
Browser redirects, random popups, Avast can't update



Late last night, I got a random message on my screen that Windows blocked. Avast popped up with messages that a threat had been blocked (this was while I was on the ESPN Fantasy Baseball page by the way). So I thought everything was okay, until I started getting popups and redirects randomly. Both Firefox and IE still work, but Google Chrome isn't working right now. Avast can't update either; it says that it can't connect to their server. I was able to update Avast manually however. I ran a Quick Scan of Malwarebytes last night, and it quarantined files that contain "Spyware.Dybalom", "Trojan.Hiloti", "Trojan.Fraudpack" and "Rogue.AntivirusSuite", but I still had the same problems after I quarantined those, and nothing came up on a full system scan. Please let me know what I need to give you in order for you to help me. Thank you in advance!!!


Hello josephkata! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something, please ask.
  • Do not install or uninstall any software or hardware while we work on it.
  • Keep me informed about any changes.

Please follow these instructions:

http://forums.malwarebytes.org/index.php?showtopic=9573

Post all logs if you can.


Thank you so much! I also should mention that I haven't been able to do a Windows update either, so I think it's responsible for that too. Here are the logs you requested:

This is the clean MBAM log that I just ran:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4258
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

6/29/2010 4:18:48 PM
mbam-log-2010-06-29 (16-18-48).txt

Scan type: Quick scan
Objects scanned: 127180
Time elapsed: 4 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

This was the one I ran last night, when it had stuff to clean:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4252
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

6/29/2010 12:04:49 AM
mbam-log-2010-06-29 (00-04-49).txt

Scan type: Quick scan
Objects scanned: 127093
Time elapsed: 4 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\htanikijira (Trojan.Hiloti) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\config\systemprofile\AppData\Local\miepaCot.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Windows\Temp\dcomcnfga.exe (Spyware.Dybalom) -> Quarantined and deleted successfully.
C:\Windows\Temp\getmaca.exe (Spyware.Dybalom) -> Quarantined and deleted successfully.
C:\Windows\Temp\gquhbyp.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Windows\Temp\timeouta.exe (Spyware.Dybalom) -> Quarantined and deleted successfully.
C:\Windows\Temp\WindowsAnytimeUpgradeResultsb.exe (Spyware.Dybalom) -> Quarantined and deleted successfully.

This is the DDS log:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Joe Kata at 16:36:26.29 on Tue 06/29/2010

Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3326.2481 [GMT -4:00]

============== Running Processes ===============

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\RtHDVCpl.exe

C:\Program Files\Logitech\SetPointP\SetPoint.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Alwil Software\Avast5\AvastUI.exe

C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskhost.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Windows\system32\AERTSrv.exe

C:\Windows\system32\CSHelper.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\lxdocoms.exe

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\explorer.exe

C:\Users\Joe Kata\Documents\dds.scr

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet

uRun: [Google Update] "c:\users\joe kata\appdata\local\google\update\GoogleUpdate.exe" /c

mRun: [RtHDVCpl] RtHDVCpl.exe

mRun: [<NO NAME>]

mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui

dRun: [QNB2EB90WX] c:\windows\temp\Frq.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - c:\program files\icq7.2\ICQ.exe

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab

DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} - hxxp://www.worldwinner.com/games/v48/brickout/brickout.cab

DPF: {445F47D7-E043-4BD6-82EB-7A1BD0EBA773} - hxxp://www.psapoll.com/CopyGuardIE.cab

DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} - hxxp://www.worldwinner.com/games/v63/bjattack/bja.cab

DPF: {64CD313F-F079-4D93-959F-4D28B5519449} - hxxp://www.worldwinner.com/games/v56/jeopardy/jeopardy.cab

DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} - hxxp://www.worldwinner.com/games/launcher/ie/v2.22.01.0/iewwload.cab

DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab

DPF: {A7846ED2-9DE6-4E8A-B116-A8ACEBFA7DB1} - hxxp://rms2.invokesolutions.com/events/bin/6.2.0.1452/MILive.cab

DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} - hxxp://www.worldwinner.com/games/v41/hangman/hangman.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47}

DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} - hxxp://www.worldwinner.com/games/v44/golfsol/golfsol.cab

Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\joekat~1\appdata\roaming\mozilla\firefox\profiles\g7l6q1n9.default\

FF - prefs.js: browser.search.selectedEngine - Web Search

FF - prefs.js: browser.startup.homepage - www.yahoo.com

FF - component: c:\users\joe kata\appdata\roaming\mozilla\firefox\profiles\g7l6q1n9.default\extensions\{51ef49d2-624b-4194-8b97-1c468e9b0efe}\components\Engine.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\veetle\player\npvlc.dll

FF - plugin: c:\program files\veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll

FF - plugin: c:\users\joe kata\appdata\local\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\users\joe kata\appdata\local\yahoo!\browserplus\2.8.1\plugins\npybrowserplus_2.8.1.dll

FF - plugin: c:\users\joe kata\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll

FF - plugin: c:\users\joe kata\appdata\roaming\mozilla\firefox\profiles\g7l6q1n9.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll

FF - plugin: c:\users\joe kata\appdata\roaming\mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-12-8 164048]

R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-12-8 19024]

R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-12-8 51792]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-7 40384]

R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2010-1-30 266240]

R2 lxdo_device;lxdo_device;c:\windows\system32\lxdocoms.exe -service --> c:\windows\system32\lxdocoms.exe -service [?]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-7 40384]

R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-7 40384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-27 136176]

S2 lxdoCATSCustConnectService;lxdoCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdoserv.exe [2007-7-17 94208]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-2 1343400]

=============== Created Last 30 ================

2010-06-29 20:32:43 20 ----a-w- c:\users\joe kata\defogger_reenable

2010-06-28 02:50:55 0 d-----w- c:\program files\LeeGTs Games

2010-06-25 03:30:42 0 d-----w- c:\program files\ICQ7.2

2010-06-24 19:48:55 0 d-----w- c:\users\joekat~1\appdata\roaming\FastStone

2010-06-22 16:25:24 0 d-----w- c:\program files\FastStone Capture

2010-06-14 01:13:31 0 d-----w- c:\windows\system32\TVUAx

2010-06-05 17:43:43 0 d-----w- c:\programdata\WorldWinner

2010-06-02 20:51:31 0 d-----w- c:\program files\Astroburn Pro

2010-06-02 20:51:25 0 d-----w- c:\users\joekat~1\appdata\roaming\Astroburn Pro

2010-06-02 20:51:25 0 d-----w- c:\programdata\Astroburn Pro

2010-06-02 20:44:29 691696 ----a-w- c:\windows\system32\drivers\sptd.sys

2010-06-02 20:44:09 0 d-----w- c:\program files\DAEMON Tools Lite

2010-06-02 20:43:39 0 d-----w- c:\users\joekat~1\appdata\roaming\DAEMON Tools Lite

2010-06-02 20:43:36 0 d-----w- c:\programdata\DAEMON Tools Lite

2010-05-31 02:16:14 186772 ----a-w- C:\a.pdf

==================== Find3M ====================

2010-05-29 14:33:50 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01009.Wdf

2010-05-21 18:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-06 20:34:10 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2010-04-23 07:13:36 2048 ----a-w- c:\windows\system32\tzres.dll

2010-04-12 21:29:19 411368 ----a-w- c:\windows\system32\deployJava1.dll

2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat

2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat

2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat

2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat

2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini

2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat

2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat

2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat

2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat

2010-03-16 00:24:10 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

2010-01-23 14:57:46 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 16:37:17.16 ===============

Attach.zip

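The Pseudo HJT section of the DDS log above (the uRun/mRun/dRun entries and the mPolicies-system values) is where a helper looks for autoruns and policy tampering. As an added triage example, not part of the post or of the DDS tool, the script below parses such lines and flags Run values that start a binary from a temp directory, empty Run values, autoruns in the default-user hive, and UAC policies set to 0; it assumes the DDS convention that uRun, mRun and dRun denote the HKCU, HKLM and HKU\.DEFAULT Run keys, and the sample lines are constructed from the log in this thread.

```python
import re
from dataclasses import dataclass

# Hive that each DDS Run prefix refers to (assumed DDS convention).
RUN_HIVES = {"uRun": "HKCU", "mRun": "HKLM", "dRun": r"HKU\.DEFAULT"}

# Directories legitimate software does not auto-start from (matched on the lowercased path).
TEMP_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\")

# UAC policy values that weaken or remove elevation prompting.
WEAK_POLICIES = {
    "EnableLUA": (0, "UAC is disabled"),
    "ConsentPromptBehaviorAdmin": (0, "administrators elevate without any prompt"),
    "PromptOnSecureDesktop": (0, "elevation prompts do not use the secure desktop"),
}

RUN_RE = re.compile(r"^(uRun|mRun|dRun): \[(.*?)\]\s*(.*)$")
POLICY_RE = re.compile(r"^mPolicies-system: (\w+) = (-?\d+)")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    source: str    # the DDS line that triggered the finding
    reason: str


def exe_path(command: str) -> str:
    """Return the executable part of a Run value: the quoted path, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage(lines):
    """Scan DDS Pseudo HJT lines and return the Findings in log order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        run = RUN_RE.match(line)
        if run:
            prefix, _name, command = run.groups()
            hive = RUN_HIVES[prefix]
            path = exe_path(command).lower()
            if not command:
                findings.append(Finding("medium", line,
                    f"{hive} Run entry with an empty value (likely leftover of a removed autorun)"))
            elif any(d in path for d in TEMP_DIRS):
                findings.append(Finding("high", line,
                    f"{hive} Run entry starts a binary from a temp directory: {path}"))
            elif prefix == "dRun":
                findings.append(Finding("medium", line,
                    "autorun in the default-user hive; legitimate installers rarely write there"))
            continue
        policy = POLICY_RE.match(line)
        if policy:
            name, value = policy.group(1), int(policy.group(2))
            if name in WEAK_POLICIES and value == WEAK_POLICIES[name][0]:
                findings.append(Finding("high", line, f"{name}={value}: {WEAK_POLICIES[name][1]}"))
    return findings


# Constructed sample: Pseudo HJT lines copied from the DDS log in this thread.
SAMPLE_REPORT = r"""
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [<NO NAME>]
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
dRun: [QNB2EB90WX] c:\windows\temp\Frq.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT.splitlines()):
        print(f"[{f.severity.upper():6}] {f.reason}\n         {f.source}")
```

On the sample the script reports the temp-directory autorun, the empty HKLM entry and the three UAC policies, while the Yahoo, Realtek and avast entries pass unflagged.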

Step 1

Please uninstall the following applications:

  1. Adobe Acrobat 7.0 Professional
  2. BitTornado 0.3.17

You can read how to do this here:

Step 2

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as follows:
    CF_download_FF.gif
    CF_download_rename.gif
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


I need to ask this because I'm curious; I can understand why I needed to uninstall BitTornado, but why did I have to uninstall Adobe Acrobat 7? I've been using that for years without any issue I know of, but is there something wrong with this program in general that I need to be mindful of, and not reinstall it? Or was it that it could have been infected? Thank you for any information you can give on that :-)

Here is my ComboFix Log file :-)

ComboFix 10-06-29.02 - Joe Kata 06/29/2010 17:51:10.1.2 - x86

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3326.2566 [GMT -4:00]

Running from: c:\users\Joe Kata\Desktop\Combo-Fix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\7Loader.TAG

Infected copy of c:\windows\system32\drivers\volmgrx.sys was found and disinfected

Restored copy from - Kitty had a snack :D

.

((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-29 )))))))))))))))))))))))))))))))

.

2010-06-29 21:58 . 2010-06-29 21:58 -------- d-----w- c:\users\Joe Kata\AppData\Local\temp

2010-06-29 21:58 . 2010-06-29 21:58 -------- d-----w- c:\users\Default\AppData\Local\temp

2010-06-29 21:47 . 2010-06-29 21:47 -------- d-----w- C:\32788R22FWJFW

2010-06-28 18:51 . 2010-06-28 18:51 1056768 ----a-w- c:\programdata\WorldWinner\plantsvzombies\plantsvzombies.dll

2010-06-27 16:15 . 2010-06-27 16:15 401408 ----a-w- c:\programdata\WorldWinner\swapit\swapit.dll

2010-06-27 05:26 . 2010-06-27 05:26 618496 ----a-w- c:\programdata\WorldWinner\familyfeud2\familyfeud2.dll

2010-06-25 03:30 . 2010-06-25 03:30 -------- d-----w- c:\users\Joe Kata\AppData\Local\AOL

2010-06-25 03:30 . 2010-06-25 03:31 -------- d-----w- c:\program files\ICQ7.2

2010-06-24 19:48 . 2010-06-24 19:48 -------- d-----w- c:\users\Joe Kata\AppData\Roaming\FastStone

2010-06-22 16:25 . 2010-06-22 16:25 -------- d-----w- c:\program files\FastStone Capture

2010-06-18 16:41 . 2010-05-25 23:07 65536 ----a-w- c:\users\Joe Kata\AppData\Roaming\Mozilla\Firefox\Profiles\g7l6q1n9.default\extensions\{51ef49d2-624b-4194-8b97-1c468e9b0efe}\components\Engine.dll

2010-06-14 01:13 . 2010-06-14 01:13 -------- d-----w- c:\windows\system32\TVUAx

2010-06-05 18:16 . 2010-06-05 18:16 339968 ----a-w- c:\programdata\WorldWinner\dealornodeal\dealornodeal.dll

2010-06-05 17:55 . 2010-06-05 17:55 356352 ----a-w- c:\programdata\WorldWinner\solitairerush\solitairerush.dll

2010-06-05 17:43 . 2010-02-16 21:29 137216 ----a-w- c:\programdata\WorldWinner\shared\fmod.dll

2010-06-05 17:43 . 2010-06-05 17:43 532480 ----a-w- c:\programdata\WorldWinner\bejeweled\bejeweled.dll

2010-06-05 17:43 . 2010-06-28 18:51 -------- d-----w- c:\programdata\WorldWinner

2010-06-02 20:51 . 2010-06-02 20:51 -------- d-----w- c:\program files\Astroburn Pro

2010-06-02 20:51 . 2010-06-02 20:51 -------- d-----w- c:\programdata\Astroburn Pro

2010-06-02 20:51 . 2010-06-02 20:51 -------- d-----w- c:\users\Joe Kata\AppData\Roaming\Astroburn Pro

2010-06-02 20:44 . 2010-06-02 20:44 691696 ----a-w- c:\windows\system32\drivers\sptd.sys

2010-06-02 20:44 . 2010-06-02 20:44 -------- d-----w- c:\program files\DAEMON Tools Lite

2010-06-02 20:43 . 2010-06-02 20:47 -------- d-----w- c:\users\Joe Kata\AppData\Roaming\DAEMON Tools Lite

2010-06-02 20:43 . 2010-06-02 20:43 -------- d-----w- c:\programdata\DAEMON Tools Lite

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-29 21:45 . 2009-12-08 21:29 61736 ----a-w- c:\users\Joe Kata\AppData\Local\GDIPFONTCACHEV1.DAT

2010-06-29 21:36 . 2009-12-09 05:16 -------- d-----w- c:\program files\Common Files\Adobe

2010-06-29 18:30 . 2009-12-09 05:31 -------- d-----w- c:\users\Joe Kata\AppData\Roaming\vlc

2010-06-28 14:12 . 2010-04-15 17:55 -------- d-----w- c:\programdata\PopCap Games

2010-06-28 04:51 . 2009-12-11 16:44 -------- d-----w- c:\users\Joe Kata\AppData\Roaming\uTorrent

2010-06-28 02:54 . 2010-04-16 14:44 -------- d-----w- c:\users\Joe Kata\AppData\Roaming\dvdcss

2010-06-26 18:42 . 2009-12-09 05:13 1 ----a-w- c:\users\Joe Kata\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys

2010-06-25 12:39 . 2009-12-09 04:50 -------- d-----w- c:\users\Joe Kata\AppData\Roaming\ICQ

2010-06-25 03:30 . 2009-12-09 04:51 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-06-05 03:39 . 2009-12-11 23:05 -------- d-----w- c:\program files\Microsoft Silverlight

2010-05-30 06:41 . 2009-12-09 04:45 -------- d-----w- c:\program files\CCleaner

2010-05-29 14:34 . 2010-05-29 14:34 -------- d-----w- c:\programdata\PC Suite

2010-05-29 14:34 . 2010-05-29 14:34 -------- d-----w- c:\users\Joe Kata\AppData\Roaming\PC Suite

2010-05-29 14:33 . 2010-05-29 14:33 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01009.Wdf

2010-05-29 14:30 . 2010-05-29 14:30 -------- d-----w- c:\programdata\Nokia

2010-05-29 02:56 . 2010-05-29 02:56 -------- d-----w- c:\program files\DIFX

2010-05-29 02:56 . 2010-05-29 02:56 -------- d-----w- c:\program files\PC Connectivity Solution

2010-05-29 02:55 . 2010-05-29 02:53 -------- d-----w- c:\program files\Nokia

2010-05-29 02:53 . 2010-05-29 02:53 -------- d-----w- c:\program files\Common Files\Nokia

2010-05-29 02:53 . 2010-05-29 02:53 36864 ----a-w- c:\programdata\Installations\{09C468CA-2940-466A-AAE8-DCC0C6E9323C}\Installer\CommonCustomActions\Sleep.exe

2010-05-29 02:53 . 2010-05-29 02:53 3351812 ----a-w- c:\programdata\Installations\{09C468CA-2940-466A-AAE8-DCC0C6E9323C}\Installer\CommonCustomActions\msxml6Exec.exe

2010-05-29 02:53 . 2010-05-29 02:53 3203453 ----a-w- c:\programdata\Installations\{09C468CA-2940-466A-AAE8-DCC0C6E9323C}\Installer\CommonCustomActions\vcredistExec.exe

2010-05-29 02:53 . 2010-05-29 02:53 -------- d-----w- c:\programdata\Installations

2010-05-29 02:53 . 2010-05-29 02:53 35618008 ----a-w- c:\programdata\Installations\{09C468CA-2940-466A-AAE8-DCC0C6E9323C}\NokiaSoftwareUpdaterSetup_en_us.exe

2010-05-26 23:43 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail

2010-05-21 18:14 . 2009-12-08 22:20 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-08 15:15 . 2010-04-27 17:10 -------- d-----w- c:\program files\Google

2010-05-07 16:55 . 2010-05-07 16:55 255472 ----a-w- c:\users\Joe Kata\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll

2010-05-06 20:59 . 2009-12-08 22:13 165032 ----a-w- c:\windows\system32\aswBoot.exe

2010-05-06 20:39 . 2009-12-08 22:13 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-05-06 20:39 . 2009-12-08 22:13 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-05-06 20:34 . 2009-12-08 22:13 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-05-06 20:34 . 2009-12-08 22:13 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2010-05-06 20:33 . 2009-12-08 22:13 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-05-03 03:43 . 2010-05-03 03:43 -------- d-----w- c:\program files\avisplit

2010-05-02 17:36 . 2010-05-02 17:36 -------- d-----w- c:\program files\Free M4a to MP3 Converter

2010-05-02 14:23 . 2009-12-09 05:09 -------- d-----w- c:\program files\Java

2010-04-29 19:39 . 2009-12-09 04:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2009-12-09 04:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-23 10:22 . 2010-04-23 10:22 2898232 ----a-w- c:\users\Joe Kata\AppData\Roaming\Mozilla\Firefox\Profiles\g7l6q1n9.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll

2010-04-23 07:13 . 2010-05-26 23:43 2048 ----a-w- c:\windows\system32\tzres.dll

2010-04-14 16:47 . 2009-12-08 22:13 38848 ----a-w- c:\windows\system32\avastSS.scr

2010-04-12 21:29 . 2010-05-02 14:23 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-04-11 02:59 . 2010-04-11 02:59 5514304 ----a-w- c:\users\Joe Kata\AppData\Roaming\TVU Networks\AutoUpgrade\TVUPlayer2.5.2.2.exe

2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat

2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]

"Google Update"="c:\users\Joe Kata\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-02-02 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 4907008]

"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2009-12-04 1309712]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-05-06 2815192]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2009-12-04 12:07 57856 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk

backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnk.CommonStartup

backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnk.CommonStartup

backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^LoopBe1 Monitor.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\LoopBe1 Monitor.lnk

backup=c:\windows\pss\LoopBe1 Monitor.lnk.CommonStartup

backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^TMMonitor.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\TMMonitor.lnk

backup=c:\windows\pss\TMMonitor.lnk.CommonStartup

backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Joe Kata^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]

path=c:\users\Joe Kata\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk

backup=c:\windows\pss\OpenOffice.org 3.1.lnk.Startup

backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]

2009-10-10 18:32 203264 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 9500 Series Fax Server]

2009-07-07 17:37 311976 ----a-w- c:\program files\Lexmark 9500 Series\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdoamon]

2009-07-07 17:37 25256 ----a-w- c:\program files\Lexmark 9500 Series\lxdoamon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdomon.exe]

2009-07-07 17:37 455336 ----a-w- c:\program files\Lexmark 9500 Series\lxdomon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TV IR]

2008-09-19 03:43 20480 ----a-w- c:\program files\TV IR\CallApp.exe

R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2010-01-30 266240]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-18 136176]

R2 lxdoCATSCustConnectService;lxdoCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdoserv.exe [2007-07-17 94208]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-02 1343400]

R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-06-02 691696]

S1 aswSP;aswSP; [x]

S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-05 77824]

S2 aswFsBlk;aswFsBlk; [x]

S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-05-06 51792]

S2 lxdo_device;lxdo_device;c:\windows\system32\lxdocoms.exe [2007-09-20 589824]

.

Contents of the 'Scheduled Tasks' folder

2010-06-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-27 04:20]

2010-06-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-27 04:20]

2010-06-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3959221499-805834505-2326888431-1000Core.job

- c:\users\Joe Kata\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-02 21:09]

2010-06-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3959221499-805834505-2326888431-1000UA.job

- c:\users\Joe Kata\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-02 21:09]

.

.

------- Supplementary Scan -------

.

IE: {{72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - c:\program files\ICQ7.2\ICQ.exe

DPF: {445F47D7-E043-4BD6-82EB-7A1BD0EBA773} - hxxp://www.psapoll.com/CopyGuardIE.cab

DPF: {A7846ED2-9DE6-4E8A-B116-A8ACEBFA7DB1} - hxxp://rms2.invokesolutions.com/events/bin/6.2.0.1452/MILive.cab

DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47}

FF - ProfilePath - c:\users\Joe Kata\AppData\Roaming\Mozilla\Firefox\Profiles\g7l6q1n9.default\

FF - prefs.js: browser.search.selectedEngine - Web Search

FF - prefs.js: browser.startup.homepage - www.yahoo.com

FF - component: c:\users\Joe Kata\AppData\Roaming\Mozilla\Firefox\Profiles\g7l6q1n9.default\extensions\{51ef49d2-624b-4194-8b97-1c468e9b0efe}\components\Engine.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\Veetle\Player\npvlc.dll

FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll

FF - plugin: c:\users\Joe Kata\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\users\Joe Kata\AppData\Local\Yahoo!\BrowserPlus\2.8.1\Plugins\npybrowserplus_2.8.1.dll

FF - plugin: c:\users\Joe Kata\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll

FF - plugin: c:\users\Joe Kata\AppData\Roaming\Mozilla\Firefox\Profiles\g7l6q1n9.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll

FF - plugin: c:\users\Joe Kata\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\windows\system32\TVUAx\npTVUAx.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Acrobat Assistant 7 - c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2010-06-29 18:02:46

ComboFix-quarantined-files.txt 2010-06-29 22:02

ComboFix2.txt 2009-12-04 17:57

ComboFix3.txt 2009-12-03 20:57

ComboFix4.txt 2009-12-03 17:18

Pre-Run: 61,787,365,376 bytes free

Post-Run: 61,546,876,928 bytes free

- - End Of File - - 99F5DF381CEF34136645E6081C10FBC9


I'm not currently having any redirect issues through Google, and nothing's popped up yet. I was even able to update Windows now, and Google Chrome works too. However, I still can't update Avast through the program. It gives me an "error: cannot connect to server" message. Is there anything you could advise for that? Also, is it safe to reinstall Adobe Acrobat now? I didn't know what the problem was before.


I just figured out a workaround for the Avast problem I was having. I think it was related originally to the Malware or whatever I had on my computer, but now that it seems to be gone, I was able to fix that myself. Please tell me if it is still safe to reinstall Adobe Acrobat 7.0 though. Thanks for your help!


Please download to your Desktop: Dr.Web CureIt

  • After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet
  • Double-click the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, click on the Complete scan radio button.
  • Then click on the Settings menu on top, then select Change Settings or press the F9 key. You can also change the Language.
  • Choose the Scanning tab and I recommend leaving the Heuristic analysis enabled (this can lead to False Positives though)
  • On the File types tab ensure you select All files
  • Click on the Actions tab and set the following:
    • Objects: Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    • Infected packages: Archive = Move, E-mails = Report, Containers = Move
    • Malware: Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    • Do not change the Rename extension - default is: #??
    • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    • Leave Prompt on Action checked
  • On the Log file tab leave the Log to file checked.
  • Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log
  • Log mode = Append
  • Encoding = ANSI
  • Details: leave Names of file packers and Statistics checked.
  • Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.
  • On the General tab leave the Scan Priority on High
  • Click the Apply button at the bottom, and then the OK button.
  • On the right side under the Dr.Web Anti-Virus logo you will see 3 little buttons. Click the left VCR-style Start button.
  • In this mode it will scan Boot sectors of all disks, All removable media, and all local drives
  • The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.
  • When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.
  • Click 'Yes to all' if it asks if you want to cure/move the files.
  • This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (in this case we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new HijackThis log.


That literally took a day to scan. Wow. Here is the Dr. Web log

8BBC6AD2d01\gziped.gz C:\Documents and Settings\Joe Kata\AppData\Local\Application Data\Mozilla\Firefox\Profiles\g7l6q1n9.default\Cache\8BBC6AD2d01 Probably SCRIPT.Virus

8BBC6AD2d01 C:\Documents and Settings\Joe Kata\AppData\Local\Application Data\Mozilla\Firefox\Profiles\g7l6q1n9.default\Cache Archive contains infected objects Moved.

1dd6a40c-777a2a2c\________vload.class C:\Documents and Settings\Joe Kata\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\1dd6a40c-777a2a2c Exploit.Java.45

1dd6a40c-777a2a2c\vmain.class C:\Documents and Settings\Joe Kata\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\1dd6a40c-777a2a2c Exploit.Java.45

1dd6a40c-777a2a2c C:\Documents and Settings\Joe Kata\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12 Archive contains infected objects Moved.

491d2350-26949720\AppletPanel.class C:\Documents and Settings\Joe Kata\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16\491d2350-26949720 Java.Dropper.3

491d2350-26949720\Main.class C:\Documents and Settings\Joe Kata\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16\491d2350-26949720 Java.Siggen.2

491d2350-26949720 C:\Documents and Settings\Joe Kata\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16 Archive contains infected objects Moved.

20bdd891-11037a69\F.class C:\Documents and Settings\Joe Kata\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\20bdd891-11037a69 Exploit.Java.47

20bdd891-11037a69\Google.class C:\Documents and Settings\Joe Kata\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\20bdd891-11037a69 Exploit.Java.47

20bdd891-11037a69 C:\Documents and Settings\Joe Kata\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17 Archive contains infected objects Moved.

e649f74-7ac6311d\________vload.class C:\Documents and Settings\Joe Kata\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\e649f74-7ac6311d Exploit.Java.45

e649f74-7ac6311d\vmain.class C:\Documents and Settings\Joe Kata\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\e649f74-7ac6311d Exploit.Java.45

e649f74-7ac6311d C:\Documents and Settings\Joe Kata\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52 Archive contains infected objects Moved.

53d361fc-7142b7a4\lorry/Cloners.class C:\Documents and Settings\Joe Kata\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\53d361fc-7142b7a4 Exploit.Java.46

53d361fc-7142b7a4\lorry/Debuggr.class C:\Documents and Settings\Joe Kata\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\53d361fc-7142b7a4 Exploit.Java.46

53d361fc-7142b7a4\lorry/Patchers.class C:\Documents and Settings\Joe Kata\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\53d361fc-7142b7a4 Exploit.Java.46

53d361fc-7142b7a4 C:\Documents and Settings\Joe Kata\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60 Archive contains infected objects Moved.

18364cfd-69ba59c6\myf/y/AppletX.class C:\Documents and Settings\Joe Kata\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\18364cfd-69ba59c6 Exploit.CVE2008.5353

18364cfd-69ba59c6\myf/y/LoaderX.class C:\Documents and Settings\Joe Kata\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\18364cfd-69ba59c6 Exploit.CVE2008.5353

18364cfd-69ba59c6\myf/y/NbablaF.class C:\Documents and Settings\Joe Kata\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\18364cfd-69ba59c6 Exploit.CVE2008.5353

18364cfd-69ba59c6 C:\Documents and Settings\Joe Kata\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61 Archive contains infected objects Moved.

18364cfd-69ba59c6\myf/y/AppletX.class C:\Documents and Settings\Joe Kata\DoctorWeb\Quarantine\18364cfd-69ba59c6 Exploit.CVE2008.5353

18364cfd-69ba59c6\myf/y/LoaderX.class C:\Documents and Settings\Joe Kata\DoctorWeb\Quarantine\18364cfd-69ba59c6 Exploit.CVE2008.5353

18364cfd-69ba59c6\myf/y/NbablaF.class C:\Documents and Settings\Joe Kata\DoctorWeb\Quarantine\18364cfd-69ba59c6 Exploit.CVE2008.5353

18364cfd-69ba59c6 C:\Documents and Settings\Joe Kata\DoctorWeb\Quarantine Archive contains infected objects Moved.

1dd6a40c-777a2a2c\________vload.class C:\Documents and Settings\Joe Kata\DoctorWeb\Quarantine\1dd6a40c-777a2a2c Exploit.Java.45

1dd6a40c-777a2a2c\vmain.class C:\Documents and Settings\Joe Kata\DoctorWeb\Quarantine\1dd6a40c-777a2a2c Exploit.Java.45

1dd6a40c-777a2a2c C:\Documents and Settings\Joe Kata\DoctorWeb\Quarantine Archive contains infected objects Moved.

20bdd891-11037a69\F.class C:\Documents and Settings\Joe Kata\DoctorWeb\Quarantine\20bdd891-11037a69 Exploit.Java.47

20bdd891-11037a69\Google.class C:\Documents and Settings\Joe Kata\DoctorWeb\Quarantine\20bdd891-11037a69 Exploit.Java.47

20bdd891-11037a69 C:\Documents and Settings\Joe Kata\DoctorWeb\Quarantine Archive contains infected objects Moved.

491d2350-26949720\AppletPanel.class C:\Documents and Settings\Joe Kata\DoctorWeb\Quarantine\491d2350-26949720 Java.Dropper.3

491d2350-26949720\Main.class C:\Documents and Settings\Joe Kata\DoctorWeb\Quarantine\491d2350-26949720 Java.Siggen.2

491d2350-26949720 C:\Documents and Settings\Joe Kata\DoctorWeb\Quarantine Archive contains infected objects Moved.

53d361fc-7142b7a4\lorry/Cloners.class C:\Documents and Settings\Joe Kata\DoctorWeb\Quarantine\53d361fc-7142b7a4 Exploit.Java.46

53d361fc-7142b7a4\lorry/Debuggr.class C:\Documents and Settings\Joe Kata\DoctorWeb\Quarantine\53d361fc-7142b7a4 Exploit.Java.46

53d361fc-7142b7a4\lorry/Patchers.class C:\Documents and Settings\Joe Kata\DoctorWeb\Quarantine\53d361fc-7142b7a4 Exploit.Java.46

53d361fc-7142b7a4 C:\Documents and Settings\Joe Kata\DoctorWeb\Quarantine Archive contains infected objects Moved.

8BBC6AD2d01\gziped.gz C:\Documents and Settings\Joe Kata\DoctorWeb\Quarantine\8BBC6AD2d01 Probably SCRIPT.Virus

8BBC6AD2d01 C:\Documents and Settings\Joe Kata\DoctorWeb\Quarantine Archive contains infected objects Moved.

e649f74-7ac6311d\________vload.class C:\Documents and Settings\Joe Kata\DoctorWeb\Quarantine\e649f74-7ac6311d Exploit.Java.45

e649f74-7ac6311d\vmain.class C:\Documents and Settings\Joe Kata\DoctorWeb\Quarantine\e649f74-7ac6311d Exploit.Java.45

e649f74-7ac6311d C:\Documents and Settings\Joe Kata\DoctorWeb\Quarantine Archive contains infected objects Moved.

popcaploader.dll.vir C:\Qoobox\Quarantine\C\Windows\Downloaded Program Files Program.PopcapLoader Moved.

volmgrx.sys.vir C:\Qoobox\Quarantine\C\Windows\System32\drivers BackDoor.Tdss.2459 Cured.

4bb348e2-7e47a967\myf/y/AppletX.class C:\Windows.old.000\Documents and Settings\jdkata\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\4bb348e2-7e47a967 Exploit.CVE2008.5353

4bb348e2-7e47a967\myf/y/LoaderX.class C:\Windows.old.000\Documents and Settings\jdkata\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\4bb348e2-7e47a967 Exploit.CVE2008.5353

4bb348e2-7e47a967\myf/y/PayloadX.class C:\Windows.old.000\Documents and Settings\jdkata\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\4bb348e2-7e47a967 Exploit.CVE2008.5353

4bb348e2-7e47a967 C:\Windows.old.000\Documents and Settings\jdkata\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34 Archive contains infected objects Moved.

4bb348e2-7e47a967\myf/y/AppletX.class F:\Desktop HD\Users\jdkata\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\4bb348e2-7e47a967 Exploit.CVE2008.5353

4bb348e2-7e47a967\myf/y/LoaderX.class F:\Desktop HD\Users\jdkata\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\4bb348e2-7e47a967 Exploit.CVE2008.5353

4bb348e2-7e47a967\myf/y/PayloadX.class F:\Desktop HD\Users\jdkata\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\4bb348e2-7e47a967 Exploit.CVE2008.5353

4bb348e2-7e47a967 F:\Desktop HD\Users\jdkata\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34 Archive contains infected objects Moved.

popcaploader.dll F:\Desktop HD\Windows\Downloaded Program Files Program.PopcapLoader Moved.

setup.exe F:\External HD\Entire Old HD\Documents and Settings\All Users\Application Data\AOL\SUDS\REMOVABLE\3700.5.15 Probably BACKDOOR.Trojan


If you still have a problem, you should re-install it and perform a full scan.

I no longer have a problem, that's why I said it was working just fine now. I mentioned that I fixed it a couple of posts back. Thank you for your help :-) Now, may I reinstall Acrobat?


Good! :)

Last steps:

Step 1

* Go to Start > Run and copy and paste the following command into the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Step 2

To enable CD Emulation programs using DeFogger please perform these steps:

  1. Please download DeFogger to your desktop.
  2. Once downloaded, double-click on the DeFogger icon to start the tool.
  3. The application window will now appear. You should now click on the Enable button to enable your CD Emulation drivers
  4. When it prompts you whether or not you want to continue, please click on the Yes button to continue
  5. When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
  6. If CD Emulation programs are present and have been enabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.

Step 3

Please manually delete Defogger, Dr.Web Cure It, DDS and GMER.

Step 4

Please download and install the latest version of Adobe Acrobat from:

www.adobe.com

Step 5

Some malware preventions:

http://forums.malwarebytes.org/index.php?showtopic=9365

Safe surfing! :)


This topic is now closed to further replies.