CrispyDragon Posted February 25, 2010 ID:205843 Share Posted February 25, 2010 Hey, my browser keeps getting redirected, especially when doing searches such as in Google and Norton is blocking attempted attacks 2-3 times an hour, so surely something isn't right and I would appreciate any help in getting this sorted out please.Here is the most recent Malwarebytes Scan: Malwarebytes' Anti-Malware 1.44Database version: 3792Windows 5.1.2600 Service Pack 3Internet Explorer 8.0.6001.1870225/02/2010 18:09:07mbam-log-2010-02-25 (18-09-07).txtScan type: Quick ScanObjects scanned: 130461Time elapsed: 10 minute(s), 59 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)Here is the log that deofogger_disable created:defogger_disable by jpshortstuff (29.01.10.1)Log created at 12:03 on 21/02/2010 (Chris)Checking for autostart values...HKCU\~\Run values retrieved.HKLM\~\Run values retrieved.Checking for services/drivers...-=E.O.F=-Here is the DDS log file:DDS (Ver_09-12-01.01) - NTFSx86 Run by Chris at 17:44:04.48 on 25/02/2010Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.536 [GMT 0:00]AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}============== Running Processes ===============C:\WINDOWS\system32\svchost -k DcomLaunchsvchost.exeC:\WINDOWS\System32\svchost.exe -k netsvcssvchost.exesvchost.exeC:\WINDOWS\system32\spoolsv.exesvchost.exeC:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exec:\APPS\Powercinema\Kernel\TV\CLCapSvc.exeC:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exeC:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exec:\APPS\HIDSERVICE\HIDSERVICE.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exeC:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exeC:\WINDOWS\system32\nvsvc32.exeC:\Program Files\Olivetti\ANY_WAY\olMntrService.exeC:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exeC:\WINDOWS\system32\slserv.exeC:\WINDOWS\system32\svchost.exe -k imgsvcC:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exec:\APPS\Powercinema\Kernel\TV\CLSched.exeC:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exeC:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\WINDOWS\RTHDCPL.EXEC:\WINDOWS\system32\RUNDLL32.EXEC:\Program Files\Windows Live\Messenger\msnmsgr.exeC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\rundll32.exeC:\Program Files\NETGEAR\WG111T\wlan111t.exeC:\WINDOWS\system32\wuauclt.exeD:\Documents and Settings\Chris\Desktop\dds.scr============== Pseudo HJT Report ===============uWindow Title = Packard BelluSearch Bar = hxxp://format.packardbell.com/cgi-bin/redirect/?country=UK&range=AD&phase=6&key=SEARCHuInternet Connection Wizard,ShellNext = hxxp://www.goggle.com/uInternet Settings,ProxyOverride = *.localBHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dllBHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No FileBHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dllBHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.8.0.41\IPSBHO.DLLBHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dllBHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dllBHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dllBHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dllBHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllTB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dllTB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dllTB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No FileEB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dlluRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /backgrounduRun: [ctfmon.exe] c:\windows\system32\ctfmon.exemRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNCmRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMENamemRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartupmRun: [nwiz] nwiz.exe /installmRun: [High Definition Audio Property Page Shortcut] HDAShCut.exemRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exemRun: [ulead AutoDetector v2] c:\program files\common files\ulead systems\autodetector\monitor.exemRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osbootmRun: [RTHDCPL] RTHDCPL.EXEmRun: [Alcmtr] ALCMTR.EXEmRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInitdRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXEStartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXEStartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111t\wlan111t.exeIE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspxIE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exeIE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exeIE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dllIE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dllDPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab50997.cabDPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/3/d/83d1fe15-fe0f-4bdf-b09c-4e3c49808ec7/LegitCheckControl.cabDPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cabDPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/mjss/MJSS.cab109791.cabDPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - hxxp://simcity.ea.com/update/EARTPX.cabDPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cabDPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163197986000DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cabDPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cabDPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab50997.cabDPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cabDPF: {BD393C14-72AD-4790-A095-76522973D6B8} - hxxp://messenger.zone.msn.com/binary/Bankshot.cab57213.cabDPF: {C36661D7-3590-45B1-80B5-520839E94DAD} - hxxp://simcity.ea.com/update/MaxisSimCity4PatcherX.cabDPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cabDPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cabDPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - hxxp://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cabDPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cabDPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cabHandler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.8.0.41\CoIEPlg.dllSSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dllmASetup: {4C16F395-7099-4C30-ADC9-28E398CC1782} - rundll32 gahjc0.dll,laspi================= FIREFOX ===================FF - ProfilePath - d:\docume~1\chris\applic~1\mozilla\firefox\profiles\mjt2todg.default\FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=FF - prefs.js: browser.search.selectedEngine - Yahoo SearchFF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=58819&p=FF - component: d:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dllFF - component: d:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dllFF - component: d:\documents and settings\chris\application data\mozilla\firefox\profiles\mjt2todg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dllFF - component: d:\documents and settings\chris\application data\mozilla\firefox\profiles\mjt2todg.default\extensions\{916ab64c-bc3e-471b-8e60-29551922a7ba}\components\Engine.dllFF - plugin: c:\program files\microsoft\office live\npOLW.dllFF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dllFF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dllFF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}---- FIREFOX POLICIES ----c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);============= SERVICES / DRIVERS ===============R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-3 310320]R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-2-3 259632]R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-2-3 482432]R1 IDSxpx86;IDSxpx86;d:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100218.001\IDSXpx86.sys [2010-2-20 329592]R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-5-13 54752]R2 N360;Norton 360;c:\program files\norton 360\engine\3.8.0.41\ccSvcHst.exe [2010-2-3 117640]R2 olMntrService;olMntrService;c:\program files\olivetti\any_way\olMntrService.exe [2006-1-3 69632]R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-6-23 102448]R3 NAVENG;NAVENG;d:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100224.035\NAVENG.SYS [2010-2-25 84912]R3 NAVEX15;NAVEX15;d:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100224.035\NAVEX15.SYS [2010-2-25 1324720]S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2007-6-26 17149]S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]=============== Created Last 30 ================2010-02-25 01:26:09 1374 ----a-w- c:\windows\imsins.BAK2010-02-24 20:45:15 293376 ------w- c:\windows\system32\browserchoice.exe2010-02-21 12:03:33 0 ----a-w- d:\documents and settings\chris\defogger_reenable2010-02-20 23:32:45 664 ----a-w- c:\windows\system32\d3d9caps.dat==================== Find3M ====================2010-01-07 16:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2010-01-07 16:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys2009-12-21 13:19:18 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe2009-12-16 18:43:27 343040 ------w- c:\windows\system32\dllcache\mspaint.exe2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll2009-12-14 07:08:23 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll2009-12-09 05:53:44 726528 ----a-w- c:\windows\system32\dllcache\jscript.dll2009-12-08 19:27:51 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe2009-12-08 19:26:15 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe2009-12-08 18:43:51 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe2009-12-08 09:23:28 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll2009-12-04 18:22:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys2009-02-22 12:07:03 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009022220090223\index.dat============= FINISH: 17:45:45.45 ===============And I have attached the ark.txt and attach.txt log files too.attach.zip Link to post Share on other sites More sharing options...
Kenny94 Posted February 25, 2010 ID:205865 Share Posted February 25, 2010 Hi CrispyDragon And Welcome to Malwarebytes!You might have a infected atapi.sys.Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete. Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper. Download ComboFix from one of these locations:Link 1Link 2* IMPORTANT !!! Place combofix.exe on your DesktopDisable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.You can get help on disabling your protection programs hereDouble click on combofix.exe & follow the prompts.As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement. ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:The Recovery Console was successfully installed.Click on Yes, to continue scanning for malware.Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal. When finished, it shall produce a log for you. Post that log in your next replyNote: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.---------------------------------------------------------------------------------------------Ensure your AntiVirus and AntiSpyware applications are re-enabled.--------------------------------------------------------------------------------------------- Link to post Share on other sites More sharing options...
