08-05-2008, 09:43 PM   #4
ElessarDunadan
Registered User
Join Date: Jul 2008
Posts: 10
OS: Windows XP SP2


Re: Firefox/IE isn't working & has malware pop-ups

Thanks for the info on BitDefender and Spybot. I'll take care of those when we're done.

Here is my ComboFix.txt:

ComboFix 08-07-28.6 - Family 2008-07-29 11:06:04.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.482 [GMT -6:00]
Running from: C:\Documents and Settings\Family\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Rabio
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\BMabd9e110.txt
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\DghQqBeg.ini
C:\WINDOWS\system32\DghQqBeg.ini2
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\qnatngff.ini
C:\WINDOWS\system32\qnpdtvrh.ini
C:\WINDOWS\system32\qoMggdCr.dll
C:\WINDOWS\system32\raekpyrs.ini
C:\WINDOWS\system32\vtUmJCTK.dll
C:\WINDOWS\winhelp.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE


((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-29 )))))))))))))))))))))))))))))))
.

2008-07-29 10:48 . 2008-07-29 10:48 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Bitdefender
2008-07-29 10:31 . 2008-07-29 10:31 <DIR> d-------- C:\Program Files\Softwin
2008-07-28 21:50 . 2008-07-28 21:50 113,180 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-07-28 19:49 . 2008-07-29 09:50 111,635 --a------ C:\WINDOWS\BMabd9e110.xml
2008-07-28 19:49 . 2008-07-28 19:49 91,648 --a------ C:\WINDOWS\system32\roeiyidj.dll
2008-07-28 19:47 . 2008-07-28 19:47 314,880 --a------ C:\WINDOWS\system32\geBqQhgD.dll
2008-07-28 19:42 . 2008-07-28 20:14 <DIR> d-------- C:\WINDOWS\RmFtaWx5
2008-07-28 19:42 . 2008-07-28 19:42 <DIR> d-------- C:\Temp\epr1
2008-07-27 09:07 . 2008-07-27 09:07 132 --a------ C:\WINDOWS\liveup.ini
2008-07-26 09:45 . 2008-07-26 09:45 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-07-24 19:15 . 2008-07-24 19:17 <DIR> d-------- C:\Program Files\Strawberry Prolog
2008-07-20 21:12 . 2008-07-20 21:30 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-07-19 21:10 . 2008-07-19 21:10 <DIR> d-------- C:\Program Files\Safari
2008-06-29 16:45 . 2006-01-30 10:00 442,368 -ra------ C:\WINDOWS\system32\ZSHP1020.EXE
2008-06-29 16:45 . 2006-01-30 10:00 128,820 -ra------ C:\WINDOWS\system32\hp1020.img
2008-06-29 16:45 . 2006-01-30 10:00 106,496 -ra------ C:\WINDOWS\system32\VSHP1020.DLL
2008-06-29 16:45 . 2006-01-28 10:00 102,400 --a------ C:\WINDOWS\system32\ZLhp1020.dll
2008-06-29 16:45 . 2006-01-28 10:00 86,016 --a------ C:\WINDOWS\system32\ZSPOOL.DLL
2008-06-29 16:45 . 2006-01-28 10:00 28,672 --a------ C:\WINDOWS\system32\zlm.dll
2008-06-29 16:45 . 2006-01-28 10:00 28,672 --a------ C:\WINDOWS\system32\IMF32.DLL
2008-06-29 16:45 . 2006-01-28 10:00 24,576 --a------ C:\WINDOWS\system32\ZTAG32.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-29 16:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\BitDefender
2008-07-29 16:31 --------- d-----w C:\Program Files\Common Files\Softwin
2008-07-29 04:28 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-07-23 02:24 --------- d-----w C:\Program Files\HiDownload
2008-07-20 04:25 --------- d-----w C:\Documents and Settings\Family\Application Data\Apple Computer
2008-07-20 03:17 --------- d-----w C:\Program Files\QuickTime
2008-07-20 03:04 --------- d-----w C:\Program Files\Apple Software Update
2008-07-11 01:02 --------- d-----w C:\Program Files\Winamp
2008-07-05 20:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\AGS Demo Game
2008-07-01 17:21 --------- d-----w C:\Program Files\NoteWorthy Composer
2008-06-27 01:41 --------- d-----w C:\Documents and Settings\Family\Application Data\ICAClient
2008-05-22 04:29 906 ----a-w C:\Documents and Settings\Family\Application Data\wklnhst.dat
2006-09-22 15:42 421,888 ----a-w C:\Program Files\putty.exe
2005-02-04 02:35 5,808 ----a-w C:\Program Files\dad.rvn
2005-02-02 22:21 7,387 ----a-w C:\Program Files\ryan.rvn
2005-02-02 22:00 7,190 ----a-w C:\Program Files\keri.rvn
2000-01-15 23:03 4,770 ----a-w C:\Program Files\SOUND.DRV
2000-01-15 23:03 14,743 ----a-w C:\Program Files\MUSIC.DRV
2005-09-09 16:04 56 --sh--r C:\WINDOWS\system32\02836ADAB6.sys
2008-02-20 02:51 56 --sh--r C:\WINDOWS\system32\401AA90494.sys
2008-02-20 02:51 9,188 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{19ECDF66-ED80-4586-95D9-41688F47F74D}]
2008-07-28 19:47 314880 --a------ C:\WINDOWS\system32\geBqQhgD.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@="{30351346-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@="{30351347-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@="{30351348-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@="{3035134B-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@="{3035134C-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@="{3035134D-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@="{3035134E-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IECheck"="C:\WINDOWS\IECheck.exe" [2005-11-17 20:40 108544]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"FLMK08KB"="C:\Program Files\Muiltmedia keyboard utility\1.3\MMKEYBD.EXE" [2008-03-16 11:38 207360]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"BDMCon"="C:\Program Files\Softwin\BitDefender10\bdmcon.exe" [2007-04-02 15:48 290816]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 14:49 69632]
"BMabd9e110"="C:\WINDOWS\system32\roeiyidj.dll" [2008-07-28 19:49 91648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.avis"= ff_acm.acm

