
Author Topic: needing help with uacd.sys trojan  (Read 4118 times)

milkdude971

  • Guest
needing help with uacd.sys trojan
« on: July 24, 2009, 04:36:41 PM »
Hi there, looks like I just got a nasty virus... I downloaded ComboFix and got a report.

ComboFix 09-07-23.04 - Robert 24/07/2009 18:01.1.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic   6.0.6001.1.1252.2.1033.18.1279.630 [GMT -4:00]
Running from: c:\users\Robert\Desktop\Combo-Fix.exe
SP: MalwareRemovalBot *enabled* (Updated) {D4EAEECB-3C46-498D-9317-ADD33A6A381B}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2966507171-1947029991-789456440-1002
c:\progra~2\Microsoft\Network\Downloader\qmgr0.dat
c:\progra~2\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\INSTALL.LOG
c:\temp\1cb
c:\users\Lisa\Lisa.exe
c:\windows\system32\d1
c:\windows\system32\drivers\UACtjdrjxqjso.sys
c:\windows\system32\FhgQAGgh.ini
c:\windows\system32\UACeuytyutuas.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACneegwpcfow.dll
c:\windows\system32\UACnxmiqeixic.dll
c:\windows\system32\UACoipotetais.dll
c:\windows\system32\UACqhvbecgpbe.dat
c:\windows\system32\UACrdfpdayajr.dll
c:\windows\system32\UACuycqowxpfh.db

----- BITS: Possible infected sites -----

hxxp://updates.swarmcast.net
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Service_iWinGamesInstaller


(((((((((((((((((((((((((   Files Created from 2009-06-24 to 2009-07-24  )))))))))))))))))))))))))))))))
.

2009-07-24 22:13 . 2009-07-24 22:16   --------   d-----w-   c:\users\Robert\AppData\Local\temp
2009-07-24 22:13 . 2009-07-24 22:13   --------   d-----w-   c:\users\Lisa\AppData\Local\temp
2009-07-23 20:13 . 2009-07-23 20:13   6247   ----a-w-   c:\windows\system32\uacinit.dll.vir
2009-07-23 02:01 . 2009-07-23 02:01   --------   d-----w-   c:\program files\Macrovision Corporation
2009-07-23 01:53 . 2009-07-23 07:55   --------   d-----w-   c:\progra~2\SITEguard
2009-07-23 01:52 . 2009-07-23 19:51   --------   d-----w-   c:\progra~2\STOPzilla!
2009-07-23 01:52 . 2009-07-23 01:52   --------   d-----w-   c:\program files\Common Files\iS3
2009-07-23 01:00 . 2009-07-23 01:29   --------   d-----w-   c:\users\Robert\AppData\Roaming\MalwareRemovalBot
2009-07-23 01:00 . 2009-07-23 01:36   --------   d-----w-   c:\program files\MalwareRemovalBot
2009-07-22 14:03 . 2009-07-22 14:03   262   ----a-w-   c:\users\Lisa\YWJTGJ.bat
2009-07-22 14:03 . 2009-07-22 14:03   196608   ----a-w-   c:\users\Lisa\hiupol.exe
2009-07-19 15:40 . 2009-07-19 15:59   --------   d-----w-   c:\users\Robert\AppData\Local\WMTools Downloaded Files
2009-07-19 15:39 . 2009-07-19 15:40   --------   d-----w-   c:\program files\Movie Maker 2.6
2009-07-14 17:33 . 2009-06-15 15:24   156672   ----a-w-   c:\windows\system32\t2embed.dll
2009-07-14 17:33 . 2009-06-15 15:20   72704   ----a-w-   c:\windows\system32\fontsub.dll
2009-07-14 17:33 . 2009-06-15 15:20   10240   ----a-w-   c:\windows\system32\dciman32.dll
2009-07-14 17:33 . 2009-06-15 12:52   289792   ----a-w-   c:\windows\system32\atmfd.dll
2009-07-12 17:02 . 2009-07-12 17:02   200704   ----a-w-   c:\users\Lisa\AppData\Roaming\Microsoft\Windows\.autobahn\libwin32sparsefileutil.dll
2009-07-12 17:02 . 2009-07-12 17:02   65536   ----a-w-   c:\users\Lisa\AppData\Roaming\Microsoft\Windows\.autobahn\libwin32proxyconfig.dll
2009-07-12 17:02 . 2009-07-12 17:02   --------   d-----w-   c:\users\Lisa\AppData\Local\Autobahn
2009-07-12 17:02 . 2009-07-12 17:02   --------   d-----w-   c:\users\Lisa\Swarmcast
2009-07-08 18:34 . 2007-12-26 21:30   679936   ----a-w-   c:\windows\system32\D3DX81ab.dll
2009-07-08 18:34 . 2007-12-26 21:30   1970176   ----a-w-   c:\windows\system32\d3dx9.dll
2009-07-08 18:34 . 2009-07-23 20:55   --------   d-----w-   c:\program files\Cheat Engine

