TechSpot

Browser redirect virus

By lizabet
Aug 16, 2010
  1. My computer is being plagued by the browser redirect virus. I have Symantec Antivirus, but a full system scan came up clean. I've done a lot of Googling and a lot of entries came up about a tdssserv.sys Trojan, but I can't seem to find the file in Device Manager. I suspect that it might be a virus that's somehow affecting my router? But a hard reset didn't fix the problem either. Attached are the requested logs.

    A few other things you might want to know: My PC is probably about 10 years old, currently running Windows XP. I am using the latest version of IE and Firefox, but both have been affected. I use Chrome on my Macbook (OS X v10.6), which is connected to my home router via wireless and has also been affected, but to a much lesser extent. I'm not exactly the most tech savvy, so any help will be appreciated, thanks!

    PS. Yeah, I know I have a lot of junk installed, just never got around to deleting anything, haha.
     


  2. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    Welcome aboard

    Unless you installed Viewpoint Manager knowledgeably...
    Go Start>Control Panel>Add\Remove (Programs and Features in Vista), and...
    Uninstall any of the following programs associated with Viewpoint:
    * Viewpoint Manager
    * Viewpoint Media Player
    * Viewpoint Toolbar
    This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware ("drive-by-install") as it is installed without your consent through programs like AOL, AIM, Compuserve, etc.

    =====================================================================

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    =====================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouse-click combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  3. lizabet

    lizabet TS Rookie Topic Starter

    Here are the requested log files.

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 2 (build 2600)
    Logical Drives Mask: 0x0000000d

    Kernel Drivers (total 126):
    0x804D7000 \windows\system32\ntoskrnl.exe
    0x806EC000 \windows\system32\hal.dll
    0xF7987000 \windows\system32\KDCOM.DLL
    0xF7897000 \windows\system32\BOOTVID.dll
    0xF75A8000 ACPI.sys
    0xF7989000 \windows\System32\DRIVERS\WMILIB.SYS
    0xF7597000 pci.sys
    0xF75F7000 isapnp.sys
    0xF7A4F000 PCIIde.sys
    0xF7707000 \windows\System32\Drivers\PCIIDEX.SYS
    0xF798B000 intelide.sys
    0xF7607000 MountMgr.sys
    0xF74D8000 ftdisk.sys
    0xF798D000 dmload.sys
    0xF74B2000 dmio.sys
    0xF770F000 PartMgr.sys
    0xF7617000 VolSnap.sys
    0xF749A000 atapi.sys
    0xF7627000 disk.sys
    0xF7637000 \windows\System32\DRIVERS\CLASSPNP.SYS
    0xF747A000 fltmgr.sys
    0xF7468000 sr.sys
    0xF741F000 pxfsf.sys
    0xF798F000 \windows\system32\DRIVERS\pxcom.SYS
    0xF7408000 KSecDD.sys
    0xF7B52000 Ntfs.sys
    0xF786A000 NDIS.sys
    0xF784F000 Mup.sys
    0xF7537000 \SystemRoot\System32\DRIVERS\intelppm.sys
    0xF77CF000 \SystemRoot\System32\DRIVERS\usbuhci.sys
    0xB9D47000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
    0xF77D7000 \SystemRoot\System32\DRIVERS\usbehci.sys
    0xB9B77000 \SystemRoot\System32\DRIVERS\nv4_mini.sys
    0xB9B63000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
    0xF77DF000 \SystemRoot\system32\drivers\als4000.sys
    0xB9B3F000 \SystemRoot\system32\drivers\portcls.sys
    0xF7527000 \SystemRoot\system32\drivers\drmk.sys
    0xB9B1C000 \SystemRoot\system32\drivers\ks.sys
    0xB9AF9000 \SystemRoot\system32\DRIVERS\e100b325.sys
    0xF77EF000 \SystemRoot\System32\DRIVERS\fdc.sys
    0xF7517000 \SystemRoot\System32\DRIVERS\serial.sys
    0xF7933000 \SystemRoot\System32\DRIVERS\serenum.sys
    0xB9AE5000 \SystemRoot\System32\DRIVERS\parport.sys
    0xF7507000 \SystemRoot\System32\DRIVERS\i8042prt.sys
    0xF77F7000 \SystemRoot\System32\DRIVERS\kbdclass.sys
    0xF7937000 \SystemRoot\system32\drivers\pfc.sys
    0xF74F7000 \SystemRoot\System32\DRIVERS\cdrom.sys
    0xBA717000 \SystemRoot\System32\DRIVERS\redbook.sys
    0xBA707000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    0xBA22A000 \SystemRoot\System32\DRIVERS\audstub.sys
    0xBA6F7000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
    0xF793F000 \SystemRoot\System32\DRIVERS\ndistapi.sys
    0xB9AB9000 \SystemRoot\System32\DRIVERS\ndiswan.sys
    0xBA6E7000 \SystemRoot\System32\DRIVERS\raspppoe.sys
    0xBA6D7000 \SystemRoot\System32\DRIVERS\raspptp.sys
    0xF77FF000 \SystemRoot\System32\DRIVERS\TDI.SYS
    0xB9AA8000 \SystemRoot\System32\DRIVERS\psched.sys
    0xBA6C7000 \SystemRoot\System32\DRIVERS\msgpc.sys
    0xF7807000 \SystemRoot\System32\DRIVERS\ptilink.sys
    0xF780F000 \SystemRoot\System32\DRIVERS\raspti.sys
    0xB99C6000 \SystemRoot\System32\DRIVERS\rdpdr.sys
    0xBA697000 \SystemRoot\System32\DRIVERS\termdd.sys
    0xF772F000 \SystemRoot\System32\DRIVERS\mouclass.sys
    0xF79A1000 \SystemRoot\System32\DRIVERS\swenum.sys
    0xB996D000 \SystemRoot\System32\DRIVERS\update.sys
    0xBA7F0000 \SystemRoot\System32\DRIVERS\mssmbios.sys
    0xBA687000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF7667000 \SystemRoot\System32\DRIVERS\usbhub.sys
    0xF79A3000 \SystemRoot\System32\DRIVERS\USBD.SYS
    0xF7747000 \SystemRoot\System32\DRIVERS\flpydisk.sys
    0xB6845000 \??\C:\Program Files\Symantec AntiVirus\savrt.sys
    0xB6823000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
    0xB680F000 \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys
    0xF791F000 \SystemRoot\System32\DRIVERS\hidusb.sys
    0xF7697000 \SystemRoot\System32\DRIVERS\HIDCLASS.SYS
    0xF774F000 \SystemRoot\System32\DRIVERS\HIDPARSE.SYS
    0xB9969000 \SystemRoot\System32\DRIVERS\mouhid.sys
    0xB9965000 \SystemRoot\system32\DRIVERS\pxrd.sys
    0xF79C7000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7A6E000 \SystemRoot\System32\Drivers\Null.SYS
    0xF79C9000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF776F000 \SystemRoot\System32\drivers\vga.sys
    0xF79CB000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF79CD000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF777F000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF7787000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xB995D000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0xB6391000 \SystemRoot\System32\DRIVERS\ipsec.sys
    0xB6339000 \SystemRoot\System32\DRIVERS\tcpip.sys
    0xB62FE000 \SystemRoot\System32\Drivers\SYMTDI.SYS
    0xF779F000 \SystemRoot\system32\DRIVERS\pxtdi.sys
    0xB62D6000 \SystemRoot\System32\DRIVERS\netbt.sys
    0xB62B4000 \SystemRoot\System32\drivers\afd.sys
    0xB9A78000 \SystemRoot\System32\DRIVERS\netbios.sys
    0xF77A7000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
    0xB6252000 \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
    0xB6231000 \SystemRoot\System32\DRIVERS\ipnat.sys
    0xB9A58000 \SystemRoot\System32\DRIVERS\wanarp.sys
    0xB6206000 \SystemRoot\System32\DRIVERS\rdbss.sys
    0xB6197000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
    0xB9A38000 \SystemRoot\System32\Drivers\Fips.SYS
    0xB6139000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
    0xB611C000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
    0xB9A08000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xB6104000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF79D9000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xBA7B0000 \SystemRoot\System32\drivers\Dxapi.sys
    0xB992D000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xBA234000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\nv4_disp.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xB5FD4000 \SystemRoot\System32\DRIVERS\ndisuio.sys
    0xB5B81000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xB599D000 \SystemRoot\System32\DRIVERS\mrxdav.sys
    0xB5988000 \SystemRoot\system32\drivers\wdmaud.sys
    0xB5BE4000 \SystemRoot\system32\drivers\sysaudio.sys
    0xF79A7000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xB56BF000 \SystemRoot\System32\DRIVERS\srv.sys
    0xB5246000 \SystemRoot\System32\Drivers\HTTP.sys
    0xB53FF000 \SystemRoot\System32\Drivers\SYMREDRV.SYS
    0xAFC95000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100816.016\navex15.sys
    0xAFC81000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100816.016\naveng.sys
    0xAFC56000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 41):
    0 System Idle Process
    4 System
    612 C:\WINDOWS\system32\smss.exe
    676 csrss.exe
    700 C:\WINDOWS\system32\winlogon.exe
    748 C:\WINDOWS\system32\services.exe
    760 C:\WINDOWS\system32\lsass.exe
    920 C:\WINDOWS\system32\svchost.exe
    1020 svchost.exe
    1076 C:\WINDOWS\system32\svchost.exe
    1220 svchost.exe
    1364 svchost.exe
    1372 C:\WINDOWS\explorer.exe
    1448 C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    1516 C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    1616 C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    1676 C:\WINDOWS\system32\spoolsv.exe
    1852 svchost.exe
    1940 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    1980 C:\Program Files\Bonjour\mDNSResponder.exe
    2000 C:\Program Files\Symantec AntiVirus\DefWatch.exe
    140 C:\Program Files\Java\jre6\bin\jqs.exe
    216 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    416 C:\WINDOWS\system32\svchost.exe
    444 C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    1184 C:\Program Files\Canon\CAL\CALMAIN.exe
    1812 wmiprvse.exe
    2192 alg.exe
    2232 C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe
    2284 C:\Program Files\iTunes\iTunesHelper.exe
    2296 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    2308 C:\PROGRA~1\SYMANT~1\VPTray.exe
    2324 C:\Program Files\Messenger\msmsgs.exe
    2340 C:\WINDOWS\system32\ctfmon.exe
    2856 C:\Program Files\iPod\bin\iPodService.exe
    3020 C:\WINDOWS\system32\WgaTray.exe
    3104 C:\WINDOWS\system32\wuauclt.exe
    764 C:\Program Files\Internet Explorer\iexplore.exe
    3952 C:\Program Files\Internet Explorer\iexplore.exe
    2604 C:\Program Files\Internet Explorer\iexplore.exe
    408 C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: ST3160021A, Rev: 8.01

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
     
  4. lizabet

    lizabet TS Rookie Topic Starter

    ComboFix 10-08-16.03 - Administrator 08/16/2010 21:19:50.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1278.704 [GMT -4:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    AV: Prevx 2.0 *On-access scanning disabled* (Outdated) {557C3342-BC52-4508-AC25-4441BDF5C04C}
    AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server
    c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server\flags.ini
    c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server\server.dat
    c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server\uses32.dat

    Infected copy of c:\windows\explorer.exe was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

    Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-07-17 to 2010-08-17 )))))))))))))))))))))))))))))))
    .

    2010-08-16 18:51 . 2010-08-16 18:56 -------- d-----w- c:\windows\system32\wbem\Logs
    2010-08-16 17:19 . 2010-08-16 17:19 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
    2010-08-16 11:20 . 2010-08-16 16:41 -------- d-----w- c:\windows\ie8updates
    2010-08-16 11:09 . 2010-05-06 10:41 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2010-08-16 11:09 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2010-08-16 11:09 . 2010-05-06 10:41 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2010-08-16 05:03 . 2010-08-16 05:03 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
    2010-08-16 04:59 . 2010-08-16 04:59 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2010-08-16 03:02 . 2010-08-16 03:07 -------- dc-h--w- c:\windows\ie8
    2010-08-16 02:16 . 2010-08-16 02:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-08-16 02:16 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-16 02:16 . 2010-08-16 02:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-08-16 02:16 . 2010-08-16 02:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-16 02:16 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-17 01:33 . 2010-05-17 20:33 -------- d-----w- c:\program files\Symantec AntiVirus
    2010-08-17 01:31 . 2007-08-16 01:01 -------- d-----w- c:\program files\Prevx2
    2010-08-17 01:08 . 2007-08-09 22:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
    2010-08-17 01:08 . 2007-08-09 22:22 -------- d-----w- c:\program files\Viewpoint
    2010-08-16 22:04 . 2009-03-26 20:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
    2010-08-16 18:31 . 2007-08-21 20:23 1744 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-06-29 01:17 . 2007-12-24 00:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\ZoomBrowser EX
    2010-06-29 01:17 . 2009-09-25 22:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\CameraWindowDC
    2010-06-18 22:54 . 2007-08-16 01:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Prevx
    2010-06-14 14:30 . 2007-07-21 19:10 743936 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PrevxOne"="c:\program files\Prevx2\PXConsole.exe" [2008-01-23 1997880]
    "Ask and Record FLV Service"="c:\program files\Ask & Record Toolbar\FLVSrvc.exe" [2009-03-10 156672]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-14 125632]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-24 113664]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1186698198\\ee\\AOLServiceHost.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\NJStar Communicator\\MINISMTP.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

    R1 PREVXTdi;PREVX TDI filter;c:\windows\system32\drivers\pxtdi.sys [8/15/2007 9:02 PM 28040]
    R3 als4k;Avance Audio Miniport Driver (WDM);c:\windows\system32\drivers\als4000.sys [8/11/2007 1:05 PM 25674]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/27/2010 6:58 PM 102448]
    S2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe --> c:\program files\iWin Games\iWinTrusted.exe [?]
    S3 PREVXEmulator;PREVX Emulator driver;c:\windows\system32\drivers\PxEmu.sys [8/15/2007 9:02 PM 107912]
    S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/14/2007 7:48 PM 116416]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-11 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2010-08-17 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2009-05-05 02:18]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\uqzp8njt.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
    FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071500000347.dll
    FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071503000010.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-Locked - (no file)
    HKCU-Run-Aim6 - (no file)
    AddRemove-AOL Explorer - c:\program files\Common Files\AOL\1186698198\ee\services\browser\ver1_1_1042\uninst.exe
    AddRemove-Cooking Academy 2 World Cuisine_is1 - c:\program files\Cooking Academy 2 World Cuisine\ReflexiveArcade\unins000.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-16 21:31
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1060284298-1960408961-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b0,92,bb,5a,ac,fd,de,47,97,6e,80,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b0,92,bb,5a,ac,fd,de,47,97,6e,80,\

    [HKEY_USERS\S-1-5-21-1060284298-1960408961-682003330-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7FB13693-8AF5-DA47-CD45-EF95D01E4401}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    "oaadbciabehlpffljcieajhhfkkhdh"=hex:6b,61,6a,62,6c,68,66,6d,6b,62,61,66,62,70,
    6e,66,6f,6a,66,68,62,6e,00,00
    "nagelakockidjelaobmjancliaim"=hex:6b,61,6a,62,6c,68,66,6d,6b,62,61,66,62,70,
    6e,66,6f,6a,66,68,62,6e,00,00
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3504)
    c:\windows\system32\WININET.dll
    c:\documents and settings\Administrator\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\IEFRAME.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
    c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Symantec AntiVirus\DefWatch.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Symantec AntiVirus\Rtvscan.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\system32\WgaTray.exe
    .
    **************************************************************************
    .
    Completion time: 2010-08-16 21:40:31 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-08-17 01:40

    Pre-Run: 105,155,895,296 bytes free
    Post-Run: 105,184,063,488 bytes free

    - - End Of File - - 4C5B08B97E567442B41EA5AB93F5A50E

    By the way, after being prompted to install the Recovery Console, I received an error message saying that the "Boot partition cannot be enumerated correctly." I was then asked if I would like to continue scanning, so I clicked yes. Not sure if that's an issue, just wanted to let you know.
     
  5. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    Let's see if you'll be able to install Recovery Console on the next Combofix run.
    Delete your Combofix file and download a fresh one.

    Then.....

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    Folder::
    c:\documents and settings\All Users\Application Data\Viewpoint
    
    
    Driver::
    iWinTrusted
    
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    
    DDS::
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    
    RegNull::
    [HKEY_USERS\S-1-5-21-1060284298-1960408961-682003330-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7FB13693-8AF5-DA47-CD45-EF95D01E4401}*]
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
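    The two items in the CFScript above that matter most for the redirect symptom are the Security Center overrides (which hide the state of the antivirus from the user) and the per-user IE proxy pointed at 127.0.0.1:5555, which routes every browser request through a process on the local machine. The following is an added example, not code from this thread or from ComboFix: a small Python checker that reads ComboFix-style "Reg Loading Points" and "Supplementary Scan" lines and flags exactly those two conditions. The sample log is constructed to mirror the lines posted above, and the function names (`scan_log`, `proxy_targets`, `is_loopback`) are my own. It handles the general WinINet ProxyServer syntax (a single host:port, or a ';'-separated list of scheme=host:port entries), so it works on more than the one line in the thread.

```python
import re
from ipaddress import ip_address

# Constructed sample, modelled on the ComboFix sections quoted in this
# thread; it is not a real capture.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
FF - prefs.js: network.proxy.type - 0
"""

LOOPBACK_HOSTS = {"localhost"}


def proxy_targets(value):
    """Split a WinINet ProxyServer value into (scheme, host, port) tuples.

    The value is either 'host:port' (applies to all protocols, reported as
    scheme '*') or a ';'-separated list of 'scheme=host:port' entries,
    e.g. 'http=127.0.0.1:5555;https=proxy.example:8080'.
    """
    targets = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        scheme, sep, hostport = entry.partition("=")
        if not sep:
            scheme, hostport = "*", entry
        host, _, port = hostport.rpartition(":")
        if not host:  # no port given
            host, port = hostport, ""
        targets.append((scheme, host, port))
    return targets


def is_loopback(host):
    """True if the proxy host resolves trivially to the local machine."""
    if host.lower() in LOOPBACK_HOSTS:
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def scan_log(text):
    """Return (severity, description) findings for ComboFix-style log text."""
    findings = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        # Registry key headers set the context for the value lines below them
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        # Security Center values that suppress the AV status reported to the user
        m = re.match(r'"(AntiVirusOverride|DisableMonitoring)"=dword:0*1$', line)
        if m and current_key and "security center" in current_key.lower():
            findings.append(("high", f"{m.group(1)}=1 under {current_key}"))
            continue
        # Per-user proxy setting (the 'u' prefix marks HKCU settings in these logs)
        m = re.match(r"uInternet Settings,ProxyServer = (.+)$", line)
        if m:
            for scheme, host, port in proxy_targets(m.group(1)):
                if is_loopback(host):
                    findings.append(("high", f"{scheme} proxy on loopback {host}:{port}"))
                else:
                    findings.append(("info", f"{scheme} proxy set to {host}:{port}"))
    return findings


if __name__ == "__main__":
    for severity, description in scan_log(SAMPLE_LOG):
        print(f"[{severity}] {description}")
```

    On a live machine the same values sit under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (ProxyServer, ProxyEnable), so after the CFScript run a quick check of that key confirms the proxy entry is gone; a loopback proxy that reappears after removal points to a process that re-writes it on start-up.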
     
  6. lizabet

    lizabet TS Rookie Topic Starter

    I got the same error message when trying to install Recovery Console. Here is the log.

    ComboFix 10-08-16.03 - Administrator 08/16/2010 22:15:02.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1278.697 [GMT -4:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
    AV: Prevx 2.0 *On-access scanning disabled* (Outdated) {557C3342-BC52-4508-AC25-4441BDF5C04C}
    AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Viewpoint

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_IWINTRUSTED
    -------\Service_iWinTrusted


    ((((((((((((((((((((((((( Files Created from 2010-07-17 to 2010-08-17 )))))))))))))))))))))))))))))))
    .

    2010-08-16 18:51 . 2010-08-16 18:56 -------- d-----w- c:\windows\system32\wbem\Logs
    2010-08-16 17:19 . 2010-08-16 17:19 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
    2010-08-16 11:20 . 2010-08-16 16:41 -------- d-----w- c:\windows\ie8updates
    2010-08-16 11:09 . 2010-05-06 10:41 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2010-08-16 11:09 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2010-08-16 11:09 . 2010-05-06 10:41 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2010-08-16 05:03 . 2010-08-16 05:03 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
    2010-08-16 04:59 . 2010-08-16 04:59 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2010-08-16 03:02 . 2010-08-16 03:07 -------- dc-h--w- c:\windows\ie8
    2010-08-16 02:16 . 2010-08-16 02:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-08-16 02:16 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-16 02:16 . 2010-08-16 02:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-08-16 02:16 . 2010-08-16 02:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-16 02:16 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-17 02:28 . 2010-05-17 20:33 -------- d-----w- c:\program files\Symantec AntiVirus
    2010-08-17 02:27 . 2007-08-16 01:01 -------- d-----w- c:\program files\Prevx2
    2010-08-17 01:08 . 2007-08-09 22:22 -------- d-----w- c:\program files\Viewpoint
    2010-08-16 22:04 . 2009-03-26 20:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
    2010-08-16 18:31 . 2007-08-21 20:23 1744 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-06-29 01:17 . 2007-12-24 00:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\ZoomBrowser EX
    2010-06-29 01:17 . 2009-09-25 22:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\CameraWindowDC
    2010-06-18 22:54 . 2007-08-16 01:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Prevx
    2010-06-14 14:30 . 2007-07-21 19:10 743936 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PrevxOne"="c:\program files\Prevx2\PXConsole.exe" [2008-01-23 1997880]
    "Ask and Record FLV Service"="c:\program files\Ask & Record Toolbar\FLVSrvc.exe" [2009-03-10 156672]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-14 125632]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-24 113664]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1186698198\\ee\\AOLServiceHost.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\NJStar Communicator\\MINISMTP.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

    R1 PREVXTdi;PREVX TDI filter;c:\windows\system32\drivers\pxtdi.sys [8/15/2007 9:02 PM 28040]
    R3 als4k;Avance Audio Miniport Driver (WDM);c:\windows\system32\drivers\als4000.sys [8/11/2007 1:05 PM 25674]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/27/2010 6:58 PM 102448]
    S3 PREVXEmulator;PREVX Emulator driver;c:\windows\system32\drivers\PxEmu.sys [8/15/2007 9:02 PM 107912]
    S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/14/2007 7:48 PM 116416]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-11 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2010-08-17 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2009-05-05 02:18]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\uqzp8njt.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
    FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071500000347.dll
    FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071503000010.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-16 22:26
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1060284298-1960408961-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b0,92,bb,5a,ac,fd,de,47,97,6e,80,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b0,92,bb,5a,ac,fd,de,47,97,6e,80,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2344)
    c:\windows\system32\WININET.dll
    c:\documents and settings\Administrator\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\IEFRAME.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
    c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Symantec AntiVirus\DefWatch.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Symantec AntiVirus\Rtvscan.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\program files\Symantec AntiVirus\DoScan.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2010-08-16 22:33:01 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-08-17 02:32
    ComboFix2.txt 2010-08-17 01:40

    Pre-Run: 105,172,656,128 bytes free
    Post-Run: 105,094,598,656 bytes free

    - - End Of File - - BAD2B9F4E25049FB21682DA20E386E93
     
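As an added triage example (not part of this thread and not ComboFix's own tooling): a short Python script that parses the security-relevant parts of a ComboFix log like the one above, namely the AV header lines, the Reg Loading Points section and the driver lines, and flags the conditions the thread goes on to address: on-access scanning disabled, outdated signatures and the Security Center DisableMonitoring value. SAMPLE_LOG is an abridged excerpt of the log above; the regexes and the Report structure are this example's own assumptions about the log layout, not a documented ComboFix format.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: an abridged excerpt of the ComboFix log posted above.
SAMPLE_LOG = r"""
AV: Prevx 2.0 *On-access scanning disabled* (Outdated) {557C3342-BC52-4508-AC25-4441BDF5C04C}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PrevxOne"="c:\program files\Prevx2\PXConsole.exe" [2008-01-23 1997880]
"Ask and Record FLV Service"="c:\program files\Ask & Record Toolbar\FLVSrvc.exe" [2009-03-10 156672]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-14 125632]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

R1 PREVXTdi;PREVX TDI filter;c:\windows\system32\drivers\pxtdi.sys [8/15/2007 9:02 PM 28040]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/14/2007 7:48 PM 116416]
"""

# Line shapes assumed from the log above (example's assumption, not a ComboFix spec).
AV_RE = re.compile(r"^AV: (?P<name>.+?) \*(?P<state>[^*]+)\* \((?P<sig>Updated|Outdated)\) \{(?P<guid>[0-9A-Fa-f-]+)\}$")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
RUN_DATA_RE = re.compile(r'^"(?P<path>[^"]+)" \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$')
# R = running, S = stopped; the digit is the Windows service start type (1 system, 2 auto, 3 manual).
DRIVER_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d) (?P<svc>[^;]+);(?P<desc>[^;]*);(?P<path>.+?) \[(?P<meta>[^\]]+)\]$")


@dataclass
class Report:
    av_products: List[Dict[str, str]] = field(default_factory=list)
    autostarts: List[Dict[str, str]] = field(default_factory=list)
    firewall_exceptions: List[str] = field(default_factory=list)
    drivers: List[Dict[str, str]] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def triage_combofix(text: str) -> Report:
    """Walk the log line by line, tracking the current registry key for value lines."""
    rep = Report()
    key_raw = ""
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = AV_RE.match(line)
        if m:
            av = m.groupdict()
            rep.av_products.append(av)
            if "disabled" in av["state"].lower():
                rep.findings.append(f"{av['name']}: {av['state']} (real-time protection is off)")
            if av["sig"] == "Outdated":
                rep.findings.append(f"{av['name']}: signatures outdated")
            continue
        m = KEY_RE.match(line)
        if m:
            key_raw = m.group("key")
            key = key_raw.lower()
            continue
        m = VALUE_RE.match(line)
        if m:
            name, data = m.group("name"), m.group("data")
            if key.endswith("\\currentversion\\run"):
                d = RUN_DATA_RE.match(data)
                if d:
                    rep.autostarts.append({"name": name, **d.groupdict()})
            elif "\\security center\\monitoring\\" in key and name.lower() == "disablemonitoring":
                # DisableMonitoring=1 stops Security Center from reporting on that AV product,
                # so a disabled or outdated scanner no longer raises an alert.
                if data.lower() == "dword:00000001":
                    product = key_raw.rsplit("\\", 1)[-1]
                    rep.findings.append(f"Security Center monitoring disabled for {product} (DisableMonitoring=1)")
            elif key.endswith("\\authorizedapplications\\list"):
                # Firewall exceptions are logged with doubled backslashes; normalise for inventory.
                rep.firewall_exceptions.append(name.replace("\\\\", "\\"))
            continue
        m = DRIVER_RE.match(line)
        if m:
            rep.drivers.append(m.groupdict())
    return rep


if __name__ == "__main__":
    report = triage_combofix(SAMPLE_LOG)
    for finding in report.findings:
        print("FINDING:", finding)
    for entry in report.autostarts:
        print("AUTOSTART:", entry["name"], "->", entry["path"], entry["date"], entry["size"])
    for exc in report.firewall_exceptions:
        print("FIREWALL EXCEPTION:", exc)
    for drv in report.drivers:
        print("DRIVER:", drv["state"], drv["start"], drv["svc"], drv["path"])
```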
  7. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    Things are looking better...

    How is redirection?
     
  8. lizabet

    lizabet TS Rookie Topic Starter

    The redirection seems to have stopped now, thanks!! :D
     
  9. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    Very good :)

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ======================================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:



    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  10. lizabet

    lizabet TS Rookie Topic Starter

    The OTL logs are a bit long, so they are attached.
     

    Attached Files:

  11. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    Now, we need to remove the old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    ======================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
      O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
      O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab (Reg Error: Key error.)
      O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
      O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
      O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
      [4 C:\windows\System32\*.tmp files -> C:\windows\System32\*.tmp -> ]
      [1 C:\Documents and Settings\Administrator\My Documents\*.tmp files -> C:\Documents and Settings\Administrator\My Documents\*.tmp -> ]
      [2008/12/24 17:51:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iWin Games
      @Alternate Data Stream - 185 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:766442E5
      @Alternate Data Stream - 172 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9E3E060F
      @Alternate Data Stream - 159 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CAE2C3A5
      @Alternate Data Stream - 154 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9A953997
      @Alternate Data Stream - 137 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:60516BC3
      @Alternate Data Stream - 134 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A724744F
      @Alternate Data Stream - 131 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:70E897B5
      @Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B4DCBA8B
      @Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:814B9485
      @Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:52067872
      @Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9F50A55A
      @Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3B3A35EC
      @Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:622D0DED
      @Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4D066AD2
      @Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E8BF029E
      @Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D708EEF9
      @Alternate Data Stream - 111 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:172EB9B5
      @Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9AB338B9
      @Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3E06C78F
      @Alternate Data Stream - 107 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6C13E971
      @Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9C012695
      @Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:61AF2B29
      @Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A93CCA6B
      
      :Services
      
      :Reg
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
      "DisableMonitoring" =-
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ======================================================================

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Go to Kaspersky website and perform an online antivirus scan.

    • Disable your active antivirus program.
    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  12. lizabet

    lizabet TS Rookie Topic Starter

    Here are the requested logs.

    All processes killed
    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
    Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
    Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
    C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Starting removal of ActiveX control {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}\ not found.
    Starting removal of ActiveX control {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
    File Animation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab not found.
    Starting removal of ActiveX control DirectAnimation Java Classes
    Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\DownloadInformation\\INF .
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\DirectAnimation Java Classes\ not found.
    File oft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab not found.
    Starting removal of ActiveX control Microsoft XML Parser for Java
    Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\DownloadInformation\\INF .
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft XML Parser for Java\ not found.
    C:\windows\System32\CONFIG.TMP deleted successfully.
    C:\windows\System32\SETC1.tmp deleted successfully.
    C:\windows\System32\SETC4.tmp deleted successfully.
    C:\windows\System32\SETD3.tmp deleted successfully.
    C:\Documents and Settings\Administrator\My Documents\~WRL0001.tmp deleted successfully.
    C:\Documents and Settings\All Users\Application Data\iWin Games\opal folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\iWin Games\drm\data folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\iWin Games\drm folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\iWin Games folder moved successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:766442E5 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:9E3E060F deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:CAE2C3A5 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:9A953997 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:60516BC3 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:A724744F deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:70E897B5 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:B4DCBA8B deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:814B9485 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:52067872 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:9F50A55A deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:3B3A35EC deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:622D0DED deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:4D066AD2 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:E8BF029E deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:D708EEF9 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:172EB9B5 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:9AB338B9 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:3E06C78F deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:6C13E971 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:9C012695 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:61AF2B29 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:A93CCA6B deleted successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\\DisableMonitoring deleted successfully.
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 9251924 bytes
    ->Temporary Internet Files folder emptied: 1795195 bytes
    ->Java cache emptied: 2027 bytes
    ->FireFox cache emptied: 47112219 bytes
    ->Flash cache emptied: 589 bytes

    User: All Users

    User: Default User

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 49286 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 663 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 56.00 mb


    [EMPTYFLASH]

    User: Administrator
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default User

    User: LocalService

    User: NetworkService

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.10.0 log created on 08162010_234742

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
     
  13. lizabet

    lizabet TS Rookie Topic Starter

    Results of screen317's Security Check version 0.99.5
    Windows XP Service Pack 2
    Out of date service pack!!
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    Symantec AntiVirus
    Prevx 2.0 Agent
    Antivirus out of date! (On Access scanning disabled!)
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 21
    Adobe Flash Player 10.0.22.87
    Adobe Reader 8.1.4
    Korean Fonts Support For Adobe Reader 8
    Mozilla Firefox (3.6.8)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Symantec AntiVirus DefWatch.exe
    Symantec AntiVirus Rtvscan.exe
    ````````````````````````````````
    DNS Vulnerability Check:

    GREAT! (Not vulnerable to DNS cache poisoning)

    ``````````End of Log````````````
     
  14. lizabet

    lizabet TS Rookie Topic Starter

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Tuesday, August 17, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Tuesday, August 17, 2010 06:00:23
    Records in database: 4135703
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\

    Scan statistics:
    Objects scanned: 77314
    Threats found: 1
    Infected objects found: 2
    Suspicious objects found: 0
    Scan duration: 02:51:57


    File name / Threat / Threats count
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D980000.VBN Infected: Trojan.Win32.FraudPack.atha 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F3C0003.VBN Infected: Trojan.Win32.FraudPack.atha 1

    Selected area has been scanned.
     
  15. lizabet

    lizabet TS Rookie Topic Starter

    Sorry, having some trouble posting the other two logs. They are attached.
     

    Attached Files:

  16. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    All looks good, except for Security Check reporting Norton being outdated.
    Any reason for it?

    ========================================================================

    OTL Clean-Up
    Clean up with OTL:

    * Double-click OTL.exe to start the program.
    * Close all other programs apart from OTL as this step will require a reboot
    * On the OTL main screen, press the CLEANUP button
    * Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    =======================================================================

    Your computer is clean

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

    Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run a Malwarebytes "Quick scan" once in a while to ensure the safety of your computer.

    8. Run Temporary File Cleaner (TFC) weekly.

    9. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    10. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    11. Run defrag at your convenience.

    12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please let me know how your computer is doing.
  17. lizabet

    lizabet TS Rookie Topic Starter

    Not sure why the security check reported my antivirus being outdated; I update it as often as I can. The Kaspersky scan found two Trojans, but they look like they're in quarantine, is that OK? My computer seems to be doing fine now, thanks so much for all your help!
  18. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    You should have it set to automatic updates (much more secure).
    That's why Security Check said: On Access scanning disabled

    Perfectly fine...

    Good job :)
    Good luck and stay safe :)
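Editor's added example, not part of the thread and not Kaspersky's or Symantec's own tooling: the Kaspersky report in post 14 and the "they're in quarantine, is that OK?" question in posts 17 and 18 are exactly the triage a responder does by hand. The script below parses a report in that layout, checks that the summary counts agree with the detection lines (a mismatch means a truncated log), and separates hits that are already contained (inside an AV quarantine folder, which is what the two .VBN entries are, or inside the System Restore store that step 1 of the clean-up flushes) from files that are still live on disk. The quarantine and restore-point path patterns, the second sample report and its detection names are constructed assumptions; the first sample mirrors the report posted above.

```python
"""Triage a Kaspersky-style scan report: which hits still need action?"""
import re
from dataclasses import dataclass

# One detection line: "<path> Infected: <threat name> <count>"
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)
# Numeric "Key: value" lines of the "Scan statistics" block
STAT_KEYS = ("Objects scanned", "Threats found", "Infected objects found",
             "Suspicious objects found")
STAT_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>\d+)$")

# ASSUMED patterns for copies that are already contained: an AV quarantine
# folder (Symantec stores items as .VBN containers) and the System Restore
# store, which resetting System Restore deletes.
QUARANTINE_RE = re.compile(r"\\quarantine\\|\.vbn$", re.IGNORECASE)
RESTORE_POINT_RE = re.compile(r"\\system volume information\\_restore\{", re.IGNORECASE)

# Constructed sample in the layout of the report posted in the thread.
SAMPLE_REPORT = r"""
Scan statistics:
Objects scanned: 77314
Threats found: 1
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 02:51:57

File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D980000.VBN Infected: Trojan.Win32.FraudPack.atha 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F3C0003.VBN Infected: Trojan.Win32.FraudPack.atha 1

Selected area has been scanned.
"""

# Constructed sample (hypothetical paths and threat names) with a restore-point
# copy and a live driver, to exercise the other two branches.
LIVE_REPORT = r"""
Scan statistics:
Objects scanned: 1000
Threats found: 2
Infected objects found: 2
Suspicious objects found: 0

File name / Threat / Threats count
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\A0000001.exe Infected: Trojan.Win32.Example.a 1
C:\WINDOWS\system32\drivers\example.sys Infected: Trojan.Win32.Example.b 1

Selected area has been scanned.
"""


@dataclass
class Detection:
    path: str
    verdict: str
    threat: str
    count: int
    status: str  # "quarantined", "restore_point" or "live"


def classify(path: str) -> str:
    """Containment status of one detected file, by its on-disk location."""
    if QUARANTINE_RE.search(path):
        return "quarantined"
    if RESTORE_POINT_RE.search(path):
        return "restore_point"
    return "live"


def parse_report(text: str):
    """Return (summary statistics, list of Detection) from a report."""
    stats, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = DETECTION_RE.match(line)
        if m:
            detections.append(Detection(m["path"], m["verdict"], m["threat"],
                                        int(m["count"]), classify(m["path"])))
            continue
        m = STAT_RE.match(line)
        if m and m["key"] in STAT_KEYS:
            stats[m["key"]] = int(m["value"])
    return stats, detections


def triage(text: str) -> dict:
    """Group detections by status and cross-check the summary counts."""
    stats, detections = parse_report(text)
    by_status = {"quarantined": [], "restore_point": [], "live": []}
    for d in detections:
        by_status[d.status].append(d.path)
    infected = [d for d in detections if d.verdict == "Infected"]
    threats = sorted({d.threat for d in detections})
    return {
        "stats": stats,
        # summary and detail must agree, otherwise the log was cut short
        "consistent": (stats.get("Infected objects found") == len(infected)
                       and stats.get("Threats found") == len(threats)),
        "threats": threats,
        **by_status,
        "action_needed": bool(by_status["live"]),
    }


if __name__ == "__main__":
    for name, report in (("thread report", SAMPLE_REPORT), ("constructed", LIVE_REPORT)):
        r = triage(report)
        print(name, "->", "ACTION NEEDED" if r["action_needed"] else "contained", r["threats"])
```

Run on the posted report, both hits land in "quarantined" and nothing is live, which is the "perfectly fine" answer in post 18; a hit under System Volume Information is handled by the System Restore reset in step 1, and anything in the "live" list is what the responder still has to remove. The path patterns are deliberately narrow: a file that merely has "quarantine" in its name elsewhere on disk would be misclassified, so widen or tighten them for the AV products actually installed.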