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Uakos"="C:\Documents and Settings\Family\Application Data\F?nts\j?vaw.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"runner1"=C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
"NI.UGA6P_0001_N122M2802"="C:\DOCUME~1\Family\LOCALS~1\Temp\winvsnet.exe"
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /install
"Cmaudio"=RunDll32 cmicnfg.cpl,CMICtrlWnd
"BMabd9e110"=Rundll32.exe "C:\WINDOWS\system32\roeiyidj.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

S3 CardReaderFilter;Card Reader Filter;C:\WINDOWS\system32\Drivers\USBCRFT.SYS [2008-03-13 14:10]
S3 UKBFLT;UKBFLT;C:\WINDOWS\system32\DRIVERS\UKBFLT.sys [2003-12-19 16:13]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-12-02 06:17]
.
Contents of the 'Scheduled Tasks' folder

2008-07-27 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.ca/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKCU-Main,Default_Search_URL = hxxp://www.google.com/ie
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-Internet Settings,ProxyOverride = 127.0.0.1
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm
O8 -: Download by HiDownload - C:\Program Files\HiDownload\HDGet.htm
O9 -: {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\HiDownload\hidownload.exe
O15 -: Trusted Zone: *.amaena.com
O15 -: Trusted Zone: *.avsystemcare.com
O15 -: Trusted Zone: *.onerateld.com
O15 -: Trusted Zone: *.safetydownload.com
O15 -: Trusted Zone: *.trustedantivirus.com
O15 -: Trusted Zone: *.virusschlacht.com

O16 -: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxp://engrwww.usask.ca/department/service/ecc/computer_labs/UsageDisplay/ts/msrdp.cab
C:\WINDOWS\Downloaded Program Files\msrdp.inf
C:\WINDOWS\Downloaded Program Files\msrdp.ocx


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-29 11:16:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\roeiyidj.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Muiltmedia keyboard utility\1.3\KBDAP32A.EXE
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-07-29 11:22:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-29 17:22:17
ComboFix2.txt 2008-04-03 20:48:08

Pre-Run: 246,163,214,336 bytes free
Post-Run: 246,385,917,952 bytes free

229

Last edited by tetonbob; 08-05-2008 at 09:46 PM. Reason: removed quote tags; makes logs harder to read