Jump to content

Attempts to attack pc


Recommended Posts

Norton tells me this.

"An intrusion attempt by li1i16b0.com was blocked. Application path \device\harddiskvolume2\windows\system32\svchost.exe"

I have done the steps required in the pinned "start here"

Help Please, the results are as follows.

DDS (Ver_10-03-17.01) - NTFSx86

Run by Allen at 22:52:26.09 on Mon 07/26/2010

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.153 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe

svchost.exe

C:\WINDOWS\system32\Rundll32.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe

C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Allen\My Documents\Downloads\Defogger.exe

C:\Documents and Settings\Allen\My Documents\Downloads\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/

uDefault_Page_URL = hxxp://www.dell4me.com/myway

uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html

uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\16.8.0.41\IPSBHO.DLL

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [MoneyBackgoundBanking] "c:\program files\microsoft money plus\mnycorefiles\mnybbsvc.exe"

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r

mRun: [P17Helper] Rundll32 P17.dll,P17Helper

mRun: [updReg] c:\windows\UpdReg.EXE

mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe

IE: E&xport to Microsoft Office Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\allen\applic~1\mozilla\firefox\profiles\4lxow7bn.default\

FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll

FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava11.dll

FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava12.dll

FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava13.dll

FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava14.dll

FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava32.dll

FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll

FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPOJI610.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-2 64160]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1008000.029\SymEFA.sys [2010-2-16 310320]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1008000.029\BHDrvx86.sys [2010-2-16 259632]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1008000.029\cchpx86.sys [2010-2-16 482432]

R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100723.001\IDSXpx86.sys [2010-7-26 331640]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1029456]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-1 102448]

R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100726.023\NAVENG.SYS [2010-7-26 85424]

R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100726.023\NAVEX15.SYS [2010-7-26 1362608]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-3 135664]

S2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\engine\16.8.0.41\ccSvcHst.exe [2010-2-16 117640]

=============== Created Last 30 ================

2010-07-27 02:48:09 0 ----a-w- c:\documents and settings\allen\defogger_reenable

2010-07-17 04:46:12 54156 ---ha-w- c:\windows\QTFont.qfn

2010-07-17 04:46:12 1409 ----a-w- c:\windows\QTFont.for

2010-07-17 04:40:32 0 d-----w- c:\program files\CCleaner

2010-07-17 03:34:39 0 d-----w- c:\docume~1\allen\applic~1\Malwarebytes

2010-07-17 03:34:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-17 03:34:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-07-17 03:34:20 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-17 03:34:18 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-05-04 12:39:27 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2010-05-04 12:39:27 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys

============= FINISH: 22:54:28.23 ===============

ark.zip

Link to post
Share on other sites

Hi and welcome to the Malwarebytes forums. :lol:

I'm melboy and I am going to try to help you with your problem. Please take note of the following:

  1. I will be working on your Malware issues this may or may not solve other issues you have with your machine.
  2. The fixes are specific to your problem and should only be used for this issue on this machine.
  3. If you don't know or understand something, please don't hesitate to ask.
  4. Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc...)
  5. Please DO NOT run any other tools or scans whilst I am helping you.
  6. It is important that you reply to this thread. Do not start a new topic.
  7. DO NOT attach logs unless requested to. Please copy/paste all requested logs into your replies.
  8. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  9. Absence of symptoms does not mean that everything is clear.

NOTE: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

No Reply Within 3 Days Will Result In Your Topic Being Closed!! If you need more time, please inform me.

===========================================================

ComboFix (by sUBs)

Please visit this webpage for instructions for downloading and running ComboFix: Bleeping Computer ComboFix Tutorial

  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    For instructions on how to disable your security programs, please see this topic:
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply
  • Re-enable all the programs that were disabled during the running of ComboFix..

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.

This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a forum helper

Link to post
Share on other sites

Thank you for responding, and your help. Log from combofix is as follows.

ComboFix 10-07-30.01 - Allen 07/31/2010 0:47.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.291 [GMT -4:00]

Running from: c:\documents and settings\Allen\Desktop\ComboFix.exe

AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\settings.reg

c:\windows\system32\Data

.

((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-31 )))))))))))))))))))))))))))))))

.

