nasty virus blocking me from using internet explorer and firefox, among others.

Started by thedaniel, April 29, 2010, 03:15:42 AM



Corrine

Hi, thedaniel.

It appears you ran ComboFix twice.  I'd like to see ComboFix3.txt  2010-05-01 03:28.  In addition, please do the requested ESET on-line scan and post the results.

Thank you.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

thedaniel

Sorry! I couldn't save that first log for some reason. It wouldn't show up on my desktop and every time I tried to open up a program (i.e. Notepad) it said something about an error. I had to restart the computer, and everything worked fine, so I ran it again. When the log came up, I saved it under a different name on my desktop, restarted the computer, then uploaded the log.

also, this is what came up in the log.txt in the ESET Online Scanner folder:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK

so just to be sure, before closing the ESET window, i exported the list of found threats:

C:\Program Files\Active iPod Video Converter\contextmenu.dll   probably a variant of Win32/Agent trojan
C:\ProgramData\litikusi\litikusi.exe   a variant of Win32/Injector.BCP trojan
C:\ProgramData\wepejapu\wepejapu.exe   multiple threats
C:\ProgramData\yidurufo\yidurufo.exe   a variant of Win32/Olmarik.YG trojan
C:\Qoobox\Quarantine\C\Users\Daniel\AppData\Roaming\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.exe.vir   a variant of Win32/Adware.PCProtector.B application
C:\Qoobox\Quarantine\C\Users\Daniel\AppData\Roaming\FBFEA05627B8A5365FE1FFE8C4B1E325\newupdate1142C.exe.vir   a variant of Win32/Kryptik.EAA trojan
C:\Qoobox\Quarantine\C\Users\Daniel\AppData\Roaming\Microsoft\Windows\Templates\memory.tmp.vir   a variant of Win32/Bamital.AY trojan
C:\Users\All Users\litikusi\litikusi.exe   a variant of Win32/Injector.BCP trojan
C:\Users\All Users\wepejapu\wepejapu.exe   multiple threats
C:\Users\All Users\yidurufo\yidurufo.exe   a variant of Win32/Olmarik.YG trojan
C:\Users\Daniel\AppData\Local\VirtualStore\Windows\System32\net.net   a variant of Win32/TrojanClicker.Punad.AA trojan
C:\Users\Daniel\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\1a332904-4c91b218   Java/TrojanDownloader.Agent.AF trojan
C:\Users\Daniel\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\5dbaeb34-7c7e7aaf   multiple threats
Z:\MP3\New\_\Driver Cleaner Professional Edition 1.4.rar   Win32/IRCBot.SH trojan

Clark76

Hold down the Windows Key and the "R" key.  A run box will appear.  Copy and paste the following:
C:\Qoobox\ComboFix3.txt then click OK
Notepad will open with a log.  Post the contents of that log in your next reply.
Proud Member of ASAP
Proud Member of UNITE

thedaniel

ComboFix 10-04-29.05 - Daniel 04/30/2010  23:24:34.2.2 - x86
Microsoft® Windows Vista™ Home Basic   6.0.6001.1.1252.1.1033.18.3325.2255 [GMT -4:00]
Running from: c:\users\Daniel\Desktop\ComboFix.exe
Command switches used :: c:\users\Daniel\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

{Snip}
.
Completion time: 2010-04-30  23:28:57
ComboFix-quarantined-files.txt  2010-05-01 03:28
ComboFix2.txt  2010-04-30 14:24

Pre-Run: 15,867,920,384 bytes free
Post-Run: 15,739,711,488 bytes free

- - End Of File - - 886AD11F8CF9590E1FAF191DE2FBCD91

~~~~~~~~~~~~~~~~~~~

Edit Note:  Log removed to avoid confusion.  That was the same log as posted here:  http://www.landzdown.com/index.php?topic=42560.msg127367#msg127367

Corrine


Corrine

Hi, thedaniel.  We're looking for the log that was run on May 1, 2010.  It should be identified as Combofix3.txt.  Please check C:\Qoobox again for a log with the time/date stamp of 2010-05-01 03:28.

If it isn't there, we'll move on to take care of what was in the ESET log.

Thanks.



thedaniel

Hi!

ComboFix3.txt shows the log date as 4/30/10. I believe you are referring to the first attempt, which did not allow me to save the log file. I was unable to open up any programs until I restarted the computer (it kept telling me ERROR, and all I could do was hit OK). I ran it again afterwards and was able to save the log file. I did not do anything between the 2 scans (if there is a large gap of time between scans and replies, it's because I work odd hours).

Here is ComboFix3.txt located in the exact folder I've been directed toward:

ComboFix 10-04-29.05 - Daniel 04/30/2010  23:24:34.2.2 - x86
Microsoft® Windows Vista™ Home Basic   6.0.6001.1.1252.1.1033.18.3325.2255 [GMT -4:00]
Running from: c:\users\Daniel\Desktop\ComboFix.exe
Command switches used :: c:\users\Daniel\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\programdata\fiponedo"
"c:\programdata\fosepoyo"
"c:\programdata\litikusi"
"c:\programdata\loraleka"
"c:\programdata\wajejofu"
"c:\programdata\wepejapu"
"c:\programdata\yidurufo"
"c:\users\Daniel\AppData\Local\bdqmptyll"
"c:\users\Daniel\AppData\Roaming\AKM Antivirus 2010 Pro"
"c:\users\Daniel\AppData\Roaming\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.exe"
"c:\users\Daniel\AppData\Roaming\FBFEA05627B8A5365FE1FFE8C4B1E325"
"c:\users\Daniel\AppData\Roaming\FBFEA05627B8A5365FE1FFE8C4B1E325\newupdate1142C.exe"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Daniel\AppData\Roaming\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.exe
c:\users\Daniel\AppData\Roaming\FBFEA05627B8A5365FE1FFE8C4B1E325\newupdate1142C.exe

.
(((((((((((((((((((((((((   Files Created from 2010-04-01 to 2010-05-01  )))))))))))))))))))))))))))))))
.

2010-05-01 03:27 . 2010-05-01 03:27   --------   d-----w-   c:\users\Daniel\AppData\Local\temp
2010-05-01 03:27 . 2010-05-01 03:27   --------   d-----w-   c:\users\Public\AppData\Local\temp
2010-05-01 03:27 . 2010-05-01 03:27   --------   d-----w-   c:\users\Default\AppData\Local\temp
2010-04-29 21:03 . 2010-04-29 21:03   --------   d-----w-   c:\users\Daniel\AppData\Roaming\Malwarebytes
2010-04-29 21:02 . 2010-03-30 04:46   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 21:02 . 2010-04-29 21:02   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-04-29 21:02 . 2010-04-29 21:02   --------   d-----w-   c:\programdata\Malwarebytes
2010-04-29 21:02 . 2010-03-30 04:45   20824   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-04-29 02:57 . 2010-04-30 01:03   --------   d-----w-   c:\program files\trend micro
2010-04-29 02:57 . 2010-04-29 02:57   --------   d-----w-   C:\rsit
2010-04-29 02:55 . 2010-04-29 02:55   --------   d-----w-   c:\program files\ERUNT
2010-04-28 22:17 . 2010-05-01 03:27   --------   d-----w-   c:\users\Daniel\AppData\Roaming\AKM Antivirus 2010 Pro
2010-04-28 22:17 . 2010-04-28 22:17   --------   d-----w-   c:\programdata\fosepoyo
2010-04-28 22:17 . 2010-04-28 22:17   --------   d-----w-   c:\programdata\yidurufo
2010-04-28 22:17 . 2010-04-28 22:17   --------   d-----w-   c:\programdata\wepejapu
2010-04-28 22:17 . 2010-04-28 22:17   --------   d-----w-   c:\programdata\litikusi
2010-04-28 22:11 . 2010-04-29 21:20   --------   d-----w-   c:\users\Daniel\AppData\Local\bdqmptyll
2010-04-28 22:10 . 2010-05-01 03:27   --------   d-----w-   c:\users\Daniel\AppData\Roaming\FBFEA05627B8A5365FE1FFE8C4B1E325
2010-04-28 22:10 . 2010-04-29 21:20   --------   d-----w-   c:\programdata\fiponedo
2010-04-28 22:10 . 2010-04-28 22:10   --------   d-----w-   c:\programdata\wajejofu
2010-04-28 22:10 . 2010-04-28 22:10   --------   d-----w-   c:\programdata\loraleka
2010-04-13 01:34 . 2010-04-13 01:40   --------   d-----w-   c:\users\Daniel\AppData\Roaming\Armagetron
2010-04-13 01:34 . 2010-04-13 01:34   --------   d-----w-   c:\programdata\Armagetron
2010-04-05 03:20 . 2009-09-03 01:58   626688   ----a-w-   c:\windows\system32\vp7vfw.dll
2010-04-05 03:20 . 2009-09-03 01:58   65602   ----a-w-   c:\windows\system32\cook3260.dll
2010-04-05 03:20 . 2009-09-03 01:58   217127   ----a-w-   c:\windows\system32\drv43260.dll
2010-04-05 03:20 . 2009-09-03 01:58   208935   ----a-w-   c:\windows\system32\drv33260.dll
2010-04-05 03:20 . 2009-09-03 01:58   176165   ----a-w-   c:\windows\system32\drv23260.dll
2010-04-05 03:20 . 2009-09-03 01:58   102439   ----a-w-   c:\windows\system32\sipr3260.dll
2010-04-05 03:20 . 2009-09-03 01:57   1184984   ----a-w-   c:\windows\system32\wvc1dmod.dll
2010-04-05 03:20 . 2010-04-05 03:20   --------   d-----w-   c:\program files\VSO

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-01 03:24 . 2008-12-19 18:08   --------   d-----w-   c:\users\Daniel\AppData\Roaming\DNA
2010-04-30 18:23 . 2008-12-19 01:16   --------   d-----w-   c:\programdata\Roxio
2010-04-30 17:00 . 2008-12-19 02:11   --------   d-----w-   c:\users\Daniel\AppData\Roaming\foobar2000
2010-04-28 22:11 . 2008-12-19 18:09   --------   d-----w-   c:\users\Daniel\AppData\Roaming\BitTorrent
2010-04-20 01:03 . 2009-01-13 06:22   --------   d-----w-   c:\users\Daniel\AppData\Roaming\Vso
2010-04-06 12:35 . 2008-12-19 01:42   680   ----a-w-   c:\users\Daniel\AppData\Local\d3d9caps.dat
2010-03-26 09:20 . 2009-06-25 11:07   --------   d-----w-   c:\users\Daniel\AppData\Roaming\vlc
2010-03-26 09:20 . 2008-12-19 04:24   --------   d-----w-   c:\programdata\FLEXnet
2010-03-25 05:20 . 2008-12-19 02:26   --------   d-----w-   c:\users\Daniel\AppData\Roaming\Publish Providers
2010-03-16 01:56 . 2010-03-16 01:56   1080   ----a-w-   c:\windows\AUTOLNCH.REG
2010-03-16 01:56 . 2010-03-16 01:56   --------   d-----w-   c:\program files\Hewlett-Packard
2010-03-03 18:42 . 2009-03-24 21:04   --------   d-----w-   c:\users\Daniel\AppData\Roaming\dvdcss
2010-02-28 18:00 . 2010-02-28 18:00   50354   ----a-w-   c:\users\Daniel\AppData\Roaming\Facebook\uninstall.exe
2010-02-26 06:41 . 2010-02-26 06:41   847040   ----a-w-   c:\users\Daniel\AppData\Roaming\Facebook\axfbootloader.dll
2010-02-26 06:41 . 2010-02-26 06:41   5582848   ----a-w-   c:\users\Daniel\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
2010-02-24 14:16 . 2009-10-06 05:43   181632   ------w-   c:\windows\system32\MpSigStub.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\users\Daniel\Program Files\DNA\btdna.exe" [2009-10-07 323392]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-03-30 1086856]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
TabUserW.exe.lnk - c:\windows\System32\Wtablet\TabUserW.exe [2003-5-29 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R3 cur_bus;Curitel USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\cur_bus.sys [2005-07-19 57744]
R3 cur_mdfl;Curitel Packet Service Filter;c:\windows\system32\DRIVERS\cur_mdfl.sys [2005-07-19 8336]
R3 cur_mdm;Curitel Packet Service Drivers;c:\windows\system32\DRIVERS\cur_mdm.sys [2005-07-19 93328]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork   REG_MULTI_SZ      PLA DPS BFE mpssvc
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fhl%3Den%26tab%3Dwm%26ui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1&ltmpl=default&ltmplcache=2&hl=en
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
FF - ProfilePath - c:\users\Daniel\AppData\Roaming\Mozilla\Firefox\Profiles\z0708kj1.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\users\Daniel\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\Daniel\AppData\Roaming\Mozilla\Firefox\Profiles\z0708kj1.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071301000019.dll
FF - plugin: c:\users\Daniel\Program Files\DNA\plugins\npbtdna.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-30 23:27
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ... 

dØÒß Ã~dØÓß6É_ [-1210555390] 0x006D006F
dØÒß Ã~dØÓß6É_ [-1210555390] 0x0061004E
  • 0x001ED800

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-04-30  23:28:57
ComboFix-quarantined-files.txt  2010-05-01 03:28
ComboFix2.txt  2010-04-30 14:24

Pre-Run: 15,867,920,384 bytes free
Post-Run: 15,739,711,488 bytes free

- - End Of File - - 886AD11F8CF9590E1FAF191DE2FBCD91
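The ComboFix log above carries two findings worth pulling out mechanically. The "Files Created" section shows a burst of directories with machine-generated names (litikusi, wepejapu, yidurufo, fosepoyo, fiponedo, wajejofu, loraleka, bdqmptyll and a 32-hex-character folder under Roaming) all created between 22:10 and 22:17 on 2010-04-28, and the Supplementary Scan shows a per-user Internet Explorer proxy pointing at 127.0.0.1:5555, a port on the machine itself; once whatever listened there is gone, any browser honouring the system proxy setting stops connecting, which fits the symptom in the thread title. The script below is an added example, not part of the thread and not from ComboFix's authors: it parses the log format shown above, flags directories whose names look generated, groups flagged directories created within a few minutes of each other, and reports a loopback proxy. The sample lines are excerpted from the log posted above; the name patterns (8 to 10 lowercase letters, or 32 hex digits) and the ten-minute window are assumptions tuned to this log, not general rules.

```python
"""Triage helpers for a ComboFix 'Files Created' listing (added example)."""
import re
from datetime import datetime, timedelta

# Lines excerpted from the ComboFix log posted in this thread (constructed sample).
SAMPLE_LOG = r"""
2010-05-01 03:27 . 2010-05-01 03:27   --------   d-----w-   c:\users\Daniel\AppData\Local\temp
2010-04-29 21:02 . 2010-04-29 21:02   --------   d-----w-   c:\programdata\Malwarebytes
2010-04-29 21:02 . 2010-03-30 04:45   20824   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-04-29 02:57 . 2010-04-29 02:57   --------   d-----w-   C:\rsit
2010-04-28 22:17 . 2010-05-01 03:27   --------   d-----w-   c:\users\Daniel\AppData\Roaming\AKM Antivirus 2010 Pro
2010-04-28 22:17 . 2010-04-28 22:17   --------   d-----w-   c:\programdata\fosepoyo
2010-04-28 22:17 . 2010-04-28 22:17   --------   d-----w-   c:\programdata\yidurufo
2010-04-28 22:17 . 2010-04-28 22:17   --------   d-----w-   c:\programdata\wepejapu
2010-04-28 22:17 . 2010-04-28 22:17   --------   d-----w-   c:\programdata\litikusi
2010-04-28 22:11 . 2010-04-29 21:20   --------   d-----w-   c:\users\Daniel\AppData\Local\bdqmptyll
2010-04-28 22:10 . 2010-05-01 03:27   --------   d-----w-   c:\users\Daniel\AppData\Roaming\FBFEA05627B8A5365FE1FFE8C4B1E325
2010-04-28 22:10 . 2010-04-29 21:20   --------   d-----w-   c:\programdata\fiponedo
2010-04-28 22:10 . 2010-04-28 22:10   --------   d-----w-   c:\programdata\wajejofu
2010-04-28 22:10 . 2010-04-28 22:10   --------   d-----w-   c:\programdata\loraleka
2010-04-13 01:34 . 2010-04-13 01:34   --------   d-----w-   c:\programdata\Armagetron
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
""".strip()

# One 'Files Created' line: created . modified   size-or-dashes   attributes   path
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\S+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$"
)
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:http=)?(?P<proxy>\S+)")
# Assumption: generated names in this log are 8-10 lowercase letters or 32 hex digits.
RANDOM_NAME_RE = re.compile(r"^(?:[a-z]{8,10}|[0-9A-F]{32})$")
LOOPBACK_PREFIXES = ("127.", "localhost")


def parse_entries(text):
    """Return one dict per 'Files Created' line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["created"] = datetime.strptime(entry["created"], "%Y-%m-%d %H:%M")
        entry["name"] = entry["path"].rsplit("\\", 1)[-1]
        entries.append(entry)
    return entries


def random_named_dirs(entries):
    """Directories (attribute string starts with 'd') whose leaf name looks generated."""
    return [e for e in entries
            if e["attrs"].startswith("d") and RANDOM_NAME_RE.match(e["name"])]


def creation_bursts(entries, window=timedelta(minutes=10), min_size=3):
    """Group entries whose creation times fall within `window` of the burst's first entry."""
    bursts, current = [], []
    for e in sorted(entries, key=lambda e: e["created"]):
        if current and e["created"] - current[0]["created"] > window:
            if len(current) >= min_size:
                bursts.append(current)
            current = []
        current.append(e)
    if len(current) >= min_size:
        bursts.append(current)
    return bursts


def loopback_proxy(text):
    """Return the proxy address if the per-user ProxyServer points at the local host."""
    for line in text.splitlines():
        m = PROXY_RE.search(line)
        if m and m.group("proxy").startswith(LOOPBACK_PREFIXES):
            return m.group("proxy")
    return None


def triage(text):
    entries = parse_entries(text)
    suspicious = random_named_dirs(entries)
    return {
        "suspicious_dirs": sorted(e["path"] for e in suspicious),
        "bursts": [[e["path"] for e in b] for b in creation_bursts(suspicious)],
        "loopback_proxy": loopback_proxy(text),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for key, value in report.items():
        print(key, value)
```

The burst grouping is what separates an infection from ordinary noise: one oddly named directory can be a legitimate installer's cache, but nine of them appearing within seven minutes, the same window in which the rogue "AKM Antivirus 2010 Pro" folder was created, is a single event. The proxy check is worth running on any rogue-antivirus case; the value lives under the user's Internet Settings key, so it survives removal of the malware binaries and has to be cleared separately.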

Corrine

Thank you for trying, thedaniel.  That was still an older run.  However, it's time to move on.  We will need to check a couple of the findings from the ESET scan.  First, however, let's see if we can eliminate the other items that were in the scan.

1)  Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



  • Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK).  Copy/Paste all of the text present inside the code box below:

Folder::
C:\ProgramData\litikusi
C:\ProgramData\wepejapu
C:\ProgramData\yidurufo
C:\Users\All Users\litikusi
C:\Users\All Users\wepejapu
C:\Users\All Users\yidurufo

File::
C:\Users\Daniel\AppData\Local\VirtualStore\Windows\System32\net.net
C:\Users\Daniel\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\1a332904-4c91b218
C:\Users\Daniel\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\5dbaeb34-7c7e7aaf


  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.





  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2)  Now about the two programs ESET questioned.  If you did not download them from the vendor website, I suggest you uninstall both:

C:\Program Files\Active iPod Video Converter
Z:\MP3\New\_\Driver Cleaner Professional Edition 1.4.rar

3)  Download CKScanner from here

Important : Save it to your desktop.
  • Doubleclick CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
4)  Please do an on-line scan.  Establish an internet connection and perform an on-line scan with Internet Explorer at Kaspersky Online Scanner

Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal. 

Note:


  • This scan is best done from IE (Internet Explorer)
  • Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here: http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html


  • Read the Requirements and limitations before you click Accept.
  • Once the database has downloaded, click My Computer in the left pane
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Note: To optimize scanning time and produce a more sensible report for review:


  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



Logs Required

ComboFix.txt
CKFiles.txt
Kaspersky Scan Log




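The CFScript in step 1 above sorts the ESET findings by where they live: the three entries already sitting in C:\Qoobox\Quarantine are left alone because ComboFix has already moved them, the two items under Program Files and inside a .rar archive are handed back to the user for uninstall or review (step 2), each executable that lives in a directory of its own name goes under Folder:: so the whole directory is removed, and the remaining loose files go under File::. The script below is an added example, not part of the thread and not from ComboFix's authors; it reproduces that sorting from the ESET export posted earlier so the rules are explicit. The classification rules, bucket names and archive extension list are assumptions made for this illustration, and the output, like any CFScript, applies to one machine only.

```python
"""Build a ComboFix CFScript (Folder:: / File:: sections) from an ESET export (added example)."""
import re
from pathlib import PureWindowsPath

# Detection lines excerpted from the ESET export posted earlier in this thread (constructed sample).
ESET_EXPORT = r"""
C:\Program Files\Active iPod Video Converter\contextmenu.dll   probably a variant of Win32/Agent trojan
C:\ProgramData\litikusi\litikusi.exe   a variant of Win32/Injector.BCP trojan
C:\ProgramData\wepejapu\wepejapu.exe   multiple threats
C:\ProgramData\yidurufo\yidurufo.exe   a variant of Win32/Olmarik.YG trojan
C:\Qoobox\Quarantine\C\Users\Daniel\AppData\Roaming\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.exe.vir   a variant of Win32/Adware.PCProtector.B application
C:\Qoobox\Quarantine\C\Users\Daniel\AppData\Roaming\FBFEA05627B8A5365FE1FFE8C4B1E325\newupdate1142C.exe.vir   a variant of Win32/Kryptik.EAA trojan
C:\Qoobox\Quarantine\C\Users\Daniel\AppData\Roaming\Microsoft\Windows\Templates\memory.tmp.vir   a variant of Win32/Bamital.AY trojan
C:\Users\All Users\litikusi\litikusi.exe   a variant of Win32/Injector.BCP trojan
C:\Users\All Users\wepejapu\wepejapu.exe   multiple threats
C:\Users\All Users\yidurufo\yidurufo.exe   a variant of Win32/Olmarik.YG trojan
C:\Users\Daniel\AppData\Local\VirtualStore\Windows\System32\net.net   a variant of Win32/TrojanClicker.Punad.AA trojan
C:\Users\Daniel\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\1a332904-4c91b218   Java/TrojanDownloader.Agent.AF trojan
C:\Users\Daniel\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\5dbaeb34-7c7e7aaf   multiple threats
Z:\MP3\New\_\Driver Cleaner Professional Edition 1.4.rar   Win32/IRCBot.SH trojan
""".strip()

ARCHIVE_EXTS = {".rar", ".zip", ".7z"}  # assumption: archives are reviewed, not scripted


def parse_eset(text):
    """Split each 'path   detection' line on the run of spaces ESET puts between them."""
    rows = []
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(parts) == 2:
            rows.append((PureWindowsPath(parts[0]), parts[1]))
    return rows


def classify(path):
    """Decide which bucket a detected path belongs to (rules are assumptions for this example)."""
    parts = [p.lower() for p in path.parts]
    if "qoobox" in parts:
        return "quarantined"            # already moved by ComboFix; nothing to script
    if "program files" in parts or "program files (x86)" in parts:
        return "review"                 # installed application: uninstall it instead
    if path.suffix.lower() in ARCHIVE_EXTS:
        return "review"                 # user data; let the owner decide
    if path.parent.name and path.parent.name.lower() == path.stem.lower():
        return "folder"                 # dropper living in a directory of its own name
    return "file"


def build_cfscript(rows):
    """Return (script_text, buckets); buckets keeps the review/quarantined lists too."""
    buckets = {"folder": [], "file": [], "review": [], "quarantined": []}
    for path, _detection in rows:
        kind = classify(path)
        target = str(path.parent) if kind == "folder" else str(path)
        if target not in buckets[kind]:
            buckets[kind].append(target)
    script = ("Folder::\n" + "\n".join(buckets["folder"]) + "\n\n"
              "File::\n" + "\n".join(buckets["file"]) + "\n")
    return script, buckets


if __name__ == "__main__":
    text, buckets = build_cfscript(parse_eset(ESET_EXPORT))
    print(text)
    print("Review manually:", *buckets["review"], sep="\n  ")
```

Running it against the export reproduces the six Folder:: lines and three File:: lines of the script in step 1, and puts the iPod converter DLL and the .rar under "review", which is exactly the split Corrine made by hand. The "folder" rule is the interesting one: deleting only litikusi.exe would leave its directory and anything else dropped beside it, so the directory is the right unit of removal.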

thedaniel

CKScanner log:

CKScanner - Additional Security Risks - These are not necessarily bad
c:\users\daniel\favorites\5 real life soldiers who make rambo look like a pussy   cracked.com.url
scanner sequence 3.ZZ.11
----- EOF -----


Kaspersky scan log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, May 5, 2010
Operating system: Microsoft Windows Vista Home Basic Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, May 05, 2010 02:37:35
Records in database: 4051733
--------------------------------------------------------------------------------

Scan settings:
   scan using the following database: extended
   Scan archives: yes
   Scan e-mail databases: yes

Scan area - My Computer:
   C:\
   D:\
   E:\
   F:\
   G:\
   Z:\

Scan statistics:
   Objects scanned: 216405
   Threats found: 12
   Infected objects found: 14
   Suspicious objects found: 0
   Scan duration: 02:16:35


File name / Threat / Threats count
C:\ProgramData\loraleka\loraleka.dll   Infected: Packed.Win32.Katusha.j   1
C:\ProgramData\wajejofu\wajejofu.dll   Infected: Packed.Win32.Katusha.j   1
C:\Qoobox\Quarantine\C\ProgramData\litikusi\litikusi.exe.vir   Infected: P2P-Worm.Win32.Agent.acz   1
C:\Qoobox\Quarantine\C\ProgramData\wepejapu\wepejapu.exe.vir   Infected: Trojan.Win32.Shutdowner.ehz   1
C:\Qoobox\Quarantine\C\ProgramData\yidurufo\yidurufo.exe.vir   Infected: Trojan-Dropper.Win32.TDSS.lu   1
C:\Qoobox\Quarantine\C\Users\Daniel\AppData\Local\syssvc.exe.vir   Infected: Trojan.Win32.FraudPack.augq   1
C:\Qoobox\Quarantine\C\Users\Daniel\AppData\Local\VirtualStore\Windows\System32\net.net.vir   Infected: Trojan-Clicker.Win32.VBiframe.car   1
C:\Qoobox\Quarantine\C\Users\Daniel\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\1a332904-4c91b218.vir   Infected: Trojan-Downloader.Java.Agent.af   1
C:\Qoobox\Quarantine\C\Users\Daniel\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\5dbaeb34-7c7e7aaf.vir   Infected: Trojan-Downloader.Java.OpenStream.af   1
C:\Qoobox\Quarantine\C\Users\Daniel\AppData\Roaming\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.exe.vir   Infected: Trojan.Win32.Agent2.cqvb   1
C:\Qoobox\Quarantine\C\Users\Daniel\AppData\Roaming\FBFEA05627B8A5365FE1FFE8C4B1E325\newupdate1142C.exe.vir   Infected: Trojan.Win32.FraudPack.atwa   1
C:\Qoobox\Quarantine\C\Users\Daniel\AppData\Roaming\Microsoft\Windows\Templates\memory.tmp.vir   Infected: Trojan-Dropper.Win32.Drooptroop.anx   1
C:\Users\All Users\loraleka\loraleka.dll   Infected: Packed.Win32.Katusha.j   1
C:\Users\All Users\wajejofu\wajejofu.dll   Infected: Packed.Win32.Katusha.j   1

Selected area has been scanned.

thedaniel

Combofix log

ComboFix 10-04-29.05 - Daniel 05/04/2010  23:44:36.5.2 - x86
Microsoft® Windows Vista™ Home Basic   6.0.6001.1.1252.1.1033.18.3325.2546 [GMT -4:00]
Running from: c:\users\Daniel\Desktop\ComboFix.exe
Command switches used :: c:\users\Daniel\Desktop\cfscript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\users\Daniel\AppData\Local\VirtualStore\Windows\System32\net.net"
"c:\users\Daniel\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\1a332904-4c91b218"
"c:\users\Daniel\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\5dbaeb34-7c7e7aaf"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\litikusi
c:\programdata\litikusi\litikusi.exe
c:\programdata\wepejapu
c:\programdata\wepejapu\wepejapu.exe
c:\programdata\yidurufo
c:\programdata\yidurufo\yidurufo.exe
c:\users\All Users\litikusi\litikusi.exe
c:\users\All Users\wepejapu\wepejapu.exe
c:\users\All Users\yidurufo\yidurufo.exe
c:\users\Daniel\AppData\Local\VirtualStore\Windows\System32\net.net
c:\users\Daniel\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\1a332904-4c91b218
c:\users\Daniel\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\5dbaeb34-7c7e7aaf

.
(((((((((((((((((((((((((   Files Created from 2010-04-05 to 2010-05-05  )))))))))))))))))))))))))))))))
.

2010-05-05 03:48 . 2010-05-05 03:49   --------   d-----w-   c:\users\Daniel\AppData\Local\temp
2010-05-05 03:48 . 2010-05-05 03:48   --------   d-----w-   c:\users\Public\AppData\Local\temp
2010-05-05 03:48 . 2010-05-05 03:48   --------   d-----w-   c:\users\Default\AppData\Local\temp
2010-05-02 06:19 . 2010-05-02 06:19   --------   d-----w-   c:\program files\ESET
2010-05-01 03:44 . 2010-05-01 03:44   --------   d-----w-   c:\program files\Fostex
2010-04-29 21:03 . 2010-04-29 21:03   --------   d-----w-   c:\users\Daniel\AppData\Roaming\Malwarebytes
2010-04-29 21:02 . 2010-03-30 04:46   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 21:02 . 2010-04-29 21:02   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-04-29 21:02 . 2010-04-29 21:02   --------   d-----w-   c:\programdata\Malwarebytes
2010-04-29 21:02 . 2010-03-30 04:45   20824   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-04-29 02:57 . 2010-04-30 01:03   --------   d-----w-   c:\program files\trend micro
2010-04-29 02:57 . 2010-04-29 02:57   --------   d-----w-   C:\rsit
2010-04-29 02:55 . 2010-04-29 02:55   --------   d-----w-   c:\program files\ERUNT
2010-04-28 22:17 . 2010-05-01 03:27   --------   d-----w-   c:\users\Daniel\AppData\Roaming\AKM Antivirus 2010 Pro
2010-04-28 22:17 . 2010-04-28 22:17   --------   d-----w-   c:\programdata\fosepoyo
2010-04-28 22:11 . 2010-04-29 21:20   --------   d-----w-   c:\users\Daniel\AppData\Local\bdqmptyll
2010-04-28 22:10 . 2010-05-01 03:27   --------   d-----w-   c:\users\Daniel\AppData\Roaming\FBFEA05627B8A5365FE1FFE8C4B1E325
2010-04-28 22:10 . 2010-04-29 21:20   --------   d-----w-   c:\programdata\fiponedo
2010-04-28 22:10 . 2010-04-28 22:10   --------   d-----w-   c:\programdata\wajejofu
2010-04-28 22:10 . 2010-04-28 22:10   --------   d-----w-   c:\programdata\loraleka
2010-04-13 01:34 . 2010-04-13 01:40   --------   d-----w-   c:\users\Daniel\AppData\Roaming\Armagetron
2010-04-13 01:34 . 2010-04-13 01:34   --------   d-----w-   c:\programdata\Armagetron

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-05 03:49 . 2008-12-19 18:08   --------   d-----w-   c:\users\Daniel\AppData\Roaming\DNA
2010-05-05 03:34 . 2008-12-19 18:09   --------   d-----w-   c:\users\Daniel\AppData\Roaming\BitTorrent
2010-05-05 02:54 . 2008-12-19 02:11   --------   d-----w-   c:\users\Daniel\AppData\Roaming\foobar2000
2010-05-03 04:35 . 2008-12-19 01:16   --------   d-----w-   c:\programdata\Roxio
2010-05-03 03:07 . 2009-01-13 06:22   --------   d-----w-   c:\users\Daniel\AppData\Roaming\Vso
2010-04-06 12:35 . 2008-12-19 01:42   680   ----a-w-   c:\users\Daniel\AppData\Local\d3d9caps.dat
2010-04-05 03:20 . 2010-04-05 03:20   --------   d-----w-   c:\program files\VSO
2010-03-26 09:20 . 2009-06-25 11:07   --------   d-----w-   c:\users\Daniel\AppData\Roaming\vlc
2010-03-26 09:20 . 2008-12-19 04:24   --------   d-----w-   c:\programdata\FLEXnet
2010-03-25 05:20 . 2008-12-19 02:26   --------   d-----w-   c:\users\Daniel\AppData\Roaming\Publish Providers
2010-03-16 01:56 . 2010-03-16 01:56   1080   ----a-w-   c:\windows\AUTOLNCH.REG
2010-03-16 01:56 . 2010-03-16 01:56   --------   d-----w-   c:\program files\Hewlett-Packard
2010-02-28 18:00 . 2010-02-28 18:00   50354   ----a-w-   c:\users\Daniel\AppData\Roaming\Facebook\uninstall.exe
2010-02-26 06:41 . 2010-02-26 06:41   847040   ----a-w-   c:\users\Daniel\AppData\Roaming\Facebook\axfbootloader.dll
2010-02-26 06:41 . 2010-02-26 06:41   5582848   ----a-w-   c:\users\Daniel\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
2010-02-24 14:16 . 2009-10-06 05:43   181632   ------w-   c:\windows\system32\MpSigStub.exe
.

(((((((((((((((((((((((((((((   SnapShot@2010-04-30_14.23.10   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:58 . 2010-05-04 20:30   33810              c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:02 . 2010-05-04 20:30   59038              c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-12-19 01:41 . 2010-04-30 14:12   16384              c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-12-19 01:41 . 2010-05-05 02:57   16384              c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-12-19 01:41 . 2010-04-30 14:12   32768              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-19 01:41 . 2010-05-05 02:57   32768              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-19 01:41 . 2010-05-05 02:57   16384              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-12-19 01:41 . 2010-04-30 14:12   16384              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-12-19 01:12 . 2010-05-04 20:30   7058              c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2629204746-2472350728-1553552098-1000_UserData.bin
+ 2010-05-04 20:28 . 2010-05-04 20:28   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-04-30 14:12 . 2010-04-30 14:12   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-04-30 14:12 . 2010-04-30 14:12   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-05-04 20:28 . 2010-05-04 20:28   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 10:33 . 2010-05-05 03:36   595446              c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2010-04-30 14:18   595446              c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2010-05-05 03:36   101144              c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2010-04-30 14:18   101144              c:\windows\System32\perfc009.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\users\Daniel\Program Files\DNA\btdna.exe" [2009-10-07 323392]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-03-30 1086856]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
TabUserW.exe.lnk - c:\windows\System32\Wtablet\TabUserW.exe [2003-5-29 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R3 cur_bus;Curitel USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\cur_bus.sys [2005-07-19 57744]
R3 cur_mdfl;Curitel Packet Service Filter;c:\windows\system32\DRIVERS\cur_mdfl.sys [2005-07-19 8336]
R3 cur_mdm;Curitel Packet Service Drivers;c:\windows\system32\DRIVERS\cur_mdm.sys [2005-07-19 93328]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork   REG_MULTI_SZ      PLA DPS BFE mpssvc
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fhl%3Den%26tab%3Dwm%26ui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1&ltmpl=default&ltmplcache=2&hl=en
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
FF - ProfilePath - c:\users\Daniel\AppData\Roaming\Mozilla\Firefox\Profiles\z0708kj1.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\users\Daniel\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\Daniel\AppData\Roaming\Mozilla\Firefox\Profiles\z0708kj1.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071301000019.dll
FF - plugin: c:\users\Daniel\Program Files\DNA\plugins\npbtdna.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-04 23:49
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

0x000000C8

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-05-04  23:50:33
ComboFix-quarantined-files.txt  2010-05-05 03:50
ComboFix2.txt  2010-05-02 06:12
ComboFix3.txt  2010-05-02 06:00
ComboFix4.txt  2010-05-01 03:28
ComboFix5.txt  2010-05-05 03:43

Pre-Run: 24,635,899,904 bytes free
Post-Run: 24,607,076,352 bytes free

- - End Of File - - B7D5FCA07D9FDBBAE1AFBED8602A3CD1

Corrine


thedaniel

No. I followed the order of programs as instructed. I apologize, I posted the logs out of order.  :(

Corrine

Thank you, thedaniel.  With closer examination, I can now see that the names are different from what had already been removed.  I also came up with a different description when searching this time and need to advise you that it was described as a dropper trojan.  Essentially what that means is that the dropper installs a backdoor to allow remote access to the computer. 

Based on seeing the P2P software and subsequent P2P worm on your computer, I suspect that was the source of this infection.  Based on reading that at least one of the files on your computer is a back door, my advice to you is to do a clean install of the operating system as there are no guarantees that your system will be completely clean. 

Seeing as we have gotten this far, however, I do want to provide instructions for the files shown in the Kaspersky scan.

Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  • Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK).  Copy/Paste all of the text present inside the code box below:


Folder::
C:\ProgramData\loraleka
C:\ProgramData\wajejofu
C:\Users\All Users\loraleka
C:\Users\All Users\wajejofu


  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



This threat is classified as a Trojan - Dropper. As its name suggests, a dropper trojan contains malicious or potentially unwanted software which it 'drops' and installs on the affected system. Commonly, the dropper installs a backdoor which allows remote, surreptitious access to infected systems. This backdoor may then be used by remote attackers to upload and install further malicious or potentially unwanted software on the system.
