TechSpot

[Inactive] Need Combo Fix assistance!

By bsonln
Jul 28, 2010
  1. I believe I am infected with the Tidserv Rootkit monster and I wanted to get started and followed instructions to install and run ComboFix that I found on this forum. I was doing this on my own, which was a bad idea. I ran ComboFix and didn't post any threads for assistance. After running some other tools that I found in the thread here, I was unsuccessful in eradicating the Tidserv Trojan. I ran ComboFix /Uninstall and then reinstalled the program with the thought of posting my logs here and asking for help, but I'm having problems with getting ComboFix to finish its run. I've made sure that Norton is disabled during the run, but it's hung up in the window:

    [image]

    I've let it run overnight, with Norton turned completely off, only to find the same window in the morning.


    I appreciate any help.
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You followed someone else's instructions. You are experiencing one of the reasons why we have a sticky telling people not to run Combofix unless instructed to do so by their helper- and then with guidance.

    Shut the computer down then reboot:
    Turn your antivirus program back on

    Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      [image]

    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

    If you want help, let's do it the right way. If you do have that malware, Combofix would not be the first program we would instruct you to run. Once you have the logs out, we can determine the correct way to handle your malware cleaning.
     
  3. bsonln

    bsonln TS Rookie Topic Starter

    OK, hopefully I was able to uninstall ComboFix to the point that it can be reinstalled and function if we need it again. I followed the instructions for removing it.

    After ComboFix was removed, I followed the instructions from the Preliminary Virus and Malware Removal thread and my logs are attached:
     


  4. bsonln

    bsonln TS Rookie Topic Starter

    One other side note to my last post: my computer has been unsuccessful in installing the following update for several weeks:

    Microsoft .NET Framework 1.1 SP1 Security Update for Windows 2000 and Windows XP (KB979906)


    Not sure if that's related or not.
     
  5. bsonln

    bsonln TS Rookie Topic Starter

    Bump.


    Perhaps I should have made a new thread after the ComboFix removal. I still need help solving the Rootkit.

    Thanks.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You will require patience in this forum. Bumping a thread two hours later is not well accepted. And no, you should not have multiple threads on the same problem.

    I will check your logs as soon as I can- I am helping others who were here before you.
     
  7. bsonln

    bsonln TS Rookie Topic Starter

    I apologize, but it was a 9 hour lag between posts. I was just afraid that the thread would go unnoticed because of the subject. I'm not here to ruffle feathers, I'm here to request help and it truly is very much appreciated. Please don't misinterpret my intentions for bumping the thread.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, you need to uninstall Combofix completely> not 'to the point'. The uninstall removes the logs and quarantined entries- you don't remove it part of the way.

    I'm not seeing any evidence in these logs of the TDSServer malware. It will usually appear in Malwarebytes. Where are you seeing this entry?

    You will now need to install Combofix- completely new please, with the previous attempt fully uninstalled.

    Please download ComboFix from Here and save to your Desktop.

    1. Do NOT rename Combofix unless instructed.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Close any open browsers.
    4. Double click combofix.exe & follow the prompts to run.
    NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    5. If Combofix asks you to install Recovery Console, please allow it.
    6. If Combofix asks you to update the program, always allow.
    Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    7. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix.
    Re-enable your Antivirus software.
    ======================================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Please be sure to follow the instructions to disable the security while running these scans.

    Please paste the Combofix report in the next reply. OK to attach the Eset scan.
     
  9. bsonln

    bsonln TS Rookie Topic Starter

    I am getting notices from Norton 360 that a recent attack to my computer is blocked. I've seen several IP addresses with each of the notices. Here are some:

    61.61.20.135
    213.163.89.106
    213.163.89.107
    91.212.226.7

    They cycle through the same ones and this is a constant activity.

    I thought this was the Rootkit virus, but perhaps I'm wrong.


    I will now install and run ComboFix.


    Thanks for helping!
     
  10. bsonln

    bsonln TS Rookie Topic Starter

    By the way, I used the ComboFix /Uninstall command and it appeared to take ComboFix off my system prior to a fresh install. The latest ComboFix installation appears to be stuck again. It's been in AutoScan mode for over an hour and nothing seems to be happening. I'm going to let it go for a couple of hours, but I don't know if it's doing anything. The very first time I installed it a few days ago, I saw it go through a multi-step process of analyzing my machine, but it hasn't been able to do that again after several uninstalls and re-installs. It didn't take that long for it to analyze my PC the first time.
     
  11. bsonln

    bsonln TS Rookie Topic Starter

    OK, I opened Task Manager while ComboFix was stalled and saw that none of ComboFix's processes were running. I then decided to reboot and run Windows in Safe Mode. That did the trick! ComboFix was able to do its job and ran completely through all 50 stages and produced its log. During this process, it did detect Rootkit activity and it rebooted the PC after detection. When it was done, I still saw Norton 360 blocking intrusion attempts.

    I then ran Eset NOD32. That took some time and I let it run overnight. While it was running it came up with a threat stating it is probably a variant of a Win32/Agent Trojan. The threat was not cleaned, I assume because of the options that were checked prior to the run. My logs are attached. Norton 360 is still blocking intrusions this morning.

    One thing I noticed with Norton 360, when I attempted to turn it back on after running each of the tool programs, it gives me a message that the PC is not protected by Advanced Sonar Protection. I solve that with a reboot. Maybe it's not even an issue.
     


     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    FYI:
    The entry in Eset has already been 'cleaned.' System Volume is where the restore points are located. This has been removed from the system and is no longer active in it. The only danger is if you did a System Restore and happened to choose this restore point. When cleaning is finished, I will have you set a new, clean restore point and remove any old ones.

    Every day and every night, thousands of scans are sent looking for unprotected systems. This is normal internet traffic. Sometimes, it's more active when there is a new malware infection out. But the bottom line is that you want your security to block these scans.

    If you do not want to see these alerts, open Norton and disable the alert feature. All of these IPs belong to sites that should be blocked and your security is doing its job!

    IP 61.61.20.135> Asia Pacific Network
    netname: KGT-TW
    descr: KGEx.com
    descr: 6F, No.113, Chung Shan N. Road, Sec.2
    descr: Taipei Taiwan
    country: TW

    IP 91.212.226.7

    IP 213.163.89.106 and IP 213.163.89.107> RIPE Network Coordination Centre
    (Réseaux IP Européens; RIPE is French for "European IP Networks")
    netname: HSSN-NET
    descr: High Secured Space Network Group
    country: NL
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Custom CFScript


    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\documents and settings\David\Application Data\Real\Update\setup3.12\setup.exe
    c:\documents and settings\David\Application Data\Real\Update\setup3.10\setup.exe
    c:\windows\system32\DVCStateBkp-{00000002-00000000-00000008-00001102-00000004-20021102}.dat
    c:\windows\system32\DVCState-{00000002-00000000-00000008-00001102-00000004-20021102}.dat
    
    Folder::
    c:\documents and settings\All Users\Application Data\Viewpoint
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LTWinModem1"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-
    
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    
    Driver::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    You have the following installed:
    My.Freeze.com Toolbar with NetAssistant
    I recommend that you uninstall the program and remove the program folder. This download site for it has a bad reputation and the program itself has adware and spyware.

    Go to the Control Panel> Internet Options> Privacy tab> Sites button> paste the following into the dialog box> Click on Block after each:
    *.click.freeze.com
    *.freeze.com

    (Be sure to include the asterisk as it is a wild card)

    Please update Java to v6u21. Check this site: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.
     
  14. bsonln

    bsonln TS Rookie Topic Starter

    OK, ran ComboFix with the script that you provided. Log is attached. It deleted some files. Took off Java and followed all your instructions about the Mr.Freeze Toolbar. Now Norton 360 isn't working right. Incoming and outgoing emails aren't protected and the antivirus won't come on, even if I tell it to come on. It wants me to update the program to V4.
     


  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    A comparison of the Symantec/Norton Services and Drivers in the original DDS log and the current Combofix log shows 2 Services aren't running. Please do this:

    Click on Start> Run> type in services.msc> double click on each of the following and set as instructed:
    NAVEX15> set the Startup type to Automatic>Start the Service.
    NAVENG> set the Startup type to Automatic> Start the Service
    Exit Services

    Reboot the computer
    ====================================
    Choose v2.0.4
    Download the HijackThis Installer HERE and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
    ===========================
    FYI:
    Name: NAVEX15
    Filename: navex15.sys
    Command: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070512.017\NavEx15.Sys
    Description: Driver related to the virus definitions of Symantec Antivirus.
    File Location: C:\Program Files\Common Files\Symantec Shared\virusdefs\20070512.017\navex15.sys
    Service Name: NAVEX15
    Service Display Name: NAVEX15
    HijackThis Category: O23 Entry
    ==============================
    Name: NAVENG
    Filename: naveng.sys
    Command: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050203.008\NAVENG.Sys
    Description: Driver used by Symantec Antivirus.
    File Location: c:\program files\common files\symantec shared\virusdefs\20070512.017\naveng.sys
    Service Name: NAVENG
    Service Display Name: NAVENG
    HijackThis Category: O23 Entry
     
  16. bsonln

    bsonln TS Rookie Topic Starter

    I now have V4 of Norton 360 running and I couldn't find either of the files. Intrusions keep happening and redirects seem more frequent on Firefox.


    Here is the Hijack This Log:



    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 2:35:05 PM, on 7/31/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    C:\Program Files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
    C:\Program Files\ATI Multimedia\main\ATISched.EXE
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\iolo\System Mechanic\SMTrayNotify.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\4.1.0.32\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\4.1.0.32\IPSBHO.DLL
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\4.1.0.32\coIEPlg.dll
    O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" /r
    O4 - HKLM\..\Run: [AsioReg] "REGSVR32.EXE" /S CTASIO.DLL
    O4 - HKLM\..\Run: [SBDrvDet] "C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" /r
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB002" /M "Stylus CX4800"
    O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P35 "EPSON Stylus CX4800 Series (Copy 1)" /O6 "USB002" /M "Stylus CX4800"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [ATI DeviceDetect] "C:\Program Files\ATI Multimedia\main\ATIDtct.EXE"
    O4 - HKCU\..\Run: [ATI Scheduler] "C:\Program Files\ATI Multimedia\main\ATISched.EXE"
    O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
    O16 - DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} (Image Uploader Control) - https://gianteagle.lifepics.com/net/Uploader/LPUploader45.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175374986137
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} (Photo Upload Plugin Class) - http://www.costcophotocenter.com/upload/activex/v3_0_0_2/PhotoCenter_ActiveX_Control.cab?
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\4.2.0.12\ccSvcHst.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

    --
    End of file - 10111 bytes
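    The HijackThis log above is a fixed-format text file, and the triage Bobbye does by eye (empty R0 entries to fix, a Run entry with a doubled backslash, a service listed with "Unknown owner") can be done by a script. The following parser is an example added here; it is not part of the thread and not HijackThis's own code. It reads a constructed excerpt laid out like the log above, splits it into header fields, running processes and coded entries, and applies a few review rules. The rule names, the helper names and the sample excerpt are my own.

```python
import re
from collections import defaultdict

# Constructed excerpt in the HijackThis v2 layout (a handful of lines, not the
# full log from the thread).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:35:05 PM, on 7/31/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\4.1.0.32\IPSBHO.DLL
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\4.2.0.12\ccSvcHst.exe

--
End of file - 10111 bytes
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")      # e.g. "O4 - HKLM\..\Run: ..."
HEADER_RE = re.compile(r"^(Platform|Boot mode|MSIE): (.*)$")


def parse_hjt(text):
    """Split a HijackThis log into header fields, running processes and coded
    entries. Entries are returned as (code, body) tuples in file order."""
    header, processes, entries = {}, [], []
    in_processes = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        m = HEADER_RE.match(line)
        if m:
            header[m.group(1)] = m.group(2)
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return {"header": header, "processes": processes, "entries": entries}


def run_target(body):
    """For an O4 body like 'HKLM\\..\\Run: [Name] "C:\\x\\y.exe" /s', return the
    executable path, lower-cased with runs of backslashes collapsed, so two
    entries that launch the same file compare equal. None if no path found."""
    _, _, cmd = body.partition("] ")
    cmd = cmd.strip()
    if not cmd:
        return None
    m = re.match(r'"([^"]+)"|(.*?\.exe)', cmd, re.IGNORECASE)
    path = (m.group(1) or m.group(2)) if m else cmd
    return re.sub(r"\\+", r"\\", path).lower()


def triage(parsed):
    """Apply a few review rules; returns (rule, detail) pairs. 'Unknown owner'
    is the log's own wording for a service with no recorded publisher."""
    findings = []
    run_targets = defaultdict(list)
    for code, body in parsed["entries"]:
        if code in ("R0", "R1") and body.rstrip().endswith("="):
            findings.append(("empty-ie-setting", body))
        if code == "O23" and "Unknown owner" in body:
            findings.append(("service-unknown-owner", body))
        if code == "O4":
            if "\\\\" in body:            # doubled separator inside a path
                findings.append(("malformed-run-path", body))
            target = run_target(body)
            if target:
                run_targets[target].append(body)
    for path, bodies in run_targets.items():
        if len(bodies) > 1:               # two Run keys launching the same file
            findings.append(("duplicate-run-entry", path))
    return findings


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print(parsed["header"], len(parsed["processes"]), "processes")
    for rule, detail in triage(parsed):
        print(f"{rule:24} {detail}")
```

    The rules are deliberately narrow: they point at entries worth a second look, which is all a log reviewer wants from a first pass; whether an entry is actually harmful still needs the file and publisher checked, as Bobbye does before telling the poster which lines to fix.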
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    It's very possible that some files became corrupt when you were running programs on your own- including the aborted Combofix. I suggest you reinstall Norton. You should have the setup. Go offline and reinstall it. Then go back online and make sure it's updated.

    What 'intrusions'? Did you read what I left in my Post #12? If Norton is blocking the site, they are not intrusions! They are scans looking for unprotected systems. Turn the alert off if it bothers you.

    Hopefully, the following will help with the searches. IE wasn't complete and Firefox has no default homepage or search URL set.

    Please reopen HijackThis to 'do system scan only.' Check each of the following, if present:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


    Close all Windows except HijackThis and click on "Fix Checked"
    ==================================
    Custom CFScript

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    Extra::
    Firefox::
    Firefox-: -  ProfilePath - c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\8bvdn7gs.default\
    Firefox-: prefs.js - STARTUP.HOMEPAGE
    Firefox-: prefs.js - SEARCH.DEFAULTURL
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    Please report the computer when above has finished. Advise of any remaining problems.
     
  18. bsonln

    bsonln TS Rookie Topic Starter

    I guess what bothers me is that the intrusions recently started when I became infected. I understand what you are saying, but I guess it's just the idea that the same IP addresses are continuously trying to get into my machine. I realize that Norton is doing its job, it's just that I hardly ever saw this activity before. Obviously, the redirects are the main issue right now.
     
  19. bsonln

    bsonln TS Rookie Topic Starter

    Still getting redirects from Google.


    Attached is my ComboFix Log
     


  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Don't take it personally! These same IPs are scanning thousands of other systems looking for vulnerabilities. IPs aren't 'random'- they belong to a specific machine. If you have a bad guy trying to hack or crack, it is reasonable to see the same IP repeating. Sometimes you will notice they are scanning different ports on your machine. Would it make you feel any better if I told you that I once saw the same IP attempt to access my system 200 times in a row!! They were using the Gnutella port which at that time, was a big music downloading site like LimeWire. What happened was it created a DOS> Denial of Service attack and I could do nothing but sit here and watch the firewall log the blocked scans- because I couldn't do anything else! But they never got in!!!

    The IPs in the info I left for you are frequent flyers. The APNIC, KORNICK and RIPE databases put out a lot of these scans.

    Are you seeing this:
    [image]

    Or this:
    [image]

    Note the "stop notifying me" button on each image.

    Combofix script to follow. I also need you to describe the 'redirect' exactly as to what is happening, which browser, from Address Bar or Search box.
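    Bobbye's point in the two posts above is that the same remote address repeating, sometimes across several ports, is ordinary background scanning as long as every attempt is blocked, and that the thing to watch for is different: the PC itself reaching out to one of those addresses. The following aggregator is an example added here, not part of the thread and not Norton's software. It reads a constructed set of alert lines in a generic one-line-per-event layout (not Norton 360's actual log format), using the four addresses quoted earlier in the thread, groups them by remote address and gives each group a verdict along those lines. The layout, the verdict names, the threshold and the sample lines are my own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts. 192.168.1.5 stands in for the home PC; the remote
# addresses are the four the poster listed. Port 6346 is Gnutella's default.
SAMPLE_ALERTS = """
2010-07-30 08:15:02 BLOCKED dir=in src=61.61.20.135 dst=192.168.1.5 dport=445
2010-07-30 08:15:03 BLOCKED dir=in src=61.61.20.135 dst=192.168.1.5 dport=139
2010-07-30 08:15:04 BLOCKED dir=in src=61.61.20.135 dst=192.168.1.5 dport=135
2010-07-30 08:15:05 BLOCKED dir=in src=61.61.20.135 dst=192.168.1.5 dport=1433
2010-07-30 08:20:10 BLOCKED dir=in src=213.163.89.106 dst=192.168.1.5 dport=6346
2010-07-30 09:20:11 BLOCKED dir=in src=213.163.89.106 dst=192.168.1.5 dport=6346
2010-07-30 10:20:12 BLOCKED dir=in src=213.163.89.106 dst=192.168.1.5 dport=6346
2010-07-30 08:30:00 BLOCKED dir=in src=213.163.89.107 dst=192.168.1.5 dport=6346
2010-07-30 08:31:00 ALLOWED dir=out src=192.168.1.5 dst=91.212.226.7 dport=80
2010-07-30 08:31:01 BLOCKED dir=in src=91.212.226.7 dst=192.168.1.5 dport=80
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (BLOCKED|ALLOWED) dir=(in|out) "
    r"src=(\S+) dst=(\S+) dport=(\d+)$")


def parse_alerts(text):
    """Turn alert lines into event dicts; lines that do not fit are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, action, direction, src, dst, dport = m.groups()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "action": action,
            "dir": direction,
            # the remote peer is the source for inbound, the destination for outbound
            "remote": src if direction == "in" else dst,
            "dport": int(dport),
        })
    return events


def summarise(events, scan_ports=3):
    """Group events by remote IP: counts, distinct ports, first/last seen and a
    verdict. scan_ports is the number of distinct ports that counts as a scan."""
    groups = defaultdict(lambda: {"blocked": 0, "allowed": 0, "outbound": 0,
                                  "ports": set(), "first": None, "last": None})
    for ev in events:
        g = groups[ev["remote"]]
        g["blocked" if ev["action"] == "BLOCKED" else "allowed"] += 1
        if ev["dir"] == "out":
            g["outbound"] += 1
        g["ports"].add(ev["dport"])
        g["first"] = ev["time"] if g["first"] is None else min(g["first"], ev["time"])
        g["last"] = ev["time"] if g["last"] is None else max(g["last"], ev["time"])
    for g in groups.values():
        if g["outbound"]:
            # the PC initiated a connection to this address: that is the host's
            # own behaviour, not background scanning, so look at the host
            g["verdict"] = "outbound-to-remote-investigate-host"
        elif g["allowed"]:
            g["verdict"] = "inbound-allowed-check-firewall-rule"
        elif len(g["ports"]) >= scan_ports:
            g["verdict"] = "port-scan-all-blocked"
        else:
            g["verdict"] = "repeated-probe-all-blocked"
    return dict(groups)


if __name__ == "__main__":
    for ip, g in summarise(parse_alerts(SAMPLE_ALERTS)).items():
        span = g["last"] - g["first"]
        print(f"{ip:16} blocked={g['blocked']} allowed={g['allowed']} "
              f"ports={sorted(g['ports'])} span={span} -> {g['verdict']}")
```

    Run over a real export the report answers the poster's actual question: a long list of "all blocked" verdicts is the firewall working, whereas any "outbound" verdict against one of these addresses is something to take to the helper along with the browser redirects.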
     
  21. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Message from Bobbye:

    ========================================================================

    You're all mine now :)
     
Topic Status:
Not open for further replies.

