« previous next »
Pages: 1 [2]

Author Topic: iexpolore.exe and malware defense trojan  (Read 2578 times)

Offline rkthak

  • Newbie
  • *
  • Posts: 15
  • Karma: +0/-0
    • View Profile
iexpolore.exe and malware defense trojan
« Reply #20 on: January 28, 2010, 03:16:29 PM »
ComboFix 10-01-27.06 - HP_Owner 01/28/2010  13:51:47.1.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.1022.539 [GMT -6:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
AV: Norton Internet Security 2006 *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security 2006 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\h8srtkrl32mainweq.dll
c:\documents and settings\All Users\Application Data\h8srtmainqt.dll
c:\recycler\S-1-5-21-484763869-2025429265-1177238915-1003
c:\windows\system32\_000003_.tmp.dll
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\_000010_.tmp.dll
c:\windows\system32\_000011_.tmp.dll
c:\windows\system32\_000012_.tmp.dll
c:\windows\system32\_000013_.tmp.dll
c:\windows\system32\_000019_.tmp.dll
c:\windows\system32\_000020_.tmp.dll
c:\windows\system32\_000021_.tmp.dll
c:\windows\system32\_000022_.tmp.dll
c:\windows\system32\_000050_.tmp.dll
c:\windows\system32\drivers\H8SRTrxtwwroiyo.sys
c:\windows\system32\H8SRTfbctjdkkaw.dll
c:\windows\system32\H8SRTnpufveoayx.dll
c:\windows\system32\H8SRTqlcnjelnio.dat
c:\windows\system32\h8srtshsyst.dll
c:\windows\system32\H8SRTveayjrgoou.dll
c:\windows\system32\H8SRTyxeyksxdfj.dll
c:\windows\system32\ps2.bat
c:\windows\unins000.dat
c:\windows\unins000.exe
D:\Autorun.inf

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys


(((((((((((((((((((((((((   Files Created from 2009-12-28 to 2010-01-28  )))))))))))))))))))))))))))))))
.

2010-01-28 02:39 . 2010-01-28 02:39   --------   d-----w-   c:\documents and settings\HP_Owner\Application Data\Malwarebytes
2010-01-28 02:07 . 2010-01-28 02:08   --------   d-----w-   c:\documents and settings\HP_Owner\Application Data\Netscape
2010-01-27 22:44 . 2010-01-27 22:44   15880   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-01-27 22:44 . 2010-01-27 22:44   163728   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2010-01-27 22:44 . 2010-01-27 22:44   327000   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2010-01-27 22:44 . 2010-01-27 22:44   87496   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2010-01-27 21:04 . 2010-01-27 21:04   388096   ----a-r-   c:\documents and settings\HP_Owner\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-27 21:04 . 2010-01-27 21:04   --------   d-----w-   c:\program files\TrendMicro
2010-01-27 03:20 . 2010-01-07 22:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-27 03:20 . 2010-01-27 03:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-27 03:20 . 2010-01-07 22:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-01-27 03:08 . 2010-01-28 02:56   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-01-27 02:59 . 2010-01-27 02:59   --------   d-----w-   c:\program files\CCleaner
2010-01-27 00:05 . 2010-01-27 00:05   552   ----a-w-   c:\windows\system32\d3d8caps.dat
2010-01-27 00:05 . 2010-01-27 00:05   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-01-26 23:00 . 2009-12-02 13:19   15880   ----a-w-   c:\windows\system32\lsdelete.exe
2010-01-26 22:42 . 2009-12-02 13:19   64288   ----a-w-   c:\windows\system32\drivers\Lbd.sys
2010-01-26 22:34 . 2010-01-26 22:34   --------   dc-h--w-   c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-26 22:34 . 2009-12-07 14:10   2953352   -c--a-w-   c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2010-01-26 22:32 . 2010-01-26 22:42   --------   d-----w-   c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-26 22:32 . 2010-01-26 22:32   --------   d-----w-   c:\program files\Lavasoft