2010-07-17 04:40 . 2010-07-17 04:40 -------- d-----w- c:\program files\CCleaner

2010-07-17 03:34 . 2010-07-17 03:34 -------- d-----w- c:\documents and settings\Allen\Application Data\Malwarebytes

2010-07-17 03:34 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-17 03:34 . 2010-07-17 03:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-07-17 03:34 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-17 03:34 . 2010-07-17 03:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-17 13:11 . 2005-07-22 19:49 -------- d-----w- c:\program files\Sonic

2010-07-17 12:48 . 2005-07-22 19:43 -------- d-----w- c:\program files\Jasc Software Inc

2010-07-17 12:37 . 2009-06-13 13:16 -------- d-----w- c:\program files\Common Files\ArcSoft

2010-07-17 12:37 . 2009-06-13 13:16 -------- d-----w- c:\program files\ArcSoft

2010-07-17 12:37 . 2005-07-22 19:39 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-07-06 22:24 . 2010-07-07 11:28 154954 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat

2010-07-05 16:13 . 2009-03-13 00:02 -------- d-----w- c:\documents and settings\Allen\Application Data\AdobeUM

2010-06-23 11:45 . 2010-06-23 11:45 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb1A.tmp.exe

2010-05-13 21:38 . 2009-03-02 17:18 46416 ----a-w- c:\documents and settings\Allen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-04 17:20 . 2004-08-10 17:51 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20 . 2009-03-02 18:08 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20 . 2004-08-10 17:50 17408 ----a-w- c:\windows\system32\corpol.dll

2010-05-02 05:22 . 2004-08-10 17:51 1851264 ----a-w- c:\windows\system32\win32k.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-05 39408]

"MoneyBackgoundBanking"="c:\program files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe" [2008-02-19 53264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]

"P17Helper"="P17.dll" [2004-06-10 60928]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-01 524632]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-07-22 98304]

"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-07-07 647216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-7-22 24576]

Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"SunJavaUpdateSched"=c:\program files\Java\j2re1.4.2_03\bin\jusched.exe

"mmtask"=c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/2/2009 2:00 PM 64160]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1008000.029\SymEFA.sys [2/16/2010 10:36 PM 310320]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1008000.029\BHDrvx86.sys [2/16/2010 10:36 PM 259632]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1008000.029\cchpx86.sys [2/16/2010 10:36 PM 482432]

R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100729.001\IDSXpx86.sys [7/30/2010 6:05 PM 331640]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 5:34 PM 1029456]

R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe [2/16/2010 10:36 PM 117640]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/1/2010 12:08 PM 102448]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2010 10:35 PM 135664]

.

Contents of the 'Scheduled Tasks' folder

2010-07-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 18:00]

2010-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 02:34]

2010-07-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 02:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.aol.com/

uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway

IE: E&xport to Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

FF - ProfilePath - c:\documents and settings\Allen\Application Data\Mozilla\Firefox\Profiles\4lxow7bn.default\

FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll

FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-31 00:54

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]

"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"

.

Completion time: 2010-07-31 00:59:09

ComboFix-quarantined-files.txt 2010-07-31 04:59

Pre-Run: 50,674,458,624 bytes free

Post-Run: 51,750,637,568 bytes free

- - End Of File - - 6B9A8A05E09D56C52768A5603E1D4B

Link to post
Share on other sites

Hi

Can you please navigate to, and post the contents of; C:\Qoobox\ComboFix-quarantined-files.txt and give me an update on whether you are recieving the alerts from Norton.

Update Adobe Reader

Your Adobe Reader is out of date.

Older versions may have vulnerabilities that malware can use to infect your system.

Please download Adobe Reader 9.3 to your PC's desktop.

  • Uninstall via Start > Control Panel > Add/Remove Programs:
    Adobe Acrobat - Reader 6.0.2 Update
    Adobe Reader 6.0.1
  • Install the new downloaded updated software.
  • Then using the internal updater update the software to the current increment 9.3.3
    • Open Adobe Reader go to > Help > Check for updates and allow the updater to check.
    • If updates are found click Show Details and check the boxes to click to download and install any necessary updates.

Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 21.

  • Go to Sun Java
  • Scroll down to where it says "JDK 6 Update 21 (JDK or JRE)"
  • Click the orange Download JRE button to the right
  • In the Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u21-windows-i586.exe" and save the downloaded file to your desktop.
  • Uninstall all old versions of Java via Start > Control Panel > Add/Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2_03
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer

TFC

  • Please download TFC by Old Timer to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in the bottom left of TFC
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It should not take longer than a couple of minutes , and may only take a few seconds. Only if needed will you be prompted to reboot.

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista users: You will need to to right-click on the either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here then click on: EOLS1.gif
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

[*]Now click on: EOLS3.gif

[*]The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.

[*]When completed the Online Scan will begin automatically.

[*]Do not touch either the Mouse or keyboard during the scan otherwise it may stall.

[*]When completed make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt

[*]Copy and paste that log as a reply to this topic.