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-24 22:00 . 2007-07-25 23:12   --------   d-----w-   c:\program files\Google
2009-07-23 20:12 . 2007-11-01 20:42   --------   d-----w-   c:\program files\Trojan Remover
2009-07-23 20:12 . 2007-11-01 20:35   --------   d-----w-   c:\users\Robert\AppData\Roaming\Simply Super Software
2009-07-23 19:11 . 2009-07-23 02:05   960   ----a-w-   c:\windows\system32\drivers\kgpcpy.cfg
2009-07-23 04:57 . 2009-07-23 04:57   304   ----a-w-   c:\windows\system32\drivers\kgpfr2.cfg
2009-07-23 02:17 . 2008-01-05 13:36   --------   d-----w-   c:\program files\Spybot - Search & Destroy
2009-07-23 02:01 . 2008-07-02 21:34   --------   d-----w-   c:\users\Robert\AppData\Roaming\InstallShield
2009-07-23 00:38 . 2009-03-21 15:44   --------   d-----w-   c:\program files\Microsoft Silverlight
2009-07-23 00:36 . 2008-07-02 21:28   --------   d-----w-   c:\progra~2\Bell
2009-07-23 00:36 . 2008-07-02 23:52   --------   d-----w-   c:\users\Lisa\AppData\Roaming\Bell
2009-07-23 00:36 . 2008-07-02 21:28   --------   d-----w-   c:\users\Robert\AppData\Roaming\Bell
2009-07-23 00:36 . 2008-07-02 21:28   --------   d-----w-   c:\program files\Bell
2009-07-22 18:15 . 2007-07-25 21:46   --------   d-----w-   c:\program files\BadgeHelp
2009-07-20 15:01 . 2009-05-19 00:37   --------   d-----w-   c:\users\Lisa\AppData\Roaming\FrostWire
2009-07-14 19:05 . 2006-11-02 11:18   --------   d-----w-   c:\program files\Windows Mail
2009-07-13 23:11 . 2008-04-23 20:41   --------   d-----w-   c:\users\Robert\AppData\Roaming\Image Zone Express
2009-06-26 00:35 . 2007-12-22 00:33   --------   d-----w-   c:\progra~2\PopCap Games
2009-06-26 00:35 . 2007-12-22 00:33   --------   d-----w-   c:\program files\PopCap Games
2009-06-18 11:20 . 2007-07-25 07:58   --------   d-----w-   c:\users\Lisa\AppData\Roaming\LimeWire
2009-06-17 23:57 . 2007-07-25 02:16   --------   d-----w-   c:\progra~2\Yahoo!
2009-06-17 23:50 . 2007-07-25 09:46   --------   d-----w-   c:\users\Robert\AppData\Roaming\yahoo!
2009-06-17 23:50 . 2007-07-25 01:02   --------   d-----w-   c:\program files\Yahoo!
2009-06-03 21:42 . 2009-05-14 23:42   --------   d-----w-   c:\users\Robert\AppData\Roaming\FrostWire
2009-05-27 22:15 . 2008-12-16 11:37   --------   d-----w-   c:\program files\iWin Games
2009-05-27 20:42 . 2008-01-05 13:36   --------   d-----w-   c:\progra~2\Spybot - Search & Destroy
2009-05-19 10:00 . 2009-05-19 10:00   0   ----a-w-   c:\users\Lisa\AppData\Roaming\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2009-05-14 23:51 . 2009-05-14 23:51   0   ----a-w-   c:\users\Robert\AppData\Roaming\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2009-05-09 05:50 . 2009-06-11 19:32   915456   ----a-w-   c:\windows\system32\wininet.dll
2009-05-09 05:34 . 2009-06-11 19:32   71680   ----a-w-   c:\windows\system32\iesetup.dll
2009-07-15 20:30 . 2008-09-23 14:35   137208   ----a-w-   c:\program files\mozilla firefox\components\brwsrcmp.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"????r"="" [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer5"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Lisa^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^DW_Start.lnk]
path=c:\users\Lisa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk
backup=c:\windows\pss\DW_Start.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Lisa^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^iWin Desktop Alerts.lnk]
path=c:\users\Lisa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iWin Desktop Alerts.lnk
backup=c:\windows\pss\iWin Desktop Alerts.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{7F93DF26-6D19-4F48-804C-3C5CBC2B2B65}"= UDP:c:\acer\Empowering Technology\eMode\PCM\PCMService.exe:CyberLink PowerCinema Resident Program
"{BDC03457-3E19-4BC0-9E2E-46097CBB3128}"= TCP:c:\acer\Empowering Technology\eMode\PCM\PCMService.exe:CyberLink PowerCinema Resident Program
"{DB1C8E0D-6ECC-4E34-A574-80B5B4287F69}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{E65D93F9-26A7-4493-8000-BC27E0CA38C9}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{10CF1C0D-FEFA-4E13-A609-BBD99BE276DD}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{8B5558FA-0263-4F93-8FCF-BCE9F4E5B300}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{988ABD83-E64D-4734-BED4-88DC83B9C616}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{B35C1E9D-E803-4422-9786-308CE7A23CE5}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{E8F1DBDD-D143-4372-AA29-6E84639F23C6}f:\\program files\\pogo games\\ricochet lost worlds to go\\ricochet.exe"= UDP:f:\program files\pogo games\ricochet lost worlds to go\ricochet.exe:Ricochet
"UDP Query User{9E84EF5D-68E3-4FA0-84C1-77E26C20B7C9}f:\\program files\\pogo games\\ricochet lost worlds to go\\ricochet.exe"= TCP:f:\program files\pogo games\ricochet lost worlds to go\ricochet.exe:Ricochet
"TCP Query User{4D2F9970-7FD9-4E2F-A1E8-C7A350B0B895}f:\\program files\\zone.com deluxe games\\hexic deluxe\\hexicdeluxe.exe"= UDP:f:\program files\zone.com deluxe games\hexic deluxe\hexicdeluxe.exe:Hexic Deluxe
"UDP Query User{CD11E0B7-F215-439E-8378-0CFCE8DFB7CA}f:\\program files\\zone.com deluxe games\\hexic deluxe\\hexicdeluxe.exe"= TCP:f:\program files\zone.com deluxe games\hexic deluxe\hexicdeluxe.exe:Hexic Deluxe
"TCP Query User{B270BCB0-202B-4D33-946E-983639919DC0}c:\\users\\dan\\desktop\\mirc\\mirc.exe"= UDP:c:\users\dan\desktop\mirc\mirc.exe:mirc.exe
"UDP Query User{AC8A6737-8458-43DB-BD05-38FA8465ADF6}c:\\users\\dan\\desktop\\mirc\\mirc.exe"= TCP:c:\users\dan\desktop\mirc\mirc.exe:mirc.exe
"TCP Query User{4355B497-F6A6-43FA-8F28-4D7EEB261ACF}c:\\users\\robert\\desktop\\utorrent.exe"= UDP:c:\users\robert\desktop\utorrent.exe:utorrent.exe
"UDP Query User{EEFB1F6F-082D-4E25-8DC3-B53BF8E650CD}c:\\users\\robert\\desktop\\utorrent.exe"= TCP:c:\users\robert\desktop\utorrent.exe:utorrent.exe
"TCP Query User{4CCBBBD4-A691-44AF-BD3D-1B43A40C1CE3}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{1AF16DFB-FFFF-4130-AE60-0932B5D2A3BE}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{2C704A67-A81E-4A95-BD6C-01A060F5F434}c:\\program files\\electronic arts\\eadm\\core.exe"= UDP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"UDP Query User{E6001E11-7872-4746-98DA-621612DBD9A6}c:\\program files\\electronic arts\\eadm\\core.exe"= TCP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"TCP Query User{8186460D-5A8E-48A0-9859-2845ADC13761}f:\\program files\\gamehouse\\ricochet\\ricochet.exe"= UDP:f:\program files\gamehouse\ricochet\ricochet.exe:Ricochet
"UDP Query User{AB3AEEAE-16D1-4869-B088-3C5BC58D7188}f:\\program files\\gamehouse\\ricochet\\ricochet.exe"= TCP:f:\program files\gamehouse\ricochet\ricochet.exe:Ricochet
"{3D74FD8A-CF51-4C86-87F7-DFB8FA3E0C71}"= UDP:F:3\Vent\Ventrilo.exe:Ventrilo.exe
"{2BA35272-C693-4597-9128-12C9CF48FF59}"= TCP:F:3\Vent\Ventrilo.exe:Ventrilo.exe
"{EE2A1038-8758-4743-AB52-6C630F6F801F}"= UDP:c:\program files\iWin Games\iWinGames.exe:iWin Games application.
"{D5B8586E-64B5-4633-8A87-3D0993E0E285}"= TCP:c:\program files\iWin Games\iWinGames.exe:iWin Games application.
"{7295CA47-8052-42E4-A3EC-759707D5B313}"= UDP:c:\program files\iWin Games\WebUpdater.exe:iWin Games updater.
"{3085F41E-83B6-4B30-BF68-3ED78474B158}"= TCP:c:\program files\iWin Games\WebUpdater.exe:iWin Games updater.
"{6F207A0F-186A-42A1-B9B2-A7340B52E220}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
"TCP Query User{FF855656-C270-4DB7-A4A2-D1EFDC20F0EA}c:\\program files\\frostwire\\frostwire.exe"= UDP:c:\program files\frostwire\frostwire.exe:FrostWire
"UDP Query User{07C3C17E-EA08-4F78-A45E-BC31319C356F}c:\\program files\\frostwire\\frostwire.exe"= TCP:c:\program files\frostwire\frostwire.exe:FrostWire

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"DoNotAllowExceptions"= 0 (0x0)

R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [05/01/2008 9:36 AM 1153368]
R3 LTXMD_VAC;Litex Media Virtual Audio Cabel (WDM);c:\windows\System32\drivers\lmvac.sys [01/03/2008 10:37 AM 17920]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssfltr.sys [21/03/2009 11:43 AM 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 6:08 PM 533360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork   REG_MULTI_SZ      PLA DPS BFE mpssvc
HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Acer Tour - (no file)
HKLM-Run-eRecoveryService - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.ca.acer.yahoo.com
uSearchURL,(Default) = hxxp://ca.rd.yahoo.com/customize/ycomp/defaults/su/*http://ca.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Post Image to Blog - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5003
IE: Tag This Image - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5002
IE: Transload Image to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5004
IE: Upload All Images to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5000
IE: Upload Image to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5001
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} - hxxp://student.sl.on.ca/dwa8W.cab
FF - ProfilePath - c:\users\Robert\AppData\Roaming\Mozilla\Firefox\Profiles\04qtubxv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.pogo.com/home/home.do
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota",      5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default _setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history",     true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata",    true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords",   false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads",   true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies",     true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache",       true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions",    true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history",                 true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata",                true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords",               false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads",               true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies",                 true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache",                   true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions",                true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps",             false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings",            false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs",    false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_pa ge", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_ enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-24 18:16
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(6496)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\rundll32.exe
c:\acer\Empowering Technology\ePerformance\MemCheck.exe
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\acer\Empowering Technology\eMode\PCM\Kernel\TV\CLCapSvc.exe
c:\acer\Empowering Technology\eDataSecurity\eDSService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\acer\Empowering Technology\eMode\PCM\Kernel\TV\CLSched.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\windows\System32\WUDFHost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2009-07-24 18:27 - machine was rebooted
ComboFix-quarantined-files.txt  2009-07-24 22:26

Pre-Run: 20,455,661,568 bytes free
Post-Run: 20,324,003,840 bytes free

324   --- E O F ---   2009-07-22 07:01