CrispyDragon Posted February 25, 2010 Author ID:205896 Share Posted February 25, 2010 Hi, thanks for the swift response. Managed to run ComboFix and here is the log produced. ComboFix 10-02-25.02 - Chris 25/02/2010 19:54:10.1.2 - x86Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.670 [GMT 0:00]Running from: d:\documents and settings\Chris\Desktop\ComboFix.exeAV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\recycler\S-1-5-21-3357874388-1396779764-3806119133-1003c:\windows\srchasst\nls302en.lexc:\windows\system32\Thumbs.dbc:\windows\system32\twain_32.dllInfected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected Restored copy from - Kitty ate it .((((((((((((((((((((((((( Files Created from 2010-01-25 to 2010-02-25 ))))))))))))))))))))))))))))))).2010-02-24 20:45 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe2010-02-20 23:32 . 2010-02-20 23:32 664 ----a-w- c:\windows\system32\d3d9caps.dat2010-02-18 23:06 . 2010-02-18 23:07 -------- d-----w- d:\documents and settings\NetworkService\Local Settings\Application Data\Adobe.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2010-02-24 14:19 . 2006-01-13 16:41 -------- d--h--w- c:\program files\InstallShield Installation Information2010-02-23 17:54 . 2008-05-08 23:09 -------- d-----w- c:\program files\Mozilla Thunderbird2010-02-23 17:50 . 2006-11-17 23:19 -------- d-----w- c:\program files\THQ2010-01-20 20:02 . 2009-05-09 19:54 -------- d-----w- c:\program files\Microsoft Silverlight2010-01-13 22:33 . 2009-10-07 02:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2010-01-07 16:07 . 2009-10-07 02:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2010-01-07 16:07 . 2009-10-07 02:16 19160 ----a-w- c:\windows\system32\drivers\mbam.sys2009-12-31 16:50 . 2004-08-10 16:38 353792 ----a-w- c:\windows\system32\drivers\srv.sys2009-12-28 19:17 . 2009-12-28 19:17 -------- d-----w- d:\documents and settings\Chris\Application Data\DivX2009-12-28 19:15 . 2007-08-27 22:23 -------- d-----w- c:\program files\DivX2009-12-28 19:14 . 2009-12-28 19:14 -------- d-----w- c:\program files\Common Files\DivX Shared2009-12-21 19:14 . 2004-08-10 16:38 916480 ----a-w- c:\windows\system32\wininet.dll2009-12-16 18:43 . 2004-08-10 16:54 343040 ----a-w- c:\windows\system32\mspaint.exe2009-12-14 07:08 . 2004-08-10 16:37 33280 ----a-w- c:\windows\system32\csrsrv.dll2009-12-08 19:26 . 2004-08-10 16:38 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe2009-12-08 18:43 . 2004-08-03 22:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe2009-12-04 18:22 . 2004-08-10 16:37 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys2009-03-31 21:47 . 2008-04-02 09:09 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]"nwiz"="nwiz.exe" [2008-09-17 1657376]"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 61952]"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-08 57344]"Ulead AutoDetector v2"="c:\program files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-11-26 90112]"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-01-13 180269]"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 14854144]"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]d:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]NETGEAR WG111T Smart Wizard.lnk - c:\program files\NETGEAR\WG111T\wlan111t.exe [2007-6-26 884840][HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]@="FSFilter Activity Monitor"[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]"DisableMonitoring"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]"DisableMonitoring"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%ProgramFiles%\\AOL 9.0\\aol.exe"="%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"="%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"="%windir%\\system32\\sessmgr.exe"="c:\\Program Files\\Messenger\\msmsgs.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"="c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="c:\\Program Files\\iTunes\\iTunes.exe"="c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [03/02/2010 06:13 310320]R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [03/02/2010 06:13 259632]R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [03/02/2010 06:13 482432]R1 IDSxpx86;IDSxpx86;d:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSXpx86.sys [20/02/2010 07:19 329592]R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [13/05/2009 06:45 54752]R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [03/02/2010 06:13 117640]R2 olMntrService;olMntrService;c:\program files\Olivetti\ANY_WAY\olMntrService.exe [03/01/2006 11:36 69632]R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [26/06/2007 14:22 17149]R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [23/06/2009 15:13 102448]S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [05/08/2009 21:48 704864].Contents of the 'Scheduled Tasks' folder2009-12-19 c:\windows\Tasks\AppleSoftwareUpdate.job- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]2010-02-25 c:\windows\Tasks\User_Feed_Synchronization-{54AF50C7-F74E-4169-BAD6-B062E8117D52}.job- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]..