Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.213 [GMT 13:00]
Running from: c:\documents and settings\Exterminator\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
The following files were disabled during the run:
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server\qvxoob.dll
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Exterminator\syncman .exe
c:\documents and settings\Exterminator\syncman.exe
c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs.exe
c:\windows\hcontrol .exe
c:\windows\system32\ctfmon .exe
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxpers .exe
c:\windows\system32\igfxtray .exe
c:\windows\system32\nerocheck .exe
c:\windows\system32\syncman .exe
c:\windows\system32\SyncMan.exe
.
---- Previous Run -------
.
c:\documents and settings\Exterminator\Local Settings\Application Data\MSASCui.exe
c:\documents and settings\Exterminator\Local Settings\Application Data\Windows Server
c:\documents and settings\Exterminator\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Exterminator\Local Settings\Application Data\Windows Server\qvxoob.dll
c:\documents and settings\Exterminator\Local Settings\Application Data\Windows Server\uses32.dat
c:\documents and settings\Exterminator\rundll32.exe
c:\documents and settings\Exterminator\syncman .exe
c:\documents and settings\Exterminator\syncman .exe
c:\documents and settings\Exterminator\syncman .exe
c:\documents and settings\Exterminator\syncman .exe
c:\documents and settings\Exterminator\syncman .exe
c:\documents and settings\Exterminator\syncman .exe
c:\documents and settings\Exterminator\syncman .exe
c:\documents and settings\Exterminator\SyncMan.exe
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server\qvxoob.dll
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server\qvxoob.dll.vir
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server\qvxoob.dll
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server\qvxoob.dll.vir
c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs.exe
c:\recycler\S-1-5-21-8931369950-7373423170-792383272-1749
c:\windows\bhihuc .exe
c:\windows\hcontrol .exe
c:\windows\patch.exe
c:\windows\system32\cd_clint.dll
c:\windows\system32\ctfmon .exe
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxpers .exe
c:\windows\system32\igfxtray .exe
c:\windows\system32\nerocheck .exe
c:\windows\system32\reboot.txt
c:\windows\system32\regedit .exe
c:\windows\system32\regedit.exe
c:\windows\system32\rundll32 .exe
c:\windows\system32\sshnas21.dll
c:\windows\system32\syncman .exe
c:\windows\system32\syncman .exe
c:\windows\system32\SyncMan.exe
c:\windows\system32\Thumbs.db
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
-- Previous Run --
c:\windows\system32\drivers\cdrom.sys was missing
Restored copy from - c:\windows\ServicePackFiles\i386\cdrom.sys
--------
Infected copy of c:\windows\PCHealth\HelpCtr\Binaries\msconfig.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\msconfig.exe
.
((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-29 )))))))))))))))))))))))))))))))
.
2010-03-28 22:05 . 2008-04-13 17:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-03-22 00:01 . 2010-03-22 00:01 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-03-22 00:01 . 2010-03-22 00:01 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-03-21 22:54 . 2010-03-21 22:54 -------- d-----w- c:\program files\TrendMicro
2010-03-21 22:33 . 2010-03-21 22:33 -------- d-----w- C:\_OTM
2010-03-17 08:20 . 2010-03-17 08:20 -------- d-----w- C:\rsit
2010-03-17 07:35 . 2010-03-17 07:35 -------- d-----w- c:\documents and settings\Exterminator\Application Data\Malwarebytes
