mrdrae, posted August 15, 2010

Last week I came home and found many blank windows open on my PC. The sound was disabled and the Task Manager was disabled. I managed to close all of the windows and I went to run Malwarebytes, but the icon was missing from my desktop. I downloaded Malwarebytes but I was unable to update it. I ran it anyway and it found 2 items and cleaned them. I then noticed that the Shut Down button was missing from my profile and I could not shut down or restart through the Task Manager. I need assistance. I ran DeFogger but it did not ask to reboot, so I pushed the power button for a hard reboot. When it restarted I saw the defogger_disable file on my desktop. I did not know if I should continue with the other instructions or post the log, so here is the DeFogger log.

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 08:53 on 15/08/2010 (Willie Rose)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-
Maniac, posted August 17, 2010

Hello mrdrae! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

The process of cleaning your system may take some time, so please be patient.
Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
Stay with the thread until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
Instructions that I give are for your system only!
If you don't know or can't understand something, please ask.
Do not install or uninstall any software or hardware while we work on it.
Keep me informed about any changes.

Yes, please continue with the other instructions.
mrdrae, posted August 19, 2010

OK, everything is done except GMER. It froze the first time. I am running it now but it seems to be taking forever. I'll send it as soon as it's finished. Thanks.
mrdrae, posted August 19, 2010

GMER would not complete without freezing. I ran it in safe mode and included it in the zip file. There is not as much info as when it was running in regular mode.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Willie Rose at 6:08:46.06 on Wed 08/18/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3325.2703 [GMT -5:00]

AV: Norton Security Suite *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4430

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/14/2010 8:50:35 PM
mbam-log-2010-08-14 (20-50-35).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 236826
Time elapsed: 47 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Attachment: attachandark.zip
Maniac, posted August 19, 2010

Step 1
Please uninstall the following application:
Adobe Reader 9.3.3
You can read how to do this here: Windows XP, Windows Vista, Windows 7

Step 2
Please go into the Control Panel, Add/Remove, and for now remove ALL versions of Java. Then run this tool to help clean up any leftover Java.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please download JavaRa and unzip it to your desktop.
***Please close any instances of Internet Explorer (or other web browser) before continuing!***
Double-click on JavaRa.exe to start the program.
From the drop-down menu, choose English and click on Select.
JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
A logfile will pop up. Please save it to a convenient location and post it back when you reply.
Then look for the following Java folders and if found delete them:
C:\Program Files\Java
C:\Program Files\Common Files\Java
C:\Windows\Sun
C:\Documents and Settings\All Users\Application Data\Java
C:\Documents and Settings\All Users\Application Data\Sun\Java
C:\Documents and Settings\username\Application Data\Java
C:\Documents and Settings\username\Application Data\Sun\Java

Step 3
Going over your logs I noticed that you have
mrdrae, posted August 21, 2010

JavaRa 1.16 Removal Log.
Report follows after line.
------------------------------------
The JavaRa removal process was started on Fri Aug 20 18:13:15 2010
Found and removed: C:\Documents and Settings\Willie Rose\Application Data\Sun\Java\jre1.6.0_17
Found and removed: Software\Classes\JavaPlugin.160_20
------------------------------------
Finished reporting.

ComboFix 10-08-19.02 - Willie Rose 08/20/2010 18:37:30.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3325.2513 [GMT -5:00]
Running from: c:\documents and settings\Willie Rose\Desktop\Combo-Fix.exe
AV: Norton Security Suite *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\windows\Downloaded Program Files\popcaploader.inf
hxxp://www.comcast.net/mStart Page = hxxp://www.comcast.net/mWindow Title = Windows Internet Explorer provided by ComcastuInternet Connection Wizard,ShellNext = iexploreIE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.htmlIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.htmlIE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.htmlIE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.htmlLSP: %SYSTEMROOT%\system32\nvappfilter.dllFF - ProfilePath - c:\documents and settings\Willie Rose\Application Data\Mozilla\Firefox\Profiles\6tzudq62.default\FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\components\coFFPlgn.dllFF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\components\IPSFFPl.dllFF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dllFF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dllFF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dllFF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dllFF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\---- FIREFOX POLICIES ----c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);c:\program files\Mozilla 
Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", 
"chrome://browser/locale/browser.properties");c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);.- - - - ORPHANS REMOVED - - - -WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)AddRemove-Qedoc Quiz Player- Jumanji - c:\windows\system32\javaws.exe**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2010-08-20 18:41Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... 
scan completed successfullyhidden files: 0**************************************************************************[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]"ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.2.0.12\diMaster.dll\" /prefetch:1".--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(756)c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dllc:\program files\CA\PPRT\bin\CACheck.dllc:\program files\CA\PPRT\bin\CAHook.dllc:\program files\CA\PPRT\bin\CAServer.dll- - - - - - - > 'lsass.exe'(812)c:\windows\system32\nvappfilter.dll.Completion time: 2010-08-20 18:44:02ComboFix-quarantined-files.txt 2010-08-20 23:43Pre-Run: 452,407,177,216 bytes freePost-Run: 452,480,344,064 bytes freeWindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe[boot loader]timeout=2default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS[operating systems]c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdconsmulti(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect- - End Of File - - C11991DEB8E26645C8BDB1A1F6DD6A21 Link to post Share on other sites More sharing options...
Maniac Posted August 21, 2010 ID:303316

Download FixPolicies.exe (by Bill Castner) and save it to your desktop.
Double click on FixPolicies.exe to run it.
Click on Install. It will create a folder named FixPolicies on your desktop.
Open the FixPolicies folder.
Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly; this is normal.
Let me know how things are now.
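For readers who want to see what a policy reset of this kind actually touches, here is an added PowerShell audit script; it is not FixPolicies' code nor anything from this thread. It reports the Explorer/System policy values behind the symptoms described here (Log Off and Shut Down missing, Task Manager disabled) and the disabled standard-profile firewall flag, and removes them only when run with -Fix. NoLogOff, NoChangeStartMenu and EnableFirewall appeared in this thread's log; NoClose, DisableTaskMgr and DisableRegistryTools are standard Windows policy values assumed relevant to the symptoms, not taken from the log.

```powershell
# Added example (not FixPolicies' or the forum's code). Audits restrictive policy
# values and, with -Fix, removes them. Run from an elevated prompt for HKLM changes.
param([switch]$Fix)

$explorer = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'

# NoLogOff / NoChangeStartMenu were in the thread's log; the rest are standard
# policy values assumed relevant to the symptoms (Shut Down gone, Task Manager off).
$checks = @(
    @{ Key = $explorer; Name = 'NoLogOff' },
    @{ Key = $explorer; Name = 'NoClose' },
    @{ Key = $explorer; Name = 'NoChangeStartMenu' },
    @{ Key = $system;   Name = 'DisableTaskMgr' },
    @{ Key = $system;   Name = 'DisableRegistryTools' }
)

$findings = @()
foreach ($hive in 'HKCU', 'HKLM') {
    foreach ($c in $checks) {
        $path = "${hive}:\$($c.Key)"
        if (-not (Test-Path $path)) { continue }
        $item = Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $value = $item.$($c.Name)
        if ($value -ne 0) {
            $findings += [pscustomobject]@{ Path = $path; Name = $c.Name; Value = $value }
        }
    }
}

# The log also showed the standard-profile firewall switched off (EnableFirewall = 0).
$fwPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$fw = Get-ItemProperty -Path $fwPath -Name 'EnableFirewall' -ErrorAction SilentlyContinue
if ($fw -and $fw.EnableFirewall -eq 0) {
    $findings += [pscustomobject]@{ Path = $fwPath; Name = 'EnableFirewall'; Value = 0 }
}

if ($findings.Count -eq 0) {
    Write-Output 'No restrictive policy values found.'
    return
}
$findings | Format-Table -AutoSize

if ($Fix) {
    foreach ($f in $findings) {
        if ($f.Name -eq 'EnableFirewall') {
            # Re-enable the firewall rather than deleting the value.
            Set-ItemProperty -Path $f.Path -Name $f.Name -Value 1 -Type DWord
        } else {
            # Deleting the policy value restores the default (unrestricted) behaviour.
            Remove-ItemProperty -Path $f.Path -Name $f.Name
        }
        Write-Output "Reset $($f.Path)\$($f.Name)"
    }
}
```

Run it once without -Fix to see what is set, and note that a value reappearing after removal points to something still running that re-applies it.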
mrdrae Posted August 21, 2010 Author ID:303406

Things seem to be back to normal. I had to restore my bookmarks in Firefox from a backup made 8/11. That seems to be the only issue. I am curious as to what type of malware hit me and if any information stored on my computer was compromised. Do you have any idea?
Maniac Posted August 21, 2010 ID:303445

Your problem is not due to malware. I don't know what's going on with your PC. Any other problem?
mrdrae Posted August 21, 2010 Author ID:303476

Not even a Trojan horse? Wow, I wonder what it could have been. Things seem to be back to normal. You think I can trust it?
Maniac Posted August 22, 2010 ID:303658

Yes, you can. Last steps:

Step 1
* Go to Start > Run and copy and paste the next command in the field:
ComboFix /uninstall
Make sure there's a space between ComboFix and /
Then hit Enter.
This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Step 2
To enable CD emulation programs using DeFogger please perform these steps:
Please download DeFogger to your desktop.
Once downloaded, double-click on the DeFogger icon to start the tool.
The application window will now appear.
You should now click on the Enable button to enable your CD emulation drivers.
When it prompts you whether or not you want to continue, please click on the Yes button to continue.
When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
If CD emulation programs are present and have been enabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.

Step 3
Please manually delete DeFogger, FixPolicies, JavaRa, DDS and GMER.

Step 4
Please download and install the latest version of Adobe Reader from:
www.adobe.com
About Java:
www.java.com/en

Step 5
Some malware prevention tips:
http://forums.malwarebytes.org/index.php?showtopic=9365

Safe surfing!
mrdrae Posted August 23, 2010 Author ID:304002

Thanks for helping me remove the problem I was having with my computer. I received a link to Jason Levine's Browser Security Tests for the final test but it does not work. Does anyone have an updated link to the test?
screen317 (Staff) Posted August 29, 2010 ID:306458

That site seems to be abandoned. You could try this test instead:
http://bcheck.scanit.be/bcheck/
I will close this thread since the issue is resolved.