------- Supplementary Scan -------.uInternet Connection Wizard,ShellNext = hxxp://www.goggle.com/uInternet Settings,ProxyOverride = *.localIE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspxIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000FF - ProfilePath - d:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\mjt2todg.default\FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=FF - prefs.js: browser.search.selectedEngine - Yahoo SearchFF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=58819&p=FF - component: d:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dllFF - component: d:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dllFF - component: d:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\mjt2todg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dllFF - component: d:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\mjt2todg.default\extensions\{916ab64c-bc3e-471b-8e60-29551922a7ba}\components\Engine.dllFF - plugin: c:\program files\Microsoft\Office Live\npOLW.dllFF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dllFF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dllFF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\---- FIREFOX POLICIES ----c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);.- - - - ORPHANS REMOVED - - - -Notify-WgaLogon - (no file)ActiveSetup-{4C16F395-7099-4C30-ADC9-28E398CC1782} - gahjc0.dll**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2010-02-25 20:03Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1".--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'explorer.exe'(2708)c:\windows\system32\WININET.dllc:\windows\system32\nview.dllc:\windows\system32\NVWRSENG.DLLc:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dllc:\windows\system32\ieframe.dllc:\windows\system32\webcheck.dllc:\windows\system32\WPDShServiceObj.dllc:\windows\system32\PortableDeviceTypes.dllc:\windows\system32\PortableDeviceApi.dll.------------------------ Other Running Processes ------------------------.c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exec:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exec:\program files\Bonjour\mDNSResponder.exec:\apps\Powercinema\Kernel\TV\CLCapSvc.exec:\program files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exec:\program files\CyberLink\Shared Files\CLML_NTService\CLMLService.exec:\apps\HIDSERVICE\HIDSERVICE.exec:\program files\Java\jre6\bin\jqs.exec:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exec:\windows\system32\nvsvc32.exec:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exec:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exec:\apps\Powercinema\Kernel\TV\CLSched.exec:\windows\system32\wscntfy.exec:\windows\system32\rundll32.exec:\windows\RTHDCPL.EXEc:\windows\system32\RUNDLL32.EXEc:\program files\QuickTime\QTTask.exec:\program files\iTunes\iTunesHelper.exec:\program files\Plustek\OpticFilm 7200i\QuickScan.exec:\program files\iPod\bin\iPodService.exe.**************************************************************************.Completion time: 2010-02-25 20:11:16 - machine was rebootedComboFix-quarantined-files.txt 2010-02-25 20:11Pre-Run: 14,130,188,288 bytes freePost-Run: 14,076,936,192 bytes free- - End Of File - - 4084EB94BF3FD710903EF2991F18E119 Link to post Share on other sites More sharing options...
Kenny94 Posted February 25, 2010 ID:205916 Share Posted February 25, 2010 OK, we still have work to do. I'll be back tomorrow. With more instructions CrispyDragon.... Link to post Share on other sites More sharing options...
CrispyDragon Posted February 25, 2010 Author ID:205930 Share Posted February 25, 2010 Sure thing, thanks for the continued help. Link to post Share on other sites More sharing options...
Kenny94 Posted February 26, 2010 ID:206040 Share Posted February 26, 2010 Hi CrispyDragon.Launch Malwarebytes' Anti-MalwareIf an update is found, it will download and install the latest version.Once the program has loaded, select "Perform Quick Scan", then click Scan.The scan may take some time to finish,so please be patient.When the scan is complete, click OK, then Show Results to view the results.Make sure that everything is checked, and click Remove Selected.When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.Copy&Paste the entire report in your next reply.Extra Note:If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.NextPlease download GooredFix from one of the locations below and save it to your DesktopDownload Mirror #1Download Mirror #2Ensure all Firefox windows are closed.To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).When prompted to run the scan, click Yes.GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).In your next reply, please include these log(s):MBAM ReportGooredFix.txtAlso, please let me know how things are running now? Link to post Share on other sites More sharing options...