[*]Now click on: EOLS4.gif (Selecting Uninstall application on close if you so wish)

In your next reply:

  1. ComboFix-quarantined-files.txt
  2. ESET scan log

Link to post
Share on other sites

I have not gotten the notifications, but the a/v has been disabled, so I would not know.

The two logs are pasted

2010-07-31 04:52:25 . 2010-07-31 04:52:25 7,840 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

2010-07-30 22:34:46 . 2010-07-31 04:47:56 184 ----a-w- C:\Qoobox\Quarantine\catchme.log

2005-07-22 19:40:45 . 2004-06-10 20:37:00 11,766 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\SETTINGS.REG.vir

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=7.00.6000.17055 (vista_gdr.100414-0533)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=7219bf0756886b42ac9fc9b1d456c13e

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2010-07-31 03:42:30

# local_time=2010-07-31 11:42:30 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=3587 16777189 100 94 1445624 16486156 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=48084

# found=1

# cleaned=0

# scan_time=2246

C:\Qoobox\32788R22FWJFW\ftdisk.sys Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I

Link to post
Share on other sites

Hi

You can re- enable Norton, if you haven't already. Let me know how things are running. I think you should no longer be receiving the notifications.

Malwarebytes' Anti-Malware (MBAM)

As you have Malwarebytes' Anti-Malware installed on your computer. Could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update have been completed, Select the Scanner tab.
  • Select Perform Quick scan, then click on Scan
  • When done, you will be prompted. Click OK. If Items are found, then click on Show Results
  • Check all items then click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply.
    The log can also be found here:
    1. C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    2. Or via the Logs tab when the application is started.

Note: MBAM may ask to reboot your computer so it can continue with the removal process, please do so immediately.

Failure to reboot will prevent MBAM from removing all the malware.

Link to post
Share on other sites

Hi

You can re- enable Norton, if you haven't already. Let me know how things are running. I think you should no longer be receiving the notifications.

Malwarebytes' Anti-Malware (MBAM)

As you have Malwarebytes' Anti-Malware installed on your computer. Could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update have been completed, Select the Scanner tab.
  • Select Perform Quick scan, then click on Scan
  • When done, you will be prompted. Click OK. If Items are found, then click on Show Results
  • Check all items then click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply.
    The log can also be found here:
    1. C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    2. Or via the Logs tab when the application is started.

Note: MBAM may ask to reboot your computer so it can continue with the removal process, please do so immediately.

Failure to reboot will prevent MBAM from removing all the malware.

I have re enabled norton, and am awaiting any notifications.

Presently running malwarebytes. will this address the trojan found by eset?

Link to post
Share on other sites

No threats detected.

alwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4374

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

7/31/2010 12:46:38 PM

mbam-log-2010-07-31 (12-46-38).txt

Scan type: Quick scan

Objects scanned: 126167

Time elapsed: 10 minute(s), 12 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

As of 8am this morning, Norton History reported no intrusion attemps on that pc, the only thing I have noticed is that when booting I get the black screen option during boot up.

Will we address this, or will the end user have this come up every time the computer starts. It is relatively quick, and you cannot easily make the choice for the recovery option, just not sure if we were removing it.

Link to post
Share on other sites

To extend the Timeout value:

  • Go to Start > Run and enter MSConfig > click OK
  • Click the boot.ini tab
  • Change the timeout value to a value of your choice in seconds (image below shows 6 seconds)
  • Click Apply > Close
  • You will be prompted to restar for the changes to take effect.

MSConfig_Boot_Timeout.png

I am doing this repair for a non techie kind of friend. :P

Then you must inform them that computer was infected with a ROOTKIT. In particular, the TDL3 rootkit, also known as Win32/Alureon. A rootkit is a set of software tools intended for concealing running processes, files or system data from the operating system.

Due to its rootkit functionality, it's impossible to tell what may have been done when the system was compromised.

Therefore it may be prudent to:

  1. Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts.
  2. Change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password)

Windows Rootkits

How do I respond to a possible identity theft and how do I prevent it

=============================================

Your log now appears to be clean.

Your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are. If not, please continue with the instructions below.

DeFogger Re-enable

To re-enable your Emulation drivers, double click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Uninstall Combofix

We Need to Remove ComboFix

  1. Please go to Start -> Run
  2. Enter "ComboFix /uninstall" (without quotes). Note the space between "ComboFix" and "/uninstall", it needs to be there.
    combofix.png
  3. Press OK (Or hit enter).
  4. Allow ComboFix to remove itself.

OTC by OldTimer

Download OTC by Old Timer and save it to your Desktop.