2010-03-17 07:35 . 2010-01-07 03:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-17 07:35 . 2010-03-17 07:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-17 07:35 . 2010-03-17 07:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-17 07:35 . 2010-01-07 03:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-11 00:15 . 2010-03-28 23:57 40448 ----a-w- c:\windows\hcontrol.exe
2010-03-10 21:52 . 2010-03-10 21:41 149504 ----a-w- c:\windows\Bhihub.exe
2010-03-10 21:51 . 2010-03-10 21:51 -------- d-----w- C:\FOUND.002
2010-03-10 21:40 . 2010-03-10 21:40 98208 ----a-w- c:\windows\system32\dllcache\cdrom.sys
2010-03-10 21:38 . 2010-03-10 21:38 149504 ----a-w- c:\windows\Bhihua.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-29 00:10 . 2010-03-29 00:10 40448 ----a-w- c:\windows\system32\syncman.exe
2010-03-29 00:10 . 2006-02-06 19:40 40448 ----a-w- c:\windows\system32\igfxpers.exe
2010-03-29 00:10 . 2003-06-04 03:53 40448 ----a-w- c:\windows\system32\hkcmd.exe
2010-03-29 00:10 . 2003-06-04 03:53 40448 ----a-w- c:\windows\system32\igfxtray.exe
2010-03-29 00:10 . 2010-03-29 00:10 40448 ----a-w- c:\documents and settings\Exterminator\syncman.exe
2010-03-28 23:58 . 2004-01-02 03:16 1218008 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\msconfig .exe
2010-03-28 23:58 . 2006-02-06 19:40 1218008 ----a-w- c:\windows\system32\igfxpers .exe
2010-03-28 23:58 . 2003-06-04 03:53 1218008 ----a-w- c:\windows\system32\hkcmd .exe
2010-03-28 23:58 . 2003-06-04 03:53 1218008 ----a-w- c:\windows\system32\igfxtray .exe
2010-03-28 23:57 . 2010-03-11 00:15 40448 ----a-w- c:\windows\hcontrol .exe
2010-03-28 23:57 . 2001-07-09 10:50 40448 ----a-w- c:\windows\system32\nerocheck.exe
2010-03-21 22:55 . 2010-03-21 22:55 388096 ----a-r- c:\documents and settings\Exterminator\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-03-21 22:50 . 2004-01-02 03:16 155648 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\msconfig .exe
2010-02-25 03:31 . 2010-02-25 03:31 -------- d-----w- c:\program files\MSECache
2010-02-16 07:32 . 2010-02-16 07:32 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-16 07:31 . 2010-02-16 07:31 152576 ----a-w- c:\documents and settings\Exterminator\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-02-16 07:27 . 2010-02-16 07:27 79488 ----a-w- c:\documents and settings\Exterminator\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-02 03:02 . 2010-02-02 03:02 -------- d-----w- c:\documents and settings\Exterminator\Application Data\Thunderbird
2010-02-02 03:01 . 2010-02-02 03:01 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-02-02 03:00 . 2010-02-02 03:00 0 ----a-w- c:\windows\nsreg.dat
2010-01-10 18:29 . 2010-01-10 18:29 985288 ------w- c:\documents and settings\All Users\Application Data\McAfee\MSC\Updates\Downloads\6973\Download_Files\msc\mcappcfg.exe
2010-01-10 18:29 . 2010-01-10 18:29 985288 ------w- c:\documents and settings\All Users\Application Data\McAfee\MSC\Updates\Downloads\6973\Download_Files\mhn\mcappcfg.exe
2010-01-10 18:29 . 2010-01-10 18:29 265824 ------w- c:\documents and settings\All Users\Application Data\McAfee\MSC\Updates\Downloads\6973\Download_Files\msc\mcutil.dll
2010-01-10 18:29 . 2010-01-10 18:29 265824 ------w- c:\documents and settings\All Users\Application Data\McAfee\MSC\Updates\Downloads\6973\Download_Files\mhn\mcutil.dll
2010-01-10 18:14 . 2010-01-10 18:14 822048 ------w- c:\documents and settings\All Users\Application Data\McAfee\MSC\Updates\Downloads\6973\Download_Files\msc\McInst.exe
2010-01-10 18:14 . 2010-01-10 18:14 822048 ------w- c:\documents and settings\All Users\Application Data\McAfee\MSC\Updates\Downloads\6973\Download_Files\mhn\McInst.exe
2007-06-13 00:53 . 2007-06-13 00:53 1207026 ----a-w- c:\program files\wrar370.exe
.
