Need help finishing the job

So I got that nasty Antivirus IS trojan that basically took over my system. Warnings constantly, couldn't load any webpages, any attempt to close errors took me to a "helpful" website where I could supply my credit card info for their fake anti-virus program. Ah, extortion in the 21st century.

Anyway, I read some of the ideas here and tried implementing them. I searched the registry for some of the more damning files, and downloaded Process Explorer. Using Process Explorer, I found something called "acupblrlanw.exe" that was causing the fake errors and preventing me from running programs. Searching the registry, I found the processes that were running some of the trojan scripts and killed them. Disabling the proxy server on Firefox allowed me to use that again as well.

I ran Malwarebytes a few times, got some mismatched files, and it deleted them (this was after I was finally able to update Malwarebytes). Unfortunately, whatever is clogging my internet is still active. Firefox works, but Chrome and IE can't connect to anything. iTunes can't connect to the iTunes store (says the connection "timed out") but Steam works just fine. Can you guys help? I still have malware, even if I stopped the more annoying aspects of it, but Malwarebytes isn't finding anything.

ComboFix Log to follow....

-------------------

ComboFix 10-09-30.03 - Owner 09/30/2010 22:37:22.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1571 [GMT -4:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

AV: Norton 360 *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}

FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\c.cgm

c:\documents and settings\Owner\GoToAssistDownloadHelper.exe

c:\documents and settings\Owner\Local Settings\Application Data\{9A689F56-8092-42DB-9632-E03A3F51C705}

c:\documents and settings\Owner\Local Settings\Application Data\{9A689F56-8092-42DB-9632-E03A3F51C705}\chrome.manifest

c:\documents and settings\Owner\Local Settings\Application Data\{9A689F56-8092-42DB-9632-E03A3F51C705}\chrome\content\_cfg.js

c:\documents and settings\Owner\Local Settings\Application Data\{9A689F56-8092-42DB-9632-E03A3F51C705}\chrome\content\c.js

c:\documents and settings\Owner\Local Settings\Application Data\{9A689F56-8092-42DB-9632-E03A3F51C705}\chrome\content\overlay.xul

c:\documents and settings\Owner\Local Settings\Application Data\{9A689F56-8092-42DB-9632-E03A3F51C705}\install.rdf

c:\documents and settings\Owner\Recent\Thumbs.db

c:\windows\Downloaded Program Files\popcaploader.inf

.

((((((((((((((((((((((((( Files Created from 2010-09-01 to 2010-10-01 )))))))))))))))))))))))))))))))

.

2010-10-01 02:37 . 2010-10-01 02:37 12568 ----a-w- c:\windows\system32\drivers\PROCEXP113.SYS

2010-10-01 00:48 . 2010-10-01 00:48 -------- d-----w- c:\program files\FileASSASSIN

2010-09-30 04:18 . 2010-09-30 04:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2010-09-30 04:08 . 2010-09-30 10:22 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-09-30 04:04 . 2010-09-30 04:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-09-29 23:41 . 2010-09-29 23:41 -------- d-----w- C:\found.001

2010-09-17 13:29 . 2010-09-17 13:29 81601680 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{N360S_NUC_prod_1.19_4.1.0.32}\symcdefs.exe

2010-09-12 07:08 . 2010-09-12 07:08 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help

2010-09-10 21:45 . 2009-08-06 23:23 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-09-10 21:45 . 2009-08-06 23:23 215920 ----a-w- c:\windows\system32\muweb.dll

2010-09-10 21:40 . 2008-11-10 15:41 32656 ----a-w- c:\windows\system32\msonpmon.dll

2010-09-10 21:40 . 2006-10-26 23:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll

2010-09-10 21:39 . 2010-09-12 07:07 -------- d-----w- c:\program files\Microsoft Works

2010-09-10 21:38 . 2010-09-10 21:38 -------- d-----w- c:\program files\Microsoft.NET

2010-09-10 21:35 . 2010-09-10 21:35 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Microsoft Help

2010-09-10 21:35 . 2010-09-15 07:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-09-04 16:22 . 2010-09-04 16:22 -------- d-----w- c:\program files\iPod

2010-09-04 16:22 . 2010-09-04 16:23 -------- d-----w- c:\program files\iTunes

2010-09-04 16:18 . 2010-09-04 16:19 -------- d-----w- c:\program files\QuickTime

2010-09-04 16:12 . 2010-09-04 16:12 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-10-01 03:00 . 2007-07-20 04:11 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2

2010-10-01 03:00 . 2007-08-20 17:45 -------- d-----w- c:\program files\Steam

2010-10-01 03:00 . 2007-12-07 20:09 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-09-30 21:36 . 2009-08-09 01:53 -------- d-----w- c:\program files\Electronic Arts

2010-09-30 00:31 . 2009-01-13 03:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-29 23:44 . 2009-01-13 02:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2010-09-29 23:32 . 2007-09-23 19:19 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent

2010-09-29 22:00 . 2007-12-02 20:45 -------- d-----w- c:\program files\Norton Security Scan

2010-09-26 19:44 . 2009-09-15 21:44 43052 ---ha-w- c:\windows\system32\mlfcache.dat

2010-09-18 00:57 . 2010-04-29 00:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2010-09-16 22:45 . 2007-07-17 21:02 47168 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-09-15 07:23 . 2009-12-21 07:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-09-13 14:44 . 2007-12-30 04:20 -------- d-----w- c:\program files\EA GAMES

2010-09-07 19:40 . 2010-04-29 00:14 1819504 ----a-w- c:\documents and settings\All Users\Application Data\Norton\NUA.exe

2010-09-04 16:22 . 2007-07-19 19:16 -------- d-----w- c:\program files\Common Files\Apple

2010-08-22 20:41 . 2009-07-19 18:30 -------- d-----w- c:\program files\ScummVM

2010-08-20 11:26 . 2007-07-17 21:09 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-08-17 13:17 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-08 00:27 . 2010-08-08 00:27 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-47acac6b-n\decora-sse.dll

2010-08-08 00:27 . 2010-08-08 00:27 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-39a99fb1-n\msvcp71.dll

2010-08-08 00:27 . 2010-08-08 00:27 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-39a99fb1-n\jmc.dll

2010-08-08 00:27 . 2010-08-08 00:27 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-39a99fb1-n\msvcr71.dll

2010-08-08 00:27 . 2010-08-08 00:27 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-47acac6b-n\decora-d3d.dll

2010-08-05 21:18 . 2009-08-09 01:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts

2010-08-05 21:18 . 2010-08-05 21:18 -------- d-----w- c:\program files\Common Files\Adobe AIR

2010-08-05 21:17 . 2010-09-30 04:03 53632 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2010-08-05 21:17 . 2010-08-05 21:18 53632 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2010-07-22 15:49 . 2004-08-04 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

2010-07-22 05:57 . 2009-04-16 04:43 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-07-10 13:16 . 2009-04-12 15:13 38 ----a-w- c:\windows\popcinfot.dat

2009-04-01 02:47 . 2009-01-13 02:41 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Steam"="c:\program files\Steam\Steam.exe" [2010-08-28 1242448]

"NortonUpdateAgent"="c:\documents and settings\All Users\Application Data\Norton\NUA.exe" [2010-09-07 1819504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTxfiHlp"="CTXFIHLP.EXE" [2006-03-02 18944]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 67752]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]

"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]

c:\documents and settings\Owner\Start Menu\Programs\Startup\

OpenOffice.org 2.2.lnk - c:\program files\OpenOffice.org 2.2\program\quickstart.exe [2007-2-2 393216]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHELPER

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

2009-05-19 05:23 49968 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\mIRC\\mirc.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Steam\\steamapps\\cerclerouge21\\half-life 2 deathmatch\\hl2.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\xcom ufo defense\\dosbox.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\deus ex invisible war\\System\\dx2.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\sid meier's civilization iv\\Civilization4.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\thief deadly shadows\\System\\runme.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\sid meier's civilization iv warlords\\Warlords\\Civ4Warlords.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\sid meier's civilization iv warlords\\Warlords\\Civ4Warlords_PitBoss.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\the longest journey\\game.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\bioshock\\Builds\\Release\\Bioshock.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\deus ex\\System\\DeusEx.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\lumines\\lumines.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\peggle deluxe\\Peggle.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\peggle nights\\PeggleNights.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\ghostbusters\\ghost_w32.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\swkotor\\swkotor.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\bin_ship\\daupdatersvc.service.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\unreal tournament\\System\\UnrealTournament.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\the witcher enhanced edition\\System\\witcher.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\the witcher enhanced edition\\System\\djinni!.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\fallout\\falloutw.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\fallout 2\\FALLOUT2.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\vampire the masquerade - bloodlines\\vampire.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\dreamfall the longest journey\\dreamfall.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\bin_ship\\DAOrigins.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\DAOriginsLauncher.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\docs\\EA Help\\Electronic_Arts_Technical_Support.htm"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Steam\\steamapps\\common\\real myst\\RealMYST.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\riven\\Riven.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\dark forces\\DosBox\\dosbox.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/18/2008 3:37 PM 149352]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/4/2007 5:58 PM 24652]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/30/2010 11:27 AM 102448]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 10:32 PM 23888]

S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [3/8/2010 5:43 PM 25832]

S3 ZT6688;ZT6688 USB To Fast Ethernet Adapter;c:\windows\system32\drivers\ZT6688.sys [7/17/2007 12:38 PM 21376]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [4/6/2008 10:20 PM 717296]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

.

Contents of the 'Scheduled Tasks' folder

2010-10-01 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-09-29 c:\windows\Tasks\Norton Security Scan for Owner.job

- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 08:18]

2010-10-01 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:27811

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\iyx7oqad.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

BHO-{ecdee021-0d17-467f-a1ff-c7a115230949} - c:\program files\free-downloads.net\tbfre0.dll

Toolbar-{ecdee021-0d17-467f-a1ff-c7a115230949} - c:\program files\free-downloads.net\tbfre0.dll

WebBrowser-{ECDEE021-0D17-467F-A1FF-C7A115230949} - c:\program files\free-downloads.net\tbfre0.dll

SharedTaskScheduler-{41033699-9494-4c62-b630-e4465d57b874} - c:\windows\system32\tinotobu.dll

SSODL-ganeyajuh-{41033699-9494-4c62-b630-e4465d57b874} - c:\windows\system32\tinotobu.dll

MSConfigStartUp-AlcoholAutomount - c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe

MSConfigStartUp-CTFMON - (no file)

MSConfigStartUp-EA Core - c:\program files\Electronic Arts\EADM\Core.exe

AddRemove-EA Download Manager - c:\program files\Electronic Arts\EADM\EADMUninstall.exe

AddRemove-FastCAD - c:\program files\ProFantasy\CC3\UNINST.EXE

AddRemove-free-downloads.net Toolbar - c:\progra~1\FREE-D~1.NET\UNWISE.EXE

AddRemove-SimPE_is1 - c:\program files\SimPE\unins000.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-30 23:01

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-823518204-1677128483-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:f8,a3,66,f0,61,8f,f2,b9,e5,ee,2d,3f,cd,d5,53,5b,78,fe,9a,3b,39,23,2d,

92,94,2a,99,33,cb,08,70,81,0e,f2,56,e1,16,8b,53,6c,2d,ce,32,4b,0c,92,4a,3f,\

"??"=hex:e2,3f,91,cd,32,a8,84,a4,d8,71,37,a7,c0,27,0e,74

[HKEY_USERS\S-1-5-21-823518204-1677128483-839522115-1003\Software\SecuROM\License information*]

"datasecu"=hex:e8,3d,dd,be,89,f8,bf,8c,70,4a,26,1a,fe,0d,a6,19,d7,db,fd,d4,5b,

de,24,d8,70,68,22,30,ff,fe,f8,3a,d8,b4,76,c1,52,55,52,f9,e7,11,76,0e,b0,41,\

"rkeysecu"=hex:1d,69,3b,15,46,68,11,5c,58,be,ae,e7,d3,38,bb,88

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3248)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\program files\Lavasoft\Ad-Aware\aawservice.exe

c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\RUNDLL32.EXE

c:\program files\Canon\CAL\CALMAIN.exe

c:\program files\OpenOffice.org 2.2\program\soffice.exe

c:\program files\OpenOffice.org 2.2\program\soffice.BIN

c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

c:\windows\system32\rundll32.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2010-09-30 23:07:20 - machine was rebooted

ComboFix-quarantined-files.txt 2010-10-01 03:07

Pre-Run: 254,583,078,912 bytes free

Post-Run: 254,909,489,152 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - CD07C34191B125D2E56826B028536251


Hello cveachmartin

Welcome to Malwarebytes.

=====================

HiJack This! Forum Policy

We will not be party to obvious use of key gens, cracks, warez or other illegal means of downloading software, music, videos etc. This means no P2P evidence will be supported. Logs that show these in them will be given the option to remove the P2P items. Keygens, cracks, warez and similar will have the thread closed, period. It's theft and against the law.
For you this means removing BitTorrent and any other P2P program you have installed.

Please uninstall it before proceeding.

==========================

Combofix is not to be used unless instructed to do so by a trained helper.

1. Please open Notepad

  • Click Start , then Run
  • type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

DDS::
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:27811

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScriptB-4.gif]

5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:

  • Combofix.txt

=============

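The symptom pattern in the first post (Firefox and Steam work; IE, Chrome and iTunes time out) and the CFScript in the reply both point at the same line of the log: a per-user WinINET proxy set to `http=127.0.0.1:27811`. Pointing the system proxy at a port on the local machine lets a malicious process intercept or block every program that honours that setting, which IE, Chrome and iTunes do; Firefox escaped because its own proxy preference (`network.proxy.type` 0) was switched back to direct, and Steam does not depend on the WinINET proxy. The Python below is an added example for this thread, not code from ComboFix, Malwarebytes or either poster: it scans log lines in the format shown above, flags proxy entries that point back at the local machine, flags Security Center values that silence the "no antivirus" alerts (the `AntiVirusOverride` and `DisableMonitoring` values in the log), and rebuilds the `DDS::` block the helper asked for. The sample input is constructed from lines in the posted log plus two benign lines; reading the `u`/`m` prefixes as the current-user and machine hives follows DDS/ComboFix notation and is an assumption here.

```python
"""Triage a ComboFix log for a loopback proxy hijack and Security Center
overrides, then emit the DDS:: block that clears the proxy values.

Added example for this thread; not part of ComboFix, Malwarebytes or the
forum posts. Assumes DDS/ComboFix notation: 'u' = current-user hive,
'm' = machine hive.
"""
import ipaddress
import re

# Constructed sample: lines copied from the ComboFix log posted above, plus
# two benign lines (Firefox pref, Steam Run entry) the filters must ignore.
SAMPLE_LOG = """\
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:27811
FF - prefs.js: network.proxy.type - 0
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"Steam"="c:\\program files\\Steam\\Steam.exe" [2010-08-28 1242448]
"""

PROXY_RE = re.compile(r"^([um])Internet Settings,ProxyServer\s*=\s*(.+?)\s*$")
OVERRIDE_RE = re.compile(r"^[um]Internet Settings,ProxyOverride\s*=")
KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def _is_loopback(host: str) -> bool:
    """True for 'localhost', any 127.0.0.0/8 address, or ::1."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False


def find_loopback_proxy(lines):
    """Return (hive, scheme, host, port) for each WinINET ProxyServer entry
    that points back at this machine. A proxy on the local host is only
    legitimate if the user knowingly installed one; otherwise something on
    that port is sitting between the browser and the network."""
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue
        hive, value = m.groups()
        # Value is "host:port" or "scheme=host:port;scheme=host:port".
        for entry in value.split(";"):
            if "=" in entry:
                scheme, _, hostport = entry.partition("=")
            else:
                scheme, hostport = "*", entry
            host, _, port = hostport.rpartition(":")
            if host and port.isdigit() and _is_loopback(host):
                hits.append((hive, scheme, host, int(port)))
    return hits


def security_center_overrides(lines):
    """Return (registry key, value name) for every DWORD set to 1 under the
    Security Center key. AntiVirusOverride / DisableMonitoring stop Windows
    from warning that AV or firewall monitoring is off, so a rogue AV's own
    alerts are the only ones the user sees."""
    current_key = ""
    found = []
    for line in lines:
        k = KEY_RE.match(line)
        if k:
            current_key = k.group(1)
            continue
        d = DWORD_RE.match(line)
        if d and "security center" in current_key.lower() and int(d.group(2), 16) == 1:
            found.append((current_key, d.group(1)))
    return found


def build_cfscript(lines):
    """Rebuild the DDS:: block from the reply above: the ProxyOverride and
    ProxyServer lines copied verbatim so ComboFix removes those values.
    Returns '' when no loopback proxy is present, so nothing is fed to
    ComboFix on a clean log."""
    if not find_loopback_proxy(lines):
        return ""
    targets = [l.rstrip() for l in lines if OVERRIDE_RE.match(l) or PROXY_RE.match(l)]
    return "DDS::\n" + "\n".join(targets)


if __name__ == "__main__":
    log_lines = SAMPLE_LOG.splitlines()
    for hit in find_loopback_proxy(log_lines):
        print("loopback proxy:", hit)
    for key, name in security_center_overrides(log_lines):
        print("security center override:", key, name)
    print(build_cfscript(log_lines))
```

To use it on a real log, replace SAMPLE_LOG with the contents of a saved ComboFix.txt; an empty result from build_cfscript means no loopback proxy was found and there is nothing to script. Clearing the proxy value removes the block on IE, Chrome and iTunes, but it does not remove whatever was listening on that port, which is why the helper still wants the follow-up log.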

Done and done. And I've uninstalled BitTorrent. I suppose this bit of malware has been a lesson for me.

Here's the ComboFix log. iTunes and IE still won't connect to the internet.

ComboFix 10-09-30.03 - Owner 10/01/2010 10:31:44.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1406 [GMT -4:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

AV: Norton 360 *On-access scanning disabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}

FW: Norton 360 *disabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

.

((((((((((((((((((((((((( Files Created from 2010-09-01 to 2010-10-01 )))))))))))))))))))))))))))))))

.

2010-10-01 14:26 . 2010-10-01 14:26 14088 ----a-w- c:\windows\system32\drivers\PROCEXP141.SYS

2010-10-01 03:57 . 2010-10-01 03:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2010-10-01 03:56 . 2010-08-12 12:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-10-01 03:56 . 2010-10-01 03:56 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-10-01 03:54 . 2010-10-01 03:54 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Sunbelt Software

2010-10-01 03:52 . 2010-10-01 03:52 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp

2010-10-01 03:52 . 2010-10-01 03:52 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2010-10-01 03:51 . 2010-10-01 03:51 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}

2010-10-01 03:51 . 2010-08-12 12:16 2979848 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe

2010-10-01 03:22 . 2010-10-01 03:22 -------- d-----w- c:\documents and settings\Owner\Application Data\Office Genuine Advantage

2010-10-01 00:48 . 2010-10-01 00:48 -------- d-----w- c:\program files\FileASSASSIN

2010-09-30 04:18 . 2010-09-30 04:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2010-09-30 04:08 . 2010-09-30 10:22 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-09-30 04:04 . 2010-09-30 04:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-09-29 23:41 . 2010-09-29 23:41 -------- d-----w- C:\found.001

2010-09-12 07:08 . 2010-09-12 07:08 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help

2010-09-10 21:45 . 2009-08-06 23:23 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-09-10 21:45 . 2009-08-06 23:23 215920 ----a-w- c:\windows\system32\muweb.dll

2010-09-10 21:40 . 2008-11-10 15:41 32656 ----a-w- c:\windows\system32\msonpmon.dll

2010-09-10 21:40 . 2006-10-26 23:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll

2010-09-10 21:39 . 2010-09-12 07:07 -------- d-----w- c:\program files\Microsoft Works

2010-09-10 21:38 . 2010-09-10 21:38 -------- d-----w- c:\program files\Microsoft.NET

2010-09-10 21:35 . 2010-09-10 21:35 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Microsoft Help

2010-09-10 21:35 . 2010-09-15 07:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-09-04 16:22 . 2010-09-04 16:22 -------- d-----w- c:\program files\iPod

2010-09-04 16:22 . 2010-09-04 16:23 -------- d-----w- c:\program files\iTunes

2010-09-04 16:18 . 2010-09-04 16:19 -------- d-----w- c:\program files\QuickTime

2010-09-04 16:12 . 2010-09-04 16:12 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-10-01 14:30 . 2007-12-07 20:09 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-10-01 14:24 . 2007-08-20 17:45 -------- d-----w- c:\program files\Steam

2010-10-01 14:24 . 2007-07-20 04:11 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2

2010-10-01 13:38 . 2010-04-29 00:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2010-10-01 13:37 . 2007-09-23 19:19 -------- d-----w- c:\program files\BitTorrent

2010-10-01 03:53 . 2007-07-19 22:56 -------- d-----w- c:\program files\Google

2010-10-01 03:50 . 2007-11-27 11:57 -------- d-----w- c:\program files\Lavasoft

2010-10-01 03:50 . 2007-11-27 11:57 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2010-09-30 21:36 . 2009-08-09 01:53 -------- d-----w- c:\program files\Electronic Arts

2010-09-30 00:31 . 2009-01-13 03:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-29 23:44 . 2009-01-13 02:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2010-09-29 22:00 . 2007-12-02 20:45 -------- d-----w- c:\program files\Norton Security Scan

2010-09-26 19:44 . 2009-09-15 21:44 43052 ---ha-w- c:\windows\system32\mlfcache.dat

2010-09-16 22:45 . 2007-07-17 21:02 47168 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-09-15 07:23 . 2009-12-21 07:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-09-13 14:44 . 2007-12-30 04:20 -------- d-----w- c:\program files\EA GAMES

2010-09-07 19:40 . 2010-04-29 00:14 1819504 ----a-w- c:\documents and settings\All Users\Application Data\Norton\NUA.exe

2010-09-04 16:22 . 2007-07-19 19:16 -------- d-----w- c:\program files\Common Files\Apple

2010-08-22 20:41 . 2009-07-19 18:30 -------- d-----w- c:\program files\ScummVM

2010-08-20 11:26 . 2007-07-17 21:09 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-08-17 13:17 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-08 00:27 . 2010-08-08 00:27 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-47acac6b-n\decora-sse.dll

2010-08-08 00:27 . 2010-08-08 00:27 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-39a99fb1-n\msvcp71.dll

2010-08-08 00:27 . 2010-08-08 00:27 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-39a99fb1-n\jmc.dll

2010-08-08 00:27 . 2010-08-08 00:27 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-39a99fb1-n\msvcr71.dll

2010-08-08 00:27 . 2010-08-08 00:27 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-47acac6b-n\decora-d3d.dll

2010-08-05 21:18 . 2009-08-09 01:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts

2010-08-05 21:18 . 2010-08-05 21:18 -------- d-----w- c:\program files\Common Files\Adobe AIR

2010-08-05 21:17 . 2010-09-30 04:03 53632 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2010-08-05 21:17 . 2010-08-05 21:18 53632 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2010-07-22 15:49 . 2004-08-04 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

2010-07-22 05:57 . 2009-04-16 04:43 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-07-10 13:16 . 2009-04-12 15:13 38 ----a-w- c:\windows\popcinfot.dat

2009-04-01 02:47 . 2009-01-13 02:41 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Steam"="c:\program files\Steam\Steam.exe" [2010-08-28 1242448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTxfiHlp"="CTXFIHLP.EXE" [2006-03-02 18944]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 67752]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]

"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]

c:\documents and settings\Owner\Start Menu\Programs\Startup\

OpenOffice.org 2.2.lnk - c:\program files\OpenOffice.org 2.2\program\quickstart.exe [2007-2-2 393216]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

2009-05-19 05:23 49968 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\mIRC\\mirc.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Steam\\steamapps\\cerclerouge21\\half-life 2 deathmatch\\hl2.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\xcom ufo defense\\dosbox.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\deus ex invisible war\\System\\dx2.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\sid meier's civilization iv\\Civilization4.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\thief deadly shadows\\System\\runme.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\sid meier's civilization iv warlords\\Warlords\\Civ4Warlords.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\sid meier's civilization iv warlords\\Warlords\\Civ4Warlords_PitBoss.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\the longest journey\\game.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\bioshock\\Builds\\Release\\Bioshock.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\deus ex\\System\\DeusEx.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\lumines\\lumines.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\peggle deluxe\\Peggle.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\peggle nights\\PeggleNights.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\ghostbusters\\ghost_w32.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\swkotor\\swkotor.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\bin_ship\\daupdatersvc.service.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\unreal tournament\\System\\UnrealTournament.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\the witcher enhanced edition\\System\\witcher.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\the witcher enhanced edition\\System\\djinni!.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\fallout\\falloutw.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\fallout 2\\FALLOUT2.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\vampire the masquerade - bloodlines\\vampire.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\dreamfall the longest journey\\dreamfall.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\bin_ship\\DAOrigins.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\DAOriginsLauncher.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\docs\\EA Help\\Electronic_Arts_Technical_Support.htm"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Steam\\steamapps\\common\\real myst\\RealMYST.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\riven\\Riven.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\dark forces\\DosBox\\dosbox.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/30/2010 11:56 PM 64288]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/4/2007 5:58 PM 24652]

R3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 10:32 PM 23888]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/30/2010 11:27 AM 102448]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/30/2010 11:51 PM 135664]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/12/2010 8:15 AM 1356952]

S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/18/2008 3:37 PM 149352]

S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [3/8/2010 5:43 PM 25832]

S3 ZT6688;ZT6688 USB To Fast Ethernet Adapter;c:\windows\system32\drivers\ZT6688.sys [7/17/2007 12:38 PM 21376]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [4/6/2008 10:20 PM 717296]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

*Deregistered* - PROCEXP141

.

Contents of the 'Scheduled Tasks' folder

2010-10-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 03:56]

2010-10-01 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-10-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-01 03:51]

2010-10-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-01 03:51]

2010-09-29 c:\windows\Tasks\Norton Security Scan for Owner.job

- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 08:18]

2010-10-01 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\iyx7oqad.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

**************************************************************************

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-823518204-1677128483-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:f8,a3,66,f0,61,8f,f2,b9,e5,ee,2d,3f,cd,d5,53,5b,78,fe,9a,3b,39,23,2d,

92,94,2a,99,33,cb,08,70,81,0e,f2,56,e1,16,8b,53,6c,2d,ce,32,4b,0c,92,4a,3f,\

"??"=hex:e2,3f,91,cd,32,a8,84,a4,d8,71,37,a7,c0,27,0e,74

[HKEY_USERS\S-1-5-21-823518204-1677128483-839522115-1003\Software\SecuROM\License information*]

"datasecu"=hex:e8,3d,dd,be,89,f8,bf,8c,70,4a,26,1a,fe,0d,a6,19,d7,db,fd,d4,5b,

de,24,d8,70,68,22,30,ff,fe,f8,3a,d8,b4,76,c1,52,55,52,f9,e7,11,76,0e,b0,41,\

"rkeysecu"=hex:1d,69,3b,15,46,68,11,5c,58,be,ae,e7,d3,38,bb,88

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3840)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-10-01 10:44:51

ComboFix-quarantined-files.txt 2010-10-01 14:44

ComboFix2.txt 2010-10-01 03:07

Pre-Run: 256,810,029,056 bytes free

Post-Run: 256,794,628,096 bytes free

- - End Of File - - 7A9D61E3EB832DD803ABDD7A272C1CA4


Please go to Start > Run and type in Notepad.

Copy what is in the code box below into the open Notepad window.

Change the "Save As Type" to "All Files". Save it as look.bat on your Desktop.

rem export the COMHOST service key to look.txt (regedit /e writes a .reg text file)
regedit /e look.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\COMHOST"
rem open the export in Notepad, then delete this batch file
start notepad look.txt
del %0

Then please double click on look.bat; a window will open and close quickly. This is normal.

Post the contents of the notepad document that opens.

==============

Check to see if a proxy is set in IE.

To do this, open IE and go to Tools > Internet Options > Connections > LAN settings (the button across the bottom).

If there is a proxy setting set, uncheck the box, then hit OK to save the change.

See then if it will connect.


Done.

---------------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\COMHOST]

"Start"=dword:00000003

"ErrorControl"=dword:00000000

"DisplayName"="COM Host"

"Type"=dword:00000010

"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,\

6d,00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,43,00,6f,00,6d,00,6d,00,6f,\

00,6e,00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,53,00,79,00,6d,00,61,00,\

6e,00,74,00,65,00,63,00,20,00,53,00,68,00,61,00,72,00,65,00,64,00,5c,00,56,\

00,41,00,53,00,63,00,61,00,6e,00,6e,00,65,00,72,00,5c,00,63,00,6f,00,6d,00,\

48,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,22,00,00,00

"DependOnGroup"=hex(7):00,00

"ObjectName"="LocalSystem"

"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00

"Group"="Symantec Services"

"Description"="COM aggregation host service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\COMHOST\Enum]

"0"="Root\\LEGACY_COMHOST\\0000"

@=""

"NextInstance"=dword:00000001

"Count"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\COMHOST\Security]

"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\

00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\

00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\

05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\

20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\

00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\

00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

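The export above, and the proxy check the helper asked for two posts earlier, are both questions of "what does this registry key actually say"; hex(2) and hex(7) values are UTF-16LE and are easier to decode than to read. The following Python script is an added example (it is not code from the thread, from ComboFix, or from any other tool mentioned here). It parses the text that regedit /e or reg export produces, decodes the value types a service key uses, and summarizes a service key and an IE "Internet Settings" key. The COMHOST sample is copied from the posted export; the Internet Settings sample is constructed for illustration, and its proxy values are not from the poster's machine.

```python
import re
from typing import Any, Dict, List

# Sample 1: the COMHOST service key as posted in the thread (output of the
# helper's look.bat); continuation lines are indented as regedit writes them.
COMHOST_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\COMHOST]
"Start"=dword:00000003
"ErrorControl"=dword:00000000
"DisplayName"="COM Host"
"Type"=dword:00000010
"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,\
  6d,00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,43,00,6f,00,6d,00,6d,00,6f,\
  00,6e,00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,53,00,79,00,6d,00,61,00,\
  6e,00,74,00,65,00,63,00,20,00,53,00,68,00,61,00,72,00,65,00,64,00,5c,00,56,\
  00,41,00,53,00,63,00,61,00,6e,00,6e,00,65,00,72,00,5c,00,63,00,6f,00,6d,00,\
  48,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,22,00,00,00
"DependOnGroup"=hex(7):00,00
"ObjectName"="LocalSystem"
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"Group"="Symantec Services"
"Description"="COM aggregation host service"
'''

# Sample 2: a CONSTRUCTED export of the per-user WinINet key behind IE's
# Connections > LAN settings dialog.  Values are illustrative only;
# ProxyEnable=1 is the "Use a proxy server" checkbox.
PROXY_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="127.0.0.1:8080"
"ProxyOverride"="<local>"
'''

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _join_continuations(text: str) -> List[str]:
    """Rejoin values that regedit wrapped with a trailing backslash."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    return lines


def _decode_value(raw: str) -> Any:
    """Decode one .reg value: "string", dword:, hex: (binary), hex(2)/hex(7)."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])        # REG_SZ, unescape \\ and \"
    if raw.startswith("dword:"):
        return int(raw[6:], 16)                            # REG_DWORD
    m = re.match(r"^hex(?:\((\d+)\))?:(.*)$", raw)
    if not m:
        raise ValueError("unrecognised value syntax: %r" % raw)
    kind = int(m.group(1) or 3)                            # bare hex: is REG_BINARY (3)
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    if kind in (1, 2):                                     # REG_SZ / REG_EXPAND_SZ, UTF-16LE
        return data.decode("utf-16-le").rstrip("\x00")
    if kind == 7:                                          # REG_MULTI_SZ, NUL-separated
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return data


def parse_reg(text: str) -> Dict[str, Dict[str, Any]]:
    """Parse regedit /e or reg export text into {key path: {value name: value}}."""
    keys: Dict[str, Dict[str, Any]] = {}
    current = None
    for line in _join_continuations(text):
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError("cannot parse line: %r" % line)
        keys[current][m.group(1) if m.group(1) is not None else "@"] = _decode_value(m.group(2))
    return keys


_START = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START", 3: "DEMAND_START", 4: "DISABLED"}
_TYPE = {0x01: "KERNEL_DRIVER", 0x02: "FILE_SYSTEM_DRIVER", 0x10: "WIN32_OWN_PROCESS", 0x20: "WIN32_SHARE_PROCESS"}


def summarize_service(values: Dict[str, Any]) -> Dict[str, Any]:
    """The fields a service entry is triaged by: what runs, as whom, and when."""
    image = str(values.get("ImagePath", ""))
    return {
        "image_path": image,
        "binary": image.strip('"').rsplit("\\", 1)[-1],
        "start": _START.get(values.get("Start"), "unknown"),
        "type": _TYPE.get(int(values.get("Type", 0)) & 0xFF, "unknown"),  # 0x100 = interactive flag
        "account": values.get("ObjectName"),
        "depends_on": values.get("DependOnService", []),
    }


def proxy_status(values: Dict[str, Any]) -> Dict[str, Any]:
    """What IE's LAN settings dialog would show for an Internet Settings key."""
    enabled = bool(values.get("ProxyEnable", 0))
    return {
        "proxy_enabled": enabled,
        "proxy_server": values.get("ProxyServer") if enabled else None,
        "pac_url": values.get("AutoConfigURL"),      # "Use automatic configuration script"
        "bypass_list": values.get("ProxyOverride"),
    }


if __name__ == "__main__":
    for path, values in parse_reg(COMHOST_REG).items():
        print(path, summarize_service(values))
    for path, values in parse_reg(PROXY_REG).items():
        print(path, proxy_status(values))
```

On the posted export this resolves ImagePath to "C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe", started on demand as LocalSystem and depending on RpcSs, which is what the Group and Description values already suggest. The same parser applied to `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" proxy.reg` shows the proxy that IE, and anything else using the WinINet system settings, will honour; on newer Windows versions reg export writes UTF-16LE with a BOM, so decode the file accordingly before passing it to parse_reg. Firefox keeps its own proxy preferences (network.proxy.type in the log above), which is why fixing it there does not fix IE.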
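The "Security" value in the export above is the service's self-relative security descriptor, and the check that matters for a newly created service is whether any principal outside SYSTEM and Administrators holds SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER or DELETE on it, since those are the rights that let the service be repointed at another binary. The following Python script is an added example, not code from the thread or from any tool it mentions; it parses that value (copied byte for byte from the export) and reports the DACL. The ACE, SID and access-right layouts are the documented Windows ones; only well-known SIDs are given names, anything else is printed raw.

```python
import struct
from typing import Dict, List

# The "Security" value of the COMHOST service key, copied from the .reg export
# posted above: a self-relative SECURITY_DESCRIPTOR, as every service key stores.
SERVICE_SD_HEX = (
    "01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,"
    "00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,"
    "00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,"
    "05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,"
    "20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,"
    "00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,"
    "00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00"
)
SERVICE_SD = bytes(int(b, 16) for b in SERVICE_SD_HEX.split(","))

ACE_TYPES = {0: "ACCESS_ALLOWED", 1: "ACCESS_DENIED", 2: "SYSTEM_AUDIT"}
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
              "S-1-5-18": "LocalSystem", "S-1-5-32-544": "Administrators",
              "S-1-5-32-545": "Users", "S-1-5-32-547": "Power Users"}
# Service-specific access rights (winsvc.h) plus the standard rights that matter here.
SERVICE_RIGHTS = [
    (0x0001, "QUERY_CONFIG"), (0x0002, "CHANGE_CONFIG"), (0x0004, "QUERY_STATUS"),
    (0x0008, "ENUMERATE_DEPENDENTS"), (0x0010, "START"), (0x0020, "STOP"),
    (0x0040, "PAUSE_CONTINUE"), (0x0080, "INTERROGATE"), (0x0100, "USER_DEFINED_CONTROL"),
    (0x10000, "DELETE"), (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER"),
]
# Rights that let a principal change which binary runs, or who may change it.
HIJACK_MASK = 0x0002 | 0x10000 | 0x40000 | 0x80000


def parse_sid(buf: bytes, off: int) -> str:
    """SID: revision, sub-authority count, 48-bit big-endian authority, LE sub-authorities."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", str(rev), str(authority)] + [str(s) for s in subs])


def parse_acl(buf: bytes, off: int) -> List[Dict]:
    """ACL header (8 bytes) followed by AceCount ACEs of type/flags/size/mask/SID."""
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, flags, size = struct.unpack_from("<BBH", buf, pos)
        mask, = struct.unpack_from("<I", buf, pos + 4)
        aces.append({"type": ACE_TYPES.get(ace_type, ace_type), "flags": flags,
                     "mask": mask, "sid": parse_sid(buf, pos + 8)})
        pos += size
    return aces


def parse_security_descriptor(buf: bytes) -> Dict:
    """Self-relative SD: revision, control flags, then offsets to owner/group/SACL/DACL."""
    rev, _sbz, control, owner, group, sacl, dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & 0x8000:          # SE_SELF_RELATIVE
        raise ValueError("not a self-relative security descriptor")
    return {
        "control": control,
        "owner": parse_sid(buf, owner) if owner else None,
        "group": parse_sid(buf, group) if group else None,
        "sacl": parse_acl(buf, sacl) if control & 0x0010 and sacl else [],   # SE_SACL_PRESENT
        "dacl": parse_acl(buf, dacl) if control & 0x0004 and dacl else [],   # SE_DACL_PRESENT
    }


def rights_of(mask: int) -> List[str]:
    return [name for bit, name in SERVICE_RIGHTS if mask & bit]


def hijackable_by(dacl: List[Dict]) -> List[str]:
    """Principals other than SYSTEM/Administrators allowed any right in HIJACK_MASK."""
    return [WELL_KNOWN.get(a["sid"], a["sid"]) for a in dacl
            if a["type"] == "ACCESS_ALLOWED" and a["mask"] & HIJACK_MASK
            and a["sid"] not in ("S-1-5-18", "S-1-5-32-544")]


if __name__ == "__main__":
    sd = parse_security_descriptor(SERVICE_SD)
    print("owner:", WELL_KNOWN.get(sd["owner"], sd["owner"]))
    for ace in sd["dacl"]:
        who = WELL_KNOWN.get(ace["sid"], ace["sid"])
        print("%-15s %-20s %s" % (ace["type"], who, ", ".join(rights_of(ace["mask"]))))
    print("can reconfigure/replace the service:",
          hijackable_by(sd["dacl"]) or "nobody outside SYSTEM/Administrators")
```

For this value the DACL grants Administrators everything, LocalSystem everything except CHANGE_CONFIG, Power Users start/stop and query, and Authenticated Users query-only; no one outside Administrators can change the ImagePath, which is the default XP service descriptor. The check is deliberately narrow: it ignores deny ACEs and does not resolve group membership, so on a descriptor with custom SIDs read the printed rows rather than trusting the one-line verdict.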

I deleted Internet Explorer (it was Version 7 anyway) and redownloaded version 8. That works fine, but iTunes is still being blocked by something. The iTunes diagnostic says "Secure Link to store failed", meaning the Malware Antivirus program that's 90% dead is still blocking it. I'm considering deleting iTunes and redownloading it, but if you have a way so I can find out what exactly is blocking it that would be a big help. (Process Explorer isn't showing me anything)


You are welcome.

=======Cleanup=======

  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the Uninstall; it needs to be there.

Delete/uninstall anything else that we have used that is left over.

After that you're all set.

===The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance===

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article - Some great guidelines to follow to prevent future infections; please read the Prevention article by Miekiemoes.

"How did I get infected in the first place?" - Also this one, by Tony Klein.

If your computer is slow - A tutorial on what you can do if your computer is slow.

File sharing program dangers - Reasons to stay away from file sharing programs, e.g. BitTorrent, Limewire, Kazaa, eMule, uTorrent, etc.

===Free antimalware tools used for on-demand scanning and cleaning; no real-time protection unless purchased===

Malwarebytes Antimalware

superantispyware

===Free antivirus links===

This is antivirus and antispyware.

Microsoft Security Essentials

This is free antispyware protection and Antivirus protection.

AVG free 9.0

This is just antivirus protection.

Antivir

This is antivirus and antispyware protection.

Avast