  • Double-click OTC.exe
  • Click the CleanUp! button
  • Select Yes when the Begin cleanup Process? Prompt appears
  • If you are prompted to Reboot during the cleanup, select Yes
  • The tool will delete itself once it finishes, if not delete it by yourself

Protection Programs

Don't forget to re-enable any protection programs we disabled during your fix.

====================================================================

General Security and Computer Health

Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.

  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
    Uninstall Tools for Major Antivirus Products
  • Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
    Note: The update process uses ActiveX, so you will need to use internet explorer for it and allow the ActiveX control to install.
  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.
  • Make Internet Explorer More Secure
    Internet Explorer 8 <<< Recommended Version
    For older versions please read and follow the recommendations at this site
    Internet Explorer7

Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.
  • Malwarebytes' Anti-Malware
    As you already have Malwarebytes' Anti-Malware on board I would keep it regularly updated and run regular quick scans with it. (TIP: Cleaning out temp files can reduce scanning times.)
    Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. The Full version includes a number of features, including a built in protection monitor that blocks malicious processes before they even start.
  • Hosts File
    For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE.
  • Install and use a firewall with outbound protection
    The Windows firewall only monitors incoming traffic, NOT outgoing. Using a software firewall in its default configuration to replace the Windows firewall greatly reduces the risk of your computer being hacked. Make sure your firewall is always enabled while your computer is connected to the internet.
    Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.
    Suggestions:

[Please note that trial pay is not needed to get any product for free.]

Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Also please read this great article by Tony Klein So How Did I Get Infected In First Place

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!

Link to post
Share on other sites

To extend the Timeout value:

  • Go to Start > Run and enter MSConfig > click OK
  • Click the boot.ini tab
  • Change the timeout value to a value of your choice in seconds (image below shows 6 seconds)
  • Click Apply > Close
  • You will be prompted to restar for the changes to take effect.

MSConfig_Boot_Timeout.png

Then you must inform them that computer was infected with a ROOTKIT. In particular, the TDL3 rootkit, also known as Win32/Alureon. A rootkit is a set of software tools intended for concealing running processes, files or system data from the operating system.

Due to its rootkit functionality, it's impossible to tell what may have been done when the system was compromised.

Therefore it may be prudent to:

  1. Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts.
  2. Change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password)

Windows Rootkits

How do I respond to a possible identity theft and how do I prevent it

=============================================

Your log now appears to be clean.

Your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are. If not, please continue with the instructions below.

DeFogger Re-enable

To re-enable your Emulation drivers, double click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Uninstall Combofix

We Need to Remove ComboFix

  1. Please go to Start -> Run
  2. Enter "ComboFix /uninstall" (without quotes). Note the space between "ComboFix" and "/uninstall", it needs to be there.
    combofix.png
  3. Press OK (Or hit enter).
  4. Allow ComboFix to remove itself.

OTC by OldTimer

Download OTC by Old Timer and save it to your Desktop.

  • Double-click OTC.exe
  • Click the CleanUp! button
  • Select Yes when the Begin cleanup Process? Prompt appears
  • If you are prompted to Reboot during the cleanup, select Yes
  • The tool will delete itself once it finishes, if not delete it by yourself

Protection Programs

Don't forget to re-enable any protection programs we disabled during your fix.

====================================================================

General Security and Computer Health

Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.

  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
    Uninstall Tools for Major Antivirus Products
  • Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
    Note: The update process uses ActiveX, so you will need to use internet explorer for it and allow the ActiveX control to install.
  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.
  • Make Internet Explorer More Secure
    Internet Explorer 8 <<< Recommended Version
    For older versions please read and follow the recommendations at this site
    Internet Explorer7

Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.
  • Malwarebytes' Anti-Malware
    As you already have Malwarebytes' Anti-Malware on board I would keep it regularly updated and run regular quick scans with it. (TIP: Cleaning out temp files can reduce scanning times.)
    Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. The Full version includes a number of features, including a built in protection monitor that blocks malicious processes before they even start.
  • Hosts File
    For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE.
  • Install and use a firewall with outbound protection
    The Windows firewall only monitors incoming traffic, NOT outgoing. Using a software firewall in its default configuration to replace the Windows firewall greatly reduces the risk of your computer being hacked. Make sure your firewall is always enabled while your computer is connected to the internet.
    Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.
    Suggestions:

[Please note that trial pay is not needed to get any product for free.]

Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Also please read this great article by Tony Klein So How Did I Get Infected In First Place

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!

hmmm, i see that the picture is set on 6 seconds... my lpatop is really slow for some reason and i checked and it showed it was on 30 seconds... should i change it?? and what do those seconds do?!?!?

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.