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-28 20:03 . 2009-10-26 03:11   --------   d-----w-   c:\documents and settings\HP_Owner\Application Data\Skype
2010-01-28 03:02 . 2009-05-23 07:02   --------   d-----w-   c:\program files\Common Files\Symantec Shared
2010-01-28 01:36 . 2009-06-09 03:25   1   ----a-w-   c:\documents and settings\HP_Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-01-27 22:44 . 2010-01-26 22:41   862040   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-01-27 22:44 . 2010-01-26 22:41   206944   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-01-27 22:44 . 2010-01-26 22:41   390288   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-01-27 22:44 . 2010-01-26 22:41   537576   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2010-01-27 22:44 . 2010-01-26 22:41   389272   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-01-27 22:44 . 2010-01-26 22:41   8   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2010-01-27 22:44 . 2010-01-26 22:41   6296864   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-01-27 22:44 . 2010-01-26 22:41   933120   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-01-27 22:44 . 2010-01-26 22:41   3803208   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-01-27 22:43 . 2010-01-26 22:41   816784   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-01-27 22:43 . 2010-01-26 22:41   823928   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-01-27 22:43 . 2010-01-26 22:41   1643272   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-01-27 22:43 . 2010-01-26 22:41   788880   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-01-27 22:43 . 2010-01-26 22:41   1181328   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-01-21 12:43 . 2009-11-25 09:34   79488   ----a-w-   c:\documents and settings\HP_Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-22 05:42 . 2004-08-04 11:00   662016   ----a-w-   c:\windows\system32\wininet.dll
2009-12-22 05:42 . 2004-08-04 11:00   81920   ----a-w-   c:\windows\system32\ieencode.dll
2009-12-09 17:06 . 2009-06-15 20:41   47592   ----a-w-   c:\documents and settings\HP_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-09 05:03 . 2009-06-04 18:47   --------   d-----w-   c:\program files\DivX
2009-12-03 16:30 . 2009-12-03 16:30   --------   d-----w-   c:\program files\MSECache
2009-11-21 16:36 . 2004-08-04 11:00   470528   ----a-w-   c:\windows\AppPatch\aclayers.dll
2009-11-04 19:28 . 2009-11-04 19:28   79144   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-05-01 21:02 . 2009-05-01 21:02   1044480   ----a-w-   c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02   200704   ----a-w-   c:\program files\mozilla firefox\plugins\ssldivx.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-14 7323648]
"CTDVDDET"="c:\program files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"CTSysVol"="c:\program files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe" [2005-09-15 57344]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-08-29 49152]
"CTHelper"="CTHELPER.EXE" [2005-10-08 16384]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-23 52840]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-10 249856]
"regcmdcons"="c:\hp\bin\cloaker.exe" [1999-11-07 27136]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-09 148888]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]

c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2005-02-02 21:44   61440   ----a-w-   c:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/26/2010 4:42 PM 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 7:19 AM 1181328]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/3/2009 3:02 PM 101936]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/15/2009 10:35 AM 721904]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2010-01-28 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 22:43]

2010-01-28 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 22:43]

2010-01-28 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 22:43]

2010-01-28 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 22:43]

2010-01-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 22:43]

2010-01-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-01-24 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - HP_Owner.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2005-10-07 17:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\jw8kaen7.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PCDrProfiler - (no file)
AddRemove-{D7DBA21A-CDE5-42EC-BB1C-AE4B3E616B9A}_is1 - c:\windows\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-28 14:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(744)
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(2496)
c:\windows\system32\msi.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
c:\windows\system32\wdfmgr.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-01-28  14:11:17 - machine was rebooted
ComboFix-quarantined-files.txt  2010-01-28 20:11

Pre-Run: 12,018,081,792 bytes free
Post-Run: 12,089,298,944 bytes free

- - End Of File - - A84EE16C3462F01900ED4F4D243615AD


I did what you said, here's the Combo Fix log attached. There are still some bugs with Mozilla tho.
« Last Edit: January 30, 2010, 03:04:49 PM by guestolo »
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
iexpolore.exe and malware defense trojan
« Reply #21 on: January 28, 2010, 11:02:13 PM »
A couple more logs please
reopen Malwarebytes antimalware
CHCCK FOR UPDATES
After updating, run a fresh Quick scan, remove anything it finds and post it's new log

In addition
Download GMER from here:
http://www.gmer.net/files.php

Unzip it to the Desktop.

Open the program - you should see the Rootkit / Malware tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Important: Close any open programs/windows!
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline rkthak

  • Newbie
  • *
  • Posts: 15
  • Karma: +0/-0
    • View Profile
iexpolore.exe and malware defense trojan
« Reply #22 on: January 30, 2010, 06:56:56 AM »
I'm going out of town for a couple days. I havent done this yet but i will when i get back.


[quote name=\'guestolo\' post=\'467692\' date=\'Jan 28 2010, 11:02 PM\']A couple more logs please
reopen Malwarebytes antimalware
CHCCK FOR UPDATES
After updating, run a fresh Quick scan, remove anything it finds and post it's new log

In addition
Download GMER from here:
http://www.gmer.net/files.php

Unzip it to the Desktop.

Open the program - you should see the Rootkit / Malware tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Important: Close any open programs/windows!
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.[/quote]
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
iexpolore.exe and malware defense trojan
« Reply #23 on: February 14, 2010, 02:37:47 PM »
As the original poster has not returned
I'll lock this topic
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Pages: 1 [2]
« previous next »