Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 06-16-2009, 11:46 PM   #1 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 20
OS: Windows XP, SP 2


Firefox browser hijack and flash drive folders becoming .exe

Hi,

I'd really appreciate your help. I've had a virus on my computer for a while that hijacks my Firefox browser.

It comes from the process XP-04c704a7.exe which is executed at startup or whenever I connect my flash drive or external hard drive. It also turns the folders on these external drives to .exe files. I cannot delete the file, but I can close it and it won't re-start until I do either of the above. I've got Spybot which finds and removes it - but it then just returns on startup.

I'd massively appreciate any help.

Thanks



Not sure if this helps, but these are the redirects the virus initiates:



DDS (Ver_09-05-14.01) - NTFSx86
Run by NICKATTACK at 17:14:06.48 on Wed 06/17/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.415 [GMT 12:00]

AV: Norton AntiVirus *On-access scanning enabled* (Outdated) {B5510F6F-87E1-47F7-A411-360BC453007C}

============== Running Processes ===============

C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\System32\TpScrLk.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\XP-04C704A7.EXE
C:\Documents and Settings\NICKATTACK\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.cn/
uSearch Page = hxxp://search.bearshare.com/search/index.html?src=ssb
uSearch Bar = hxxp://search.bearshare.com/search/index.html?src=ssb
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
mSearchAssistant = hxxp://search.bearshare.com/search/index.html?src=ssb
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
TB: {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ibmmessages] c:\program files\ibm\messages by ibm\ibmmessages.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TpShocks] TpShocks.exe
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
mRun: [BMMMONWND] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatInfEx.dll,BMMAutonomicMonitor
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [NAV CfgWiz] c:\program files\common files\symantec shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
mRun: [ibmmessages] c:\program files\ibm\messages by ibm\\ibmmessages.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [BMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [TPKBDLED] c:\windows\system32\TpScrLk.exe
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Consumer
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [PDService.exe] "c:\program files\ibm thinkvantage\safeguard privatedisk\pdservice.exe"
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [DigidesignMMERefresh] c:\program files\digidesign\drivers\MMERefresh.exe
mRun: [oxbvpen] c:\windows\system32\gwthtis.exe
mRun: [udjudwq] c:\windows\system32\sybqnub.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [configmsi] cmd /c "rmdir /q C:\config.msi"
dRunOnce: [supportdir] cmd /c "rmdir /q /s "c:\windows\temp\{7726CF62-7B45-4E6D-9266-615346816BCA}""
StartupFolder: c:\docume~1\nickat~1\startm~1\programs\startup\75cd~1.lnk - c:\windows\system32\XP-04C704A7.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
uPolicies-system: DisableRegedit = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\thinkpad\pkgmgr\PkgMgr.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162072394383
DPF: {74FFE28D-2378-11D5-990C-006094235084} - hxxp://www-307.ibm.com/pc/support/IbmEgath.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.1/jinstall-141-win.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: N/A: {a93a4625-6216-499c-b360-bbd0a7c0d479} - c:\program files\common files\microsoft shared\msinfo\QQGS1.dll
SEH: N/A: {c5e87a05-f463-4841-b19e-dd3ec3862368} - c:\program files\internet explorer\IEXPLORE32.Sys
SEH: N/A: {ee12d60d-ad9a-4095-b839-3be6862679fd} - c:\program files\internet explorer\IEXPLORE32.Dat
SEH: N/A: {a45b2c37-01d0-4d3e-be5e-cc119b17be9e} - c:\program files\internet explorer\IEXPLORE32.win
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: N/A: {d544c22d-1f70-4b1e-873d-d8dabeb26695} - c:\program files\common files\microsoft shared\msinfo\atmQQ2.dll
LSA: Notification Packages = scecli csspwntfy

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nickat~1\applic~1\mozilla\firefox\profiles\f1sqrupv.default\
FF - prefs.js: browser.startup.homepage - www.blackle.co.nz
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvlc.dll

============= SERVICES / DRIVERS ===============

R0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys [2006-8-21 6912]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2006-9-21 58568]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2006-9-21 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2006-9-21 6016]
R1 SAVRT;SAVRT;c:\program files\norton antivirus\savrt.sys [2006-10-6 305288]
R1 SAVRTPEL;SAVRTPEL;c:\program files\norton antivirus\savrtpel.sys [2006-10-6 37000]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2006-9-21 15360]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2006-10-6 255648]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2006-10-6 235168]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [2008-4-29 11776]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2006-8-21 12544]
R2 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;c:\program files\autodesk\3ds max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [2009-3-12 86016]
R2 navapsvc;Norton AntiVirus Auto Protect Service;c:\program files\norton antivirus\NAVAPSVC.EXE [2006-9-23 158664]
R2 PrivateDisk;PrivateDisk;c:\program files\ibm thinkvantage\safeguard privatedisk\privatediskm.sys [2005-11-16 46142]
R2 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2006-9-21 4433]
R2 smi2;smi2;c:\program files\smi2\smi2.sys [2006-8-21 3968]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20061004.009\NAVENG.Sys [2006-10-6 79240]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20061004.009\NavEx15.Sys [2006-10-6 831880]
S2 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2003-6-25 66784]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2006-10-6 87712]
S3 koreavs;koreavs;c:\windows\system32\drivers\koreavs.sys [2007-6-14 25088]
S3 koreusb;koreusb;c:\windows\system32\drivers\koreusb.sys [2007-6-14 82944]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2008-5-29 30946]
S3 SAVScan;SAVScan;c:\program files\norton antivirus\SAVSCAN.EXE [2006-10-6 194272]
S3 TPM11;NSC Integrated Trusted Platform Module 1.1;c:\windows\system32\drivers\nsctpm11.sys [2006-7-15 14336]
S3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [2007-7-10 55840]

=============== Created Last 30 ================

2009-06-17 17:13 1,514,733 ---shr-- c:\windows\system32\XP-04C704A7.EXE
2009-06-16 15:43 <DIR> --d----- c:\docume~1\nickat~1\applic~1\Autodesk
2009-06-15 07:19 1,089,601 -------- c:\windows\system32\dllcache\ntprint.cat
2009-06-14 22:32 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-06-14 22:30 <DIR> --d----- c:\program files\common files\Autodesk Shared
2009-06-14 22:14 <DIR> --d----- c:\program files\Autodesk
2009-06-14 22:13 509,448 a------- c:\windows\system32\XAudio2_2.dll
2009-06-14 22:13 68,616 a------- c:\windows\system32\XAPOFX1_1.dll
2009-06-14 22:13 238,088 a------- c:\windows\system32\xactengine3_2.dll
2009-06-14 22:13 1,493,528 a------- c:\windows\system32\D3DCompiler_39.dll
2009-06-14 22:13 467,984 a------- c:\windows\system32\d3dx10_39.dll
2009-06-14 22:13 3,851,784 a------- c:\windows\system32\D3DX9_39.dll
2009-06-14 22:13 1,124,720 a------- c:\windows\system32\D3DCompiler_34.dll
2009-06-14 22:13 443,752 a------- c:\windows\system32\d3dx10_34.dll
2009-06-14 22:13 3,497,832 a------- c:\windows\system32\d3dx9_34.dll
2009-06-14 22:13 3,426,072 a------- c:\windows\system32\d3dx9_32.dll
2009-06-14 22:13 2,414,360 a------- c:\windows\system32\d3dx9_31.dll
2009-06-14 22:13 <DIR> --d----- c:\windows\Logs
2009-06-14 22:11 <DIR> --d----- c:\windows\system32\XPSViewer
2009-06-14 22:10 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-06-14 22:10 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-06-14 22:10 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-06-14 22:10 117,760 -------- c:\windows\system32\prntvpt.dll
2009-06-14 22:10 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-06-14 22:10 <DIR> --d----- C:\9d3084bc6b5eda843311eef063d0
2009-06-14 22:10 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-06-14 22:10 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2009-06-14 22:09 <DIR> --d----- c:\windows\SxsCaPendDel
2009-06-14 22:05 <DIR> --d----- c:\program files\MSXML 6.0
2009-06-14 21:41 <DIR> --d----- C:\Autodesk
2009-05-24 00:13 <DIR> --d----- c:\program files\common files\Macromedia Shared
2009-05-23 23:05 <DIR> --d----- c:\program files\Macromedia

==================== Find3M ====================

2009-06-17 17:13 2,404 a--sh--- c:\windows\system32\ul.dll
2009-05-08 03:44 344,064 a------- c:\windows\system32\localspl.dll
2009-05-08 03:44 344,064 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-29 16:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 16:56 827,392 -------- c:\windows\system32\dllcache\wininet.dll
2009-04-29 16:56 233,472 -------- c:\windows\system32\dllcache\webcheck.dll
2009-04-29 16:56 44,544 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-29 16:56 1,159,680 -------- c:\windows\system32\dllcache\urlmon.dll
2009-04-29 16:56 671,232 -------- c:\windows\system32\dllcache\mstime.dll
2009-04-29 16:56 105,984 -------- c:\windows\system32\dllcache\url.dll
2009-04-29 16:56 102,912 -------- c:\windows\system32\dllcache\occache.dll
2009-04-29 16:56 3,596,288 -------- c:\windows\system32\dllcache\mshtml.dll
2009-04-29 16:56 477,696 -------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-29 16:56 193,024 -------- c:\windows\system32\dllcache\msrating.dll
2009-04-28 21:05 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 21:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-25 17:27 636,088 -------- c:\windows\system32\dllcache\iexplore.exe
2009-04-25 17:26 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-04-17 21:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-17 21:58 1,846,656 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-16 03:11 584,192 a------- c:\windows\system32\rpcrt4.dll
2009-04-16 03:11 584,192 -------- c:\windows\system32\dllcache\rpcrt4.dll
2009-03-22 02:18 986,112 -------- c:\windows\system32\dllcache\kernel32.dll
2008-05-29 23:36 2 a--shrot c:\windows\winstart.bat
2007-05-23 16:23 46,526 ---sh--- c:\windows\system32\meex.com
2007-05-23 16:23 46,526 a--sh--- c:\windows\system32\sybqnub.exe.ren
2009-03-04 17:50 0 ---sh--- c:\windows\system32\wemtareg.exe
2009-03-05 09:38 20,992 ---sh--- c:\windows\system32\wemtoreg.exe
2009-02-21 12:31 20,992 ---sh--- c:\windows\system32\wimtareg.exe
2009-02-20 08:13 20,992 ---sh--- c:\windows\system32\wimzareg.exe
2008-10-15 12:07 15,360 ---sh--- c:\windows\system32\winmcreg.exe
2008-10-26 06:01 15,360 ---sh--- c:\windows\system32\winncreg.exe
2008-11-13 15:49 15,872 ---sh--- c:\windows\system32\winqcreg.exe
2008-11-21 12:57 16,384 ---sh--- c:\windows\system32\winrcreg.exe
2008-11-26 08:08 16,384 ---sh--- c:\windows\system32\winscreg.exe
2008-12-04 19:58 16,896 ---sh--- c:\windows\system32\winucreg.exe
2008-12-10 08:39 16,896 ---sh--- c:\windows\system32\winxcreg.exe
2008-12-16 15:26 16,896 ---sh--- c:\windows\system32\winzcreg.exe
2009-03-11 09:27 20,992 ---sh--- c:\windows\system32\wtitoreg.exe
2009-03-09 10:06 20,992 ---sh--- c:\windows\system32\wtmtoreg.exe

============= FINISH: 17:15:02.49 ===============
Attached Files
File Type: zip attach.zip (4.9 KB, 2 views)
niksgt is offline  
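The two symptoms reported in this post (every folder on the external drive acquiring an .exe twin, and the executable firing whenever the drive is connected) can be checked for from the drive side. The script below is an added example, not code from the original thread or from any tool it mentions; it assumes the usual folder-mimic layout (the real folder is left in place, often hidden, beside a same-named .exe, in the way the DDS log shows system and hidden attributes on XP-04C704A7.EXE) and the autorun.inf mechanism Windows XP used to launch programs on media insertion, neither of which the post itself states.

```python
"""Defensive check of a removable drive for folder-mimic executables and autorun launchers.

Added example; the sample drive layout built by build_sample_drive() is constructed here.
"""
import json
import os
import stat
import tempfile
from pathlib import Path

# Windows attribute bits; on non-Windows hosts os.stat() has no st_file_attributes,
# so the attribute check simply reports nothing there.
HIDDEN = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)
SYSTEM = getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0x4)
AUTORUN_KEYS = ("open", "shellexecute", "shell\\open\\command")


def file_attrs(path: Path) -> int:
    """Windows file attribute bits of path, or 0 where the platform lacks them."""
    return getattr(path.stat(), "st_file_attributes", 0)


def find_folder_mimics(root):
    """Relative paths of .exe files whose stem matches a directory in the same folder.

    A mimic leaves the real directory in place next to an executable of the same
    name, so a user who double-clicks "Photos" launches Photos.exe instead.
    """
    root = Path(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        sibling_dirs = {d.lower() for d in dirnames}
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() == ".exe" and p.stem.lower() in sibling_dirs:
                hits.append(str(p.relative_to(root)))
    return sorted(hits)


def find_hidden_executables(root):
    """Relative paths of .exe files carrying the hidden or system attribute."""
    root = Path(root)
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() == ".exe" and file_attrs(p) & (HIDDEN | SYSTEM):
                hits.append(str(p.relative_to(root)))
    return sorted(hits)


def parse_autorun(root):
    """Launch targets named under [autorun] in autorun.inf at the drive root, if any."""
    inf = Path(root) / "autorun.inf"
    if not inf.is_file():
        return []
    targets, in_section = [], False
    for raw in inf.read_text(errors="replace").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower() in AUTORUN_KEYS:
                targets.append(value)
    return targets


def scan_drive(root):
    """Combine the three checks into one report for a drive root."""
    return {
        "folder_mimics": find_folder_mimics(root),
        "hidden_executables": find_hidden_executables(root),
        "autorun_targets": parse_autorun(root),
    }


def build_sample_drive(base):
    """Constructed sample drive: two real folders, one of them shadowed by a mimic."""
    base = Path(base)
    (base / "Photos").mkdir()
    (base / "Photos" / "holiday.jpg").write_bytes(b"\xff\xd8\xff")
    (base / "Photos.exe").write_bytes(b"MZ")  # mimic of the Photos folder
    (base / "Work").mkdir()
    (base / "setup.exe").write_bytes(b"MZ")   # ordinary installer, no sibling folder
    (base / "autorun.inf").write_text("[autorun]\nopen=Photos.exe\nicon=Photos.exe\n")
    return base


def demo():
    """Build the constructed sample in a temp dir and return the scan report."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_drive(build_sample_drive(tmp))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Point scan_drive() at the root of the suspect drive (for example E:\) to get the same report for real media; hidden-attribute results only appear when run on Windows.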
Old 06-17-2009, 06:09 PM   #2 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 20
OS: Windows XP, SP 2


Re: Firefox browser hijack and flash drive folders becoming .exe

Also, I have just noticed I have a shortcut in my startup called 'iiiiii' which links to the XP-04c704a7.exe file. If I delete 'iiiiii' it just returns the next time I restart my computer.

Thanks.
niksgt is offline  
Old 06-17-2009, 11:26 PM   #3 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,562
OS: WinXP and Vista


Re: Firefox browser hijack and flash drive folders becoming .exe

Hello niksgt,

It will require more than one round to properly clean your system. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


***************************************************

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT- Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on combofix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 06-18-2009, 06:05 AM   #4 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 20
OS: Windows XP, SP 2


Re: Firefox browser hijack and flash drive folders becoming .exe

Thanks for your help! I disabled Norton and Spybot and ran ComboFix. It completed the scan in about 10 mins, but then once it started writing the log I had a pop-up warning - too fast to read, sorry - and then ComboFix appeared to stop working. I waited for half an hour with no sign of activity. I tried to shut ComboFix down and the computer crashed. Now I've reset and it seems to have defeated the file I was worried about but hasn't produced a logfile. What should I do next?
niksgt is offline  
Old 06-18-2009, 06:28 AM   #5 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 20
OS: Windows XP, SP 2


Re: Firefox browser hijack and flash drive folders becoming .exe

Sorry, upon restart I ran ComboFix again and it worked fine this time:

ComboFix 09-06-17.04 - NICKATTACK 06/19/2009 0:11.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.613 [GMT 12:00]
Running from: c:\documents and settings\NICKATTACK\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {B5510F6F-87E1-47F7-A411-360BC453007C}
.

((((((((((((((((((((((((( Files Created from 2009-05-18 to 2009-06-18 )))))))))))))))))))))))))))))))
.

2009-06-18 08:17 . 2009-06-18 08:17 -------- d-----w- c:\documents and settings\NICKATTACK\Local Settings\Application Data\WMTools Downloaded Files
2009-06-16 03:43 . 2009-06-16 03:43 -------- d-----w- c:\documents and settings\NICKATTACK\Application Data\Autodesk
2009-06-16 02:08 . 2009-06-16 02:08 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-06-16 02:07 . 2009-06-16 02:07 -------- d-----w- c:\documents and settings\NICKATTACK\Local Settings\Application Data\Autodesk
2009-06-14 10:32 . 2009-06-14 10:32 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-06-14 10:30 . 2009-06-14 10:32 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2009-06-14 10:27 . 2009-06-16 03:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2009-06-14 10:14 . 2009-06-14 10:33 -------- d-----w- c:\program files\Autodesk
2009-06-14 10:13 . 2008-07-30 22:41 68616 ----a-w- c:\windows\system32\XAPOFX1_1.dll
2009-06-14 10:13 . 2008-07-30 22:40 509448 ----a-w- c:\windows\system32\XAudio2_2.dll
2009-06-14 10:13 . 2008-07-30 22:41 238088 ----a-w- c:\windows\system32\xactengine3_2.dll
2009-06-14 10:13 . 2008-07-11 20:18 467984 ----a-w- c:\windows\system32\d3dx10_39.dll
2009-06-14 10:13 . 2008-07-11 20:18 1493528 ----a-w- c:\windows\system32\D3DCompiler_39.dll
2009-06-14 10:13 . 2008-07-11 20:18 3851784 ----a-w- c:\windows\system32\D3DX9_39.dll
2009-06-14 10:13 . 2007-05-16 04:45 443752 ----a-w- c:\windows\system32\d3dx10_34.dll
2009-06-14 10:13 . 2007-05-16 04:45 1124720 ----a-w- c:\windows\system32\D3DCompiler_34.dll
2009-06-14 10:13 . 2007-05-16 04:45 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll
2009-06-14 10:13 . 2006-11-29 01:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-06-14 10:13 . 2006-09-28 04:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2009-06-14 10:13 . 2009-06-14 10:13 -------- d-----w- c:\windows\Logs
2009-06-14 10:12 . 2009-06-17 05:08 258584 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-14 10:11 . 2009-06-14 10:11 -------- d-----w- c:\windows\system32\XPSViewer
2009-06-14 10:11 . 2009-06-14 10:11 -------- d-----w- c:\program files\MSBuild
2009-06-14 10:11 . 2009-06-14 10:11 -------- d-----w- c:\program files\Reference Assemblies
2009-06-14 10:10 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-06-14 10:10 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-06-14 10:10 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-06-14 10:10 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-06-14 10:10 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-06-14 10:10 . 2009-06-14 10:11 -------- d-----w- C:\9d3084bc6b5eda843311eef063d0
2009-06-14 10:10 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-06-14 10:10 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-06-14 10:09 . 2009-06-17 05:09 -------- d-----w- c:\windows\SxsCaPendDel
2009-06-14 10:05 . 2009-06-14 10:05 -------- d-----w- c:\program files\MSXML 6.0
2009-06-14 09:41 . 2009-06-14 09:41 -------- d-----w- C:\Autodesk
2009-06-12 11:07 . 2009-06-14 00:31 -------- d-----w- c:\documents and settings\NICKATTACK\Application Data\Download Manager
2009-05-23 12:13 . 2009-05-23 12:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrovision
2009-05-23 12:13 . 2009-05-23 12:13 -------- d-----w- c:\program files\Common Files\Macromedia Shared
2009-05-23 11:05 . 2009-05-23 12:12 -------- d-----w- c:\program files\Macromedia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-18 08:16 . 2006-11-12 02:11 -------- d-----w- c:\program files\Soulseek
2009-06-18 01:34 . 2008-02-22 08:19 -------- d-----w- c:\documents and settings\NICKATTACK\Application Data\Azureus
2009-06-17 11:51 . 2008-11-26 05:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-17 10:52 . 2008-10-08 01:21 -------- d-----w- c:\documents and settings\NICKATTACK\Application Data\foobar2000
2009-06-17 04:35 . 2008-10-19 23:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-16 03:44 . 2006-09-22 04:40 79080 ----a-w- c:\documents and settings\NICKATTACK\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-06 23:04 . 2006-11-08 07:36 -------- d-----w- c:\program files\Last.fm
2009-05-25 14:50 . 2008-02-22 08:16 -------- d-----w- c:\program files\Azureus
2009-05-23 12:12 . 2006-09-21 06:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-07 15:44 . 1980-01-01 07:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2006-06-23 18:33 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2006-10-06 00:23 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 1980-01-01 07:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2004-03-06 02:16 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2009-03-20 23:37 . 2009-03-20 23:38 6944624 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aaw2008_upd.exe
2006-05-06 16:42 . 2006-10-26 01:20 7260160 ----a-w- c:\program files\mozilla firefox\plugins\libvlc.dll
2008-05-29 11:36 . 2008-05-29 11:36 2 --shatr- c:\windows\winstart.bat
2007-05-23 04:23 . 2007-08-28 20:09 46526 --sha-w- c:\windows\system32\sybqnub.exe.ren
2009-03-04 05:50 . 2009-03-04 05:50 0 --sh--w- c:\windows\system32\wemtareg.exe
2009-03-04 21:38 . 2009-03-04 21:38 20992 --sh--w- c:\windows\system32\wemtoreg.exe
2009-02-21 00:31 . 2009-02-21 00:31 20992 --sh--w- c:\windows\system32\wimtareg.exe
2009-02-19 20:13 . 2009-02-19 20:13 20992 --sh--w- c:\windows\system32\wimzareg.exe
2008-10-15 00:07 . 2008-10-15 00:07 15360 --sh--w- c:\windows\system32\winmcreg.exe
2008-10-25 18:01 . 2008-10-25 18:01 15360 --sh--w- c:\windows\system32\winncreg.exe
2008-11-13 03:49 . 2008-11-13 03:49 15872 --sh--w- c:\windows\system32\winqcreg.exe
2008-11-21 00:57 . 2008-11-21 00:57 16384 --sh--w- c:\windows\system32\winrcreg.exe
2008-11-25 20:08 . 2008-11-25 20:08 16384 --sh--w- c:\windows\system32\winscreg.exe
2008-12-04 07:58 . 2008-12-04 07:58 16896 --sh--w- c:\windows\system32\winucreg.exe
2008-12-09 20:39 . 2008-12-09 20:39 16896 --sh--w- c:\windows\system32\winxcreg.exe
2008-12-16 03:26 . 2008-12-16 03:26 16896 --sh--w- c:\windows\system32\winzcreg.exe
2009-03-10 21:27 . 2009-03-10 21:27 20992 --sh--w- c:\windows\system32\wtitoreg.exe
2009-03-08 22:06 . 2009-03-08 22:06 20992 --sh--w- c:\windows\system32\wtmtoreg.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"ibmmessages"="c:\program files\IBM\Messages By IBM\ibmmessages.exe" [2004-01-20 581632]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 864256]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 94208]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2003-12-25 394752]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-09-13 237568]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-09 71328]
"NAV CfgWiz"="c:\program files\Common Files\Symantec Shared\CfgWiz.exe" [2003-08-15 124096]
"ibmmessages"="c:\program files\IBM\Messages By IBM\\ibmmessages.exe" [2004-01-20 581632]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-10-22 114741]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-12-25 106496]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-01-22 344064]
"TPKBDLED"="c:\windows\System32\TpScrLk.exe" [2002-10-09 40960]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2006-10-05 100056]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-04-17 409600]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 98304]
"PDService.exe"="c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-11-15 49152]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-03-28 503808]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"BluetoothAuthenticationAgent"="irprops.cpl" - c:\windows\system32\irprops.cpl [2004-08-04 380416]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2003-12-17 102400]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2005-10-17 65536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"configmsi"="rmdir" [X]
"supportdir"="rmdir" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-10-6 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 06:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 03:16 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI5"=diomidi.dll
"wave5"=Digi32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan\0lsdelete

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli csspwntfy

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^NICKATTACK^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\NICKATTACK\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^NICKATTACK^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=c:\documents and settings\NICKATTACK\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=c:\windows\pss\Last.fm Helper.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\mentalray\\satellite\\raysat_3dsmax2010_32server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\mentalray\\satellite\\raysat_3dsmax2010_32.exe"=

R0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys [8/21/2006 8:04 PM 6912]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [9/21/2006 6:21 PM 58568]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [9/21/2006 6:21 PM 15360]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [4/29/2008 10:09 PM 11776]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [8/21/2006 8:44 PM 12544]
R2 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [3/12/2009 5:36 PM 86016]
R2 PrivateDisk;PrivateDisk;c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\privatediskm.sys [11/16/2005 8:11 AM 46142]
R2 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [9/21/2006 6:21 PM 4433]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [8/21/2006 8:10 PM 3968]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 koreavs;koreavs;c:\windows\system32\drivers\koreavs.sys [6/14/2007 9:20 PM 25088]
S3 koreusb;koreusb;c:\windows\system32\drivers\koreusb.sys [6/14/2007 9:20 PM 82944]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [5/29/2008 11:38 PM 30946]
S3 TPM11;NSC Integrated Trusted Platform Module 1.1;c:\windows\system32\drivers\nsctpm11.sys [7/15/2006 11:37 AM 14336]
S3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [7/10/2007 9:06 PM 55840]
.
Contents of the 'Scheduled Tasks' folder

2009-05-23 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2006-09-21 08:36]

2009-06-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-12 09:42]

2009-06-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 06:20]

2009-06-12 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\Navw32.exe [2006-09-22 01:22]

2006-09-22 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2006-09-21 00:17]

2009-06-18 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-22 10:18]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-BMMLREF - c:\program files\ThinkPad\Utilities\BMMLREF.EXE
HKLM-Run-DigidesignMMERefresh - c:\program files\Digidesign\Drivers\MMERefresh.exe
HKLM-Run-oxbvpen - c:\windows\system32\gwthtis.exe
HKLM-Run-udjudwq - c:\windows\system32\sybqnub.exe
HKLM-Run-XP-04C704A7 - c:\windows\system32\XP-04C704A7.EXE
ShellExecuteHooks-{A93A4625-6216-499C-B360-BBD0A7C0D479} - c:\program files\Common Files\Microsoft Shared\MSINFO\QQGS1.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.cn/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\NICKATTACK\Application Data\Mozilla\Firefox\Profiles\f1sqrupv.default\
FF - prefs.js: browser.startup.homepage - www.blackle.co.nz
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvlc.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-19 00:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(820)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll

- - - - - - - > 'lsass.exe'(876)
c:\program files\IBM ThinkVantage\Client Security Solution\csspwntfy.dll
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtsp.dll
c:\program files\IBM ThinkVantage\Client Security Solution\tcsrpc.dll
c:\program files\IBM ThinkVantage\Client Security Solution\cssuserdatadispatcher.dll

- - - - - - - > 'explorer.exe'(2180)
c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
c:\program files\Common Files\Ahead\Lib\BCGCBPRO860un71.dll
c:\windows\system32\mshtml.dll
c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-18 0:25
ComboFix-quarantined-files.txt 2009-06-18 12:24

Pre-Run: 6,806,904,832 bytes free
Post-Run: 6,788,554,752 bytes free

255 --- E O F --- 2009-06-15 15:01
niksgt is offline  
Old 06-18-2009, 06:39 AM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,562
OS: WinXP and Vista


Re: Firefox browser hijack and flash drive folders becoming .exe

Hello niksgt,

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Open notepad and copy/paste the text in the code box below into it:

Quote:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/386275-firefox-browser-hijack-flash-drive-folders-becoming-exe.html#post2195962

Collect::
c:\windows\system32\wemtoreg.exe
c:\windows\system32\sybqnub.exe.ren
c:\windows\system32\winmcreg.exe
c:\windows\system32\winncreg.exe
c:\windows\system32\wimtareg.exe
c:\windows\system32\wimzareg.exe
c:\windows\system32\winqcreg.exe
c:\windows\system32\winrcreg.exe
c:\windows\system32\winscreg.exe
c:\windows\system32\winucreg.exe
c:\windows\system32\winxcreg.exe
c:\windows\system32\winzcreg.exe
c:\windows\system32\wtitoreg.exe
c:\windows\system32\wtmtoreg.exe

File::
c:\windows\winstart.bat
c:\windows\system32\wemtareg.exe

FileLook::
c:\windows\system32\drivers\koreavs.sys

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"configmsi"=-
"supportdir"=-


Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


***************************************************





Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
---------------------------------------------------------------------

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

---------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
Update on system behavior
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
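The CFScript in the post above was built by reading the Find3M report for hidden+system executables under c:\windows and deciding which go under Collect:: (submit for analysis, then remove) and which under File:: (just remove). As an added example, not ComboFix's or the forum's own code, the Python helper below parses lines in that log layout, applies that rule, clusters the hits by identical file size (the 20992- and 15360-byte groups are a sign of one dropper re-dropping itself under fresh names), and drafts the CFScript skeleton. The sample lines are copied from the log posted above; the placeholder thread URL, the benign-file allowlist, the reading of the attribute letters (d = directory, s = system, h = hidden) and the Collect/File split rule are my assumptions, not documented ComboFix behaviour.

```python
"""Triage a ComboFix Find3M listing and draft a CFScript (added example)."""
import re
from collections import defaultdict

# Lines copied from the Find3M report above: "<mtime> . <ctime> <size> <attrs> <path>".
SAMPLE_LOG = r"""
2009-05-23 12:12 . 2006-09-21 06:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-07 15:44 . 1980-01-01 07:00 344064 ----a-w- c:\windows\system32\localspl.dll
2008-05-29 11:36 . 2008-05-29 11:36 2 --shatr- c:\windows\winstart.bat
2007-05-23 04:23 . 2007-08-28 20:09 46526 --sha-w- c:\windows\system32\sybqnub.exe.ren
2009-03-04 05:50 . 2009-03-04 05:50 0 --sh--w- c:\windows\system32\wemtareg.exe
2009-03-04 21:38 . 2009-03-04 21:38 20992 --sh--w- c:\windows\system32\wemtoreg.exe
2009-02-21 00:31 . 2009-02-21 00:31 20992 --sh--w- c:\windows\system32\wimtareg.exe
2008-10-15 00:07 . 2008-10-15 00:07 15360 --sh--w- c:\windows\system32\winmcreg.exe
2008-10-25 18:01 . 2008-10-25 18:01 15360 --sh--w- c:\windows\system32\winncreg.exe
2009-07-10 03:42 . 2003-02-20 16:18 2048 --s-a-w- c:\windows\bootstat.dat
2009-07-10 03:42 . 2006-09-21 05:55 1610612736 --sha-w- C:\pagefile.sys
"""

LOG_LINE = re.compile(
    r"^(?P<mtime>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<ctime>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size>\d+|-{8}) "          # directories show "--------" instead of a size
    r"(?P<attrs>[-a-z]{8}) "
    r"(?P<path>.+?)\s*$"
)

SYSTEM_ROOT = "c:\\windows\\"
# Assumption: a maintained allowlist of files that are hidden/system by design.
BENIGN = {"c:\\windows\\bootstat.dat"}


def parse_find3m(text):
    """Return one dict per parseable log line; headers and dot lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        attrs = m["attrs"]  # assumption: letter presence means d=dir, s=system, h=hidden
        entries.append({
            "path": m["path"],
            "size": None if m["size"].startswith("-") else int(m["size"]),
            "is_dir": "d" in attrs,
            "hidden": "h" in attrs,
            "system": "s" in attrs,
            "mtime": m["mtime"],
            "ctime": m["ctime"],
        })
    return entries


def suspicious(entries):
    """Non-directory files that are both hidden and system under c:\\windows\\."""
    hits = []
    for e in entries:
        p = e["path"].lower()
        if e["is_dir"] or p in BENIGN:
            continue
        if e["hidden"] and e["system"] and p.startswith(SYSTEM_ROOT):
            hits.append(e)
    return hits


def size_clusters(entries, min_members=2):
    """Group flagged paths by identical byte size; repeats hint at one re-dropped binary."""
    by_size = defaultdict(list)
    for e in entries:
        if e["size"]:
            by_size[e["size"]].append(e["path"])
    return {s: sorted(p) for s, p in by_size.items() if len(p) >= min_members}


def draft_cfscript(flagged, thread_url, registry_removals=None):
    """Build CFScript text: Collect:: for samples worth submitting, File:: for the rest."""
    collect, delete = [], []
    for e in flagged:
        # My rule, not ComboFix's: zero-byte files and .bat droppers carry nothing
        # worth analysing, so they are deleted outright; everything else is collected.
        if e["size"] == 0 or e["path"].lower().endswith(".bat"):
            delete.append(e["path"])
        else:
            collect.append(e["path"])
    lines = [thread_url, ""]
    if collect:
        lines += ["Collect::"] + collect + [""]
    if delete:
        lines += ["File::"] + delete + [""]
    for key, names in (registry_removals or {}).items():
        lines += ["Registry::", f"[{key}]"] + [f'"{n}"=-' for n in names] + [""]
    return "\n".join(lines)


if __name__ == "__main__":
    flagged = suspicious(parse_find3m(SAMPLE_LOG))
    for e in flagged:
        print(f"{e['size']:>8}  {e['ctime']}  {e['path']}")
    print("size clusters:", size_clusters(flagged))
    print(draft_cfscript(flagged, "https://example.invalid/thread",  # placeholder URL
                         {"HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce":
                          ["configmsi", "supportdir"]}))
```

The hidden+system rule is deliberately narrow: it catches the sixteen `--sh--w-` droppers in system32 and the `--shatr-` winstart.bat without touching pagefile.sys or bootstat.dat, but it will miss a dropper that clears those attributes, so the size clusters and the creation times (ctime) are the second signal to read before trusting the draft.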
Old 07-10-2009, 05:59 PM   #7 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 20
OS: Windows XP, SP 2


Re: Firefox browser hijack and flash drive folders becoming .exe

Hi Ried,

Thanks for your help. Sorry about the delay in my reply; I haven't had a chance to follow this up.

My system is behaving fine now. One problem though:
- My flash drives and external drives still have their folders as .exe files. I can access them by typing the path into Explorer, but not by clicking or opening them. Also, another computer I put one of my flash drives into the other day said the flash drive has a virus, W32/SillyFDC. My computer doesn't seem to recognise this.

Also, ComboFix seems to have a lot of problems when it runs on my machine. This time around, the first time it reset the computer part way through; the second time it told me to write down c:\windows\temp\logishrd\LVPrcInj01.dll for your review.
It then told me it was going to reset the computer, except it didn't reset the computer and completed the scan. It also claimed it couldn't read 'whitedir.dat'; I guess this will be in the logfile though.

Many thanks for your help.

-----------------------------------------------------------------------


ComboFix 09-07-09.06 - NICKATTACK 07/10/2009 15:33.6.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.676 [GMT 12:00]
Running from: c:\documents and settings\NICKATTACK\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\NICKATTACK\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {B5510F6F-87E1-47F7-A411-360BC453007C}
.
The following files were disabled during the run:
c:\windows\TEMP\logishrd\LVPrcInj01.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
---- Previous Run -------
.
c:\windows\Installer\62f4a.msi
c:\windows\system32\sybqnub.exe.ren
c:\windows\system32\wemtareg.exe
c:\windows\system32\wemtoreg.exe
c:\windows\system32\wimtareg.exe
c:\windows\system32\wimzareg.exe
c:\windows\system32\winmcreg.exe
c:\windows\system32\winncreg.exe
c:\windows\system32\winqcreg.exe
c:\windows\system32\winrcreg.exe
c:\windows\system32\winscreg.exe
c:\windows\system32\winucreg.exe
c:\windows\system32\winxcreg.exe
c:\windows\system32\winzcreg.exe
c:\windows\system32\wtitoreg.exe
c:\windows\system32\wtmtoreg.exe
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\winstart.bat

.
((((((((((((((((((((((((( Files Created from 2009-06-10 to 2009-07-10 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-10 03:43 . 2003-02-20 16:03 -------- d-----w- c:\program files\Common Files
2009-07-10 03:42 . 2003-02-20 16:18 2048 --s-a-w- c:\windows\bootstat.dat
2009-07-10 03:42 . 2006-09-21 05:55 1610612736 --sha-w- C:\pagefile.sys
2009-07-10 03:41 . 2006-09-21 06:55 11272192 ---ha-w- c:\documents and settings\NICKATTACK\NTUSER.DAT
2009-07-10 03:41 . 2003-02-20 16:20 233472 ---ha-w- c:\documents and settings\LocalService\NTUSER.DAT
2009-07-10 03:41 . 2003-02-20 16:20 233472 ---ha-w- c:\documents and settings\NetworkService\NTUSER.DAT
2009-07-10 03:26 . 2009-07-10 03:26 388608 ----a-w- c:\windows\system32\CF18450.exe
2009-07-10 03:22 . 2006-10-26 01:19 -------- d-----w- c:\program files\Mozilla Firefox
2009-07-10 02:06 . 2006-11-12 02:11 -------- d-----w- c:\program files\Soulseek
2009-07-09 12:30 . 2008-11-26 05:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-04 17:07 . 2008-12-09 04:26 -------- d-----w- c:\program files\DVDlabPro2
2009-07-01 03:52 . 2006-10-29 00:41 -------- d-----w- c:\documents and settings\NICKATTACK\Application Data\AdobeUM
2009-06-30 06:59 . 2007-11-02 06:22 -------- d-----w- c:\documents and settings\NICKATTACK\Application Data\Skype
2009-06-30 06:54 . 2009-06-19 09:40 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-06-30 06:54 . 2009-06-19 09:40 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-06-22 03:50 . 2008-10-08 01:21 -------- d-----w- c:\documents and settings\NICKATTACK\Application Data\foobar2000
2009-06-20 15:00 . 2009-06-20 15:00 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-06-19 09:40 . 2009-06-19 09:37 -------- d-----w- c:\program files\Common Files\LogiShrd
2009-06-19 09:37 . 2009-06-19 09:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Logishrd
2009-06-19 09:37 . 2009-06-19 09:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2009-06-19 09:37 . 2009-06-19 09:37 -------- d-----w- c:\program files\Logitech
2009-06-18 11:19 . 2003-02-20 16:10 -------- d-----w- c:\program files\Internet Explorer
2009-06-18 01:34 . 2008-02-22 08:19 -------- d-----w- c:\documents and settings\NICKATTACK\Application Data\Azureus
2009-06-17 05:09 . 2003-02-20 16:02 385624 ----a-w- c:\windows\system32\FNTCACHE.DAT
2009-06-17 05:08 . 2009-06-14 10:12 258584 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-17 04:35 . 2008-10-19 23:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-16 03:44 . 2006-09-22 04:40 79080 ----a-w- c:\documents and settings\NICKATTACK\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-16 03:43 . 2009-06-16 03:43 -------- d-----w- c:\documents and settings\NICKATTACK\Application Data\Autodesk
2009-06-16 03:43 . 2009-06-14 10:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2009-06-16 02:08 . 2009-06-16 02:08 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-06-14 10:33 . 2009-06-14 10:14 -------- d-----w- c:\program files\Autodesk
2009-06-14 10:32 . 2009-06-14 10:32 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-06-14 10:32 . 2009-06-14 10:30 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2009-06-14 10:12 . 1980-01-01 07:00 71462 ----a-w- c:\windows\system32\perfc009.dat
2009-06-14 10:12 . 1980-01-01 07:00 441692 ----a-w- c:\windows\system32\perfh009.dat
2009-06-14 10:11 . 2009-06-14 10:11 -------- d-----w- c:\program files\MSBuild
2009-06-14 10:11 . 2009-06-14 10:11 -------- d-----w- c:\program files\Reference Assemblies
2009-06-14 10:05 . 2009-06-14 10:05 -------- d-----w- c:\program files\MSXML 6.0
2009-06-14 00:31 . 2009-06-12 11:07 -------- d-----w- c:\documents and settings\NICKATTACK\Application Data\Download Manager
2009-06-07 20:10 . 2009-06-18 11:11 155136 ----a-w- c:\windows\PEV.exe
2009-06-06 23:04 . 2006-11-08 07:36 -------- d-----w- c:\program files\Last.fm
2009-06-01 16:51 . 2006-10-05 23:26 23635392 ----a-w- c:\windows\system32\MRT.exe
2009-05-25 14:50 . 2008-02-22 08:16 -------- d-----w- c:\program files\Azureus
2009-05-23 12:13 . 2009-05-23 12:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrovision
2009-05-23 12:13 . 2006-09-22 04:24 -------- d-----w- c:\documents and settings\NICKATTACK\Application Data\Macromedia
2009-05-23 12:13 . 2009-05-23 12:13 -------- d-----w- c:\program files\Common Files\Macromedia Shared
2009-05-23 12:13 . 2009-05-23 12:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Macromedia
2009-05-23 12:12 . 2009-05-23 11:05 -------- d-----w- c:\program files\Macromedia
2009-05-23 12:12 . 2006-09-21 06:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-07 15:44 . 1980-01-01 07:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2006-06-23 18:33 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:56 . 1980-01-01 07:00 233472 ----a-w- c:\windows\system32\webcheck.dll
2009-04-29 04:56 . 2006-08-31 03:42 1159680 ----a-w- c:\windows\system32\urlmon.dll
2009-04-29 04:56 . 1980-01-01 07:00 671232 ------w- c:\windows\system32\mstime.dll
2009-04-29 04:56 . 1980-01-01 07:00 44544 ----a-w- c:\windows\system32\pngfilt.dll
2009-04-29 04:56 . 1980-01-01 07:00 105984 ----a-w- c:\windows\system32\url.dll
2009-04-29 04:56 . 1980-01-01 07:00 102912 ------w- c:\windows\system32\occache.dll
2009-04-29 04:56 . 2006-06-30 17:28 3596288 ----a-w- c:\windows\system32\mshtml.dll
2009-04-29 04:56 . 1980-01-01 07:00 477696 ----a-w- c:\windows\system32\mshtmled.dll
2009-04-29 04:56 . 1980-01-01 07:00 193024 ------w- c:\windows\system32\msrating.dll
2009-04-28 09:05 . 2007-08-13 05:39 13824 ----a-w- c:\windows\system32\ieudinit.exe
2009-04-28 09:05 . 1980-01-01 07:00 70656 ------w- c:\windows\system32\ie4uinit.exe
2009-04-25 05:26 . 1980-01-01 07:00 161792 ------w- c:\windows\system32\ieakui.dll
2009-04-20 00:56 . 2009-06-18 11:11 31232 ----a-w- c:\windows\NIRCMD.exe
2009-04-17 09:58 . 1980-01-01 07:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2004-03-06 02:16 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-15 09:24 . 2005-05-17 00:43 351744 ----a-w- c:\windows\system32\xpsp3res.dll
2006-05-06 16:42 . 2006-10-26 01:20 7260160 ----a-w- c:\program files\mozilla firefox\plugins\libvlc.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\windows\system32\drivers\koreavs.sys ---
Company: Native Instruments GmbH
File Description: Native Instruments WDM Audio Driver (AVStream)
File Version: 1.1.3.0
Product Name: Kore Controller
Copyright: Copyright © 2005, 2006 by Native Instruments GmbH
Original Filename: ni_avs.sys
File size: 25088
Created time: 2007-06-14 09:20
Modified time: 2006-03-22 21:54
MD5: 0E1A03FC2C062087B5F4A7118426FEC2
SHA1: EB864C5E14809CDC275F0E021498D303C28255A6


((((((((((((((((((((((((((((( SnapShot_2009-06-21_13.17.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-09-21 06:31 . 2006-09-21 06:31 80896 c:\windows\Installer\d99d.msi
+ 2008-07-29 09:07 . 2008-07-29 09:07 23040 c:\windows\Installer\b40531a.msp
+ 2009-06-14 10:08 . 2009-06-14 10:08 88576 c:\windows\Installer\b3a6ec9.msi
+ 2009-06-14 10:12 . 2009-06-14 10:12 652800 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\vs_setup.msi
+ 2006-09-21 06:33 . 2006-09-21 06:33 520192 c:\windows\Installer\d9ef.msi
+ 2006-09-21 06:33 . 2006-09-21 06:33 389120 c:\windows\Installer\d9e9.msi
+ 2006-09-21 06:33 . 2006-09-21 06:33 586752 c:\windows\Installer\d9e2.msi
+ 2006-09-21 06:33 . 2006-09-21 06:33 435200 c:\windows\Installer\d9dc.msi
+ 2006-09-21 06:33 . 2006-09-21 06:33 983040 c:\windows\Installer\d9d6.msi
+ 2006-09-21 06:32 . 2006-09-21 06:32 252416 c:\windows\Installer\d9c5.msi
+ 2006-09-21 06:32 . 2006-09-21 06:32 690688 c:\windows\Installer\d9b5.msi
+ 2006-09-21 06:31 . 2006-09-21 06:31 314368 c:\windows\Installer\d9a9.msi
+ 2006-09-21 06:31 . 2006-09-21 06:31 279552 c:\windows\Installer\d997.msi
+ 2006-09-21 06:30 . 2006-09-21 06:30 351232 c:\windows\Installer\d991.msi
+ 2003-02-20 16:20 . 2003-02-20 16:21 264704 c:\windows\Installer\c4fb.msi
+ 2009-06-14 10:13 . 2009-06-14 10:13 648192 c:\windows\Installer\b419303.msi
+ 2008-07-29 09:23 . 2008-07-29 09:23 250880 c:\windows\Installer\b405323.msp
+ 2008-07-29 09:28 . 2008-07-29 09:28 278016 c:\windows\Installer\b405321.msp
+ 2008-07-29 07:40 . 2008-07-29 07:40 291840 c:\windows\Installer\b40531f.msp
+ 2009-06-14 10:12 . 2009-06-14 10:12 137728 c:\windows\Installer\b405319.msi
+ 2008-07-29 05:35 . 2008-07-29 05:35 553472 c:\windows\Installer\b3a6ece.msp
+ 2008-07-29 05:33 . 2008-07-29 05:33 506368 c:\windows\Installer\b3a6ecc.msp
+ 2008-07-29 05:37 . 2008-07-29 05:37 911360 c:\windows\Installer\b3a6ecb.msp
+ 2009-06-14 10:02 . 2009-06-14 10:02 228352 c:\windows\Installer\b386602.msi
+ 2008-10-19 23:52 . 2008-10-19 23:52 518656 c:\windows\Installer\a6ccf6e.msi
+ 2006-12-08 09:05 . 2006-12-08 09:05 188416 c:\windows\Installer\a379d7.msi
+ 2006-10-05 23:55 . 2006-10-05 23:55 305152 c:\windows\Installer\9ae6b.msi
+ 2007-08-23 11:24 . 2007-08-23 11:24 431104 c:\windows\Installer\922a5d.msi
+ 2009-06-20 15:00 . 2009-06-20 15:00 470528 c:\windows\Installer\90846e7.msi
+ 2008-04-29 10:09 . 2008-04-29 10:09 652288 c:\windows\Installer\87d403.msi
+ 2006-10-05 23:28 . 2006-10-05 23:28 430080 c:\windows\Installer\7ee86.msi
+ 2009-03-23 07:52 . 2009-03-23 07:52 355328 c:\windows\Installer\6f90575.msi
+ 2007-11-01 10:07 . 2007-11-01 10:07 390656 c:\windows\Installer\606cfe4.msi
+ 2006-10-28 20:16 . 2006-10-28 20:16 559104 c:\windows\Installer\5aebe4f.msi
+ 2008-11-13 00:17 . 2008-11-13 00:17 432640 c:\windows\Installer\5232ab2.msi
+ 2007-11-27 07:54 . 2007-11-27 07:54 537600 c:\windows\Installer\50dd7.msi
+ 2008-05-18 02:49 . 2008-05-18 02:49 599040 c:\windows\Installer\4fe2ac.msi
+ 2008-06-11 02:02 . 2008-06-11 02:02 830464 c:\windows\Installer\4a1fac73.msp
+ 2008-07-28 02:59 . 2008-07-28 02:59 180736 c:\windows\Installer\4a1fac5e.msp
+ 2006-11-19 10:54 . 2006-11-19 10:54 428544 c:\windows\Installer\41d8ba.msi
+ 2008-10-08 03:53 . 2008-10-08 03:53 213504 c:\windows\Installer\25223ed7.msi
+ 2006-10-28 22:22 . 2006-10-28 22:22 428544 c:\windows\Installer\1d27b8.msi
+ 2006-06-13 21:12 . 2006-06-13 21:12 509440 c:\windows\Installer\1d2709.msp
+ 2008-12-08 07:58 . 2008-12-08 07:58 100352 c:\windows\Installer\137f0cb.msi
+ 2007-08-09 08:09 . 2007-08-09 08:09 166400 c:\windows\Installer\13798b.msi
+ 2009-06-15 15:01 . 2009-06-15 15:01 972800 c:\windows\Installer\11701c3d.msi
+ 2008-05-05 11:00 . 2008-05-05 11:00 163840 c:\windows\Installer\100e9ca.msi
+ 2008-05-05 10:58 . 2008-05-05 10:58 243712 c:\windows\Installer\100e9c4.msi
+ 2008-05-05 10:56 . 2008-05-05 10:56 988672 c:\windows\Installer\100e9bd.msi
+ 2008-05-05 10:49 . 2008-05-05 10:49 332288 c:\windows\Installer\100e9ab.msi
+ 2006-10-05 23:55 . 2006-10-05 23:55 313404 c:\windows\Downloaded Installations\CmdHere Powertoy For Windows XP.msi
+ 2008-04-29 10:09 . 2008-04-29 10:09 714752 c:\windows\Downloaded Installations\{ECF5B991-25E3-4F8F-8AF6-67647BEDCAE9}\Venue InterLok Driver Kit.msi
+ 1980-01-01 07:00 . 2004-07-17 18:35 1326080 c:\windows\system32\webfldrs.msi
+ 2007-05-25 00:08 . 2007-05-25 00:08 9609728 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp
+ 2009-05-01 03:49 . 2009-05-01 03:49 4328960 c:\windows\Installer\fab4a7f.msp
+ 2009-04-24 00:31 . 2009-04-24 00:31 1425920 c:\windows\Installer\fab4a69.msp
+ 2009-03-05 03:40 . 2009-03-05 03:40 6819840 c:\windows\Installer\f75db2c.msp
+ 2008-01-14 03:54 . 2008-01-14 03:54 5505024 c:\windows\Installer\f4e89a.msp
+ 2008-01-14 03:53 . 2008-01-14 03:53 5213696 c:\windows\Installer\f4e886.msp
+ 2008-01-25 02:29 . 2008-01-25 02:29 5514752 c:\windows\Installer\f4e872.msp
+ 2007-04-25 03:09 . 2007-04-25 03:09 9944064 c:\windows\Installer\e9233d.msp
+ 2007-04-25 03:10 . 2007-04-25 03:10 6835712 c:\windows\Installer\e92328.msp
+ 2008-09-05 00:08 . 2008-09-05 00:08 5515776 c:\windows\Installer\dbe2e.msp
+ 2006-09-21 06:34 . 2006-09-21 06:34 1107968 c:\windows\Installer\d9fa.msi
+ 2006-09-21 06:32 . 2006-09-21 06:32 5454336 c:\windows\Installer\d9bf.msi
+ 2006-09-21 06:32 . 2006-10-05 23:46 2580480 c:\windows\Installer\d9af.msi
+ 2006-09-21 06:31 . 2006-09-21 06:31 1183232 c:\windows\Installer\d9a3.msi
+ 2006-10-30 04:10 . 2006-10-30 04:10 5864960 c:\windows\Installer\c4068.msp
+ 2009-02-11 02:02 . 2009-02-11 02:02 5519872 c:\windows\Installer\bf42b30.msp
+ 2008-04-18 02:26 . 2008-04-18 02:26 5518336 c:\windows\Installer\b7dd782.msp
+ 2008-04-01 02:33 . 2008-04-01 02:33 5479936 c:\windows\Installer\b7dd76d.msp
+ 2008-12-11 22:09 . 2008-12-11 22:09 5517824 c:\windows\Installer\b65a0.msp
+ 2009-06-14 10:14 . 2009-06-14 10:14 3682816 c:\windows\Installer\b41930a.msi
+ 2008-07-29 07:26 . 2008-07-29 07:26 1043456 c:\windows\Installer\b405322.msp
+ 2008-07-29 08:37 . 2008-07-29 08:37 2679808 c:\windows\Installer\b405320.msp
+ 2008-07-29 09:15 . 2008-07-29 09:15 3697664 c:\windows\Installer\b40531e.msp
+ 2008-07-29 07:34 . 2008-07-29 07:34 1448448 c:\windows\Installer\b40531d.msp
+ 2008-07-29 08:22 . 2008-07-29 08:22 4137984 c:\windows\Installer\b40531c.msp
+ 2008-07-29 07:18 . 2008-07-29 07:18 3376640 c:\windows\Installer\b40531b.msp
+ 2008-07-29 05:45 . 2008-07-29 05:45 2543616 c:\windows\Installer\b3a6ed2.msp
+ 2008-07-29 05:29 . 2008-07-29 05:29 2926080 c:\windows\Installer\b3a6ed1.msp
+ 2008-07-29 05:41 . 2008-07-29 05:41 6487040 c:\windows\Installer\b3a6ed0.msp
+ 2008-07-29 05:39 . 2008-07-29 05:39 3403264 c:\windows\Installer\b3a6ecf.msp
+ 2008-07-29 05:43 . 2008-07-29 05:43 1013248 c:\windows\Installer\b3a6ecd.msp
+ 2008-07-29 05:31 . 2008-07-29 05:31 6083072 c:\windows\Installer\b3a6eca.msp
+ 2008-11-26 05:04 . 2008-11-26 05:04 1396224 c:\windows\Installer\afa9c2.msi
+ 2007-09-10 05:01 . 2007-09-10 05:01 5488640 c:\windows\Installer\a45e1e.msp
+ 2007-07-23 04:40 . 2007-07-23 04:40 9945600 c:\windows\Installer\922a9b.msp
+ 2007-07-24 03:02 . 2007-07-24 03:02 5240320 c:\windows\Installer\922a86.msp
+ 2007-05-21 21:46 . 2007-05-21 21:46 6108672 c:\windows\Installer\922a71.msp
+ 2008-04-29 10:08 . 2008-04-29 10:08 2127872 c:\windows\Installer\87d3fd.msi
+ 2006-09-21 06:07 . 2006-09-21 06:07 3443712 c:\windows\Installer\7a3c2.msi
+ 2007-01-13 04:57 . 2007-01-13 04:57 2211328 c:\windows\Installer\79dc4f.msi
+ 2009-05-03 19:46 . 2009-05-03 19:46 8299008 c:\windows\Installer\667384.msp
+ 2009-05-12 01:01 . 2009-05-12 01:01 6818816 c:\windows\Installer\66737b.msp
+ 2009-04-24 00:30 . 2009-04-24 00:30 2583552 c:\windows\Installer\667366.msp
+ 2009-05-28 00:32 . 2009-05-28 00:32 5518848 c:\windows\Installer\66735c.msp
+ 2009-04-23 05:57 . 2009-04-23 05:57 7672832 c:\windows\Installer\667347.msp
+ 2007-05-24 23:55 . 2007-05-24 23:55 5265408 c:\windows\Installer\5ff55.msp
+ 2007-04-25 03:14 . 2007-04-25 03:14 9828864 c:\windows\Installer\5ff40.msp
+ 2007-11-01 09:33 . 2007-11-01 09:33 1155072 c:\windows\Installer\5e69fd8.msi
+ 2005-10-26 21:59 . 2005-10-26 21:59 2883072 c:\windows\Installer\5dd2a9b.msp
+ 2006-09-06 22:53 . 2006-09-06 22:53 5175808 c:\windows\Installer\5dd2a86.msp
+ 2008-01-30 21:30 . 2008-01-30 21:30 9947648 c:\windows\Installer\5bba04f.msp
+ 2008-02-15 01:57 . 2008-02-15 01:57 5517312 c:\windows\Installer\5766bdc.msp
+ 2008-10-24 20:15 . 2008-10-24 20:15 6227456 c:\windows\Installer\5232adb.msp
+ 2008-10-16 20:03 . 2008-10-16 20:03 5518336 c:\windows\Installer\5232ac6.msp
+ 2007-11-27 07:55 . 2007-11-27 07:55 1453568 c:\windows\Installer\50de1.msi
+ 2007-11-27 07:55 . 2007-11-27 07:55 1868800 c:\windows\Installer\50ddc.msi
+ 2007-11-27 07:53 . 2007-11-27 07:53 2892288 c:\windows\Installer\50dd2.msi
+ 2007-11-27 07:44 . 2007-11-27 07:44 5091840 c:\windows\Installer\50dcd.msi
+ 2007-11-27 07:33 . 2007-11-27 07:33 9278976 c:\windows\Installer\50dc9.msi
+ 2008-07-15 22:39 . 2008-07-15 22:39 5519360 c:\windows\Installer\4a1fac9d.msp
+ 2008-07-07 23:27 . 2008-07-07 23:27 8436736 c:\windows\Installer\4a1fac88.msp
+ 2006-10-12 18:50 . 2006-10-12 18:50 1091584 c:\windows\Installer\41d8ce.msp
+ 2006-10-06 23:15 . 2006-10-06 23:15 5185024 c:\windows\Installer\41d8b2.msp
+ 2007-06-19 03:48 . 2007-06-19 03:48 5247488 c:\windows\Installer\3e756.msp
+ 2007-06-05 02:48 . 2007-06-05 02:48 9944064 c:\windows\Installer\3e741.msp
+ 2008-11-17 00:54 . 2008-11-17 00:54 3443200 c:\windows\Installer\3b67d.msi
+ 2007-09-18 01:18 . 2007-09-18 01:18 5489152 c:\windows\Installer\37f3a.msp
+ 2007-11-15 23:58 . 2007-11-15 23:58 5495296 c:\windows\Installer\36538f.msp
+ 2007-11-07 22:42 . 2007-11-07 22:42 4158464 c:\windows\Installer\36537b.msp
+ 2007-01-24 00:05 . 2007-01-24 00:05 5228544 c:\windows\Installer\355838.msp
+ 2006-12-19 02:42 . 2006-12-19 02:42 6649856 c:\windows\Installer\35580e.msp
+ 2007-01-18 21:46 . 2007-01-18 21:46 6814208 c:\windows\Installer\3557ef.msp
+ 2006-12-17 22:48 . 2006-12-17 22:48 5444096 c:\windows\Installer\3557da.msp
+ 2007-01-23 18:48 . 2007-01-23 18:48 9804800 c:\windows\Installer\3557c5.msp
+ 2007-01-09 21:05 . 2007-01-09 21:05 9921024 c:\windows\Installer\3557b0.msp
+ 2006-11-20 03:37 . 2006-11-20 03:37 6553088 c:\windows\Installer\35579b.msp
+ 2008-04-18 23:25 . 2008-04-18 23:25 3283456 c:\windows\Installer\338a4f4.msi
+ 2008-04-18 23:23 . 2008-04-18 23:23 1635328 c:\windows\Installer\338a4ef.msi
+ 2008-04-18 23:23 . 2008-04-18 23:23 8984576 c:\windows\Installer\338a4ea.msi
+ 2008-04-18 23:20 . 2008-04-18 23:20 2793984 c:\windows\Installer\338a28a.msi
+ 2006-10-18 04:26 . 2006-10-18 04:26 5922816 c:\windows\Installer\3322bc2.msi
+ 2006-09-22 14:30 . 2006-09-22 14:30 7986176 c:\windows\Installer\2da94.msi
+ 2009-06-19 09:37 . 2009-06-19 09:37 4570624 c:\windows\Installer\2b9bfdc.msi
+ 2008-05-14 23:50 . 2008-05-14 23:50 5515776 c:\windows\Installer\2698c20.msp
+ 2008-10-22 09:43 . 2008-10-22 09:43 6820352 c:\windows\Installer\248fe78.msp
+ 2008-10-22 09:48 . 2008-10-22 09:48 7672832 c:\windows\Installer\248fe63.msp
+ 2008-11-05 01:25 . 2008-11-05 01:25 5518336 c:\windows\Installer\248fe4e.msp
+ 2007-01-13 05:37 . 2007-01-13 05:37 1306624 c:\windows\Installer\238c66.msi
+ 2008-06-19 05:28 . 2008-06-19 05:28 1573376 c:\windows\Installer\213a67e.msp
+ 2007-07-21 00:26 . 2007-07-21 00:26 7574016 c:\windows\Installer\213a652.msp
+ 2008-10-19 21:18 . 2008-10-19 21:18 6474240 c:\windows\Installer\213a64b.msp
+ 2006-10-17 03:11 . 2006-10-17 03:11 2447360 c:\windows\Installer\212763.msi
+ 2009-01-14 02:43 . 2009-01-14 02:43 5520384 c:\windows\Installer\20c191.msp
+ 2009-03-20 23:40 . 2009-03-20 23:40 1947648 c:\windows\Installer\1f2038cb.msi
+ 2008-06-11 03:05 . 2008-06-11 03:05 9994240 c:\windows\Installer\1ef750.msp
+ 2008-06-10 02:09 . 2008-06-10 02:09 5517312 c:\windows\Installer\1ef737.msp
+ 2007-11-01 20:30 . 2007-11-01 20:30 7554048 c:\windows\Installer\1e7c43.msp
+ 2006-11-13 23:22 . 2006-11-13 23:22 5248512 c:\windows\Installer\1d41ab.msp
+ 2006-09-11 19:19 . 2006-09-11 19:19 6253056 c:\windows\Installer\1d27b1.msp
+ 2006-09-19 23:13 . 2006-09-19 23:13 8272896 c:\windows\Installer\1d275d.msp
+ 2006-08-16 05:36 . 2006-08-16 05:36 5206528 c:\windows\Installer\1d2733.msp
+ 2006-07-18 00:11 . 2006-07-18 00:11 4578816 c:\windows\Installer\1d271f.msp
+ 2006-02-04 00:00 . 2006-02-04 00:00 9357824 c:\windows\Installer\1d26f3.msp
+ 2006-02-04 00:00 . 2006-02-04 00:00 4008448 c:\windows\Installer\1d26f2.msp
+ 2008-12-08 08:35 . 2008-12-08 08:35 6425600 c:\windows\Installer\1d06a9.msi
+ 2008-03-16 05:11 . 2008-03-16 05:11 5512704 c:\windows\Installer\1cef233.msp
+ 2008-03-15 07:16 . 2008-03-15 07:16 1539072 c:\windows\Installer\1bd1817.msi
+ 2008-05-19 06:29 . 2008-05-19 06:29 3236352 c:\windows\Installer\19b91.msi
+ 2008-08-14 03:01 . 2008-08-14 03:01 5517312 c:\windows\Installer\191b426.msp
+ 2009-04-06 05:00 . 2009-04-06 05:00 5518336 c:\windows\Installer\183782c8.msp
+ 2007-11-02 06:16 . 2007-11-02 06:16 1229824 c:\windows\Installer\166c57.msi
+ 2008-05-06 11:22 . 2008-05-06 11:22 7974912 c:\windows\Installer\116d769.msi
+ 2008-05-05 10:56 . 2008-05-05 10:56 5198848 c:\windows\Installer\100e9b6.msi
+ 2008-04-29 10:08 . 2008-11-17 00:51 5913088 c:\windows\Downloaded Installations\{0B582256-ADA3-4E85-99B9-02DB734B2BD2}\Sentinel Protection Installer 7.3.2.msi
+ 2006-10-06 00:17 . 2002-07-02 04:38 1325568 c:\windows\$NtServicePackUninstall$\webfldrs.msi
+ 2009-02-25 07:07 . 2009-02-25 07:07 11646464 c:\windows\Installer\f75db34.msp
+ 2008-01-14 02:24 . 2008-01-14 02:24 10721280 c:\windows\Installer\f4e85d.msp
+ 2008-01-14 03:50 . 2008-01-14 03:50 11887104 c:\windows\Installer\f4e848.msp
+ 2006-10-06 14:33 . 2006-10-06 14:33 21034496 c:\windows\Installer\ef411b.msi
+ 2008-04-14 02:26 . 2008-04-14 02:26 11888128 c:\windows\Installer\b7dd759.msp
+ 2009-06-14 10:32 . 2009-06-14 10:32 12904960 c:\windows\Installer\b419310.msi
+ 2008-08-13 01:49 . 2008-08-13 01:49 11816960 c:\windows\Installer\9c50d.msp
+ 2007-04-30 21:29 . 2007-04-30 21:29 10994688 c:\windows\Installer\5ff6a.msp
+ 2005-08-08 21:22 . 2005-08-08 21:22 48783360 c:\windows\Installer\5dd2a70.msp
+ 2008-01-30 20:45 . 2008-01-30 20:45 11565056 c:\windows\Installer\5766c07.msp
+ 2008-02-29 09:09 . 2008-02-29 09:09 16907776 c:\windows\Installer\5766bf2.msp
+ 2008-07-07 22:09 . 2008-07-07 22:09 11887616 c:\windows\Installer\4a1facb2.msp
+ 2008-06-30 21:25 . 2008-06-30 21:25 11814912 c:\windows\Installer\4a1fac4a.msp
+ 2008-03-16 23:48 . 2008-03-16 23:48 11813888 c:\windows\Installer\4727945.msp
+ 2007-07-13 22:50 . 2007-07-13 22:50 15256576 c:\windows\Installer\3e72d.msp
+ 2007-01-18 01:29 . 2007-01-18 01:29 10978816 c:\windows\Installer\355823.msp
+ 2008-10-19 21:22 . 2008-10-19 21:22 11758592 c:\windows\Installer\213a68e.msp
+ 2008-08-10 22:51 . 2008-08-10 22:51 15916544 c:\windows\Installer\213a686.msp
+ 2008-08-10 22:49 . 2008-08-10 22:49 22457344 c:\windows\Installer\213a675.msp
+ 2008-09-23 23:05 . 2008-09-23 23:05 16381440 c:\windows\Installer\213a66d.msp
+ 2007-10-14 10:33 . 2007-10-14 10:33 26646016 c:\windows\Installer\213a666.msp
+ 2006-09-13 05:44 . 2006-09-13 05:44 13737984 c:\windows\Installer\1d279c.msp
+ 2006-09-19 18:23 . 2006-09-19 18:23 12292096 c:\windows\Installer\1d2787.msp
+ 2006-09-12 23:59 . 2006-09-12 23:59 14482944 c:\windows\Installer\1d2772.msp
+ 2006-09-27 21:28 . 2006-09-27 21:28 10256384 c:\windows\Installer\1d2748.msp
+ 2006-10-28 22:18 . 2006-10-28 22:18 19210240 c:\windows\Installer\1d26cf.msp
+ 2008-07-29 20:50 . 2008-07-29 20:50 12506112 c:\windows\Installer\191b451.msp
+ 2008-06-04 01:29 . 2008-06-04 01:29 16905728 c:\windows\Installer\191b43c.msp
+ 2007-08-09 08:12 . 2007-08-09 08:12 10237952 c:\windows\Installer\137990.msi
+ 2006-09-22 14:51 . 2006-09-22 14:51 54668800 c:\windows\Downloaded Installations\{91C8C962-0850-4C84-9597-56BAE1BD614F}\Client Security Solution.msi
+ 2006-10-06 13:02 . 2007-06-10 23:57 90358784 c:\windows\Downloaded Installations\{624FE5AF-1F31-404F-A9CC-3D451530446A}\Rescue and Recovery - Client Security Solution.msi
+ 2006-10-17 06:48 . 2006-10-17 06:48 82264576 c:\windows\Downloaded Installations\{462CED12-459C-4FC5-8BF0-AB6D4B18F9E5}\Rescue and Recovery.msi
+ 2007-01-13 04:56 . 2007-01-13 04:56 17034240 c:\windows\Downloaded Installations\{25D23AE7-0A18-4894-A076-024E544772BA}\ACDSee for PENTAX 2.0.msi
+ 2007-07-26 21:03 . 2007-07-26 21:03 119977472 c:\windows\Installer\2072b83.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

c:\documents and settings\NICKATTACK\Start Menu\Programs\Startup\
Logitech . Product Registration.lnk - c:\program files\Logitech\QuickCam\eReg.exe [2008-2-13 493832]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-10-6 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI5"=diomidi.dll
"wave5"=Digi32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan\0lsdelete

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli csspwntfy

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^NICKATTACK^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\NICKATTACK\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^NICKATTACK^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=c:\documents and settings\NICKATTACK\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=c:\windows\pss\Last.fm Helper.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\mentalray\\satellite\\raysat_3dsmax2010_32server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\mentalray\\satellite\\raysat_3dsmax2010_32.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys [8/21/2006 8:04 PM 6912]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [9/21/2006 6:21 PM 58568]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [9/21/2006 6:21 PM 15360]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [4/29/2008 10:09 PM 11776]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [8/21/2006 8:44 PM 12544]
R2 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [3/12/2009 5:36 PM 86016]
R2 PrivateDisk;PrivateDisk;c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\privatediskm.sys [11/16/2005 8:11 AM 46142]
R2 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [9/21/2006 6:21 PM 4433]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [8/21/2006 8:10 PM 3968]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 koreavs;koreavs;c:\windows\system32\drivers\koreavs.sys [6/14/2007 9:20 PM 25088]
S3 koreusb;koreusb;c:\windows\system32\drivers\koreusb.sys [6/14/2007 9:20 PM 82944]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [5/29/2008 11:38 PM 30946]
S3 TPM11;NSC Integrated Trusted Platform Module 1.1;c:\windows\system32\drivers\nsctpm11.sys [7/15/2006 11:37 AM 14336]
S3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [7/10/2007 9:06 PM 55840]
.
Contents of the 'Scheduled Tasks' folder

2009-05-23 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2006-09-21 08:36]

2009-07-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-12 09:42]

2009-07-10 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 06:20]

2009-07-03 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\Navw32.exe [2006-09-22 01:22]

2006-09-22 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2006-09-21 00:17]

2009-07-10 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-22 10:18]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{A93A4625-6216-499C-B360-BBD0A7C0D479} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.cn/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\NICKATTACK\Application Data\Mozilla\Firefox\Profiles\f1sqrupv.default\
FF - prefs.js: browser.startup.homepage - www.blackle.co.nz
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvlc.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-10 15:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(812)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll

- - - - - - - > 'lsass.exe'(872)
c:\program files\IBM ThinkVantage\Client Security Solution\csspwntfy.dll
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtsp.dll
c:\program files\IBM ThinkVantage\Client Security Solution\tcsrpc.dll
c:\program files\IBM ThinkVantage\Client Security Solution\cssuserdatadispatcher.dll

- - - - - - - > 'explorer.exe'(6648)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
c:\program files\Common Files\Ahead\Lib\BCGCBPRO860un71.dll
c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\windows\system32\TpShocks.exe
c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
c:\windows\system32\rundll32.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
c:\progra~1\ThinkPad\UTILIT~1\EZEJMNAP.EXE
c:\program files\Common Files\Symantec Shared\CCAPP.EXE
c:\program files\IBM\Messages By IBM\ibmmessages.exe
c:\windows\system32\dla\tfswctrl.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\TpScrLk.exe
c:\program files\ThinkPad\ConnectUtilities\ACTray.exe
c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe
c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
c:\program files\QuickTime\QTTask.exe
c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
c:\program files\Logitech\QuickCam\Quickcam.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\program files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2009-07-10 15:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-10 03:51
ComboFix2.txt 2009-06-21 13:30
ComboFix3.txt 2009-06-18 23:49

Pre-Run: 3,112,116,224 bytes free
Post-Run: 3,092,439,040 bytes free

508 --- E O F --- 2009-07-10 02:48


---------------------------------------------------------------------------


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, July 11, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, July 10, 2009 10:32:24
Records in database: 2456303
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 157837
Threat name: 23
Infected objects: 49
Suspicious objects: 0
Duration of the scan: 03:02:33


File name / Threat name / Threats count
C:\Documents and Settings\NICKATTACK\Desktop\back from celia's comp\nd\disk.exe Infected: Trojan-Downloader.Win32.VB.hup 1
C:\Documents and Settings\NICKATTACK\Desktop\back from celia's comp\nd\nick's folder.exe Infected: Trojan-Downloader.Win32.VB.hup 1
C:\Program Files\Common Files\Microsoft Shared\MSInfo\ATMQQ2.DLL.del Infected: Trojan-PSW.Win32.QQPass.ajx 1
C:\Program Files\Common Files\Microsoft Shared\MSInfo\QQGS1.DLL.del Infected: Trojan-PSW.Win32.QQPass.zu 1
C:\Program Files\DAEMON Tools\SetupDTSB.exe Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1
C:\Program Files\Internet Explorer\IEXPLORE32.DAT.del Infected: Trojan-Spy.Win32.Delf.cis 1
C:\Program Files\Internet Explorer\IEXPLORE32.SYS.del Infected: Trojan-Spy.Win32.Delf.cis 1
C:\Program Files\Internet Explorer\IEXPLORE32.WIN.del Infected: Trojan-Spy.Win32.Delf.cit 1
C:\Program Files\Norton AntiVirus\Quarantine\1E3235BB Infected: Trojan-Downloader.Win32.IstBar.ja 1
C:\Program Files\Norton AntiVirus\Quarantine\1E3235BB Infected: Trojan-Downloader.Win32.IstBar.nn 1
C:\Program Files\Norton AntiVirus\Quarantine\1F0E7C3C Infected: not-a-virus:AdWare.Win32.CommonName.b 1
C:\Qoobox\Quarantine\C\DOCUME~1\NICKAT~1\LOCALS~1\Temp\E_4\eAPI.fne.vir Infected: Trojan.Win32.Agent.aueo 1
C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\PLUGINS\SysWin74.Jmp.vir Infected: Trojan-PSW.Win32.QQPass.afp 1
C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\PLUGINS\WINSYS84.SYS.del.vir Infected: Trojan-PSW.Win32.QQPass.afp 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\5599.EXE.vir Infected: Trojan-Downloader.Win32.Small.agqg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\eAPI.fne.vir Infected: Trojan.Win32.Agent.aueo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\meex.com.vir Infected: Worm.Win32.AutoRun.dfq 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\XP-04C704A7.EXE.vir Infected: Trojan-Downloader.Win32.VB.hup 1
C:\Qoobox\Quarantine\G\autorun.inf.vir Infected: Trojan-Downloader.Win32.VB.eql 1
C:\Qoobox\Quarantine\[4]-Submit_2009-07-10_15.05.00.zip Infected: Worm.Win32.AutoRun.dfq 1
C:\Qoobox\Quarantine\[4]-Submit_2009-07-10_15.05.00.zip Infected: Trojan.Win32.FlyStudio.iw 1
C:\Qoobox\Quarantine\[4]-Submit_2009-07-10_15.05.00.zip Infected: Trojan.Win32.Agent.aiqt 1
C:\Qoobox\Quarantine\[4]-Submit_2009-07-10_15.05.00.zip Infected: Trojan.Win32.Agent.akwn 1
C:\Qoobox\Quarantine\[4]-Submit_2009-07-10_15.05.00.zip Infected: Trojan.Win32.Agent.anri 1
C:\Qoobox\Quarantine\[4]-Submit_2009-07-10_15.05.00.zip Infected: Trojan.Win32.Agent.aowz 1
C:\Qoobox\Quarantine\[4]-Submit_2009-07-10_15.05.00.zip Infected: Trojan.Win32.Agent.aqyc 1
C:\Qoobox\Quarantine\[4]-Submit_2009-07-10_15.05.00.zip Infected: Trojan-Downloader.Win32.Small.agqg 1
C:\Qoobox\Quarantine\[4]-Submit_2009-07-10_15.05.00.zip Infected: Trojan.Win32.Agent.atsm 1
C:\Qoobox\Quarantine\[4]-Submit_2009-07-10_15.05.00.zip Infected: Trojan.Win32.Agent2.fbg 1
C:\Qoobox\Quarantine\[4]-Submit_2009-07-10_15.05.00.zip Infected: Trojan.Win32.FlyStudio.ix 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP801\A0131413.EXE Infected: Trojan-Downloader.Win32.VB.hup 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP801\A0131414.EXE Infected: Trojan-Downloader.Win32.VB.hup 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP801\A0131415.EXE Infected: Trojan-Downloader.Win32.VB.hup 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP801\A0131416.EXE Infected: Trojan-Downloader.Win32.VB.hup 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP801\A0131417.EXE Infected: Trojan-Downloader.Win32.VB.hup 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP801\A0131418.EXE Infected: Trojan-Downloader.Win32.VB.hup 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP801\A0131419.EXE Infected: Trojan-Downloader.Win32.VB.hup 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP801\A0131420.EXE Infected: Trojan-Downloader.Win32.VB.hup 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP803\A0131557.com Infected: Worm.Win32.AutoRun.dfq 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP803\A0131560.EXE Infected: Trojan-Downloader.Win32.VB.hup 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP803\A0131567.EXE Infected: Trojan-Downloader.Win32.Small.agqg 1
C:\WINDOWS\system32\2CDCF0.EXE Infected: Trojan.Win32.Agent.anri 1
C:\WINDOWS\system32\83FCCE7.EXE Infected: Trojan.Win32.Agent.aqyc 1
C:\WINDOWS\system32\8AC8571.EXE Infected: Trojan.Win32.Agent.atsm 1
C:\WINDOWS\system32\AN7B22C.EXE Infected: Trojan.Win32.Agent2.fbg 1
C:\WINDOWS\system32\AP7B22C.EXE Infected: Trojan.Win32.FlyStudio.iw 1
C:\WINDOWS\system32\BP7B22C.EXE Infected: Trojan.Win32.FlyStudio.ix 1
C:\WINDOWS\system32\GWTHTIS.EXE.del Infected: Worm.Win32.AutoRun.dfq 1
C:\WINDOWS\system32\SYBQNUB.EXE.del Infected: Worm.Win32.AutoRun.dfq 1

The selected area was scanned.
niksgt is offline  
Old 07-10-2009, 07:05 PM   #8 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 20
OS: Windows XP, SP 2


Re: Firefox browser hijack and flash drive folders becoming .exe

I have added the Kaspersky Scan results for my external hard drive also:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, July 11, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, July 11, 2009 00:48:44
Records in database: 2458385
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Folder:
G:\

Scan statistics:
Files scanned: 10002
Threat name: 3
Infected objects: 16
Suspicious objects: 0
Duration of the scan: 00:17:01


File name / Threat name / Threats count
G:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP691\A0111961.exe Infected: Trojan-Downloader.Win32.VB.hup 1
G:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP691\A0111962.inf Infected: Trojan-Downloader.Win32.VB.eql 1
G:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP711\A0115646.exe Infected: Trojan-Downloader.Win32.VB.hup 1
G:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP711\A0115647.inf Infected: Trojan-Downloader.Win32.VB.eql 1
G:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP750\A0116605.exe Infected: Trojan-Downloader.Win32.VB.hup 1
G:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP802\A0131477.exe Infected: Trojan-Downloader.Win32.VB.hup 1
G:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP802\A0131478.inf Infected: Trojan-Downloader.Win32.VB.eql 1
G:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP803\A0131558.inf Infected: Trojan-Downloader.Win32.VB.eql 1
G:\bck-up\New Folder\A0068642.exe Infected: Worm.Win32.AutoRun.dfq 1
G:\wmv\System Volume Information.exe Infected: Trojan-Downloader.Win32.VB.hup 1
G:\Recycled.exe Infected: Trojan-Downloader.Win32.VB.hup 1
G:\.Trashes.exe Infected: Trojan-Downloader.Win32.VB.hup 1
G:\RECYCLER.exe Infected: Trojan-Downloader.Win32.VB.hup 1
G:\bck-up.exe Infected: Trojan-Downloader.Win32.VB.hup 1
G:\System Volume Information.exe Infected: Trojan-Downloader.Win32.VB.hup 1
G:\wmv.exe Infected: Trojan-Downloader.Win32.VB.hup 1

The selected area was scanned.
niksgt is offline  
Old 07-10-2009, 07:30 PM   #9 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,562
OS: WinXP and Vista


Re: Firefox browser hijack and flash drive folders becoming .exe

Hi niksgt,

Make sure your external drive is connected for this next step.

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Open notepad and copy/paste the text in the code box below into it:

Quote:

File::
C:\Documents and Settings\NICKATTACK\Desktop\back from celia's comp\nd\disk.exe
C:\Documents and Settings\NICKATTACK\Desktop\back from celia's comp\nd\nick's folder.exe
C:\Program Files\Common Files\Microsoft Shared\MSInfo\ATMQQ2.DLL.del
C:\Program Files\Common Files\Microsoft Shared\MSInfo\QQGS1.DLL.del
C:\Program Files\DAEMON Tools\SetupDTSB.exe
C:\Program Files\Internet Explorer\IEXPLORE32.DAT.del
C:\Program Files\Internet Explorer\IEXPLORE32.SYS.del
C:\Program Files\Internet Explorer\IEXPLORE32.WIN.del
C:\WINDOWS\system32\2CDCF0.EXE
C:\WINDOWS\system32\83FCCE7.EXE
C:\WINDOWS\system32\8AC8571.EXE
C:\WINDOWS\system32\AN7B22C.EXE
C:\WINDOWS\system32\AP7B22C.EXE
C:\WINDOWS\system32\BP7B22C.EXE
C:\WINDOWS\system32\GWTHTIS.EXE.del
C:\WINDOWS\system32\SYBQNUB.EXE.del
G:\bck-up\New Folder\A0068642.exe
G:\wmv\System Volume Information.exe
G:\Recycled.exe
G:\.Trashes.exe
G:\RECYCLER.exe
G:\bck-up.exe
G:\wmv.exe
Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


***************************************************





Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 07-10-2009, 08:31 PM   #10 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 20
OS: Windows XP, SP 2


Re: Firefox browser hijack and flash drive folders becoming .exe

Hi Ried,

Thanks for your quick reply - amazing!

I just ran a kaspersky scan on all my other drives. One more has infections detected, I've attached the kaspersky scan. I assume it would be best to add this to your script also, so I won't do anything until I hear back from you.

Thanks

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, July 11, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, July 11, 2009 03:04:07
Records in database: 2458848
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Folder:
F:\

Scan statistics:
Files scanned: 679
Threat name: 2
Infected objects: 7
Suspicious objects: 0
Duration of the scan: 00:00:45


File name / Threat name / Threats count
F:\autorun.inf Infected: Trojan-Downloader.Win32.VB.eql 1
F:\MEM STICK\.Spotlight-V100.exe Infected: Trojan-Downloader.Win32.VB.hup 1
F:\MEM STICK\.Trashes.exe Infected: Trojan-Downloader.Win32.VB.hup 1
F:\MEM STICK\council.exe Infected: Trojan-Downloader.Win32.VB.hup 1
F:\MEM STICK\Nick's disk.exe Infected: Trojan-Downloader.Win32.VB.hup 1
F:\MEM STICK\pdf.exe Infected: Trojan-Downloader.Win32.VB.hup 1
F:\Recycled.exe Infected: Trojan-Downloader.Win32.VB.hup 1

The selected area was scanned.
niksgt is offline  
Old 07-10-2009, 09:15 PM   #11 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,562
OS: WinXP and Vista


Re: Firefox browser hijack and flash drive folders becoming .exe

Here you go.

Make sure both of those drives are connected or the script will fail to delete those files.

Open notepad and copy/paste the text in the code box below into it:

Quote:

File::
C:\Documents and Settings\NICKATTACK\Desktop\back from celia's comp\nd\disk.exe
C:\Documents and Settings\NICKATTACK\Desktop\back from celia's comp\nd\nick's folder.exe
C:\Program Files\Common Files\Microsoft Shared\MSInfo\ATMQQ2.DLL.del
C:\Program Files\Common Files\Microsoft Shared\MSInfo\QQGS1.DLL.del
C:\Program Files\DAEMON Tools\SetupDTSB.exe
C:\Program Files\Internet Explorer\IEXPLORE32.DAT.del
C:\Program Files\Internet Explorer\IEXPLORE32.SYS.del
C:\Program Files\Internet Explorer\IEXPLORE32.WIN.del
C:\WINDOWS\system32\2CDCF0.EXE
C:\WINDOWS\system32\83FCCE7.EXE
C:\WINDOWS\system32\8AC8571.EXE
C:\WINDOWS\system32\AN7B22C.EXE
C:\WINDOWS\system32\AP7B22C.EXE
C:\WINDOWS\system32\BP7B22C.EXE
C:\WINDOWS\system32\GWTHTIS.EXE.del
C:\WINDOWS\system32\SYBQNUB.EXE.del
G:\bck-up\New Folder\A0068642.exe
G:\wmv\System Volume Information.exe
G:\Recycled.exe
G:\.Trashes.exe
G:\RECYCLER.exe
G:\bck-up.exe
G:\wmv.exe
F:\autorun.inf
F:\MEM STICK\.Spotlight-V100.exe
F:\MEM STICK\.Trashes.exe
F:\MEM STICK\council.exe
F:\MEM STICK\Nick's disk.exe
F:\MEM STICK\pdf.exe
F:\Recycled.exe
Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************





Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt. Please post that log here for further review, along with an update on system behavior.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 07-11-2009, 02:37 AM   #12 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 20
OS: Windows XP, SP 2


Re: Firefox browser hijack and flash drive folders becoming .exe

Great, thanks!

Combofix.txt is below.

The missing folders have returned to my external hard drives, although the .exe files are still there (eg. the folder 'bck-up' has returned but bck-up.exe still exists). Should I delete these?

Best wishes


ComboFix 09-07-09.06 - NICKATTACK 07/11/2009 15:33.7.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.575 [GMT 12:00]
Running from: c:\documents and settings\NICKATTACK\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\NICKATTACK\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {B5510F6F-87E1-47F7-A411-360BC453007C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\TEMP\logishrd\LVPrcInj01.dll
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-06-11 to 2009-07-11 )))))))))))))))))))))))))))))))
.

2009-06-20 15:00 . 2009-06-20 15:00 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-06-19 09:37 . 2009-06-19 09:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Logishrd
2009-06-19 09:37 . 2009-06-19 09:40 -------- d-----w- c:\program files\Common Files\LogiShrd
2009-06-19 09:37 . 2009-06-19 09:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2009-06-19 09:37 . 2009-06-19 09:37 -------- d-----w- c:\program files\Logitech
2009-06-18 08:17 . 2009-07-03 03:19 -------- d-----w- c:\documents and settings\NICKATTACK\Local Settings\Application Data\WMTools Downloaded Files
2009-06-16 03:43 . 2009-06-16 03:43 -------- d-----w- c:\documents and settings\NICKATTACK\Application Data\Autodesk
2009-06-16 02:08 . 2009-06-16 02:08 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-06-16 02:07 . 2009-06-16 02:07 -------- d-----w- c:\documents and settings\NICKATTACK\Local Settings\Application Data\Autodesk
2009-06-14 10:32 . 2009-06-14 10:32 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-06-14 10:30 . 2009-06-14 10:32 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2009-06-14 10:27 . 2009-06-16 03:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2009-06-14 10:14 . 2009-06-14 10:33 -------- d-----w- c:\program files\Autodesk
2009-06-14 10:13 . 2008-07-30 22:41 68616 ----a-w- c:\windows\system32\XAPOFX1_1.dll
2009-06-14 10:13 . 2008-07-30 22:40 509448 ----a-w- c:\windows\system32\XAudio2_2.dll
2009-06-14 10:13 . 2008-07-30 22:41 238088 ----a-w- c:\windows\system32\xactengine3_2.dll
2009-06-14 10:13 . 2008-07-11 20:18 467984 ----a-w- c:\windows\system32\d3dx10_39.dll
2009-06-14 10:13 . 2008-07-11 20:18 1493528 ----a-w- c:\windows\system32\D3DCompiler_39.dll
2009-06-14 10:13 . 2008-07-11 20:18 3851784 ----a-w- c:\windows\system32\D3DX9_39.dll
2009-06-14 10:13 . 2007-05-16 04:45 443752 ----a-w- c:\windows\system32\d3dx10_34.dll
2009-06-14 10:13 . 2007-05-16 04:45 1124720 ----a-w- c:\windows\system32\D3DCompiler_34.dll
2009-06-14 10:13 . 2007-05-16 04:45 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll
2009-06-14 10:13 . 2006-11-29 01:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-06-14 10:13 . 2006-09-28 04:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2009-06-14 10:13 . 2009-06-14 10:13 -------- d-----w- c:\windows\Logs
2009-06-14 10:12 . 2009-06-17 05:08 258584 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-14 10:11 . 2009-06-14 10:11 -------- d-----w- c:\windows\system32\XPSViewer
2009-06-14 10:11 . 2009-06-14 10:11 -------- d-----w- c:\program files\MSBuild
2009-06-14 10:11 . 2009-06-14 10:11 -------- d-----w- c:\program files\Reference Assemblies
2009-06-14 10:10 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-06-14 10:10 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-06-14 10:10 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-06-14 10:10 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-06-14 10:10 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-06-14 10:10 . 2009-06-14 10:11 -------- d-----w- C:\9d3084bc6b5eda843311eef063d0
2009-06-14 10:10 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-06-14 10:10 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-06-14 10:09 . 2009-06-17 05:09 -------- d-----w- c:\windows\SxsCaPendDel
2009-06-14 10:05 . 2009-06-14 10:05 -------- d-----w- c:\program files\MSXML 6.0
2009-06-14 09:41 . 2009-06-14 09:41 -------- d-----w- C:\Autodesk
2009-06-12 11:07 . 2009-06-14 00:31 -------- d-----w- c:\documents and settings\NICKATTACK\Application Data\Download Manager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-10 13:31 . 2008-11-26 05:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-10 09:09 . 2008-12-09 04:26 -------- d-----w- c:\program files\DVDlabPro2
2009-07-10 02:06 . 2006-11-12 02:11 -------- d-----w- c:\program files\Soulseek
2009-07-01 03:52 . 2006-10-29 00:41 -------- d-----w- c:\documents and settings\NICKATTACK\Application Data\AdobeUM
2009-06-30 06:59 . 2007-11-02 06:22 -------- d-----w- c:\documents and settings\NICKATTACK\Application Data\Skype
2009-06-30 06:54 . 2009-06-19 09:40 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-06-30 06:54 . 2009-06-19 09:40 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-06-22 03:50 . 2008-10-08 01:21 -------- d-----w- c:\documents and settings\NICKATTACK\Application Data\foobar2000
2009-06-18 01:34 . 2008-02-22 08:19 -------- d-----w- c:\documents and settings\NICKATTACK\Application Data\Azureus
2009-06-17 04:35 . 2008-10-19 23:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-16 03:44 . 2006-09-22 04:40 79080 ----a-w- c:\documents and settings\NICKATTACK\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-06 23:04 . 2006-11-08 07:36 -------- d-----w- c:\program files\Last.fm
2009-05-25 14:50 . 2008-02-22 08:16 -------- d-----w- c:\program files\Azureus
2009-05-23 12:13 . 2009-05-23 12:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrovision
2009-05-23 12:13 . 2009-05-23 12:13 -------- d-----w- c:\program files\Common Files\Macromedia Shared
2009-05-23 12:12 . 2009-05-23 11:05 -------- d-----w- c:\program files\Macromedia
2009-05-23 12:12 . 2006-09-21 06:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-07 15:44 . 1980-01-01 07:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2006-06-23 18:33 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2006-10-06 00:23 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 1980-01-01 07:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2004-03-06 02:16 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2006-05-06 16:42 . 2006-10-26 01:20 7260160 ----a-w- c:\program files\mozilla firefox\plugins\libvlc.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-07-10_03.44.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-10-06 13:02 . 2009-07-10 04:38 90358784 c:\windows\Downloaded Installations\{624FE5AF-1F31-404F-A9CC-3D451530446A}\Rescue and Recovery - Client Security Solution.msi
- 2006-10-06 13:02 . 2007-06-10 23:57 90358784 c:\windows\Downloaded Installations\{624FE5AF-1F31-404F-A9CC-3D451530446A}\Rescue and Recovery - Client Security Solution.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"ibmmessages"="c:\program files\IBM\Messages By IBM\ibmmessages.exe" [2004-01-20 581632]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 864256]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 94208]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2003-12-25 394752]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-09-13 237568]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-09 71328]
"NAV CfgWiz"="c:\program files\Common Files\Symantec Shared\CfgWiz.exe" [2003-08-15 124096]
"ibmmessages"="c:\program files\IBM\Messages By IBM\\ibmmessages.exe" [2004-01-20 581632]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-10-22 114741]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-12-25 106496]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-01-22 344064]
"TPKBDLED"="c:\windows\System32\TpScrLk.exe" [2002-10-09 40960]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2006-10-05 100056]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-04-17 409600]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 98304]
"PDService.exe"="c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-11-15 49152]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-03-28 503808]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-02-13 564496]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-02-13 2196240]
"BluetoothAuthenticationAgent"="irprops.cpl" - c:\windows\system32\irprops.cpl [2004-08-04 380416]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2003-12-17 102400]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2005-10-17 65536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\NICKATTACK\Start Menu\Programs\Startup\
Logitech . Product Registration.lnk - c:\program files\Logitech\QuickCam\eReg.exe [2008-2-13 493832]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-10-6 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 06:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 03:16 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI5"=diomidi.dll
"wave5"=Digi32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan\0lsdelete

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli csspwntfy

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^NICKATTACK^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\NICKATTACK\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^NICKATTACK^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=c:\documents and settings\NICKATTACK\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=c:\windows\pss\Last.fm Helper.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\mentalray\\satellite\\raysat_3dsmax2010_32server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\mentalray\\satellite\\raysat_3dsmax2010_32.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys [8/21/2006 8:04 PM 6912]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [9/21/2006 6:21 PM 58568]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [9/21/2006 6:21 PM 15360]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [4/29/2008 10:09 PM 11776]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [8/21/2006 8:44 PM 12544]
R2 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [3/12/2009 5:36 PM 86016]
R2 PrivateDisk;PrivateDisk;c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\privatediskm.sys [11/16/2005 8:11 AM 46142]
R2 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [9/21/2006 6:21 PM 4433]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [8/21/2006 8:10 PM 3968]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 koreavs;koreavs;c:\windows\system32\drivers\koreavs.sys [6/14/2007 9:20 PM 25088]
S3 koreusb;koreusb;c:\windows\system32\drivers\koreusb.sys [6/14/2007 9:20 PM 82944]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [5/29/2008 11:38 PM 30946]
S3 TPM11;NSC Integrated Trusted Platform Module 1.1;c:\windows\system32\drivers\nsctpm11.sys [7/15/2006 11:37 AM 14336]
S3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [7/10/2007 9:06 PM 55840]
.
Contents of the 'Scheduled Tasks' folder

2009-05-23 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2006-09-21 08:36]

2009-07-11 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-12 09:42]

2009-07-11 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 06:20]

2009-07-10 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\Navw32.exe [2006-09-22 01:22]

2006-09-22 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2006-09-21 00:17]

2009-07-11 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-22 10:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.cn/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\NICKATTACK\Application Data\Mozilla\Firefox\Profiles\f1sqrupv.default\
FF - prefs.js: browser.startup.homepage - www.blackle.co.nz
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvlc.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-11 15:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(812)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll

- - - - - - - > 'lsass.exe'(868)
c:\program files\IBM ThinkVantage\Client Security Solution\csspwntfy.dll
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtsp.dll
c:\program files\IBM ThinkVantage\Client Security Solution\tcsrpc.dll
c:\program files\IBM ThinkVantage\Client Security Solution\cssuserdatadispatcher.dll

- - - - - - - > 'explorer.exe'(6252)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
c:\program files\Common Files\Ahead\Lib\BCGCBPRO860un71.dll
c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\program files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2009-07-11 15:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-11 03:59
ComboFix2.txt 2009-07-10 03:51
ComboFix3.txt 2009-06-21 13:30
ComboFix4.txt 2009-06-18 23:49

Pre-Run: 20,121,239,552 bytes free
Post-Run: 20,189,478,912 bytes free

286 --- E O F --- 2009-07-10 02:48
niksgt is offline  
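The question in the post above (the 'bck-up' folder is back, but bck-up.exe is still sitting next to it) is the signature of this family: the worm hides the real folder and drops an executable with the folder's name, and it also drops executables named after metadata folders (Recycled.exe, .Trashes.exe, System Volume Information.exe) plus an autorun.inf to launch one of them on insertion. The script below is an added example, not code from this thread, from ComboFix or from Kaspersky. It walks a drive root and reports exactly those three things so the list can be pasted into a CFScript. The sample drive it builds in a temporary directory is constructed to mirror the F:\ and G:\ listings in the thread; the file contents (a fake MZ stub, the autorun.inf text, a benign setup.exe) and all function names are assumptions made for the example. Nothing is deleted.

```python
"""Triage a removable drive for the folder-impersonating autorun worm pattern.

Added example (not from the thread, ComboFix or Kaspersky). Given a drive root
it reports:
  * .exe files that sit beside a folder of the same name (the worm hides the
    real folder and drops an executable carrying the folder's name and icon),
  * .exe files named after OS metadata folders, which never exist as files on
    a clean drive,
  * the launch targets in autorun.inf, i.e. what runs when the drive is plugged in.
Nothing is deleted; the findings are what you would put into a CFScript.
"""
import os
import tempfile
from pathlib import Path

# Decoy names taken from the F:\ and G:\ listings in this thread, lower-cased.
METADATA_DECOYS = {
    "recycled", "recycler", "system volume information",
    ".trashes", ".spotlight-v100",
}


def _exe_files(root):
    """Yield (dirpath, sibling_dirnames, filename) for every *.exe under root."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(".exe"):
                yield dirpath, dirnames, name


def find_folder_mimics(root):
    """Relative paths of .exe files whose stem matches a sibling folder name."""
    hits = []
    for dirpath, dirnames, name in _exe_files(root):
        if name[:-4].lower() in {d.lower() for d in dirnames}:
            hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def find_metadata_decoys(root):
    """Relative paths of .exe files named after OS metadata folders."""
    hits = []
    for dirpath, _, name in _exe_files(root):
        if name[:-4].lower() in METADATA_DECOYS:
            hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def parse_autorun(root):
    """Map the launch keys of [autorun] (open, shellexecute, shell\\...) to their targets."""
    path = Path(root) / "autorun.inf"
    if not path.is_file():
        return {}
    targets, section = {}, None
    for raw in path.read_text(encoding="latin-1").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            if key in ("open", "shellexecute") or key.startswith("shell\\"):
                targets[key] = value
    return targets


def triage_drive(root):
    """Full report for one drive root."""
    return {
        "folder_mimics": find_folder_mimics(root),
        "metadata_decoys": find_metadata_decoys(root),
        "autorun_targets": parse_autorun(root),
    }


def build_sample_drive(root):
    """Construct a drive image modelled on the thread's F:\\ and G:\\ listings.

    The contents (a fake 'MZ' stub, a made-up autorun.inf) are invented for
    the example; the thread never shows them.
    """
    root = Path(root)
    for d in ("bck-up", "wmv", "MEM STICK", "MEM STICK/council"):
        (root / d).mkdir(parents=True)
    for f in ("bck-up.exe", "wmv.exe", "Recycled.exe", ".Trashes.exe",
              "MEM STICK/council.exe", "MEM STICK/.Trashes.exe",
              "setup.exe"):  # setup.exe: a legitimate installer, no sibling folder
        (root / f).write_bytes(b"MZ" + b"\0" * 62)
    (root / "wmv" / "holiday.wmv").write_bytes(b"\x30\x26\xb2\x75")
    (root / "autorun.inf").write_text(
        "[autorun]\nopen=Recycled.exe\nshell\\open\\command=Recycled.exe\n"
        "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n")
    return root


def demo():
    """Build the constructed sample drive in a temp dir and return its triage report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_drive(tmp)
        return triage_drive(tmp)


if __name__ == "__main__":
    for section, findings in demo().items():
        print(f"{section}: {findings}")
```

Run it against a real drive with `triage_drive("G:\\")` from the infected machine, or from a clean one with the drive mounted read-only. On Windows you would additionally check `os.stat(p).st_file_attributes` for the HIDDEN and SYSTEM bits on the real folders, which this family sets to keep the originals out of sight; that check is left out here so the example stays portable. Anything it lists is a deletion candidate for the File:: section of a CFScript, and setup.exe (no sibling folder, not a metadata name) is correctly left alone.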
Old 07-11-2009, 02:42 AM   #13 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 20
OS: Windows XP, SP 2


Re: Firefox browser hijack and flash drive folders becoming .exe

Great, thanks!

Combofix.txt is below.

The missing folders have returned to my external hard drives, although the .exe files are still there (eg. the folder 'bck-up' has returned but bck-up.exe still exists). Should I delete these?

Best wishes


ComboFix 09-07-09.06 - NICKATTACK 07/11/2009 15:33.7.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.575 [GMT 12:00]
Running from: c:\documents and settings\NICKATTACK\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\NICKATTACK\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {B5510F6F-87E1-47F7-A411-360BC453007C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\TEMP\logishrd\LVPrcInj01.dll
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-06-11 to 2009-07-11 )))))))))))))))))))))))))))))))
.

2009-06-20 15:00 . 2009-06-20 15:00 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-06-19 09:37 . 2009-06-19 09:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Logishrd
2009-06-19 09:37 . 2009-06-19 09:40 -------- d-----w- c:\program files\Common Files\LogiShrd
2009-06-19 09:37 . 2009-06-19 09:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2009-06-19 09:37 . 2009-06-19 09:37 -------- d-----w- c:\program files\Logitech
2009-06-18 08:17 . 2009-07-03 03:19 -------- d-----w- c:\documents and settings\NICKATTACK\Local Settings\Application Data\WMTools Downloaded Files
2009-06-16 03:43 . 2009-06-16 03:43 -------- d-----w- c:\documents and settings\NICKATTACK\Application Data\Autodesk
2009-06-16 02:08 . 2009-06-16 02:08 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-06-16 02:07 . 2009-06-16 02:07 -------- d-----w- c:\documents and settings\NICKATTACK\Local Settings\Application Data\Autodesk
2009-06-14 10:32 . 2009-06-14 10:32 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-06-14 10:30 . 2009-06-14 10:32 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2009-06-14 10:27 . 2009-06-16 03:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2009-06-14 10:14 . 2009-06-14 10:33 -------- d-----w- c:\program files\Autodesk
2009-06-14 10:13 . 2008-07-30 22:41 68616 ----a-w- c:\windows\system32\XAPOFX1_1.dll
2009-06-14 10:13 . 2008-07-30 22:40 509448 ----a-w- c:\windows\system32\XAudio2_2.dll
2009-06-14 10:13 . 2008-07-30 22:41 238088 ----a-w- c:\windows\system32\xactengine3_2.dll
2009-06-14 10:13 . 2008-07-11 20:18 467984 ----a-w- c:\windows\system32\d3dx10_39.dll
2009-06-14 10:13 . 2008-07-11 20:18 1493528 ----a-w- c:\windows\system32\D3DCompiler_39.dll
2009-06-14 10:13 . 2008-07-11 20:18 3851784 ----a-w- c:\windows\system32\D3DX9_39.dll
2009-06-14 10:13 . 2007-05-16 04:45 443752 ----a-w- c:\windows\system32\d3dx10_34.dll
2009-06-14 10:13 . 2007-05-16 04:45 1124720 ----a-w- c:\windows\system32\D3DCompiler_34.dll
2009-06-14 10:13 . 2007-05-16 04:45 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll
2009-06-14 10:13 . 2006-11-29 01:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-06-14 10:13 . 2006-09-28 04:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2009-06-14 10:13 . 2009-06-14 10:13 -------- d-----w- c:\windows\Logs
2009-06-14 10:12 . 2009-06-17 05:08 258584 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-14 10:11 . 2009-06-14 10:11 -------- d-----w- c:\windows\system32\XPSViewer
2009-06-14 10:11 . 2009-06-14 10:11 -------- d-----w- c:\program files\MSBuild
2009-06-14 10:11 . 2009-06-14 10:11 -------- d-----w- c:\program files\Reference Assemblies
2009-06-14 10:10 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-06-14 10:10 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-06-14 10:10 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-06-14 10:10 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-06-14 10:10 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-06-14 10:10 . 2009-06-14 10:11 -------- d-----w- C:\9d3084bc6b5eda843311eef063d0
2009-06-14 10:10 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-06-14 10:10 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-06-14 10:09 . 2009-06-17 05:09 -------- d-----w- c:\windows\SxsCaPendDel
2009-06-14 10:05 . 2009-06-14 10:05 -------- d-----w- c:\program files\MSXML 6.0
2009-06-14 09:41 . 2009-06-14 09:41 -------- d-----w- C:\Autodesk
2009-06-12 11:07 . 2009-06-14 00:31 -------- d-----w- c:\documents and settings\NICKATTACK\Application Data\Download Manager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-10 13:31 . 2008-11-26 05:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-10 09:09 . 2008-12-09 04:26 -------- d-----w- c:\program files\DVDlabPro2
2009-07-10 02:06 . 2006-11-12 02:11 -------- d-----w- c:\program files\Soulseek
2009-07-01 03:52 . 2006-10-29 00:41 -------- d-----w- c:\documents and settings\NICKATTACK\Application Data\AdobeUM
2009-06-30 06:59 . 2007-11-02 06:22 -------- d-----w- c:\documents and settings\NICKATTACK\Application Data\Skype
2009-06-30 06:54 . 2009-06-19 09:40 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-06-30 06:54 . 2009-06-19 09:40 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-06-22 03:50 . 2008-10-08 01:21 -------- d-----w- c:\documents and settings\NICKATTACK\Application Data\foobar2000
2009-06-18 01:34 . 2008-02-22 08:19 -------- d-----w- c:\documents and settings\NICKATTACK\Application Data\Azureus
2009-06-17 04:35 . 2008-10-19 23:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-16 03:44 . 2006-09-22 04:40 79080 ----a-w- c:\documents and settings\NICKATTACK\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-06 23:04 . 2006-11-08 07:36 -------- d-----w- c:\program files\Last.fm
2009-05-25 14:50 . 2008-02-22 08:16 -------- d-----w- c:\program files\Azureus
2009-05-23 12:13 . 2009-05-23 12:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrovision
2009-05-23 12:13 . 2009-05-23 12:13 -------- d-----w- c:\program files\Common Files\Macromedia Shared
2009-05-23 12:12 . 2009-05-23 11:05 -------- d-----w- c:\program files\Macromedia
2009-05-23 12:12 . 2006-09-21 06:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-07 15:44 . 1980-01-01 07:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2006-06-23 18:33 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2006-10-06 00:23 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 1980-01-01 07:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2004-03-06 02:16 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2006-05-06 16:42 . 2006-10-26 01:20 7260160 ----a-w- c:\program files\mozilla firefox\plugins\libvlc.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-07-10_03.44.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-10-06 13:02 . 2009-07-10 04:38 90358784 c:\windows\Downloaded Installations\{624FE5AF-1F31-404F-A9CC-3D451530446A}\Rescue and Recovery - Client Security Solution.msi
- 2006-10-06 13:02 . 2007-06-10 23:57 90358784 c:\windows\Downloaded Installations\{624FE5AF-1F31-404F-A9CC-3D451530446A}\Rescue and Recovery - Client Security Solution.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"ibmmessages"="c:\program files\IBM\Messages By IBM\ibmmessages.exe" [2004-01-20 581632]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 864256]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 94208]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2003-12-25 394752]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-09-13 237568]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-09 71328]
"NAV CfgWiz"="c:\program files\Common Files\Symantec Shared\CfgWiz.exe" [2003-08-15 124096]
"ibmmessages"="c:\program files\IBM\Messages By IBM\\ibmmessages.exe" [2004-01-20 581632]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-10-22 114741]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-12-25 106496]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-01-22 344064]
"TPKBDLED"="c:\windows\System32\TpScrLk.exe" [2002-10-09 40960]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2006-10-05 100056]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-04-17 409600]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 98304]
"PDService.exe"="c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-11-15 49152]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-03-28 503808]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-02-13 564496]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-02-13 2196240]
"BluetoothAuthenticationAgent"="irprops.cpl" - c:\windows\system32\irprops.cpl [2004-08-04 380416]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2003-12-17 102400]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2005-10-17 65536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\NICKATTACK\Start Menu\Programs\Startup\
Logitech . Product Registration.lnk - c:\program files\Logitech\QuickCam\eReg.exe [2008-2-13 493832]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-10-6 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 06:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 03:16 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI5"=diomidi.dll
"wave5"=Digi32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan\0lsdelete

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli csspwntfy

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^NICKATTACK^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\NICKATTACK\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^NICKATTACK^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=c:\documents and settings\NICKATTACK\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=c:\windows\pss\Last.fm Helper.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\mentalray\\satellite\\raysat_3dsmax2010_32server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\mentalray\\satellite\\raysat_3dsmax2010_32.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys [8/21/2006 8:04 PM 6912]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [9/21/2006 6:21 PM 58568]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [9/21/2006 6:21 PM 15360]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [4/29/2008 10:09 PM 11776]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [8/21/2006 8:44 PM 12544]
R2 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [3/12/2009 5:36 PM 86016]
R2 PrivateDisk;PrivateDisk;c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\privatediskm.sys [11/16/2005 8:11 AM 46142]
R2 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [9/21/2006 6:21 PM 4433]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [8/21/2006 8:10 PM 3968]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 koreavs;koreavs;c:\windows\system32\drivers\koreavs.sys [6/14/2007 9:20 PM 25088]
S3 koreusb;koreusb;c:\windows\system32\drivers\koreusb.sys [6/14/2007 9:20 PM 82944]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [5/29/2008 11:38 PM 30946]
S3 TPM11;NSC Integrated Trusted Platform Module 1.1;c:\windows\system32\drivers\nsctpm11.sys [7/15/2006 11:37 AM 14336]
S3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [7/10/2007 9:06 PM 55840]
.
Contents of the 'Scheduled Tasks' folder

2009-05-23 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2006-09-21 08:36]

2009-07-11 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-12 09:42]

2009-07-11 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 06:20]

2009-07-10 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\Navw32.exe [2006-09-22 01:22]

2006-09-22 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2006-09-21 00:17]

2009-07-11 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-22 10:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.cn/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\NICKATTACK\Application Data\Mozilla\Firefox\Profiles\f1sqrupv.default\
FF - prefs.js: browser.startup.homepage - www.blackle.co.nz
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvlc.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-11 15:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(812)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll

- - - - - - - > 'lsass.exe'(868)
c:\program files\IBM ThinkVantage\Client Security Solution\csspwntfy.dll
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtsp.dll
c:\program files\IBM ThinkVantage\Client Security Solution\tcsrpc.dll
c:\program files\IBM ThinkVantage\Client Security Solution\cssuserdatadispatcher.dll

- - - - - - - > 'explorer.exe'(6252)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
c:\program files\Common Files\Ahead\Lib\BCGCBPRO860un71.dll
c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\program files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2009-07-11 15:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-11 03:59
ComboFix2.txt 2009-07-10 03:51
ComboFix3.txt 2009-06-21 13:30
ComboFix4.txt 2009-06-18 23:49

Pre-Run: 20,121,239,552 bytes free
Post-Run: 20,189,478,912 bytes free

286 --- E O F --- 2009-07-10 02:48
Old 07-11-2009, 08:37 AM   #14 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,562
OS: WinXP and Vista


Re: Firefox browser hijack and flash drive folders becoming .exe

Quote:
The missing folders have returned to my external hard drives, although the .exe files are still there (eg. the folder 'bck-up' has returned but bck-up.exe still exists). Should I delete these?
How many of these .exe files are there? Can you list them all out for me?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 07-11-2009, 05:24 PM   #15 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 20
OS: Windows XP, SP 2


Re: Firefox browser hijack and flash drive folders becoming .exe

Yep, they are:

G:\.Trashes.exe
G:\bck-up.exe
G:\RECYCLER.exe
G:\System Volume Information.exe
G:\wmv.exe

All five had appeared as .exe 'folders' on the hard drive and would initiate a virus if opened - I haven't tested if they still do this. 'wmv' and 'bck-up' were the only ones that were visible folders prior to this. Now all five have re-appeared as hidden folders, but the .exe file/folders are still there. Hope that is clear!

Best wishes,
N
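The listing in the post above is the signature of this worm family: every real folder on the drive gets the Hidden attribute and a file named `<folder>.exe` appears beside it, so a user double-clicking what looks like the folder runs the malware instead. The following scanner is an added example for this thread, not a tool either poster used and not part of ComboFix. It flags any `.exe` whose name matches a sibling directory, and any `.exe` named after a folder the OS itself creates on a volume (RECYCLER, System Volume Information, .Trashes, the names from the post). The Hidden-attribute check falls back to the dot-name convention off Windows so the example runs anywhere; that fallback, and the constructed sample drive, are assumptions, not details from the thread.

```python
"""Spot the 'folder became an .exe' pattern on a removable drive.

Added example for this thread; not a tool either poster used and not part
of ComboFix.  Pattern from the posts: real folders on the drive are marked
hidden and a file named <folder>.exe appears next to each one.  The scanner
flags any .exe whose name matches a sibling directory, and any .exe named
after a folder the OS creates on volumes, which no installer would produce.
"""
import os
import stat
import sys
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Folder names the OS creates on removable volumes (taken from the post's
# listing).  An executable carrying one of these names is suspicious even
# when the matching folder is missing.
SYSTEM_FOLDER_NAMES = {"recycler", "system volume information", ".trashes"}


@dataclass(frozen=True)
class Finding:
    exe: Path          # the suspicious executable
    reason: str        # why it was flagged
    twin_hidden: bool  # the shadowed folder carries the Hidden attribute


def is_hidden(p: Path) -> bool:
    """Windows Hidden attribute; off Windows fall back to the dot-name
    convention so the example runs anywhere (assumption, not from the post)."""
    try:
        attrs = getattr(p.stat(), "st_file_attributes", 0)
    except OSError:
        return False
    if attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0):
        return True
    return p.name.startswith(".")


def scan_directory(directory) -> list:
    """Flag shadowing .exe files in one directory (the post lists the drive root)."""
    directory = Path(directory)
    entries = list(directory.iterdir())
    # Case-insensitive lookup: FAT/NTFS name matching is case-insensitive.
    dirs = {e.name.lower(): e for e in entries if e.is_dir()}
    findings = []
    for e in entries:
        if not e.is_file() or e.suffix.lower() != ".exe":
            continue
        key = e.name[:-len(".exe")].lower()   # ".Trashes.exe" -> ".trashes"
        if key in dirs:
            twin = dirs[key]
            findings.append(Finding(e, f"shadows folder {twin.name!r}", is_hidden(twin)))
        elif key in SYSTEM_FOLDER_NAMES:
            findings.append(Finding(e, "named after a system folder", False))
    return sorted(findings, key=lambda f: f.exe.name.lower())


def scan_tree(root) -> list:
    """Same check for every directory under root; the post only shows the
    top level of G:, but a recursive pass costs nothing."""
    findings = []
    for dirpath, _dirnames, _filenames in os.walk(root):
        findings.extend(scan_directory(dirpath))
    return findings


def build_sample_drive(root) -> Path:
    """Constructed stand-in for the poster's G: drive: the five names from
    the post, each as a folder plus a shadowing .exe, and two benign items."""
    root = Path(root)
    for name in (".Trashes", "bck-up", "RECYCLER", "System Volume Information", "wmv"):
        (root / name).mkdir()
        (root / f"{name}.exe").write_bytes(b"MZ")   # constructed, not a real binary
    (root / "photos").mkdir()                       # benign folder, no twin
    (root / "setup.exe").write_bytes(b"MZ")         # benign exe, no twin folder
    return root


if __name__ == "__main__":
    # Usage: python scan.py G:\   (no argument scans the constructed sample)
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_drive(tempfile.mkdtemp())
    for f in scan_tree(target):
        print(f"{f.exe}  [{f.reason}; twin hidden={f.twin_hidden}]")
```

Run it against the drive root with the drive mounted read-only if possible; the findings are what you would hand to the helper, not files to open. A hit on a system-folder name with no matching folder is still worth reporting, which is why that branch is separate from the sibling-directory check.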
Old 07-11-2009, 11:55 PM   #16 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,562
OS: WinXP and Vista


Re: Firefox browser hijack and flash drive folders becoming .exe

Thanks. Do not try to open them, I'll take a look at them.

Open notepad and copy/paste the text in the code box below into it:

Quote:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/386275-firefox-browser-hijack-flash-drive-folders-becoming-exe.html#post2235155

Suspect::
G:\.Trashes.exe
G:\bck-up.exe
G:\RECYCLER.exe
G:\System Volume Information.exe
G:\wmv.exe

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************

Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Post the ComboFix.txt please.
Old 07-12-2009, 07:11 PM   #17 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 20
OS: Windows XP, SP 2


Re: Firefox browser hijack and flash drive folders becoming .exe

Thanks, I followed the instructions but the last step didn't seem to occur - at least the message box didn't open. Hopefully the files were submitted?


ComboFix 09-07-12.03 - NICKATTACK 07/13/2009 12:40.8.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.539 [GMT 12:00]
Running from: c:\documents and settings\NICKATTACK\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\NICKATTACK\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {B5510F6F-87E1-47F7-A411-360BC453007C}

file zipped: G:\.Trashes.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\TEMP\logishrd\LVPrcInj01.dll

.
((((((((((((((((((((((((( Files Created from 2009-06-13 to 2009-07-13 )))))))))))))))))))))))))))))))
.

2009-06-20 15:00 . 2009-06-20 15:00 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-06-19 09:37 . 2009-06-19 09:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Logishrd
2009-06-19 09:37 . 2009-06-19 09:40 -------- d-----w- c:\program files\Common Files\LogiShrd
2009-06-19 09:37 . 2009-06-19 09:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2009-06-19 09:37 . 2009-06-19 09:37 -------- d-----w- c:\program files\Logitech
2009-06-18 08:17 . 2009-07-03 03:19 -------- d-----w- c:\documents and settings\NICKATTACK\Local Settings\Application Data\WMTools Downloaded Files
2009-06-16 03:43 . 2009-06-16 03:43 -------- d-----w- c:\documents and settings\NICKATTACK\Application Data\Autodesk
2009-06-16 02:08 . 2009-06-16 02:08 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-06-16 02:07 . 2009-06-16 02:07 -------- d-----w- c:\documents and settings\NICKATTACK\Local Settings\Application Data\Autodesk
2009-06-14 10:32 . 2009-06-14 10:32 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-06-14 10:30 . 2009-06-14 10:32 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2009-06-14 10:27 . 2009-06-16 03:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2009-06-14 10:14 . 2009-06-14 10:33 -------- d-----w- c:\program files\Autodesk
2009-06-14 10:13 . 2008-07-30 22:41 68616 ----a-w- c:\windows\system32\XAPOFX1_1.dll
2009-06-14 10:13 . 2008-07-30 22:40 509448 ----a-w- c:\windows\system32\XAudio2_2.dll
2009-06-14 10:13 . 2008-07-30 22:41 238088 ----a-w- c:\windows\system32\xactengine3_2.dll
2009-06-14 10:13 . 2008-07-11 20:18 467984 ----a-w- c:\windows\system32\d3dx10_39.dll
2009-06-14 10:13 . 2008-07-11 20:18 1493528 ----a-w- c:\windows\system32\D3DCompiler_39.dll
2009-06-14 10:13 . 2008-07-11 20:18 3851784 ----a-w- c:\windows\system32\D3DX9_39.dll
2009-06-14 10:13 . 2007-05-16 04:45 443752 ----a-w- c:\windows\system32\d3dx10_34.dll
2009-06-14 10:13 . 2007-05-16 04:45 1124720 ----a-w- c:\windows\system32\D3DCompiler_34.dll
2009-06-14 10:13 . 2007-05-16 04:45 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll
2009-06-14 10:13 . 2006-11-29 01:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-06-14 10:13 . 2006-09-28 04:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2009-06-14 10:13 . 2009-06-14 10:13 -------- d-----w- c:\windows\Logs
2009-06-14 10:12 . 2009-06-17 05:08 258584 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-14 10:11 . 2009-06-14 10:11 -------- d-----w- c:\windows\system32\XPSViewer
2009-06-14 10:11 . 2009-06-14 10:11 -------- d-----w- c:\program files\MSBuild
2009-06-14 10:11 . 2009-06-14 10:11 -------- d-----w- c:\program files\Reference Assemblies
2009-06-14 10:10 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-06-14 10:10 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-06-14 10:10 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-06-14 10:10 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-06-14 10:10 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-06-14 10:10 . 2009-06-14 10:11 -------- d-----w- C:\9d3084bc6b5eda843311eef063d0
2009-06-14 10:10 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-06-14 10:10 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-06-14 10:09 . 2009-06-17 05:09 -------- d-----w- c:\windows\SxsCaPendDel
2009-06-14 10:05 . 2009-06-14 10:05 -------- d-----w- c:\program files\MSXML 6.0
2009-06-14 09:41 . 2009-06-14 09:41 -------- d-----w- C:\Autodesk

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-13 00:33 . 2008-11-26 05:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-10 09:09 . 2008-12-09 04:26 -------- d-----w- c:\program files\DVDlabPro2
2009-07-10 02:06 . 2006-11-12 02:11 -------- d-----w- c:\program files\Soulseek
2009-07-01 03:52 . 2006-10-29 00:41 -------- d-----w- c:\documents and settings\NICKATTACK\Application Data\AdobeUM
2009-06-30 06:59 . 2007-11-02 06:22 -------- d-----w- c:\documents and settings\NICKATTACK\Application Data\Skype
2009-06-30 06:54 . 2009-06-19 09:40 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-06-30 06:54 . 2009-06-19 09:40 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-06-22 03:50 . 2008-10-08 01:21 -------- d-----w- c:\documents and settings\NICKATTACK\Application Data\foobar2000
2009-06-18 01:34 . 2008-02-22 08:19 -------- d-----w- c:\documents and settings\NICKATTACK\Application Data\Azureus
2009-06-17 04:35 . 2008-10-19 23:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-16 03:44 . 2006-09-22 04:40 79080 ----a-w- c:\documents and settings\NICKATTACK\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-14 00:31 . 2009-06-12 11:07 -------- d-----w- c:\documents and settings\NICKATTACK\Application Data\Download Manager
2009-06-06 23:04 . 2006-11-08 07:36 -------- d-----w- c:\program files\Last.fm
2009-05-25 14:50 . 2008-02-22 08:16 -------- d-----w- c:\program files\Azureus
2009-05-23 12:13 . 2009-05-23 12:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrovision
2009-05-23 12:13 . 2009-05-23 12:13 -------- d-----w- c:\program files\Common Files\Macromedia Shared
2009-05-23 12:12 . 2009-05-23 11:05 -------- d-----w- c:\program files\Macromedia
2009-05-23 12:12 . 2006-09-21 06:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-07 15:44 . 1980-01-01 07:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2006-06-23 18:33 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2006-10-06 00:23 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 1980-01-01 07:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2004-03-06 02:16 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2006-05-06 16:42 . 2006-10-26 01:20 7260160 ----a-w- c:\program files\mozilla firefox\plugins\libvlc.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-07-10_03.44.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-10-06 13:02 . 2009-07-10 04:38 90358784 c:\windows\Downloaded Installations\{624FE5AF-1F31-404F-A9CC-3D451530446A}\Rescue and Recovery - Client Security Solution.msi
- 2006-10-06 13:02 . 2007-06-10 23:57 90358784 c:\windows\Downloaded Installations\{624FE5AF-1F31-404F-A9CC-3D451530446A}\Rescue and Recovery - Client Security Solution.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"ibmmessages"="c:\program files\IBM\Messages By IBM\ibmmessages.exe" [2004-01-20 581632]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 864256]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 94208]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2003-12-25 394752]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-09-13 237568]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-09 71328]
"NAV CfgWiz"="c:\program files\Common Files\Symantec Shared\CfgWiz.exe" [2003-08-15 124096]
"ibmmessages"="c:\program files\IBM\Messages By IBM\\ibmmessages.exe" [2004-01-20 581632]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-10-22 114741]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-12-25 106496]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-01-22 344064]
"TPKBDLED"="c:\windows\System32\TpScrLk.exe" [2002-10-09 40960]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2006-10-05 100056]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-04-17 409600]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 98304]
"PDService.exe"="c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-11-15 49152]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-03-28 503808]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-02-13 564496]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-02-13 2196240]
"BluetoothAuthenticationAgent"="irprops.cpl" - c:\windows\system32\irprops.cpl [2004-08-04 380416]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2003-12-17 102400]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2005-10-17 65536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\NICKATTACK\Start Menu\Programs\Startup\
Logitech . Product Registration.lnk - c:\program files\Logitech\QuickCam\eReg.exe [2008-2-13 493832]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-10-6 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 06:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 03:16 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI5"=diomidi.dll
"wave5"=Digi32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan\0lsdelete

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli csspwntfy

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^NICKATTACK^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\NICKATTACK\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^NICKATTACK^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=c:\documents and settings\NICKATTACK\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=c:\windows\pss\Last.fm Helper.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\mentalray\\satellite\\raysat_3dsmax2010_32server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\mentalray\\satellite\\raysat_3dsmax2010_32.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys [8/21/2006 8:04 PM 6912]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [9/21/2006 6:21 PM 58568]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [9/21/2006 6:21 PM 15360]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [4/29/2008 10:09 PM 11776]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [8/21/2006 8:44 PM 12544]
R2 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [3/12/2009 5:36 PM 86016]
R2 PrivateDisk;PrivateDisk;c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\privatediskm.sys [11/16/2005 8:11 AM 46142]
R2 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [9/21/2006 6:21 PM 4433]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [8/21/2006 8:10 PM 3968]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 koreavs;koreavs;c:\windows\system32\drivers\koreavs.sys [6/14/2007 9:20 PM 25088]
S3 koreusb;koreusb;c:\windows\system32\drivers\koreusb.sys [6/14/2007 9:20 PM 82944]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [5/29/2008 11:38 PM 30946]
S3 TPM11;NSC Integrated Trusted Platform Module 1.1;c:\windows\system32\drivers\nsctpm11.sys [7/15/2006 11:37 AM 14336]
S3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [7/10/2007 9:06 PM 55840]
.
Contents of the 'Scheduled Tasks' folder

2009-05-23 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2006-09-21 08:36]

2009-07-13 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-12 09:42]

2009-07-13 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 06:20]

2009-07-10 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\Navw32.exe [2006-09-22 01:22]

2006-09-22 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2006-09-21 00:17]

2009-07-13 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-22 10:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.cn/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\NICKATTACK\Application Data\Mozilla\Firefox\Profiles\f1sqrupv.default\
FF - prefs.js: browser.startup.homepage - www.blackle.co.nz
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvlc.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-13 12:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP00000030346BABE08C5EC8CC 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(820)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll

- - - - - - - > 'lsass.exe'(876)
c:\program files\IBM ThinkVantage\Client Security Solution\csspwntfy.dll
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtsp.dll
c:\program files\IBM ThinkVantage\Client Security Solution\tcsrpc.dll
c:\program files\IBM ThinkVantage\Client Security Solution\cssuserdatadispatcher.dll

- - - - - - - > 'explorer.exe'(7216)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
c:\program files\Common Files\Ahead\Lib\BCGCBPRO860un71.dll
c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\ati2evxx.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\program files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2009-07-13 12:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-13 00:57
ComboFix2.txt 2009-07-11 03:59
ComboFix3.txt 2009-07-10 03:51
ComboFix4.txt 2009-06-21 13:30
ComboFix5.txt 2009-07-13 00:37

Pre-Run: 20,153,356,288 bytes free
Post-Run: 20,145,717,248 bytes free

288 --- E O F --- 2009-07-10 02:48
Old 07-12-2009, 10:06 PM   #18 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,562
OS: WinXP and Vista


Re: Firefox browser hijack and flash drive folders becoming .exe

You are correct, the file was not uploaded. It only picked up on one file out of that script. Are the others actually folders?

Click Start>Run and copy/paste the following bolded text into the Run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

A report should pop open for you. Please post the contents in your next reply.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 07-12-2009, 10:54 PM   #19 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 20
OS: Windows XP, SP 2


Re: Firefox browser hijack and flash drive folders becoming .exe

I'm not sure if they're folders ... They have folder icons; however, Explorer defines them as type 'application'. Previously (and I haven't re-checked this since we ran ComboFix), opening this folder/application would open both the folder and initiate a virus.

Thanks.

2009-07-13 00:50:54 . 2009-07-13 00:50:56 539,432 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\temp\logishrd\_LVPrcInj01_.dll.zip
2009-07-13 00:39:07 . 2009-07-13 00:40:27 1,404,810 ----a-w- C:\Qoobox\Quarantine\[4]-Submit_2009-07-13_12.38.54.zip
2009-07-11 08:18:20 . 2008-02-05 06:20:30 109,080 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\temp\logishrd\LVPrcInj01.dll.vir
2009-07-10 03:05:48 . 2009-07-10 03:05:50 154,651 ----a-w- C:\Qoobox\Quarantine\[4]-Submit_2009-07-10_15.05.00.zip
2009-06-18 12:22:12 . 2009-07-10 03:50:48 146 ----a-w- C:\Qoobox\Quarantine\Registry_backups\ShellExecuteHooks-{A93A4625-6216-499C-B360-BBD0A7C0D479}.reg.dat
2009-06-18 12:22:04 . 2009-06-18 12:22:04 136 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-XP-04C704A7.reg.dat
2009-06-18 12:22:04 . 2009-06-18 12:22:04 128 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-udjudwq.reg.dat
2009-06-18 12:22:04 . 2009-06-18 12:22:04 128 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-oxbvpen.reg.dat
2009-06-18 12:22:04 . 2009-06-18 12:22:04 161 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-DigidesignMMERefresh.reg.dat
2009-06-18 12:22:02 . 2009-06-18 12:22:02 145 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-BMMLREF.reg.dat
2009-06-18 12:20:59 . 2009-06-18 00:24:50 154 ----a-w- C:\Qoobox\Quarantine\G\autorun.inf.vir
2009-06-18 11:21:29 . 2009-07-13 00:45:51 7,005 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-06-18 11:11:43 . 2009-07-13 00:51:05 2,628 ----a-w- C:\Qoobox\Quarantine\catchme.log
2009-06-17 05:13:30 . 2009-06-17 05:13:30 1,514,733 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\XP-04C704A7.EXE.vir
2009-04-19 01:18:05 . 2009-06-18 11:15:50 636 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\NICKATTACK\Start Menu\Programs\Startup\กกกกกก.lnk.vir
2009-03-10 21:27:01 . 2009-07-10 03:05:47 20,992 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wtitoreg.exe.vir
2009-03-08 2216 . 2009-07-10 03:05:50 20,992 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wtmtoreg.exe.vir
2009-03-04 21:38:40 . 2009-07-10 03:05:12 20,992 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wemtoreg.exe.vir
2009-03-04 05:50:35 . 2009-03-04 05:50:35 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wemtareg.exe.vir
2009-02-21 00:31:40 . 2009-07-10 03:05:15 20,992 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wimtareg.exe.vir
2009-02-19 20:13:01 . 2009-07-10 03:05:19 20,992 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wimzareg.exe.vir
2008-12-16 03:26:42 . 2009-07-10 03:05:44 16,896 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\winzcreg.exe.vir
2008-12-09 20:39:41 . 2009-07-10 03:05:41 16,896 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\winxcreg.exe.vir
2008-12-04 07:58:29 . 2008-12-04 21:46:36 16,896 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\5599.EXE.vir
2008-12-04 07:58:25 . 2009-07-10 03:05:39 16,896 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\winucreg.exe.vir
2008-11-25 20:08:26 . 2009-07-10 03:05:36 16,384 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\winscreg.exe.vir
2008-11-21 00:57:56 . 2009-07-10 03:05:32 16,384 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\winrcreg.exe.vir
2008-11-13 03:49:51 . 2009-07-10 03:05:29 15,872 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\winqcreg.exe.vir
2008-10-25 18:01:54 . 2009-07-10 03:05:26 15,360 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\winncreg.exe.vir
2008-10-15 00:07:04 . 2009-07-10 03:05:22 15,360 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\winmcreg.exe.vir
2008-10-14 08:11:21 . 2008-10-14 08:11:05 73,728 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\spec.fne.vir
2008-10-14 08:11:21 . 2008-10-14 08:10:38 40,960 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\shell.fne.vir
2008-10-14 08:11:20 . 2008-10-14 08:11:06 217,088 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\RegEx.fnr.vir
2008-10-14 08:11:17 . 2008-10-14 08:10:34 1,097,728 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\krnln.fnr.vir
2008-10-14 08:11:16 . 2008-10-14 08:11:04 184,320 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\internet.fne.vir
2008-10-14 08:11:13 . 2008-10-14 08:11:00 323,584 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\eAPI.fne.vir
2008-10-14 08:11:12 . 2008-10-14 08:11:08 114,688 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\dp1.fne.vir
2008-10-14 08:11:11 . 2008-10-14 08:11:08 270,336 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\com.run.vir
2008-10-14 08:11:10 . 2009-06-18 11:17:53 782 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\og.dll.vir
2008-10-14 08:11:10 . 2009-06-17 16:28:34 1,536 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\og.EDT.vir
2008-10-14 08:11:10 . 2009-06-18 11:15:48 2,404 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\ul.dll.vir
2008-10-14 08:10:44 . 2009-06-17 05:13:21 270,336 ----a-w- C:\Qoobox\Quarantine\C\DOCUME~1\NICKAT~1\LOCALS~1\Temp\E_4\com.run.vir
2008-10-14 08:10:43 . 2009-06-17 05:13:19 114,688 ----a-w- C:\Qoobox\Quarantine\C\DOCUME~1\NICKAT~1\LOCALS~1\Temp\E_4\dp1.fne.vir
2008-10-14 08:10:42 . 2009-06-17 05:13:34 217,088 ----a-w- C:\Qoobox\Quarantine\C\DOCUME~1\NICKAT~1\LOCALS~1\Temp\E_4\RegEx.fnr.vir
2008-10-14 08:10:42 . 2009-06-17 05:19:11 73,728 ----a-w- C:\Qoobox\Quarantine\C\DOCUME~1\NICKAT~1\LOCALS~1\Temp\E_4\spec.fne.vir
2008-10-14 08:10:41 . 2009-06-17 05:13:34 184,320 ----a-w- C:\Qoobox\Quarantine\C\DOCUME~1\NICKAT~1\LOCALS~1\Temp\E_4\internet.fne.vir
2008-10-14 08:10:38 . 2009-06-17 05:13:34 323,584 ----a-w- C:\Qoobox\Quarantine\C\DOCUME~1\NICKAT~1\LOCALS~1\Temp\E_4\eAPI.fne.vir
2008-10-14 08:10:38 . 2009-06-17 05:13:10 40,960 ----a-w- C:\Qoobox\Quarantine\C\DOCUME~1\NICKAT~1\LOCALS~1\Temp\E_4\shell.fne.vir
2008-10-14 08:10:34 . 2009-06-17 05:13:08 1,097,728 ----a-w- C:\Qoobox\Quarantine\C\DOCUME~1\NICKAT~1\LOCALS~1\Temp\E_4\krnln.fnr.vir
2008-05-29 11:36:50 . 2008-05-29 11:36:50 2 ----atw- C:\Qoobox\Quarantine\C\WINDOWS\winstart.bat.vir
2008-05-29 05:18:54 . 2008-05-29 05:18:54 302 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\88.exe.vir
2008-05-29 05:18:46 . 2008-05-29 05:18:46 302 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\77.exe.vir
2008-05-29 05:18:42 . 2008-05-29 05:18:42 302 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\66.exe.vir
2007-10-06 07:59:10 . 2008-05-29 05:27:06 27,292 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\IEXPLORE32.jmp.vir
2007-10-03 08:13:12 . 2007-11-13 08:30:22 45,172 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\PLUGINS\WINSYS84.SYS.del.vir
2007-10-03 08:13:11 . 2007-11-13 08:30:17 32,372 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\PLUGINS\SysWin74.Jmp.vir
2007-09-11 09:43:14 . 2008-05-29 05:19:08 302 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\1010.exe.vir
2007-09-11 09:43:04 . 2008-05-29 05:19:02 302 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\99.exe.vir
2007-09-08 04:26:13 . 2008-05-29 05:18:32 302 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\55.exe.vir
2007-09-08 04:26:09 . 2008-05-29 05:18:27 302 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\44.exe.vir
2007-09-08 04:26:05 . 2008-05-29 05:18:17 302 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\33.exe.vir
2007-09-08 04:26:02 . 2008-05-29 05:18:10 302 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\22.exe.vir
2007-08-29 08:48:53 . 2004-08-04 07:56:56 42,496 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\sexit.dat.vir
2007-08-28 20:09:20 . 2007-05-23 04:23:56 46,526 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\meex.com.vir
2007-08-28 20:09:18 . 2009-07-10 03:05:07 46,526 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\sybqnub.exe.ren.vir
2006-09-22 14:51:05 . 2006-09-22 14:51:05 54,668,800 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\62f4a.msi.vir
Old 07-12-2009, 10:59 PM   #20 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,562
OS: WinXP and Vista


Re: Firefox browser hijack and flash drive folders becoming .exe

Please visit this site and copy/paste the following bolded text into the 'browse to file to submit' box:

C:\Qoobox\Quarantine\[4]-Submit_2009-07-13_12.38.54.zip

Click 'Send File'

===========================

I really don't want you to click on those. Open notepad and copy/paste the text in the code box below into it:

Quote:

DirLook::
G:\bck-up.exe
G:\RECYCLER.exe
G:\System Volume Information.exe
G:\wmv.exe

Save this as "CFScript.txt", and as Type: All Files (*.*), in the same location as ComboFix.exe

***************************************************

Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

***************************************************





Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt. Please post that here.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
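Added example, not code from the thread or from ComboFix: a small Python triage script for the "folders turned into .exe" pattern the poster describes. It flags executables that carry the same name as a sibling folder (the worm hides the real folder and drops a same-named .exe with a folder icon), executables named after Windows system folders, and whatever an autorun.inf on the drive would launch. The drive tree it scans is constructed on the fly; only the four file names come from the DirLook list above, and the autorun.inf contents are an assumption.

```python
import os
import re
import tempfile
from pathlib import Path

# Folder names Windows creates on a volume itself; an .exe carrying one of them has no legitimate reason to exist.
SYSTEM_FOLDER_NAMES = {"recycler", "system volume information", "$recycle.bin"}

def autorun_targets(root: Path) -> set[str]:
    """Return the lower-cased file names an autorun.inf in root would launch."""
    inf = root / "autorun.inf"
    if not inf.is_file():
        return set()
    targets = set()
    for line in inf.read_text(errors="ignore").splitlines():
        m = re.match(r"\s*(open|shellexecute|shell\\\w+\\command)\s*=\s*(.+)", line, re.I)
        if m:
            # keep only the program name, dropping any path, quotes and arguments
            exe = m.group(2).strip().strip('"').split()[0]
            targets.add(Path(exe.replace("\\", "/")).name.lower())
    return targets

def find_folder_impersonators(root) -> dict[str, list[str]]:
    """Map each suspicious .exe (path relative to root) to the reasons it was flagged."""
    root = Path(root)
    launched = autorun_targets(root)
    findings: dict[str, list[str]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirs_lower = {d.lower() for d in dirnames}
        for name in filenames:
            if not name.lower().endswith(".exe"):
                continue
            stem = name[:-4].lower()
            reasons = []
            if stem in dirs_lower:                 # worm hid the folder and dropped X.exe next to it
                reasons.append("same name as sibling folder")
            if stem in SYSTEM_FOLDER_NAMES:
                reasons.append("named after a Windows system folder")
            if name.lower() in launched:           # matched by file name, wherever it sits
                reasons.append("launched by autorun.inf")
            if reasons:
                findings[os.path.relpath(os.path.join(dirpath, name), root)] = reasons
    return findings

def build_sample_drive() -> Path:
    """Constructed scratch tree mimicking the infected G: drive (hypothetical contents)."""
    root = Path(tempfile.mkdtemp(prefix="g_drive_"))
    (root / "wmv").mkdir()                         # the real folder the worm hides
    (root / "bck-up").mkdir()
    body = b"MZ" + b"\x90" * 300                   # stand-in for the worm's executable
    for n in ("wmv.exe", "bck-up.exe", "RECYCLER.exe", "System Volume Information.exe"):
        (root / n).write_bytes(body)
    (root / "autorun.inf").write_text("[autorun]\r\nopen=wmv.exe\r\nshellexecute=.\\wmv.exe\r\n")
    (root / "setup.exe").write_bytes(b"MZ" + b"\x00" * 500)   # benign: no folder twin
    return root
```

Point find_folder_impersonators at the root of a mounted removable drive to get the list of suspect files and the reason each was flagged before deciding what to quarantine.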
Copyright 2001 - 2009, Tech Support Forum