Internet banking - odd window pops up
Comments
You may have found a new trojan - project mimicker. No scanner picked it up yesterday, and Google produced no results on the filename, but today one has.
There's still a possibility it's a false positive; time will tell. The DLL purports to come from Microsoft.
Surprisingly AVG (not a fan) is the only one that detects it currently. Maybe they picked it up from your VirusTotal upload yesterday, as the uploads are distributed to AV companies. If it is really malware, others will follow, so it will be interesting to see how quickly or slowly the VirusTotal results change.
http://virusscan.jotti.org/en/scanresult/189bf6b29b8be00917cbda3602cb14a821cbf550
http://www.virustotal.com/analisis/408d07b0b0ec8b5bda1412b206a78f4793b9370f6b30a33a2e32c88119c19eac-1273191517
Is the popup not coming up because you disabled the Avast web scanner, or did you disable the DLL using Autoruns?
I'm not sure that makes me feel any better, but at least I'm a happy bunny now! I actually saved that result file; AVG didn't pick it up then. At least others might benefit now.
Although I disabled it, should I go back and delete it? I'm off bedwards but will do it in the morning if need be.
Thank you very much for all your help.
P.S. Disabled using Autoruns, didn't touch Avast.
If it is really a trojan, you might not be out of the woods yet.
Could you search your PC for any files called mhookforms.*
What did you do? Disable it in Autoruns, or did you disable the web shield scanner in Avast? Because that will stop the detection message.
If you disabled it in Autoruns, the file is still there but not being used, and there may be other components floating about too, as I couldn't find the URL redirect in the strings of the DLL (but they may be encoded). Another option is to download and create a bootable AVG rescue CD, boot from it, update, and do a scan: http://www.avg.com/ie-en/226386
Maybe disable the Avast virus shields (temporarily, to avoid conflicts and speed up the scan), install and update AVG, then run a full scan overnight. If it finds anything, note the results and files, let it deal with it, then uninstall AVG and re-enable the Avast shields.
Avoid any banking etc. on that PC for a while, and keep a close eye on your accounts.
There is a possibility some of this info may have been exposed:
SMTP Email Address
POP3 Password2
IMAP Password2
amongst others stored in pstores. You can find out what passwords are stored on your PC by using this:
http://www.nirsoft.net/utils/pspv.zip
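The search asked for above (look for mhookforms.* and the DLL) can be scripted so that it also catches a renamed copy by hash. The following is an added example, not code from this thread or from any of the tools mentioned in it: it walks the given folders, flags files whose name matches the patterns named in the thread, and flags any file whose SHA-256 equals a known-bad hash. The hash is the one in the VirusTotal link earlier in the thread (VirusTotal report URLs carry the file's SHA-256, which is assumed here); the scan roots are placeholders, and the demo tree is constructed sample data, not real malware. As the poster suggests, run a sweep like this from a rescue boot rather than the live system, since a live rootkit can hide files from an on-line scan.

```python
"""Sweep folders for the file names named in the thread and for a known-bad
SHA-256. Added example; assumes the hash below is the file's SHA-256 as
carried in the VirusTotal URL, and that SCAN_ROOTS are placeholders."""
import fnmatch
import hashlib
import os
import shutil
import tempfile

# File names mentioned in the thread (case-insensitive glob patterns).
SUSPECT_PATTERNS = ["mhookforms.*", "msiedle.dll"]
# SHA-256 from the VirusTotal link in the thread (assumption: the URL id is the file hash).
KNOWN_BAD_SHA256 = {"408d07b0b0ec8b5bda1412b206a78f4793b9370f6b30a33a2e32c88119c19eac"}
# Placeholder scan roots for an XP box; from a rescue boot, point at the mounted system drive.
SCAN_ROOTS = [r"C:\Windows\system32", r"C:\Documents and Settings", r"C:\Program Files"]
MAX_HASH_BYTES = 50 * 1024 * 1024   # skip hashing very large files to keep the sweep fast


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(roots, patterns=SUSPECT_PATTERNS, bad_hashes=KNOWN_BAD_SHA256):
    """Return one dict per hit: path, sha256 (or None), and which test matched.

    A name match alone is only a lead (a legitimate file can share a name);
    a hash match is the stronger signal and also catches a renamed copy."""
    hits = []
    bad = {h.lower() for h in bad_hashes}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                name_hit = any(fnmatch.fnmatch(name.lower(), p.lower()) for p in patterns)
                digest = None
                try:
                    if os.path.getsize(path) <= MAX_HASH_BYTES:
                        digest = sha256_of(path)
                except OSError:
                    pass  # locked, unreadable or vanished; keep going
                hash_hit = digest is not None and digest in bad
                if name_hit or hash_hit:
                    hits.append({"path": path, "sha256": digest,
                                 "name_match": name_hit, "hash_match": hash_hit})
    return hits


def demo():
    """Run the sweep over a constructed tree (sample data, not real malware)."""
    base = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(base, "sub"))
        with open(os.path.join(base, "mhookforms.xul"), "wb") as f:
            f.write(b"<overlay/>")                      # name match only
        renamed = os.path.join(base, "sub", "innocent.tmp")
        with open(renamed, "wb") as f:
            f.write(b"constructed sample bytes")        # hash match only
        with open(os.path.join(base, "readme.txt"), "wb") as f:
            f.write(b"clean")                           # no match
        bad = KNOWN_BAD_SHA256 | {sha256_of(renamed)}   # treat the renamed file as the known sample
        return sweep([base], bad_hashes=bad)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

On a real run, replace the demo tree with `sweep(SCAN_ROOTS)`; a name-only hit is a lead to upload to VirusTotal or Jotti, while a hash hit is the same file the scanners already flagged, whatever it has been renamed to.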
Kaspersky is now detecting it:
http://www.securelist.com/en/descriptions/7695982/Trojan.Win32.Agent.dydu
I looked for the mhookform thing this morning but couldn't find anything.
I'm now doing the AVG rescue disc scan which so far has 3 virus detections in Documents & Settings.
I have (lucky me!)
msiedle.dll/contents.rdf virus identified JS/Agent.A
msiedle.dll:/mhookforms.xul virus identified JS/Agent.B
JS/Agent.A.dropper
No doubt I will return soon once I see what happens next. This stuff is all new to me; thank goodness for forums and Google!
Please run COMBOFIX
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Shut down your anti virus
Follow the simple instructions it gives
Post the COMPLETE log it creates here (split into sections if need be) ~ if there are loads of 'SNAPSHOT' pages then leave them out
If it comes up with a RENAMING error then RIGHT click the exe file, RENAME it and call it QWERTY (making the complete file name 'QWERTY.exe'), or SAVE as 'QWERTY' on download.
Finished the AVG rescue disc scan.
It also found it in Mozilla Firefox/chrome/error.jar and Windows/system32 (no surprise with that one!). When it came to the options of what to do with them I did the recommended and renamed them.
There will be a short pause while I start dinner, then I'll do the COMBOFIX thing.
ComboFix 10-05-06.05 - al 07/05/2010 18:24:44.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.461 [GMT 1:00]
Running from: c:\documents and settings\al\Downloads folder\QWERTY.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\al\l_INFECTED.arl
c:\documents and settings\al\Local Settings\Temporary Internet Files\mcc1F.tmp
c:\windows\system32\AutoRun.inf
.
((((((((((((((((((((((((( Files Created from 2010-04-07 to 2010-05-07 )))))))))))))))))))))))))))))))
.
2010-05-07 13:28 . 2010-05-07 13:28 d-----w- c:\documents and settings\All Users\Application Data\Canneverbe Limited
2010-05-07 13:28 . 2010-05-07 13:28 d-----w- c:\documents and settings\al\Application Data\Canneverbe Limited
2010-05-07 13:28 . 2009-11-12 13:48 7168 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2010-05-07 13:28 . 2010-05-07 13:28 d-----w- c:\program files\CDBurnerXP
2010-05-07 13:02 . 2010-02-24 09:16 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-05-07 12:59 . 2010-05-07 12:59 d-----w- c:\program files\Windows Defender
2010-05-06 20:04 . 2010-05-06 20:04 0 ----a-w- c:\windows\nsreg.dat
2010-05-06 20:04 . 2010-05-06 20:04 d-----w- c:\documents and settings\al\Local Settings\Application Data\Mozilla
2010-05-06 19:39 . 2010-05-06 19:39
d-sh--w- c:\documents and settings\al\IECompatCache
2010-05-06 19:35 . 2010-05-06 19:35
d-sh--w- c:\documents and settings\al\PrivacIE
2010-05-06 19:34 . 2010-05-06 19:34
d-sh--w- c:\documents and settings\al\IETldCache
2010-05-06 19:31 . 2010-05-06 19:32 d-----w- c:\windows\ie8updates
2010-05-06 19:29 . 2010-05-06 19:31
dc-h--w- c:\windows\ie8
2010-05-06 19:24 . 2010-02-25 06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-05-06 19:24 . 2010-02-25 06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-05-06 19:22 . 2010-02-16 04:50 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-05-06 19:09 . 2010-05-07 17:15 d-----w- c:\documents and settings\al\Downloads folder
2010-05-06 17:05 . 2010-05-06 17:05 d-----w- c:\program files\Eusing Free Registry Cleaner
2010-05-05 23:27 . 2010-05-05 23:27 d-----w- c:\program files\CCleaner
2010-05-05 16:57 . 2010-05-05 16:57 d-----w- c:\program files\Trend Micro
2010-05-04 22:14 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-04 22:14 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-04 22:14 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-04 22:14 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-04 22:14 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-04 22:14 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-04 22:14 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-05-04 22:13 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-04 22:13 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-05-04 22:13 . 2010-05-04 22:13 d-----w- c:\program files\Alwil Software
2010-05-04 22:13 . 2010-05-04 22:13 d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-04 16:50 . 2010-05-04 16:50 d-----w- c:\documents and settings\al\Application Data\Malwarebytes
2010-05-04 16:50 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-04 16:50 . 2010-05-04 16:50 d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-04 16:50 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-04 16:50 . 2010-05-04 16:50 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-16 14:07 . 2010-04-16 14:07 d-----w- c:\windows\system32\LogFiles
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-06 21:06 . 2008-12-25 21:11 d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-05 22:43 . 2008-07-06 11:18 147606 ----a-w- c:\windows\hpoins21.dat
2010-05-04 22:24 . 2009-10-26 22:35 d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-05-03 12:55 . 2008-10-14 20:13 18657731 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2010-05-01 05:55 . 2010-05-01 07:56 3424768 ----a-w- c:\windows\Internet Logs\xDB25.tmp
2010-03-31 17:32 . 2010-03-31 19:59 3428352 ----a-w- c:\windows\Internet Logs\xDB24.tmp
2010-03-20 18:20 . 2010-03-20 18:21 561152 ----a-w- c:\windows\Internet Logs\xDB23.tmp
2010-03-20 15:55 . 2010-03-20 16:57 3781120 ----a-w- c:\windows\Internet Logs\xDB22.tmp
2010-03-15 17:12 . 2010-03-15 17:12 d-----w- c:\program files\Common Files\logishrd
2010-03-06 15:41 . 2010-03-06 17:40 2933248 ----a-w- c:\windows\Internet Logs\xDB21.tmp
2010-03-02 16:43 . 2010-03-02 16:44 3348480 ----a-w- c:\windows\Internet Logs\xDB20.tmp
2010-02-25 06:24 . 2004-08-03 23:56 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-13 13:41 . 2010-02-13 14:56 2365440 ----a-w- c:\windows\Internet Logs\xDB1F.tmp
2010-02-13 13:41 . 2010-02-13 14:56 5571584 ----a-w- c:\windows\Internet Logs\xDB1E.tmp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-03-28 3325952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]
"nwiz"="nwiz.exe" [2008-05-02 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 86016]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 16126464]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2008-04-03 151552]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-09-14 1584640]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-7-14 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
NETGEAR WG111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v2\WG111v2.exe [2006-5-17 2297856]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-7-11 51984]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Client Viewer\\NetViewer.exe"=
"c:\\Program Files\\NETGEAR\\WG111v2\\WG111v2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpBrowser.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpNotifier.exe"=
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [04/05/2010 23:14 164048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [04/05/2010 23:14 19024]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [03/05/2005 11:25 710144]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [27/03/2006 17:53 167808]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [15/12/2009 00:35 135664]
S2 OODefrag;O&O Defrag;c:\windows\system32\oodag.exe [08/02/2002 12:15 263168]
S3 USBNIC;USBNIC Network Adapter;c:\windows\system32\DRIVERS\USBNIC.sys --> c:\windows\system32\DRIVERS\USBNIC.sys [?]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - NMSACCESS
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2010-05-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-14 23:35]
2010-05-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-14 23:35]
2010-05-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
FF - ProfilePath - c:\documents and settings\al\Application Data\Mozilla\Firefox\Profiles\i9k3aitd.default\
FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-07 18:29
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_USERS\S-1-5-21-1659004503-842925246-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(1012)
c:\windows\system32\RtlGina2.dll
.
Completion time: 2010-05-07 18:32:34
ComboFix-quarantined-files.txt 2010-05-07 17:32
Pre-Run: 195,288,117,248 bytes free
Post-Run: 195,350,818,816 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - D9652316FC4691AAD23D3A012FADBCC80
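ComboFix logs are long and the security-relevant lines are easy to miss. In the log above, for example, `"EnableFirewall"= 0 (0x0)` under the standard profile and `*On-access scanning disabled*` on the AV line both deserve a second look: the first is expected when ZoneAlarm replaces the Windows Firewall and the second because ComboFix asks you to shut the AV down first, but each should be confirmed rather than assumed. The script below is an added example, not part of the thread or of ComboFix itself: it pulls the Run/RunOnce entries and the firewall and Security Center values out of a ComboFix-style log and lists the ones a reviewer would check first. The sample log is an excerpt copied from the log above and used here as constructed test input; the "unqualified path" and "user-writable location" flags are this example's own heuristics, not anything ComboFix reports.

```python
"""Pull the review-worthy lines out of a ComboFix-style log. Added example,
not ComboFix output; the heuristics below are this script's own."""
import re

# Excerpt copied from the ComboFix log in the thread, used as constructed test input.
SAMPLE_LOG = r"""
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-03-28 3325952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2008-05-02 1630208]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<rest>.*)$')
RUN_VALUE = re.compile(r'^"(?P<path>[^"]*)"(?:\s+\[(?P<date>[\d-]+)\s+(?P<size>\d+)\])?')
# Locations an ordinary user can write to; an autostart pointing here deserves a look.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\", "\\local settings\\")


def _dword(rest):
    """Parse 'dword:00000001' or '0 (0x0)' style values; None if not numeric."""
    rest = rest.strip().lower()
    if rest.startswith("dword:"):
        return int(rest[6:], 16)
    m = re.match(r"^(\d+)", rest)
    return int(m.group(1)) if m else None


def triage(log_text):
    """Return {'run_entries': [...], 'findings': [...]} for a ComboFix-style log."""
    run_entries, findings = [], []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("AV:") and "disabled" in line.lower():
            findings.append(line)   # AV shield off: expected while ComboFix runs, confirm it comes back on
            continue
        m = SECTION.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE.match(line)
        if not m:
            continue
        name, rest = m.group("name"), m.group("rest")
        key_l = (current_key or "").lower()
        if key_l.endswith("\\run") or key_l.endswith("\\runonce"):
            q = RUN_VALUE.match(rest)
            if not q:
                continue
            path = q.group("path")
            low = path.lower()
            run_entries.append({
                "key": current_key, "name": name, "path": path,
                "date": q.group("date"),
                "size": int(q.group("size")) if q.group("size") else None,
                # bare file name: resolved by search order at logon, so which binary runs is not pinned down
                "unqualified": "\\" not in path,
                "user_writable": any(s in low for s in USER_WRITABLE),
            })
        elif name.lower() == "enablefirewall" and _dword(rest) == 0:
            findings.append(f"{current_key}: EnableFirewall=0 (Windows Firewall off for this profile)")
        elif name.lower() == "disablemonitoring" and _dword(rest):
            findings.append(f"{current_key}: DisableMonitoring=1 (Security Center not watching this product)")
    return {"run_entries": run_entries, "findings": findings}


def suspicious_run_entries(result):
    """Autostarts worth checking first: unqualified names or user-writable paths."""
    return [e for e in result["run_entries"] if e["unqualified"] or e["user_writable"]]


if __name__ == "__main__":
    res = triage(SAMPLE_LOG)
    for f in res["findings"]:
        print("FINDING:", f)
    for e in suspicious_run_entries(res):
        print("CHECK  :", e["name"], "->", e["path"])
```

Run it against a full log by reading the file into `triage()`. On the excerpt it reports the disabled AV shield, the firewall profile switched off, and the Security Center monitoring flag, and singles out `nwiz` for its bare file name; that last one is a known NVIDIA component, which is exactly why the script only ranks entries for a human to check rather than calling anything malicious.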