CrispyDragon Posted February 26, 2010 Author ID:206064 Share Posted February 26, 2010 As of right now, things seem to be running smoothly. Internet seems more efficient and my PC more responsive. No browser redirects or attempted attacks since running ComboFix. Here is the Malwarebytes log:Malwarebytes' Anti-Malware 1.44Database version: 3794Windows 5.1.2600 Service Pack 3Internet Explorer 8.0.6001.1870226/02/2010 01:24:58mbam-log-2010-02-26 (01-24-58).txtScan type: Quick ScanObjects scanned: 130265Time elapsed: 5 minute(s), 47 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)And here is the GooredFix LogGooredFix by jpshortstuff (08.01.10.1)Log created at 02:55 on 26/02/2010 (Chris)Firefox version 3.6 (en-GB)========== GooredScan ==================== GooredLog ==========C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c} [05:03 21/03/2007]{972ce4c6-7e08-4474-a285-3208198ce6fd} [23:16 01/10/2006]{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [05:48 07/10/2009]D:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\mjt2todg.default\extensions\en-GB@dictionaries.addons.mozilla.org [22:37 15/08/2007]netvideohunter@netvideohunter.com [20:33 04/11/2009]personas@christopher.beard [04:08 17/01/2010]tineye@ideeinc.com [22:03 11/11/2009]{0545b830-f0aa-4d7e-8820-50a4629a56fe} [16:46 01/02/2010]{1018e4d6-728f-4b20-ad56-37578a4de76b} [12:52 15/01/2010]{20a82645-c095-46ed-80e3-08825760534b} [07:25 08/08/2009]{3112ca9c-de6d-4884-a869-9855de68056c} [07:21 27/11/2009]{916ab64c-bc3e-471b-8e60-29551922a7ba} [01:05 04/02/2010]{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} [15:55 29/01/2010]{ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a} [07:57 23/01/2010][HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [09:35 06/08/2009]"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [05:48 07/10/2009]"{7BA52691-1876-45ce-9EE6-54BCB3B04BBC}"="D:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\" [20:02 25/02/2010]---------- Old Logs ----------GooredFix[02.55.01_26-02-2010].txt-=E.O.F=- Link to post Share on other sites More sharing options...
Kenny94 Posted February 26, 2010 ID:206236 Share Posted February 26, 2010 Were almost done here...... We'll run this online scan to help look for remnants. And check your Security so this will not happen again..ESET Online ScannerNote: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however may need to disable your current installed Anti-Virus, how to do so can be read here.Please go here then click on: Select the option YES, I accept the Terms of Use then click on: When prompted allow the Add-On/Active X to install.Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.Now click on Advanced Settings and select the following:Scan for potentially unwanted applicationsScan for potentially unsafe applicationsEnable Anti-Stealth Technology[*]Now click on: [*]The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.[*]When completed the Online Scan will begin automatically. [*]Do not touch either the Mouse or keyboard during the scan otherwise it may stall. [*]When completed select Uninstall application on close if you so wish, make sure you copy the logfile first![*]Now click on: [*]Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.[*]Copy and paste that log as a reply to this topic.Note: Do not forget to re-enable your Anti-Virus application after running the above scan!NextDownload Security Check from here or here.Save it to your Desktop.Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.A Notepad document should open automatically called checkup.txt; please post the contents of that document.In your next reply, please include these log(s):EsetOnlineScanner\log.txtcheckup.txt Link to post Share on other sites More sharing options...
CrispyDragon Posted February 27, 2010 Author ID:206993 Share Posted February 27, 2010 Hi there, I just wanted to let you know that I have been very busy recently and haven't had a chance to do the necessary scans just yet. I will have them done by tomorrow and really do appreciate all the help you are giving. Link to post Share on other sites More sharing options...
Kenny94 Posted February 27, 2010 ID:207055 Share Posted February 27, 2010 Link to post Share on other sites More sharing options...
CrispyDragon Posted February 28, 2010 Author ID:207588 Share Posted February 28, 2010 Hi, just ran the two checks.ESET Scanner LogESETSmartInstaller@High as downloader log:all okESETSmartInstaller@High as downloader log:all ok# version=7# OnlineScannerApp.exe=1.0.0.1# OnlineScanner.ocx=1.0.0.6211# api_version=3.0.2# EOSSerial=24e492bfae399f4794a6ab6ed7542323# end=finished# remove_checked=false# archives_checked=true# unwanted_checked=true# unsafe_checked=true# antistealth_checked=true# utc_time=2010-02-28 11:02:25# local_time=2010-02-28 11:02:25 (+0000, GMT Standard Time)# country="United Kingdom"# lang=1033# osver=5.1.2600 NT Service Pack 3# compatibility_mode=3589 16777189 100 100 45574 16463041 0 0# compatibility_mode=8192 67108863 100 0 171878 171878 0 0# scanned=116532# found=0# cleaned=0# scan_time=5548Security Check Log:Results of screen317's Security Check version 0.99.1 Windows XP Service Pack 3 `````````````````````````````` Antivirus/Firewall Check: Windows Firewall Disabled! ESET Online Scanner v3 OneCare Advisor (Windows Live Toolbar) Norton 360 `````````````````````````````` Anti-malware/Other Utilities Check: CCleaner Java 6 Update 16 Out of date Java installed! Adobe Flash Player 10 Adobe Reader 7.0 Out of date Adobe Reader installed! `````````````````````````````` Process Check: objlist.exe by Laurent Norton ccSvcHst.exe ``````````````````````````````DNS Vulnerability Check: GREAT! (Not vulnerable to DNS cache poisoning) `````````End of Log``````````` Link to post Share on other sites More sharing options...