c:\program files\Asus\Power4 Gear\batterylife .exe
c:\program files\Adobe\Reader 8.0\Reader\reader_sl .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\McAfee.com\Agent\mcagent .exe
c:\program files\McAfee\MHN\mcenui .exe
c:\windows\hcontrol .exe
c:\windows\system32\igfxtray .exe
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxpers .exe
c:\windows\PCHealth\HelpCtr\Binaries\msconfig .exe
c:\windows\PCHealth\HelpCtr\Binaries\msconfig .exe
c:\windows\PCHealth\HelpCtr\Binaries\msconfig .exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SyncMan"="c:\documents and settings\Exterminator\SyncMan.exe" [2010-03-29 40448]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="c:\windows\System32\\NeroCheck.exe" [2010-03-28 40448]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-03-29 40448]
"Hcontrol"="c:\windows\Hcontrol.exe" [2010-03-29 40448]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-03-29 40448]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-03-29 40448]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2010-03-29 40448]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2010-03-29 40448]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2010-03-29 40448]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2010-03-29 40448]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2010-03-29 40448]
"SyncMan"="c:\windows\system32\SyncMan.exe" [2010-03-29 40448]
c:\documents and settings\Exterminator\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=rddv1027.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Messenger (2).lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Messenger (2).lnk
backup=c:\windows\pss\Windows Messenger (2).lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SyncMan]
2010-03-29 00:10 40448 ----a-w- c:\windows\system32\syncman.exe
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
AppSecDll REG_SZ c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server\qvxoob.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/07/2009 12:52 p.m. 721904]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [16/09/2009 11:05 a.m. 93320]
S0 uyimw;uyimw; [x]
S3 ipw_mdfl;Wireless Broadband Modem Filter;c:\windows\system32\DRIVERS\ipw_mdfl.sys --> c:\windows\system32\DRIVERS\ipw_mdfl.sys [?]
S3 ipw_mdm;Wireless Broadband Modem (WDM);c:\windows\system32\DRIVERS\ipw_mdm.sys --> c:\windows\system32\DRIVERS\ipw_mdm.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2010-03-29 c:\windows\Tasks\At8.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-29 00:10]
2010-03-29 c:\windows\Tasks\At9.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-29 00:10]
2010-03-29 c:\windows\Tasks\At10.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-29 00:10]
2010-03-29 c:\windows\Tasks\At11.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-29 00:10]
2010-03-29 c:\windows\Tasks\At12.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-29 00:10]
2010-03-29 c:\windows\Tasks\At13.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-29 00:10]
2010-03-29 c:\windows\Tasks\At14.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-29 00:10]
2010-03-29 c:\windows\Tasks\At15.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-29 00:10]
2010-03-29 c:\windows\Tasks\At16.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-29 00:10]
2010-03-29 c:\windows\Tasks\At17.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-29 00:10]
2010-03-29 c:\windows\Tasks\At18.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-29 00:10]
2010-03-29 c:\windows\Tasks\At19.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-29 00:10]
2010-03-29 c:\windows\Tasks\At20.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-29 00:10]
2010-03-29 c:\windows\Tasks\At21.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-29 00:10]
2010-03-29 c:\windows\Tasks\At22.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-29 00:10]
2009-09-15 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-09-15 23:22]
2009-09-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-09-15 23:22]
2010-03-29 c:\windows\Tasks\At23.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-29 00:10]
2010-03-29 c:\windows\Tasks\At24.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-29 00:10]
2010-03-29 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-29 00:10]
2010-03-29 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-29 00:10]
2010-03-29 c:\windows\Tasks\At3.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-29 00:10]
2010-03-29 c:\windows\Tasks\At4.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-29 00:10]
2010-03-29 c:\windows\Tasks\At5.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-29 00:10]
2010-03-29 c:\windows\Tasks\At6.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-29 00:10]
2010-03-29 c:\windows\Tasks\At7.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-29 00:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.asus.com.tw
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {9C5CE617-5183-4117-B2F1-DFBE38A8F300} = 192.168.1.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Exterminator\Application Data\Mozilla\Firefox\Profiles\iw9dmqbw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.nz/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\progra~1\Adobe\Acrobat 5.0\Reader\Browser\nppdf32.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-29 13:09
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys speh.sys >>UNKNOWN [0x82FCB938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf85a5f28
\Driver\ACPI -> ACPI.sys @ 0xf83dfcb8
\Driver\atapi -> atapi.sys @ 0xf8356b40
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Intel(R) PRO/Wireless LAN 2100 3B Mini PCI Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf82c8bb0
PacketIndicateHandler -> NDIS.sys @ 0xf82d5a21
SendHandler -> NDIS.sys @ 0xf82b387b
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(496)
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server\qvxoob.dll
- - - - - - - > 'lsass.exe'(556)
c:\windows\system32\rddv1027.dll
- - - - - - - > 'explorer.exe'(2612)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\windows\System32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\System32\NeroCheck.exe
c:\program files\java\jre6\bin\jusched .exe
.
**************************************************************************
.
Completion time: 2010-03-29 13:13:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-29 00:13
Pre-Run: 44,780,322,816 bytes free
Post-Run: 44,749,488,128 bytes free
- - End Of File - - AC4D02923AE3C31A4B60403E80848479
