12-03-2007, 07:44 PM   #13
menk
Registered User
 
Join Date: Nov 2007
Posts: 10
OS: xp sp2


Re: Forced to download Firefox

For a moment I thought I had lost it! I also thought you would ask about Avast; I uninstalled it since it couldn't remove the malware. I'll install another ASAP. Appreciate your concern.

ComboFix 07-12-02.7 - yangyq 2007-12-04 9:44:22.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.231 [GMT 8:00]
Running from: C:\Documents and Settings\yangyq\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\yangyq\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\askerserkb.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\askerserkb.dll
C:\WINDOWS\inituusee.exe
C:\WINDOWS\mhqq.exe
C:\WINDOWS\system32\evxluuuxvnfpu.dll
C:\WINDOWS\system32\wseqxvis.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-04 to 2007-12-04 )))))))))))))))))))))))))))))))
.

2007-12-03 17:54 . 2007-12-03 17:54 24,576 --a------ C:\WINDOWS\my_70201.exe
2007-12-03 13:12 . 2007-12-03 13:12 <DIR> d-------- C:\Deckard
2007-12-03 00:17 . 2007-12-03 00:17 <DIR> d-------- C:\Program Files\Alwil Software
2007-11-28 18:37 . 2007-11-28 18:38 209 --a------ C:\WINDOWS\ie.ini
2007-11-28 18:36 . 2007-11-28 18:36 <DIR> d-------- C:\Program Files\Windows Live
2007-11-28 18:36 . 2007-11-28 18:36 449,024 --a------ C:\WINDOWS\SlientInstall2143.exe
2007-11-28 18:36 . 2007-11-28 18:36 20,541 --a------ C:\WINDOWS\system32\detoured.dll
2007-11-28 17:59 . 2007-12-03 17:54 239 --a------ C:\WINDOWS\system32\rsfunser.ini
2007-11-28 13:34 . 2000-05-22 16:58 647,872 --------- C:\WINDOWS\system32\Mscomct2.ocx
2007-11-27 21:08 . 2006-12-16 00:04 258,048 -ra------ C:\WINDOWS\system32\SET277.tmp
2007-11-27 20:38 . 2007-11-27 20:38 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-11-27 19:48 . 2007-11-27 21:24 130,920 --a------ C:\WINDOWS\hpoins12.dat
2007-11-27 19:48 . 2007-01-23 00:05 1,470 --------- C:\WINDOWS\hpomdl12.dat
2007-11-27 19:40 . 2007-11-27 19:15 154,010 --------- C:\WINDOWS\hpoins14.dat
2007-11-27 19:40 . 2007-09-20 23:56 2,000 --------- C:\WINDOWS\hpomdl14.dat
2007-11-27 18:35 . 2007-11-27 18:35 <DIR> d-------- C:\Documents and Settings\yangyq\Application Data\HPAppData
2007-11-27 15:57 . 2004-08-03 23:08 17,024 --a------ C:\WINDOWS\system32\drivers\usbohci.sys
2007-11-27 15:57 . 2004-08-03 23:08 17,024 --a--c--- C:\WINDOWS\system32\dllcache\usbohci.sys
2007-11-24 14:41 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2007-11-24 14:41 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2007-11-14 21:23 . 2007-11-21 17:59 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-11-04 18:35 . 2007-11-27 20:46 <DIR> d-------- C:\Program Files\Common Files\HP
2007-11-04 18:31 . 2007-03-28 14:01 117,760 --a------ C:\WINDOWS\system32\hpzll5ha.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-04 01:53 18,042,912 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-04 01:52 5,063,851 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-04 01:51 212,468 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-02 16:11 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-12-02 16:11 --------- d-----w C:\Program Files\Symantec
2007-12-02 16:11 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-02 16:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-28 10:36 --------- d-----w C:\Program Files\MSN Messenger
2007-11-28 06:26 --------- d-----w C:\Documents and Settings\yangyq\Application Data\Creative
2007-11-28 04:48 --------- d-----w C:\Program Files\Creative
2007-11-27 13:39 --------- d-----w C:\Program Files\HP
2007-11-27 12:56 --------- d-----w C:\Documents and Settings\yangyq\Application Data\Image Zone Express
2007-11-27 12:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2007-11-25 05:37 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-25 05:34 --------- d-----w C:\Program Files\Google
2007-11-25 05:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-25 05:25 --------- d-----w C:\Documents and Settings\yangyq\Application Data\Samsung
2007-11-25 05:20 --------- d-----w C:\Program Files\Common Files\Macromedia
2007-11-22 12:43 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-11-06 06:07 --------- d-----w C:\Documents and Settings\yangyq\Application Data\HP
2007-11-03 01:35 --------- d-----w C:\Documents and Settings\yangyq\Application Data\Printer Info Cache
2007-11-02 09:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\WEBREG
2007-11-02 08:58 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2007-11-02 08:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-10-15 13:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-10-15 13:35 --------- d-----w C:\Documents and Settings\yangyq\Application Data\NCH Swift Sound
2007-10-11 04:48 --------- d-----w C:\Program Files\ANI
2007-10-10 00:41 20,912,795 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_10_09_22_36_25_full.dmp.zip
2007-10-09 14:06 17,951,872 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_10_09_20_56_05_full.dmp.zip
2007-10-01 02:50 20,925,876 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_10_01_10_46_50_full.dmp.zip
2007-09-06 08:14 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-09-06 08:14 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-07-17 15:34 34 --sh--w C:\Program Files\DLD.DAT
2005-04-29 09:27 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2007-12-03_16.59.16.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-03 08:57:25 214,365 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2007-12-04 01:53:30 214,365 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2007-12-04 01:53:34 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_6a0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
2007-03-02 16:52 1298024 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
2007-03-02 16:52 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-19 18:19]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-11-11 16:04]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 21:52]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00]
"Spyware Doctor"="" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 20:00 C:\WINDOWS\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-10 21:52 49152 --a------ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

R0 SSI;SSI;C:\WINDOWS\system32\Drivers\SSI.SYS
R2 BaseTDI;Rising TDI Base Driver;C:\WINDOWS\system32\DRIVERS\BaseTDI.SYS
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe
S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys
S3 cwbwdm_device;Crystal WDM Audio Codec Driver;C:\WINDOWS\system32\drivers\cwbwdm.sys
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 SRS_SSCFilter;SRS Labs Audio Sandbox (WDM);C:\WINDOWS\system32\drivers\srs_sscfilter.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-04 09:54:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-04 9:56:49 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-03 17:01
.
--- E O F ---
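A small triage helper for the two file-listing formats in the ComboFix log above, added here as an example; it is not part of ComboFix, of the forum thread, or of the poster's own material. It parses the "Files Created" lines (created . modified size attrs path) and the "Find3M Report" lines (modified size attrs path) and applies two heuristics of its own, not ComboFix's: a binary sitting directly in C:\WINDOWS or C:\WINDOWS\system32 whose modification time equals its creation time was written in place rather than copied from an installer cabinet that preserves an older mtime (compare my_70201.exe with usbohci.sys in the log), and a non-directory carrying both the hidden and system attributes is worth a second look. The sample lines are copied from the log; the flags are review hints for an analyst, not malware verdicts, and the directory list and extension list are assumptions chosen for this example.

```python
"""Triage helper for ComboFix "Files Created" and "Find3M Report" lines.

Added example, not part of ComboFix or the forum post. The heuristics
(LOOSE_DIRS, BINARY_EXT, the attribute check) are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "Files Created" line: <created> . <modified> <size|<DIR>> <attrs> <path>
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)
# "Find3M" line: <modified> <size|--------- for dirs> <attrs> <path>
FIND3M_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>[\d,]+|-{9}) (?P<attrs>[-a-z]{7}) (?P<path>.+)$"
)

# Assumed for this example: binaries dropped loose in these directories are
# unusual for ordinary user software, which installs under Program Files.
BINARY_EXT = (".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl")
LOOSE_DIRS = ("c:\\windows", "c:\\windows\\system32")


@dataclass
class Entry:
    path: str
    attrs: str
    size: Optional[int]       # None for directories
    created: Optional[str]    # None for Find3M lines (no creation time shown)
    modified: str
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; return None for lines in neither format."""
    line = line.strip()
    created = None
    m = CREATED_RE.match(line)
    if m:
        created = m["created"]
    else:
        m = FIND3M_RE.match(line)
        if not m:
            return None
    size_txt = m["size"]
    size = int(size_txt.replace(",", "")) if size_txt[0].isdigit() else None
    return Entry(m["path"], m["attrs"], size, created, m["modified"])


def triage(entry: Entry) -> Entry:
    """Attach review flags to an entry (heuristics, not verdicts)."""
    path_l = entry.path.lower()
    parent = path_l.rsplit("\\", 1)[0]
    is_dir = entry.attrs.startswith("d")
    attr_letters = entry.attrs[1:]   # drop the directory column
    if not is_dir and path_l.endswith(BINARY_EXT) and parent in LOOSE_DIRS:
        # mtime == ctime means the file was written in place; a file copied
        # from an installer cabinet keeps its older mtime (e.g. usbohci.sys).
        if entry.created is not None and entry.created == entry.modified:
            entry.flags.append("fresh-binary-in-windows-dir")
        else:
            entry.flags.append("binary-in-windows-dir")
    if not is_dir and "h" in attr_letters and "s" in attr_letters:
        entry.flags.append("hidden+system")
    return entry


def triage_log(text: str) -> List[Entry]:
    """Return only the entries that picked up at least one flag."""
    flagged = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and triage(entry).flags:
            flagged.append(entry)
    return flagged


# Sample lines copied from the ComboFix log in the post above.
SAMPLE = r"""2007-12-03 17:54 . 2007-12-03 17:54 24,576 --a------ C:\WINDOWS\my_70201.exe
2007-12-03 13:12 . 2007-12-03 13:12 <DIR> d-------- C:\Deckard
2007-11-28 18:36 . 2007-11-28 18:36 449,024 --a------ C:\WINDOWS\SlientInstall2143.exe
2007-11-28 18:36 . 2007-11-28 18:36 20,541 --a------ C:\WINDOWS\system32\detoured.dll
2007-11-28 13:34 . 2000-05-22 16:58 647,872 --------- C:\WINDOWS\system32\Mscomct2.ocx
2007-11-27 15:57 . 2004-08-03 23:08 17,024 --a------ C:\WINDOWS\system32\drivers\usbohci.sys
2007-12-04 01:53 18,042,912 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-02 16:11 --------- d-----w C:\Program Files\Symantec
2007-07-17 15:34 34 --sh--w C:\Program Files\DLD.DAT
2005-04-29 09:27 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
"""

if __name__ == "__main__":
    for e in triage_log(SAMPLE):
        print(f"{', '.join(e.flags):40} {e.path}")
```

Run it on a saved ComboFix log by feeding the file contents to triage_log(); lines from other sections (registry loading points, services, the catchme block) simply fail both regexes and are ignored, so the whole log can be passed in unfiltered.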