
Solved Malware Problem, Google Toolbar Redirect, Etc.

Discussion in 'Malware and Virus Removal Archive' started by sheltone, 2010/06/05.

    sheltone, Thread Starter, 2010/06/05

    [Resolved] Malware Problem, Google Toolbar Redirect, Etc.

    Hello,
    I am having several problems which may all be malware related. I will post them one at a time, per the administrator’s instructions.

    My computer is a Dell Dimension 4600 series, Intel Pentium 4 Processor at 2.60 GHz. My O/S is Windows XP, my browser is the latest version of Firefox and my email program is Thunderbird. My virus protection is Norton Internet Security and I also use the free version of Malwarebytes.

    I just updated my Norton Internet Security last weekend as my subscription only had a couple days left. I wonder if the new version is causing some of these problems to occur? How do I know if the present settings on my Norton Internet Security are all correct? Most options are turned on, but a handful are off and I don’t know if they should be or not. For example, under Computer scans, "remove infected compressed files" is turned off. Should it be?

    HERE’S WHAT’S HAPPENING -- I do a lot of research using the Google search engine on my Firefox browser. For the past week and a half, every time I click on a link from the Google result page, I am redirected to a completely different website. How can I fix this? I’ve run Malwarebytes and Norton scans several times since this started happening and they come up clean every time. I was also wondering if the paid version of Malwarebytes would offer me any more protection. I ran the DDS software and am posting the two reports below.

    If anyone can help me, it would be greatly appreciated. If we can solve these, I’ll foist my long-time Comcast email problems on the board! 

    I hope everything is posted according to protocol as I'm not a computer wiz. Thanks in advance!

    Larry



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 7/8/2003 5:07:42 PM
    System Uptime: 6/5/2010 2:25:33 PM (1 hours ago)

    Motherboard: Dell Computer Corp. | | 02Y832
    Processor: Intel(R) Pentium(R) 4 CPU 2.60GHz | Microprocessor | 2593/800mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 74 GiB total, 56.625 GiB free.
    D: is FIXED (FAT32) - 25 GiB total, 21.549 GiB free.
    E: is FIXED (FAT32) - 4 GiB total, 3.281 GiB free.
    F: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1344: 3/6/2010 6:59:32 PM - System Checkpoint
    RP1345: 3/8/2010 10:27:59 AM - System Checkpoint
    RP1346: 3/9/2010 11:49:46 AM - System Checkpoint
    RP1347: 3/10/2010 12:24:43 PM - System Checkpoint
    RP1348: 3/10/2010 8:10:33 PM - Software Distribution Service 3.0
    RP1349: 3/12/2010 11:45:25 AM - System Checkpoint
    RP1350: 3/13/2010 12:29:17 PM - System Checkpoint
    RP1351: 3/14/2010 7:33:47 PM - System Checkpoint
    RP1352: 3/15/2010 8:11:05 PM - System Checkpoint
    RP1353: 3/16/2010 8:53:54 PM - System Checkpoint
    RP1354: 3/18/2010 5:06:22 PM - System Checkpoint
    RP1355: 3/19/2010 6:46:51 PM - System Checkpoint
    RP1356: 3/20/2010 7:21:39 PM - System Checkpoint
    RP1357: 3/21/2010 7:45:46 PM - System Checkpoint
    RP1358: 3/22/2010 7:54:27 PM - System Checkpoint
    RP1359: 3/23/2010 7:58:18 PM - System Checkpoint
    RP1360: 3/25/2010 5:34:13 PM - System Checkpoint
    RP1361: 3/26/2010 7:05:37 PM - System Checkpoint
    RP1362: 3/27/2010 7:11:57 PM - System Checkpoint
    RP1363: 3/28/2010 7:19:35 PM - System Checkpoint
    RP1364: 3/29/2010 7:25:32 PM - System Checkpoint
    RP1365: 3/31/2010 3:00:35 PM - Software Distribution Service 3.0
    RP1366: 4/1/2010 9:11:16 AM - Configured Turbo Lister 2
    RP1367: 4/2/2010 10:30:25 AM - System Checkpoint
    RP1368: 4/3/2010 2:29:12 PM - System Checkpoint
    RP1369: 4/4/2010 7:41:42 PM - System Checkpoint
    RP1370: 4/5/2010 8:08:24 PM - System Checkpoint
    RP1371: 4/7/2010 12:08:00 PM - System Checkpoint
    RP1372: 4/8/2010 12:31:15 PM - System Checkpoint
    RP1373: 4/9/2010 6:59:22 PM - System Checkpoint
    RP1374: 4/11/2010 12:12:15 PM - System Checkpoint
    RP1375: 4/12/2010 12:40:17 PM - System Checkpoint
    RP1376: 4/13/2010 12:52:09 PM - System Checkpoint
    RP1377: 4/14/2010 11:48:50 AM - Software Distribution Service 3.0
    RP1378: 4/15/2010 12:34:23 PM - System Checkpoint
    RP1379: 4/15/2010 6:07:32 PM - Installed ScanExpress A3 USB 1200 Pro
    RP1380: 4/15/2010 7:16:12 PM - Installed MediaImpression
    RP1381: 4/16/2010 9:39:58 AM - Removed MediaImpression
    RP1382: 4/16/2010 9:42:27 AM - Removed ArcSoft Software Suite
    RP1383: 4/17/2010 5:21:53 PM - System Checkpoint
    RP1384: 4/18/2010 7:40:21 PM - System Checkpoint
    RP1385: 4/19/2010 8:23:11 PM - System Checkpoint
    RP1386: 4/21/2010 12:47:08 PM - System Checkpoint
    RP1387: 4/22/2010 7:05:35 PM - System Checkpoint
    RP1388: 4/23/2010 7:10:51 PM - System Checkpoint
    RP1389: 4/24/2010 7:24:32 PM - System Checkpoint
    RP1390: 4/25/2010 7:55:15 PM - System Checkpoint
    RP1391: 4/27/2010 6:38:09 PM - System Checkpoint
    RP1392: 4/28/2010 8:42:04 PM - System Checkpoint
    RP1393: 4/29/2010 8:46:39 PM - System Checkpoint
    RP1394: 5/1/2010 7:29:11 PM - System Checkpoint
    RP1395: 5/2/2010 8:06:05 PM - System Checkpoint
    RP1396: 5/4/2010 8:52:43 AM - System Checkpoint
    RP1397: 5/5/2010 4:43:39 PM - System Checkpoint
    RP1398: 5/6/2010 8:01:07 PM - System Checkpoint
    RP1399: 5/8/2010 11:47:36 AM - System Checkpoint
    RP1400: 5/9/2010 8:32:39 PM - System Checkpoint
    RP1401: 5/10/2010 8:46:30 PM - System Checkpoint
    RP1402: 5/11/2010 2:55:47 PM - Software Distribution Service 3.0
    RP1403: 5/12/2010 5:11:10 PM - System Checkpoint
    RP1404: 5/14/2010 6:27:59 PM - System Checkpoint
    RP1405: 5/15/2010 7:46:03 PM - System Checkpoint
    RP1406: 5/16/2010 8:04:10 PM - System Checkpoint
    RP1407: 5/18/2010 7:24:29 PM - System Checkpoint
    RP1408: 5/19/2010 7:35:11 PM - System Checkpoint
    RP1409: 5/20/2010 8:21:54 PM - System Checkpoint
    RP1410: 5/21/2010 9:11:26 PM - System Checkpoint
    RP1411: 5/22/2010 9:55:42 PM - System Checkpoint
    RP1412: 5/23/2010 10:24:27 PM - System Checkpoint
    RP1413: 5/25/2010 4:31:47 PM - System Checkpoint
    RP1414: 5/25/2010 7:11:12 PM - Software Distribution Service 3.0
    RP1415: 5/26/2010 7:26:25 PM - System Checkpoint
    RP1416: 5/27/2010 7:54:31 PM - System Checkpoint
    RP1417: 5/28/2010 8:32:31 PM - System Checkpoint
    RP1418: 5/29/2010 8:38:32 PM - System Checkpoint
    RP1419: 6/1/2010 12:45:37 PM - System Checkpoint
    RP1420: 6/2/2010 1:37:06 PM - System Checkpoint
    RP1421: 6/3/2010 6:59:47 PM - System Checkpoint

    ==== Installed Programs ======================

    ABBYY FineReader 5.0 Sprint Plus
    Ad-aware 6 Personal
    Adobe Flash Player 10 Plugin
    Adobe Flash Player ActiveX
    Adobe Reader 7.0
    BACS
    Banctec Service Agreement
    BCM V.92 56K Modem
    Broadcom Advanced Control Suite
    Coupon Printer for Windows
    CuteFTP 5.0 XP
    DAO
    Dell Picture Studio - Dell Image Expert
    Dell Solution Center
    DellSupport
    Easy CD Creator 5 Basic
    EPSON CardMonitor
    EPSON Copy Utility
    EPSON Photo Print
    EPSON PhotoStarter3.0
    EPSON Printer Software
    EPSON RX500 Reference Guide
    EPSON Scan
    EPSON Smart Panel
    Google Toolbar for Firefox
    Help and Support Customization
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    Intel(R) PRO Network Adapters and Drivers
    Intel(R) PROSet
    iPhoto Plus 4
    Java 2 Runtime Environment, SE v1.4.1_02
    Java 2 Runtime Environment, SE v1.4.2_01
    Java Web Start
    MailWasher Free 6.5.2
    MailWasher Pro
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework (English)
    Microsoft .NET Framework (English) v1.0.3705
    Microsoft .NET Framework 1.0 Hotfix (KB928367)
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Data Access Components KB870669
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office XP Small Business
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Modem Helper
    MozBackup 1.4.9
    Mozilla Firefox (3.6.3)
    Mozilla Thunderbird (2.0.0.24)
    MUSICMATCH Jukebox
    Netscape (7.2)
    Norton Internet Security
    NVIDIA Windows 2000/XP Display Drivers
    Paint Shop Pro 7
    QuickTime
    RealDownload
    RealPlayer
    Rhapsody Player Engine
    ScanExpress A3 USB 1200 Pro
    ScanToWeb
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980232)
    Symantec Network Driver Update
    Symantec Technical Support Web Controls
    TextBridge Classic
    Turbo Lister 2
    Update for Windows Internet Explorer 8 (KB971180)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Viewpoint Media Player (Remove Only)
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3

    ==== Event Viewer Messages From Past Week ========

    6/1/2010 10:12:31 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Cryptographic Services service to connect.
    6/1/2010 10:12:31 AM, error: Service Control Manager [7000] - The Cryptographic Services service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    5/31/2010 6:34:12 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BHDrvx86 ccHP eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SRTSPX SymIRON SYMTDI Tcpip
    5/31/2010 6:34:12 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
    5/31/2010 6:34:12 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    5/31/2010 6:34:12 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    5/31/2010 6:34:12 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    5/31/2010 6:33:35 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments " " in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    5/31/2010 6:33:27 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    5/31/2010 1:08:27 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Wireless Zero Configuration service to connect.
    5/31/2010 1:08:27 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Themes service to connect.
    5/31/2010 1:08:27 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the DHCP Client service to connect.
    5/31/2010 1:08:27 PM, error: Service Control Manager [7000] - The Wireless Zero Configuration service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    5/31/2010 1:08:27 PM, error: Service Control Manager [7000] - The Themes service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    5/31/2010 1:08:27 PM, error: Service Control Manager [7000] - The DHCP Client service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    5/30/2010 11:39:12 AM, error: Service Control Manager [7000] - The A32P service failed to start due to the following error: The system cannot find the file specified.
    5/30/2010 11:38:02 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    5/30/2010 11:38:02 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.

    ==== End Of File ===========================



    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Larry at 15:41:18.79 on Sat 06/05/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.88 [GMT -4:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\TWAIN_32\L12U16U2\SrvMod.exe
    svchost.exe
    C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
    C:\Documents and Settings\Larry\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.comcast.net/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
    mSearchAssistant = hxxp://www.google.com
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.7.0.12\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.7.0.12\IPSBHO.DLL
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.7.0.12\coIEPlg.dll
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [BCMSMMSG] BCMSMMSG.exe
    mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe "
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [EPSON Stylus Photo RX500] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500 "
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    dRun: [Symantec Network Driver Update Warning] c:\progra~1\symantec\liveup~1\SNDWarn.EXE
    dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
    dRun: [Symantec NetDriver Warning] c:\progra~1\symnet~1\SNDWarn.exe
    dRunOnce: [SRUUninstall] "c:\windows\system32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress
    StartupFolder: c:\docume~1\larry\startm~1\programs\startup\textbr~1.lnk - c:\program files\textbridge classic\bin\TBMenu.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\realdo~1.lnk - c:\program files\real\realdownload\RealDownload.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\srvmod.lnk - c:\windows\twain_32\l12u16u2\SrvMod.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
    DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
    DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Name-Space Handler: ftp\RealDownload - {EBCDDA5E-2A68-11D3-8A43-0060083CFB9C} - c:\windows\system32\nzdd.dll
    Name-Space Handler: http\RealDownload - {EBCDDA5E-2A68-11D3-8A43-0060083CFB9C} - c:\windows\system32\nzdd.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\larry\applic~1\mozilla\firefox\profiles\emuvz0g7.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - eBay
    FF - prefs.js: browser.startup.homepage - hxxp://comcast.net
    FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\coffplgn\components\coFFPlgn.dll
    FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\ipsffplgn\components\IPSFFPl.dll
    FF - component: c:\documents and settings\larry\application data\mozilla\firefox\profiles\emuvz0g7.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - plugin: c:\documents and settings\larry\application data\mozilla\firefox\profiles\emuvz0g7.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.use_native_popup_windows ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.enable_click_image_resizing ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "accessibility.browsewithcaret_shortcut.enabled ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "javascript.options.mem.high_water_mark ", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "javascript.options.mem.gc_frequency ", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.trackpoint_hack.enabled ", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.debug ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.agedWeight ", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.bucketSize ", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.maxTimeGroupings ", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.timeGroupingSize ", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.boundaryWeight ", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.prefixWeight ", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "html5.enable ", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref ", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.renego_unrestricted_hosts ", " ");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.treat_unsafe_negotiation_as_broken ", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.require_safe_negotiation ", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl3.rsa_seed_sha ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "app.update.download.backgroundInterval ", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "app.update.url.manual ", "http://www.firefox.com ");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-ja ", "mozff ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add ", "addons.mozilla.org ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add.36 ", "getpersonas.com ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "lightweightThemes.update.enabled ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.allTabs.previews ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "plugins.hide_infobar_for_outdated_plugin ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "toolbar.customization.usesheet ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.enable ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.max ", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.cachetime ", 20);

    ============= SERVICES / DRIVERS ===============

    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1107000.00c\symds.sys [2010-5-20 328752]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1107000.00c\symefa.sys [2010-5-20 173104]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\bashdefs\20100429.001\BHDrvx86.sys [2010-4-29 537136]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1107000.00c\cchpx86.sys [2010-5-20 501888]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1107000.00c\ironx86.sys [2010-5-20 116784]
    R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.7.0.12\ccsvchst.exe [2010-5-20 126392]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-27 102448]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\ipsdefs\20100528.003\IDSXpx86.sys [2010-5-28 331640]
    R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\virusdefs\20100605.003\NAVENG.SYS [2010-6-5 85552]
    R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\virusdefs\20100605.003\NAVEX15.SYS [2010-6-5 1347504]
    S2 A32P;A32P;c:\windows\system32\drivers\a32p.sys --> c:\windows\system32\drivers\A32P.sys [?]

    =============== Created Last 30 ================

    2010-05-09 03:47:57 226728 ----a-r- c:\windows\system32\cpnprt2.cid
    2010-05-09 03:46:59 0 d-----w- c:\program files\Coupons
    2010-05-09 02:13:47 1440054 ----a-w- c:\windows\ippie.bmp

    ==================== Find3M ====================

    2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-15 22:06:57 81946 ----a-w- c:\windows\system32\vb5ko.dll
    2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
    2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
    2008-08-28 20:58:01 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082820080829\index.dat

    ============= FINISH: 15:44:22.23 ===============
     
  2. 2010/06/05
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    No, you should turn it on.

    Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When scan is completed, click Save button, and save the results as gmer.log
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.

    =============================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     


  4. 2010/06/05
    sheltone

    sheltone Inactive Thread Starter

    Joined:
    2004/03/28
    Messages:
    45
    Likes Received:
    0
    Excuse me for being a little thick. You want me to run BOTH GMER and Combofix? I only have one possible problem. It says to disable your anti-virus when using Combofix. One of my other computer problems is as of May 27th, I've gotten multiple messages, we're talking 25-30 or more a day from my Norton Internet Security, stating that someone has attempted to break into my system. The messages read -- "A recent attempt to attack your computer was blocked". Each of these messages was a separate attempt. Previous to this, I'd get one message a week if that many. If I were to disable Norton, wouldn't that leave me susceptible to the "attacker" actually getting into my system?

    Let me know and I'll follow your instructions. Thank you! Larry
     
  5. 2010/06/05
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Yes...
     
  6. 2010/06/05
    sheltone

    sheltone Inactive Thread Starter

    Joined:
    2004/03/28
    Messages:
    45
    Likes Received:
    0
    What about the many messages I'm receiving saying Norton is blocking "attacks"? Won't disabling Norton leave me without protection? These attacks are happening pretty regularly at this point.
     
  7. 2010/06/05
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Those messages are normal and they only provide proof that your Norton is working.
    Normally, you should disable those pop-ups, because there is no need to see them all the time.

    You disable only AV part. Firewall will keep you safe.
     
  8. 2010/06/05
    sheltone

    sheltone Inactive Thread Starter

    Joined:
    2004/03/28
    Messages:
    45
    Likes Received:
    0
    I don't know what you mean by AV part. If I turn off Norton altogether, won't the Norton firewall cease working also?
     
  9. 2010/06/05
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Did you go to the link I provided in the Combofix manual regarding disabling your antivirus program?
     
  10. 2010/06/05
    sheltone

    sheltone Inactive Thread Starter

    Joined:
    2004/03/28
    Messages:
    45
    Likes Received:
    0
    Not yet, I will do so and get back to you later today.
     
  11. 2010/06/05
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Well, it's always a good idea to read all my instructions carefully :)
     
  12. 2010/06/06
    sheltone

    sheltone Inactive Thread Starter

    Joined:
    2004/03/28
    Messages:
    45
    Likes Received:
    0
    One day later, I was following your instructions beginning by running GMER when a few minutes in, Windows shut down. It appears GMER caused this to happen. How do I proceed from here?
     
  13. 2010/06/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    ......
     
  14. 2010/06/06
    sheltone

    sheltone Inactive Thread Starter

    Joined:
    2004/03/28
    Messages:
    45
    Likes Received:
    0
    Okay, I tried a second time and Windows crashed again. It said the problem seemed to be caused by the following file: kfloapod.sys

    I then tried a third time, after un-checking "Devices" in the right pane. Windows crashed again but it did not say any file was the cause this time.

    Finally, I tried doing it in safe mode but I had trouble accessing GMER. How can I save it to my desktop so it's accessible? I tried but can't seem to manage it. The file's in a download box at the moment. Sorry I'm not especially computer savvy.
     
  15. 2010/06/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    That's OK :)

    Proceed to Combofix step, but BEFORE you run Combofix....

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe


    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * If not, delete the file, then download and use the one provided in Link 2.
    * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.
    * If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following.

    Now download and run exeHelper.


    * Please download exeHelper from Raktor to your desktop.
    * Double-click on exeHelper.com to run the fix.
    * A black window should pop up, press any key to close once the fix is completed.
    * A log file named log.txt will be created in the directory where you ran exeHelper.com
    * Attach the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    Now, run Combofix.
     
  16. 2010/06/06
    sheltone

    sheltone Inactive Thread Starter

    Joined:
    2004/03/28
    Messages:
    45
    Likes Received:
    0
    Ran rkill.com after disabling anti-virus protection. Your instructions say it's going to ask me to reboot on completion? It didn't do that. Should I rerun it and reboot it or not before going on to run Combofix? Here's the report rkill generated:

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.
    Ran as Larry on 06/06/2010 at 18:30:27.


    Processes terminated by Rkill or while it was running:


    C:\Documents and Settings\Larry\My Documents\Downloads\rkill.com


    Rkill completed on 06/06/2010 at 18:30:41.
     
  17. 2010/06/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    No, the instructions say NOT to reboot :)
    Proceed with exehelper and then Combofix.
     
  18. 2010/06/06
    sheltone

    sheltone Inactive Thread Starter

    Joined:
    2004/03/28
    Messages:
    45
    Likes Received:
    0
    YES it did say not to reboot, sorry, I get slightly dyslexic at times. I just ran exeHelper and here's the report below. I will now get started running Combofix. Back at you soon.........Larry

    exeHelper by Raktor
    Build 20100414
    Run at 21:42:08 on 06/06/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--
     
  19. 2010/06/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Ok :)
     
  20. 2010/06/06
    sheltone

    sheltone Inactive Thread Starter

    Joined:
    2004/03/28
    Messages:
    45
    Likes Received:
    0
    Okay, I just finished running Combofix and got the report. I will post it in the next message. While it was running, the following message popped up:

    PEV.exe -- Corrupt File
    The file or directory C:|ProgramFiles|CommonFiles|SymantecShared|SymcData|nco1.Odefs|20091124.001|SearchServices.xml.bin is corrupt and unreadable. Please run the Chkdsk utility.

    The message popped up in 3 slightly different versions, the second replaced the words, SearchServices with PopularSites, and the third replaced it with Redirections.

    I haven't a clue if I should be doing something about this or not.

    Larry
     
  21. 2010/06/06
    sheltone

    sheltone Inactive Thread Starter

    Joined:
    2004/03/28
    Messages:
    45
    Likes Received:
    0
    Here's the Combofix log report:

    ComboFix 10-06-06.01 - Larry 06/06/2010 22:07:11.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.312 [GMT -4:00]
    Running from: c:\documents and settings\Larry\My Documents\Downloads\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\drivers\fad.sys

    Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((( Files Created from 2010-05-07 to 2010-06-07 )))))))))))))))))))))))))))))))
    .

    2010-05-21 00:04 . 2010-05-06 04:01 361904 ----a-w- c:\windows\system32\drivers\symtdi.sys
    2010-05-21 00:04 . 2010-04-22 03:02 173104 ----a-w- c:\windows\system32\drivers\symefa.sys
    2010-05-21 00:04 . 2010-04-22 02:29 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
    2010-05-21 00:04 . 2009-11-05 22:06 328752 ----a-r- c:\windows\system32\drivers\symds.sys
    2010-05-21 00:04 . 2010-04-29 05:03 116784 ----a-w- c:\windows\system32\drivers\ironx86.sys
    2010-05-21 00:04 . 2010-02-26 00:22 501888 ----a-w- c:\windows\system32\drivers\cchpx86.sys
    2010-05-09 03:46 . 2010-05-09 03:47 -------- d-----w- c:\program files\Coupons

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-06-07 01:15 . 2007-11-28 19:40 -------- d-----w- c:\program files\Mozilla Thunderbird
    2010-06-06 21:49 . 2009-06-30 21:03 -------- d-----w- c:\documents and settings\Larry\Application Data\MailWasherPro
    2010-05-26 22:20 . 2010-03-31 17:50 439816 ----a-w- c:\documents and settings\Larry\Application Data\Real\Update\setup3.10\setup.exe
    2010-05-10 03:53 . 2009-07-06 21:57 -------- d-----w- c:\documents and settings\Larry\Application Data\MailWasherFree
    2010-05-03 14:04 . 2009-01-04 22:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-29 19:39 . 2009-01-04 22:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-29 19:39 . 2009-01-04 22:59 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-16 13:42 . 2010-04-15 23:16 -------- d-----w- c:\program files\Common Files\ArcSoft
    2010-04-16 02:13 . 2010-04-15 23:19 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
    2010-04-16 02:13 . 2010-04-15 23:19 -------- d-----w- c:\documents and settings\Larry\Application Data\ArcSoft
    2010-04-15 23:16 . 2003-07-05 13:32 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-04-15 22:21 . 2010-04-15 22:18 -------- d-----w- c:\program files\ScanExpress A3 USB 1200 Pro
    2010-04-15 22:06 . 2010-04-15 22:18 81946 ----a-w- c:\windows\system32\vb5ko.dll
    2010-03-26 14:33 . 2010-04-30 02:08 1496064 ----a-w- c:\documents and settings\Larry\Application Data\Mozilla\Firefox\Profiles\emuvz0g7.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    2010-03-26 14:33 . 2010-04-30 02:08 43008 ----a-w- c:\documents and settings\Larry\Application Data\Mozilla\Firefox\Profiles\emuvz0g7.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
    2010-03-26 14:33 . 2010-04-30 02:08 339456 ----a-w- c:\documents and settings\Larry\Application Data\Mozilla\Firefox\Profiles\emuvz0g7.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
    2010-03-26 14:32 . 2010-04-30 02:08 346112 ----a-w- c:\documents and settings\Larry\Application Data\Mozilla\Firefox\Profiles\emuvz0g7.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
    2010-03-10 06:15 . 2002-08-29 10:00 420352 ----a-w- c:\windows\system32\vbscript.dll
    2009-04-01 02:47 . 2008-02-13 18:27 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-03-14 4493312]
    "BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
    "AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-02-13 98304]
    "EPSON Stylus Photo RX500"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE" [2003-06-01 99840]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-28 198160]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "SRUUninstall"="c:\windows\System32\msiexec.exe" [2008-04-14 78848]

    c:\documents and settings\Larry\Start Menu\Programs\Startup\
    TextBridge Instant Access OCR.lnk - c:\program files\TextBridge Classic\Bin\TBMenu.exe [2007-7-20 23040]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    RealDownload.lnk - c:\program files\Real\RealDownload\RealDownload.exe [2003-7-10 20515]
    SrvMod.lnk - c:\windows\TWAIN_32\L12U16U2\SrvMod.exe [2008-7-23 49152]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ \0

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\SAGENT4.EXE"=
    "c:\\Program Files\\Netscape\\Netscape\\Netscp.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    R0 SymDS;Symantec Data Store;c:\windows\SYSTEM32\DRIVERS\NIS\1107000.00C\symds.sys [5/20/2010 8:04 PM 328752]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\NIS\1107000.00C\symefa.sys [5/20/2010 8:04 PM 173104]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20100429.001\BHDrvx86.sys [4/29/2010 1:44 PM 537136]
    R1 ccHP;Symantec Hash Provider;c:\windows\SYSTEM32\DRIVERS\NIS\1107000.00C\cchpx86.sys [5/20/2010 8:04 PM 501888]
    R1 SymIRON;Symantec Iron Driver;c:\windows\SYSTEM32\DRIVERS\NIS\1107000.00C\ironx86.sys [5/20/2010 8:04 PM 116784]
    R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe [5/20/2010 8:04 PM 126392]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/27/2010 8:33 AM 102448]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100528.003\IDSXpx86.sys [5/28/2010 3:33 PM 331640]
    S2 A32P;A32P;c:\windows\system32\drivers\A32P.sys --> c:\windows\system32\drivers\A32P.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-06-05 c:\windows\Tasks\Norton Internet Security - Larry - Full System Scan.job
    - c:\program files\Norton Internet Security\Engine\17.7.0.12\navw32.exe [2010-05-21 05:34]

    2010-06-04 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Larry.job
    - c:\program files\Norton Internet Security\Engine\17.7.0.12\navw32.exe [2010-05-21 05:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.comcast.net/
    uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    Name-Space Handler: ftp\RealDownload - {EBCDDA5E-2A68-11D3-8A43-0060083CFB9C} - c:\windows\SYSTEM32\nzdd.dll
    Name-Space Handler: http\RealDownload - {EBCDDA5E-2A68-11D3-8A43-0060083CFB9C} - c:\windows\SYSTEM32\nzdd.dll
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Larry\Application Data\Mozilla\Firefox\Profiles\emuvz0g7.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - eBay
    FF - prefs.js: browser.startup.homepage - hxxp://comcast.net
    FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\coFFPlgn\components\coFFPlgn.dll
    FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\IPSFFPlgn\components\IPSFFPl.dll
    FF - component: c:\documents and settings\Larry\Application Data\Mozilla\Firefox\Profiles\emuvz0g7.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - plugin: c:\documents and settings\Larry\Application Data\Mozilla\Firefox\Profiles\emuvz0g7.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    .
    - - - - ORPHANS REMOVED - - - -

    HKU-Default-Run-Symantec Network Driver Update Warning - c:\progra~1\Symantec\LIVEUP~1\SNDWarn.EXE
    HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe
    HKU-Default-Run-Symantec NetDriver Warning - c:\progra~1\SYMNET~1\SNDWarn.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-06-06 22:17
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
    "ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.7.0.12\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-3030079229-2015897244-748374630-1006\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    Completion time: 2010-06-06 22:22:24
    ComboFix-quarantined-files.txt 2010-06-07 02:22

    Pre-Run: 60,732,575,744 bytes free
    Post-Run: 65,459,834,880 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    - - End Of File - - 5EA812857ED70BDE0FD5D2AAA7EEF8C0
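As an added triage helper, not from this thread and not part of the DDS or ComboFix tools, the Python below parses service/driver lines in the format these logs use and the Security Center values from the ComboFix "Reg Loading Points" section, then reports what an analyst checks first: a service whose file is not on disk (the S2 A32P line above) and override values that are only expected while a third-party suite such as NIS owns Security Center reporting. The sample lines are constructed to match the log format, and the reading of the R/S prefix and start-type digit is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the shape of the DDS "SERVICES / DRIVERS" section:
# "<R|S><digit> <name>;<display>;<path> [<date> <size>]"; "<path> --> <path> [?]" = file not found
SAMPLE_SERVICES = r"""
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1107000.00c\symds.sys [2010-5-20 328752]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.7.0.12\ccsvchst.exe [2010-5-20 126392]
S2 A32P;A32P;c:\windows\system32\drivers\a32p.sys --> c:\windows\system32\drivers\A32P.sys [?]
"""

# Constructed sample in the shape of the ComboFix "Reg Loading Points" section.
SAMPLE_REGISTRY = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Assumed reading of the prefix: R = running, S = stopped; the digit is the
# Windows service start type (0 boot, 1 system, 2 auto, 3 manual, 4 disabled).
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}
SERVICE_RE = re.compile(r"^(?P<code>[RS]\d)\s+(?P<name>[^;]+);[^;]*;(?P<path>.+?)"
                        r"(?:\s+-->\s+(?P<resolved>.+?))?\s+\[(?P<meta>[^\]]*)\]\s*$")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+?)\s*"\s*=\s*(?P<value>\S.*)$')

@dataclass
class ServiceEntry:
    code: str            # e.g. "R0", "S2"
    name: str
    path: str            # the resolved path when the log printed "old --> new"
    file_found: bool
    size: Optional[int]

def parse_services(text: str) -> List[ServiceEntry]:
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue  # not a service/driver line
        meta = m.group("meta").strip()
        found = meta != "?"  # "[?]" means the tool could not find the file on disk
        entries.append(ServiceEntry(m.group("code"), m.group("name").strip(),
                                    (m.group("resolved") or m.group("path")).strip(),
                                    found, int(meta.split()[-1]) if found else None))
    return entries

def parse_registry(text: str) -> List[Tuple[str, str, int]]:
    out, key = [], None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if not (vm and key):
            continue
        raw = vm.group("value").strip()
        try:
            num = int(raw[6:], 16) if raw.lower().startswith("dword:") else int(raw.split()[0])
        except ValueError:
            continue  # string values such as Run entries are not numeric
        out.append((key, vm.group("name").strip(), num))
    return out

# Values worth a second look: expected when a third-party suite such as NIS owns
# Security Center reporting, but a sign of disabled protection when nothing does.
REVIEW_VALUES = {
    ("antivirusoverride", 1): "Security Center antivirus status is overridden",
    ("disablemonitoring", 1): "Security Center monitoring is disabled for this product",
    ("enablefirewall", 0): "Windows Firewall is off for this profile",
}

def triage(services_text: str, registry_text: str) -> List[str]:
    findings = []
    for e in parse_services(services_text):
        if not e.file_found:
            findings.append(f"ORPHAN {e.name}: {START_TYPES.get(e.code[1], '?')}-start "
                            f"service whose file is missing: {e.path}")
    for key, name, value in parse_registry(registry_text):
        msg = REVIEW_VALUES.get((name.lower(), value))
        if msg:
            findings.append(f"REVIEW {name}={value} under {key}: {msg}")
    return findings
```

Run `triage(SAMPLE_SERVICES, SAMPLE_REGISTRY)` to get one ORPHAN line for A32P and three REVIEW lines; feed it the real log sections to triage a pasted log.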
     
