sampson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-16 16:05]

    2010-08-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-776817393-1407352519-815249355-1006UA.job
    - c:\documents and settings\Sampson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-16 16:05]

    2010-08-07 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 01:40]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0709&m=aoa150
    mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0709&m=aoa150
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    FF - ProfilePath - c:\documents and settings\Sampson\Application Data\Mozilla\Firefox\Profiles\l85e7cm8.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.gmail.com
    FF - plugin: c:\documents and settings\Sampson\Application Data\Move Networks\plugins\npqmp071505000010.dll
    FF - plugin: c:\documents and settings\Sampson\Application Data\Move Networks\plugins\npqmp071505000011.dll
    FF - plugin: c:\documents and settings\Sampson\Application Data\Mozilla\Firefox\Profiles\l85e7cm8.default\extensions\justintvpublisher@justin.tv\platform\WINNT_x86-msvc\plugins\npjustintvpublish.dll
    FF - plugin: c:\documents and settings\Sampson\Application Data\Mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\documents and settings\Sampson\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
    FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1908.5032\npCIDetect14.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.lu ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.nu ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.nz ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgberp4a5d4ar ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--p1ai ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgbayh7gpa ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.tel ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.proxy.type ", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "dom.ipc.plugins.timeoutSecs ", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "accelerometer.enabled ", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref ", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.renego_unrestricted_hosts ", " ");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.treat_unsafe_negotiation_as_broken ", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.require_safe_negotiation ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.nptest.dll ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npswf32.dll ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npctrl.dll ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npqtplugin.dll ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled ", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-07 10:26
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-08-07 10:28:52
    ComboFix-quarantined-files.txt 2010-08-07 14:28

    Pre-Run: 124,642,041,856 bytes free
    Post-Run: 125,613,289,472 bytes free

    - - End Of File - - BB0D7952496A0F1E20866F7602AF1E17
     
    wealthymike,
    #3
  5. 2010/08/07
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    crunchie,
    #4
Thread Status:
Not open for further replies.

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...