Kenny94 Posted March 1, 2010 ID:207839 Share Posted March 1, 2010 There are some older versions of Java on your computer. These can be a source of infection. [Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.Scroll down to where it says Java SE Runtime Environment (JRE) - JRE 6 Update 18 -Click the Download button to the right.Select the Windows platform from the dropdown menu.Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6u16 with JavaFX 1 License Agreement. Click on Continue.The page will refresh.Click on the link to download Windows Offline Installation and save the file to your desktop.Close any programs you may have running - especially your web browser.Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.Click the Remove or Change/Remove button.Repeat as many times as necessary to remove each Java versions.Reboot your computer once all Java components are removed.Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version.After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)On the General tab, under Temporary Internet Files, click the Settings button.Next, click on the Delete Files buttonThere are two options in the window to clear the cache - Leave BOTH CheckedApplications and AppletsTrace and Log Files[*]Click OK on Delete Temporary Files WindowNote: This deletes ALL the Downloaded Applications and Applets from the CACHE.[*]Click OK to leave the Temporary Files Window[*]Click OK to leave the Java Control Panel.To test your Java Run-time, you may go to this page http://www.java.com/en/download/help/testvm.xmlWhen all is well, you should see Java Version: 1.6.0_18 from Sun Microsystems Inc.And be sure to run Secunia software inspector & update checker Some final items:Follow these steps to uninstall Combofix and tools used in the removal of malwarePlease press the Windows Key and R on your keyboard. This will bring up the Run... command.Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the x and /)Please follow the prompts to uninstall Combofix.You will then recieve a message saying Combofix was uninstalled successfully once it's done uninstalling itself.This will uninstall Combofix and anything assoicated with it.Here are some additional links for you to check out to help you with your computer security. BrowsersJust because your computer came loaded with Internet Explorer doesn't mean that you have to use it, there are other free alternatives, FIREFOX and OPERA, both are free to use and are more secure than IE. If you are using firefox you can stay more secure by adding NoScript and WOT (Web Of Trust)NoScript stops Java scripts from starting on a web page unless you give permission for them, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.Make your Internet Explorer more secure - This can be done by following these simple instructions:From within Internet Explorer click on the Tools menu and then click on Options.Click once on the Security tabClick once on the Internet icon so it becomes highlighted.Click once on the Custom Level button.Change the Download signed ActiveX controls to PromptChange the Download unsigned ActiveX controls to DisableChange the Initialize and script ActiveX controls not marked as safe to DisableChange the Installation of desktop items to PromptChange the Launching programs and files in an IFRAME to PromptChange the Navigate sub-frames across different domains to PromptWhen all these settings have been made, click on the OK buttonIf it prompts you as to whether or not you want to save the settings, press the Yes button.Next press the Apply button and then the OK to exit the Internet Properties page.Additional Security MeasuresVisit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.SpywareBlaster- SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.Cookienator- Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.Winpatrol Download and install the free version of Winpatrol. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.Secunia software inspector & update checker Malware And Spyware TipsAlso, see here for system improvement: Help! My computer is slow!It was a pleasure working with you CrispyDragon.Kenny (Kenny94) Link to post Share on other sites More sharing options...
Kenny94 Posted March 1, 2010 ID:207840 Share Posted March 1, 2010 If you have any questions let me know in the next few days.... Link to post Share on other sites More sharing options...
CrispyDragon Posted March 2, 2010 Author ID:208686 Share Posted March 2, 2010 Thank you for all your assistance and tips. I greatly appreciate all of it. Link to post Share on other sites More sharing options...
Maurice Naggar Posted March 3, 2010 ID:209137 Share Posted March 3, 2010 Glad we could help. B)If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts