WiredWX Hobby Weather Tools

Computer hijacked

Re: Computer hijacked

As requested. Is there any way you can tell me if I missed copying and pasting these code lines?
c:\program files\QuickTime\qttask .exe
c:\program files\Windows Defender\msascui .exe

I am not sure I included them because I didn't see them till after I started everything.


ComboFix 10-04-21.01 - User 04/21/2010 14:39:38.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3199.2422 [GMT -4]
Running from: c:\geek police stuff\Combo-Fix.exe
Command switches used :: c:\geek police stuff\CFscript.txt
AV: avast! Internet Security *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\program files\42156.dat"
"c:\program files\6413406.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\42156.dat
c:\program files\6413406.dat

.
((((((((((((((((((((((((( Files Created from 2010-03-21 to 2010-04-21 )))))))))))))))))))))))))))))))
.

2010-04-21 18:03 . 2010-04-21 18:31 -------- d-----w- C:\Combo-Fix11551C
2010-04-20 19:55 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-20 19:55 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 18:35 . 2010-04-20 18:35 -------- d-----w- C:\_OTL
2010-04-18 00:02 . 2010-04-18 00:05 -------- d-----w- C:\Avast Stuff
2010-04-17 19:47 . 2010-04-17 19:53 -------- d-----w- C:\Combo-Fix
2010-04-17 19:06 . 2010-04-17 19:06 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-17 19:05 . 2010-04-17 19:05 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\avG
2010-04-17 19:05 . 2010-04-17 19:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-17 19:04 . 2010-04-19 06:28 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-17 19:01 . 2010-04-17 19:01 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-04-17 15:38 . 2010-04-21 18:39 -------- d-----w- C:\geek police stuff
2010-04-16 23:24 . 2010-04-16 23:24 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\avG
2010-04-16 23:24 . 2010-04-16 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-14 13:48 . 2010-04-14 13:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-04-11 19:46 . 2010-04-11 19:46 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-04-11 19:46 . 2010-04-11 19:47 -------- d-----w- c:\program files\Google
2010-04-10 20:12 . 2001-08-18 02:36 110621 -c--a-w- c:\windows\system32\dllcache\digirlpt.dll
2010-04-10 20:12 . 2001-08-18 02:36 110621 ----a-w- c:\windows\system32\digirlpt.dll
2010-04-10 20:12 . 2001-08-17 16:17 42432 -c--a-w- c:\windows\system32\dllcache\digirlpt.sys
2010-04-10 20:12 . 2001-08-17 16:17 42432 ----a-w- c:\windows\system32\drivers\digirlpt.sys
2010-04-07 19:05 . 2010-04-07 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-04-06 20:59 . 2010-04-17 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-03-31 06:00 . 2010-03-31 06:00 86016 ----a-w- c:\windows\system32\frapsvid.dll
2010-03-27 18:29 . 2010-03-27 18:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-03-23 14:30 . 2010-04-18 18:44 -------- d-----w- c:\program files\QuickTime
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\program files\Common Files\Apple
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Apple
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\program files\Apple Software Update
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-21 18:39 . 2009-05-23 01:43 -------- d-----w- c:\program files\Windows Defender
2010-04-21 17:13 . 2009-05-25 02:32 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-04-21 17:13 . 2009-05-25 02:32 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-04-20 22:36 . 2010-04-17 20:34 8704 --sha-w- c:\program files\Thumbs.db
2010-04-20 19:55 . 2009-08-03 03:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-18 00:11 . 2009-05-25 02:15 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-17 03:34 . 2004-08-04 12:00 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-04-16 23:33 . 2009-07-07 02:02 -------- d-----w- c:\documents and settings\User\Application Data\Skype
2010-04-16 20:09 . 2009-07-07 02:12 -------- d-----w- c:\documents and settings\User\Application Data\skypePM
2010-04-14 16:47 . 2010-04-18 00:06 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-14 16:47 . 2010-04-18 00:06 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-14 16:37 . 2010-04-18 00:06 102736 ----a-w- c:\windows\system32\drivers\aswFW.sys
2010-04-14 16:37 . 2010-04-18 00:06 297552 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2010-04-14 16:36 . 2010-04-18 00:06 196048 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2010-04-14 16:35 . 2010-04-18 00:06 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-14 16:35 . 2010-04-18 00:06 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-14 16:31 . 2010-04-18 00:06 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-14 16:31 . 2010-04-18 00:06 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-04-14 16:31 . 2010-04-18 00:06 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-04-14 16:31 . 2010-04-18 00:06 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-14 16:30 . 2010-04-18 00:06 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-06 21:01 . 2009-05-23 01:31 -------- d-----w- c:\program files\Alwil Software
2010-03-26 14:33 . 2010-04-14 23:25 1496064 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-03-26 14:33 . 2010-04-14 23:25 43008 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-03-26 14:33 . 2010-04-14 23:25 339456 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-03-26 14:32 . 2010-04-14 23:25 346112 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-03-20 20:46 . 2009-05-24 23:42 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-03-19 14:27 . 2009-05-23 01:25 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-17 05:31 . 2010-03-17 05:31 -------- d-----w- c:\documents and settings\User\Application Data\CyberLink
2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 14:16 . 2009-10-02 17:20 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 13:11 . 2004-08-04 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 03:12 . 2009-05-25 01:40 -------- d-----w- c:\documents and settings\User\Application Data\SoapMakerData
2010-02-23 03:12 . 2010-02-23 03:12 -------- d-----w- c:\program files\SoapMaker3
2010-02-16 14:08 . 2004-08-04 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2009-05-20 03:49 . 2009-05-24 23:15 306 ----a-w- c:\program files\Shortcut to My Documents.lnk
2004-07-06 17:54 . 2007-05-22 20:10 1241088 ----a-w- c:\program files\PGE_PlugIn.8bf
1998-05-31 04:00 . 1998-05-31 04:00 295696 ----a-w- c:\program files\Common Files\MSJTOR35.DLL
2009-05-24 23:42 . 2009-05-24 23:42 88 --sh--r- c:\windows\system32\16071871B6.sys
.

c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\snxPluginsShell]
@="{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}"
[HKEY_CLASSES_ROOT\CLSID\{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}]
2010-04-14 16:33 140288 ----a-w- c:\program files\Alwil Software\Avast5\snxPlugins.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeBridge"="c:\program files\Adobe\Adobe Bridge CS4\Bridge.exe" [2008-08-28 13145448]
"Google Update"="c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-04-11 136176]
"Fraps"="c:\fraps\FRAPS.EXE" [2010-03-31 2181040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-12-22 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-12-21 640440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [4/17/2010 8:06 PM 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [4/17/2010 8:06 PM 196048]
R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [4/17/2010 8:06 PM 102736]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/17/2010 8:06 PM 297552]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/17/2010 8:06 PM 162768]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/17/2010 8:06 PM 19024]
R2 avast! Firewall;avast! Firewall;c:\program files\Alwil Software\Avast5\afwServ.exe [4/17/2010 8:06 PM 119200]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/11/2010 3:46 PM 136176]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 284016]
S3 DIGIRPS;Digi PortServer Driver;c:\windows\system32\drivers\digirlpt.sys [4/10/2010 4:12 PM 42432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-04-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 19:46]

2010-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 19:46]

2010-04-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-602162358-725345543-1003Core.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-20 19:46]

2010-04-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-602162358-725345543-1003UA.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-20 19:46]

2010-04-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - component: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\User\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nphssb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-21 14:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1028)
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(3964)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\documents and settings\User\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
.
**************************************************************************
.
Completion time: 2010-04-21 15:04:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-21 19:04
ComboFix2.txt 2010-04-21 18:29
ComboFix3.txt 2010-04-21 03:56
ComboFix4.txt 2010-04-20 23:06

Pre-Run: 101,713,883,136 bytes free
Post-Run: 101,771,997,184 bytes free

- - End Of File - - C6031105B101C1BC418D08DC71DA4AE5

Re: Computer hijacked

Hello.

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Code:

    KILLALL::

    RenV::
    c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe

    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe ARM"=-

  4. Save this as CFScript.txt, in the same location as ComboFix.exe.

    [image: cfscriptb4i]

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.
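What the steps above boil down to is: pick the renamed binaries out of the ComboFix log, write a RenV:: line for each, and drop the Run value that now points at the file occupying the legitimate name. The Python script below is an added example, not part of this thread and not ComboFix's own code. It parses an excerpt of the log posted above (embedded as a constructed sample), lists every file with a space before its extension (the same pattern as adobearm .exe, and the qttask .exe / msascui .exe lines asked about earlier, so nothing of that shape gets missed), flags the Security Center override values, the disabled XP firewall and hidden+system files, and drafts a CFScript in the form used in this thread. The pairing rule (remove a Run value whose data is the un-spaced twin of a renamed file) and the posture checks are heuristics inferred from this thread, not documented ComboFix behaviour; hidden+system files are surfaced for review only, since licensing schemes legitimately create such files.

```python
import re

# Constructed sample input: lines excerpted from the ComboFix log posted earlier in
# this thread (file listing, Run key, Security Center and firewall policy sections).
SAMPLE_LOG = r"""
2010-03-20 20:46 . 2009-05-24 23:42 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-05-24 23:42 . 2009-05-24 23:42 88 --sh--r- c:\windows\system32\16071871B6.sys
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# A binary whose name has a space inserted before the extension, e.g. "adobearm .exe".
SPACED_EXT = re.compile(r"^(?P<dir>[a-z]:\\(?:[^\\]+\\)*)(?P<stem>[^\\]+?) \.(?P<ext>exe|dll|scr|sys)$", re.I)
# Registry section header and "name"="data" value lines as ComboFix prints them.
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"')
# Security Center told to stop warning about AV/firewall, and the XP firewall switched off.
OVERRIDE = re.compile(r'^"(?P<name>AntiVirusOverride|FirewallOverride)"=dword:0*1$')
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')
# File line: created . modified size attributes path (directories have no numeric size).
FILE_LINE = re.compile(r"^\S+ \S+ \. \S+ \S+ (?P<size>\d+) (?P<attr>[-a-z]{8}) (?P<path>.+)$")


def parse_log(text):
    """Walk the log once and collect the indicators the thread acted on."""
    findings = {"renamed": [], "run_entries": [], "overrides": [],
                "firewall_disabled": False, "hidden_system_files": []}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REG_KEY.match(line)
        if m:
            current_key = m.group("key")
            continue
        if SPACED_EXT.match(line):
            findings["renamed"].append(line)
            continue
        m = FILE_LINE.match(line)
        if m:
            attr = m.group("attr")          # e.g. "--sha-w-": position 2 = system, 3 = hidden
            if attr[2] == "s" and attr[3] == "h":
                findings["hidden_system_files"].append(m.group("path"))
            continue
        if current_key and current_key.lower().endswith("\\run"):
            m = REG_VALUE.match(line)
            if m:
                findings["run_entries"].append((current_key, m.group("name"), m.group("data")))
            continue
        m = OVERRIDE.match(line)
        if m:
            findings["overrides"].append(m.group("name"))
        elif FIREWALL_OFF.match(line):
            findings["firewall_disabled"] = True
    return findings


def unspaced(path):
    """Turn 'adobearm .exe' into 'adobearm.exe': the name the impostor now occupies."""
    return re.sub(r" \.(\w+)$", r".\1", path)


def draft_cfscript(findings):
    """Draft a CFScript in the shape used in this thread (KILLALL::, RenV::, Registry::)."""
    lines = ["KILLALL::", ""]
    if findings["renamed"]:
        lines += ["RenV::", *findings["renamed"], ""]
    # Heuristic taken from the thread (assumption, not documented ComboFix behaviour):
    # the Run value pointing at the un-spaced twin of a renamed file launches whatever
    # took over the legitimate name, so it is dropped with "=-".
    twins = {unspaced(p).lower() for p in findings["renamed"]}
    removals = [(key, name) for key, name, data in findings["run_entries"]
                if data.lower() in twins]
    if removals:
        lines.append("Registry::")
        for key, name in removals:
            lines += [f"[{key}]", f'"{name}"=-']
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    f = parse_log(SAMPLE_LOG)
    for p in f["renamed"]:
        print("renamed binary :", p)
    for p in f["hidden_system_files"]:
        print("hidden+system  :", p, "(review, not a verdict)")
    for name in f["overrides"]:
        print("security center:", name, "= 1")
    if f["firewall_disabled"]:
        print("xp firewall    : EnableFirewall = 0")
    print()
    print(draft_cfscript(f), end="")
```

To run it against a real log, pass the whole file instead of the sample, e.g. parse_log(open("ComboFix.txt").read()); the drafted script for the sample comes out identical to the one in the post above, and any spaced-extension line the parser lists that is not yet in the RenV:: block is one that was missed.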

Re: Computer hijacked

ComboFix 10-04-21.01 - User 04/22/2010 0:35.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3199.2628 [GMT -4:00]
Running from: c:\geek police stuff\Combo-Fix.exe
Command switches used :: c:\geek police stuff\CFscript.txt
AV: avast! Internet Security *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-03-22 to 2010-04-22 )))))))))))))))))))))))))))))))
.

2010-04-21 19:12 . 2010-04-21 19:12 -------- d-----w- C:\Combo-Fix29733C
2010-04-21 18:03 . 2010-04-21 18:31 -------- d-----w- C:\Combo-Fix11551C
2010-04-20 19:55 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-20 19:55 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 18:35 . 2010-04-20 18:35 -------- d-----w- C:\_OTL
2010-04-18 00:02 . 2010-04-18 00:05 -------- d-----w- C:\Avast Stuff
2010-04-17 19:47 . 2010-04-17 19:53 -------- d-----w- C:\Combo-Fix
2010-04-17 19:06 . 2010-04-17 19:06 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-17 19:05 . 2010-04-17 19:05 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\avG
2010-04-17 19:05 . 2010-04-17 19:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-17 19:04 . 2010-04-19 06:28 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-17 19:01 . 2010-04-17 19:01 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-04-17 15:38 . 2010-04-22 04:34 -------- d-----w- C:\geek police stuff
2010-04-16 23:24 . 2010-04-16 23:24 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\avG
2010-04-16 23:24 . 2010-04-16 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-14 13:48 . 2010-04-14 13:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-04-11 19:46 . 2010-04-11 19:46 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-04-11 19:46 . 2010-04-11 19:47 -------- d-----w- c:\program files\Google
2010-04-10 20:12 . 2001-08-18 02:36 110621 -c--a-w- c:\windows\system32\dllcache\digirlpt.dll
2010-04-10 20:12 . 2001-08-18 02:36 110621 ----a-w- c:\windows\system32\digirlpt.dll
2010-04-10 20:12 . 2001-08-17 16:17 42432 -c--a-w- c:\windows\system32\dllcache\digirlpt.sys
2010-04-10 20:12 . 2001-08-17 16:17 42432 ----a-w- c:\windows\system32\drivers\digirlpt.sys
2010-04-07 19:05 . 2010-04-07 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-04-06 20:59 . 2010-04-17 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-03-31 06:00 . 2010-03-31 06:00 86016 ----a-w- c:\windows\system32\frapsvid.dll
2010-03-27 18:29 . 2010-03-27 18:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-03-23 14:30 . 2010-04-18 18:44 -------- d-----w- c:\program files\QuickTime
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\program files\Common Files\Apple
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Apple
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\program files\Apple Software Update
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-03-23 14:29 . 2010-03-23 14:29 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-21 18:39 . 2009-05-23 01:43 -------- d-----w- c:\program files\Windows Defender
2010-04-21 17:13 . 2009-05-25 02:32 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-04-21 17:13 . 2009-05-25 02:32 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-04-20 22:36 . 2010-04-17 20:34 8704 --sha-w- c:\program files\Thumbs.db
2010-04-20 19:55 . 2009-08-03 03:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-18 00:11 . 2009-05-25 02:15 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-17 03:34 . 2004-08-04 12:00 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-04-16 23:33 . 2009-07-07 02:02 -------- d-----w- c:\documents and settings\User\Application Data\Skype
2010-04-16 20:09 . 2009-07-07 02:12 -------- d-----w- c:\documents and settings\User\Application Data\skypePM
2010-04-14 16:47 . 2010-04-18 00:06 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-14 16:47 . 2010-04-18 00:06 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-14 16:37 . 2010-04-18 00:06 102736 ----a-w- c:\windows\system32\drivers\aswFW.sys
2010-04-14 16:37 . 2010-04-18 00:06 297552 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2010-04-14 16:36 . 2010-04-18 00:06 196048 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2010-04-14 16:35 . 2010-04-18 00:06 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-14 16:35 . 2010-04-18 00:06 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-14 16:31 . 2010-04-18 00:06 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-14 16:31 . 2010-04-18 00:06 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-04-14 16:31 . 2010-04-18 00:06 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-04-14 16:31 . 2010-04-18 00:06 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-14 16:30 . 2010-04-18 00:06 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-06 21:01 . 2009-05-23 01:31 -------- d-----w- c:\program files\Alwil Software
2010-03-26 14:33 . 2010-04-14 23:25 1496064 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-03-26 14:33 . 2010-04-14 23:25 43008 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-03-26 14:33 . 2010-04-14 23:25 339456 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-03-26 14:32 . 2010-04-14 23:25 346112 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-03-20 20:46 . 2009-05-24 23:42 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-03-19 14:27 . 2009-05-23 01:25 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-17 05:31 . 2010-03-17 05:31 -------- d-----w- c:\documents and settings\User\Application Data\CyberLink
2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 14:16 . 2009-10-02 17:20 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 13:11 . 2004-08-04 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 03:12 . 2009-05-25 01:40 -------- d-----w- c:\documents and settings\User\Application Data\SoapMakerData
2010-02-23 03:12 . 2010-02-23 03:12 -------- d-----w- c:\program files\SoapMaker3
2010-02-16 14:08 . 2004-08-04 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2009-05-20 03:49 . 2009-05-24 23:15 306 ----a-w- c:\program files\Shortcut to My Documents.lnk
2004-07-06 17:54 . 2007-05-22 20:10 1241088 ----a-w- c:\program files\PGE_PlugIn.8bf
1998-05-31 04:00 . 1998-05-31 04:00 295696 ----a-w- c:\program files\Common Files\MSJTOR35.DLL
2009-05-24 23:42 . 2009-05-24 23:42 88 --sh--r- c:\windows\system32\16071871B6.sys
.

c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\snxPluginsShell]
@="{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}"
[HKEY_CLASSES_ROOT\CLSID\{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}]
2010-04-14 16:33 140288 ----a-w- c:\program files\Alwil Software\Avast5\snxPlugins.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeBridge"="c:\program files\Adobe\Adobe Bridge CS4\Bridge.exe" [2008-08-28 13145448]
"Google Update"="c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-04-11 136176]
"Fraps"="c:\fraps\FRAPS.EXE" [2010-03-31 2181040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-12-22 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-12-21 640440]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [4/17/2010 8:06 PM 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [4/17/2010 8:06 PM 196048]
R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [4/17/2010 8:06 PM 102736]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/17/2010 8:06 PM 297552]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/17/2010 8:06 PM 162768]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/17/2010 8:06 PM 19024]
R2 avast! Firewall;avast! Firewall;c:\program files\Alwil Software\Avast5\afwServ.exe [4/17/2010 8:06 PM 119200]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/11/2010 3:46 PM 136176]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 284016]
S3 DIGIRPS;Digi PortServer Driver;c:\windows\system32\drivers\digirlpt.sys [4/10/2010 4:12 PM 42432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-04-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 19:46]

2010-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 19:46]

2010-04-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-602162358-725345543-1003Core.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-20 19:46]

2010-04-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-602162358-725345543-1003UA.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-20 19:46]

2010-04-22 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - component: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qvr1ntkg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\User\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nphssb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-22 00:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1028)
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(2136)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\documents and settings\User\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
.
**************************************************************************
.
Completion time: 2010-04-22 01:06:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-22 05:06
ComboFix2.txt 2010-04-21 19:46
ComboFix3.txt 2010-04-21 19:04
ComboFix4.txt 2010-04-21 18:29
ComboFix5.txt 2010-04-22 04:29

Pre-Run: 101,790,699,520 bytes free
Post-Run: 101,805,592,576 bytes free

- - End Of File - - C9F6AA75F0219AFF2304430018BFBB6C

Re: Computer hijacked

Please download OTMoveIt by OldTimer.

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :files
    c:\program files\Common Files\Adobe\ARM\1.0\adobearm.exe


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

Re: Computer hijacked

========== FILES ==========
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe moved successfully.

OTM by OldTimer - Version 3.1.10.2 log created on 04222010_141844

Re: Computer hijacked

Okay, now locate this file:

c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe

Remove the space between the M and the .

Re: Computer hijacked

Okay, I see it in my system. Do you mean just rename it by removing the space between the M and the .?

Re: Computer hijacked

Yes, there is an extra space there, so remove it.

Re: Computer hijacked

Done as requested.

Re: Computer hijacked

Okay, next.

Run ESET Online Scan
Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX control. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) the Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.

Re: Computer hijacked

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=1
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=85c3d03e9a417645bc8a5d401379b993
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-04-23 06:57:18
# local_time=2010-04-23 02:57:18 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 22017837 22017837 0 0
# compatibility_mode=768 16777191 100 0 1319302 1319302 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=298363
# found=1
# cleaned=1
# scan_time=8827
C:\Qoobox\Quarantine\C\Documents and Settings\User\Local Settings\Application Data\ave.exe.vir a variant of Win32/Kryptik.DSW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=85c3d03e9a417645bc8a5d401379b993
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-04-23 12:30:53
# local_time=2010-04-23 08:30:53 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 22031417 22031417 0 0
# compatibility_mode=768 16777191 100 0 1336482 1336482 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=298369
# found=0
# cleaned=0
# scan_time=15262

Re: Computer hijacked

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?

Re: Computer hijacked

Thank you so much, my computer seems to be working just fine thanks to you guys.

You guys rock! Hooray!
