Hi to everybody here,
This is my first post on your website.
Actually, this is my first post in my life about this kind of issue.
It's a ComboFix log file. I just ran ComboFix on my PC today because NOD32 found some rootkit trojan inside the working memory, and I googled for that log from NOD and found out that only ComboFix can help me with it. And it really helped! Which is great.
But I want to be sure whether I need to do anything else or my PC is fine now.
That's why I'm here with my ComboFix log file:
ComboFix 09-06-20.02 - Bilosta 06/21/2009 16:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1742 [GMT 3:00]
Running from: c:\documents and settings\Bilosta\Desktop\ComboFix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\SKYNETxnbmolwb.sys
c:\windows\system32\SKYNETbqpqqmkj.dat
c:\windows\system32\SKYNETlclfkawe.dll
c:\windows\system32\SKYNETvmpqagtt.dat
c:\windows\system32\SKYNETyueempdv.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_SKYNETornmbciq
((((((((((((((((((((((((( Files Created from 2009-05-21 to 2009-06-21 )))))))))))))))))))))))))))))))
.
2009-06-21 11:53 . 2009-06-21 11:53 -------- d-----w- c:\documents and settings\Kurucity\Application Data\ESET
2009-06-21 11:52 . 2009-06-21 11:52 -------- d-----w- c:\program files\ESET
2009-06-21 11:52 . 2009-06-21 11:52 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-06-21 11:50 . 2009-06-21 11:50 -------- d-----w- c:\program files\InstallShield Installation Information
2009-06-21 11:34 . 2009-06-21 11:34 -------- d-----w- c:\documents and settings\Kurucity\Local Settings\Application Data\GHISLER
2009-06-21 11:28 . 2009-06-21 11:28 0 ----a-w- c:\windows\nsreg.dat
2009-06-21 11:28 . 2009-06-21 11:28 -------- d-----w- c:\documents and settings\Kurucity\Local Settings\Application Data\Mozilla
2009-06-21 11:26 . 2009-06-21 11:26 -------- d-sh--w- c:\documents and settings\Kurucity\IECompatCache
2009-06-21 11:26 . 2009-06-21 11:26 -------- d-sh--w- c:\documents and settings\Kurucity\PrivacIE
2009-06-21 11:23 . 2009-06-21 11:27 -------- d-----w- C:\totalcmd
2009-06-21 11:23 . 2009-06-21 11:23 -------- d-----w- c:\documents and settings\Kurucity\Application Data\GHISLER
2009-06-21 11:23 . 2009-06-11 04:50 545 ----a-w- c:\windows\UC.PIF
2009-06-21 11:23 . 2009-06-11 04:50 545 ----a-w- c:\windows\RAR.PIF
2009-06-21 11:23 . 2009-06-11 04:50 545 ----a-w- c:\windows\PKZIP.PIF
2009-06-21 11:23 . 2009-06-11 04:50 545 ----a-w- c:\windows\PKUNZIP.PIF
2009-06-21 11:23 . 2009-06-11 04:50 545 ----a-w- c:\windows\NOCLOSE.PIF
2009-06-21 11:23 . 2009-06-11 04:50 545 ----a-w- c:\windows\LHA.PIF
2009-06-21 11:23 . 2009-06-11 04:50 545 ----a-w- c:\windows\ARJ.PIF
2009-06-21 11:22 . 2008-04-13 21:17 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-06-21 11:22 . 2008-04-13 21:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-21 07:03 . 2009-06-21 07:03 -------- d-----w- c:\program files\microsoft frontpage
2009-06-21 07:00 . 2009-06-21 07:00 84760 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-21 07:00 . 2009-06-21 07:00 -------- d-----w- c:\program files\MSBuild
2009-06-21 07:00 . 2009-06-21 07:00 -------- d-----w- c:\program files\Reference Assemblies
2009-06-21 06:57 . 2009-06-21 06:56 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-21 06:55 . 2009-06-21 06:55 -------- d-----w- c:\program files\Windows Media Connect 2
2009-06-21 06:51 . 2009-06-21 06:51 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-06-21 06:50 . 2009-06-21 06:50 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-06-21 06:49 . 2009-06-21 06:49 -------- d-----w- c:\program files\Microsoft
2009-06-21 06:49 . 2009-06-21 06:49 -------- d-----w- c:\program files\Windows Live
2009-06-21 06:48 . 2009-06-21 06:48 -------- d-----w- c:\program files\MSXML 4.0
2009-06-21 06:47 . 2009-06-21 06:47 -------- d-----w- c:\program files\Microsoft Silverlight
2009-05-14 12:49 . 2009-05-14 12:49 55768 ----a-w- c:\windows\system32\drivers\epfwtdi.sys
2009-05-14 12:49 . 2009-05-14 12:49 33096 ----a-w- c:\windows\system32\drivers\epfwndis.sys
2009-05-14 12:49 . 2009-05-14 12:49 133000 ----a-w- c:\windows\system32\drivers\epfw.sys
2009-05-14 12:47 . 2009-05-14 12:47 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 12:41 . 2009-05-14 12:41 114472 ----a-w- c:\windows\system32\drivers\eamon.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DWPersistentQueuedReporting"="c:\program files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE" [2007-02-26 437160]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-05-14 2029640]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 3:47 PM 107256]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [5/14/2009 3:47 PM 731840]
.
Contents of the 'Scheduled Tasks' folder
2009-06-21 c:\windows\Tasks\User_Feed_Synchronization-{B5FB382B-BCBD-4300-8133-B432938347A2}.job
- c:\windows\system32\msfeedssync.exe [2008-04-14 03:31]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://linklol.com/homepage/
FF - ProfilePath -
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-21 16:02
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-06-21 16:03
ComboFix-quarantined-files.txt 2009-06-21 13:03
Pre-Run: 70,562,025,472 bytes free
Post-Run: 70,638,682,112 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
162
Thanks in advance for any answer!
Best,
Jozsef
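The log above is the kind of thing a removal helper reads by eye: what ComboFix deleted, which service went with it, whether the resident AV and firewall were on, what the IE start page is, and what the catchme rootkit pass found afterwards. As an added example (not code from this thread, from ComboFix, or from the helper) here is a small Python triage script that pulls those facts out of a ComboFix log. The section layout it relies on (parenthesised banner lines, a REGEDIT4 dump, the catchme footer) is inferred from the log posted above and is an assumption; other ComboFix versions may differ. The embedded sample is a trimmed, constructed copy of that log.

```python
"""Triage a ComboFix log for the indicators a removal helper reads first.

Added example, not code from the thread or from ComboFix. The parsing rules
are inferred from the log format visible in the post (section banners
wrapped in parentheses, a REGEDIT4 dump, the catchme footer) and are an
assumption; other ComboFix versions may format sections differently.
"""
import os
import re

# Constructed sample: a trimmed copy of the log posted above.
SAMPLE_LOG = r"""
ComboFix 09-06-20.02 - Bilosta 06/21/2009 16:00.1 - NTFSx86
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\SKYNETxnbmolwb.sys
c:\windows\system32\SKYNETbqpqqmkj.dat
c:\windows\system32\SKYNETlclfkawe.dll
c:\windows\system32\SKYNETvmpqagtt.dat
c:\windows\system32\SKYNETyueempdv.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_SKYNETornmbciq
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
------- Supplementary Scan -------
.
mStart Page = hxxp://linklol.com/homepage/
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
scan completed successfully
hidden files: 0
"""

BANNER = re.compile(r"^\(+\s*(.*?)\s*\)+$")


def split_sections(text):
    """Group the non-empty lines of the log under the banner they follow."""
    sections, current = {"header": []}, "header"
    for line in text.splitlines():
        line = line.rstrip()
        m = BANNER.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line and line != ".":
            sections[current].append(line)
    return sections


def triage(text):
    """Extract the facts a helper checks: what was removed, what was disabled."""
    sec = split_sections(text)
    deleted = sec.get("Other Deletions", [])
    stems = [os.path.splitext(p.replace("\\", "/").rsplit("/", 1)[-1])[0] for p in deleted]
    services = [l.split("Service_", 1)[1] for l in sec.get("Drivers/Services", []) if "Service_" in l]
    fw = re.search(r'"EnableFirewall"=\s*(\d+)', text)
    hidden = re.search(r"^hidden files:\s*(\d+)", text, re.M)
    start = re.search(r"^mStart Page = (\S+)", text, re.M)
    return {
        "deleted_files": deleted,
        "kernel_drivers": [p for p in deleted if p.lower().endswith(".sys")],
        "deleted_services": services,
        # Randomised names dropped by one installer usually share a fixed prefix.
        "shared_prefix": os.path.commonprefix(stems) if stems else "",
        "av_on_access_disabled": "*On-access scanning disabled*" in text,
        "firewall_enabled": (fw.group(1) != "0") if fw else None,
        "start_page": start.group(1) if start else None,
        "hidden_files": int(hidden.group(1)) if hidden else None,
    }


def flags(f):
    """Turn the extracted facts into the points worth raising in a reply."""
    out = []
    if f["kernel_drivers"]:
        out.append("kernel-mode driver removed: " + ", ".join(f["kernel_drivers"]))
    if f["deleted_services"]:
        out.append("service removed: " + ", ".join(f["deleted_services"]))
    if len(f["deleted_files"]) > 1 and len(f["shared_prefix"]) >= 4:
        out.append(f'{len(f["deleted_files"])} deleted files share the prefix {f["shared_prefix"]!r}')
    if f["av_on_access_disabled"]:
        out.append("AV on-access scanning was disabled at scan time")
    if f["firewall_enabled"] is False:
        # Expected when a third-party firewall (here ESET's) replaces the Windows one.
        out.append("Windows firewall disabled (EnableFirewall=0); check that a third-party firewall is on")
    if f["start_page"]:
        out.append("IE start page is " + f["start_page"] + "; confirm the user set it")
    if f["hidden_files"] == 0:
        out.append("catchme found no hidden files after removal")
    return out


if __name__ == "__main__":
    for line in flags(triage(SAMPLE_LOG)):
        print("-", line)
```

Two caveats a helper would add when reading the output: a disabled Windows firewall is normal when a suite such as ESET Smart Security installs its own, so that flag needs context rather than action; and a kernel driver plus a service sharing one randomised prefix means the infection ran in kernel mode, which is exactly why the helper below still asks for follow-up scans rather than declaring the machine clean on the strength of one ComboFix run.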
Please, don't use code wrap. The log is harder to read.
Uninstall Combofix:
Go Start > Run
Type in:
combofix /u
Note the space between the "combofix" and the "/u"
Restart computer.
=============================================================
Print these instructions out.
NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe
***VERY IMPORTANT! Make sure you update SUPERAntiSpyware and Malwarebytes before running the scans.***
STEP 1. Download SUPERAntiSpyware Free for Home Users:
SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!
* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: SUPERAntiSpyware.com - Database Definition Information.)
* Close SUPERAntiSpyware.
PHYSICALLY DISCONNECT FROM THE INTERNET
Restart computer in Safe Mode.
To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen
* Open SUPERAntiSpyware.
* Click Scan your Computer... button.
* Click Scanning Preferences/Control Center... button.
* Under the General and Startup tab, make sure the Start SUPERAntiSpyware when Windows starts option is UN-checked.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Terminate memory threats before quarantining.
* Click the Close button to leave the control center screen.
* On the left, make sure you check C:\Fixed Drive.
* On the right, choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
* Make sure everything has a checkmark next to it and click Next.
* A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
* If asked if you want to reboot, click Yes.
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.
Post SUPERAntiSpyware log.
RECONNECT TO THE INTERNET
RESTART COMPUTER!
STEP 2. Download Malwarebytes' Anti-Malware: Malwarebytes.org to your desktop.
(Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
RESTART COMPUTER!
STEP 3. Download HijackThis:
TrendSecure | Download TrendMicro HijackThis
by clicking on Download HijackThis Installer
Install, and run it.
Post HijackThis log.
Do NOT attempt to "fix" anything!
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
OK, thanks for the reply. I will not wrap the code anymore.
"DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!"
I already did this. I installed some apps and scanned the PC with NOD32 again. Everything seems fine.
Is it too late to follow your instructions, or can I (do I need to) still do that?
I meant from now on, until your computer is declared clean.
Please, run the scans (after uninstalling Combofix).
OK, I will post the log and the other things as soon as I have them.
Take your time!
Is there any other way of booting into Safe Mode than F8? I have a dual boot (XP and Arch Linux) and the bootloader (GRUB) is installed in the MBR of the HDD with XP, so I think I can't get into Safe Mode with the F8 key.
Any suggestion/idea?
Run it in Normal Mode, please.
No, I did it with F8. It worked after the bootloader passed control to Windows. Here is the result:
SUPERAntiSpyware Scan Log
SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!
Generated 06/22/2009 at 01:09 AM
Application Version : 4.26.1004
Core Rules Database Version : 3949
Trace Rules Database Version: 1891
Scan type : Complete Scan
Total Scan Time : 01:36:03
Memory items scanned : 233
Memory threats detected : 0
Registry items scanned : 4363
Registry threats detected : 0
File items scanned : 83118
File threats detected : 0