[Inactive] Need Combo Fix assistance!

Status
Not open for further replies.

bsonln
I believe I am infected with the Tidserv Rootkit monster and I wanted to get started, so I followed instructions to install and run ComboFix that I found on this forum. I was doing this on my own, which was a bad idea. I ran ComboFix and didn't post any threads for assistance. After running some other tools that I found in the thread here, I was unsuccessful in eradicating the Tidserv Trojan. I ran ComboFix /Uninstall and then reinstalled the program with the thought of posting my logs here and asking for help, but I'm having problems getting ComboFix to finish its run. I've made sure that Norton is disabled during the run, but it's hung up in the window:

[screenshot: autoscan.jpg]


I've let it run overnight, with Norton turned completely off, only to find the same window in the morning.


I appreciate any help.
 
followed instructions to install and run ComboFix that I found on this forum

You followed someone else's instructions. You are experiencing one of the reasons why we have a sticky telling people not to run Combofix unless instructed to do so by their helper- and then with guidance.

Shut the computer down then reboot:
Turn your antivirus program back on

Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    [screenshot: CF_Uninstall-1.jpg]

If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

If you want help, let's do it the right way. If you do have that malware, Combofix would not be the first program we would instruct you to run. Once you have the logs out, we can determine the correct way to handle your malware cleaning.
 
OK, hopefully I was able to uninstall ComboFix to the point that it can be reinstalled and function if we need it again. I followed the instructions for removing it.

After ComboFix was removed, I followed the instructions from the Preliminary Virus and Malware Removal thread and my logs are attached:
 

Attachments

  • mbam-log-2010-07-28 (23-32-29).txt (896 bytes)
  • gmer.log (33.2 KB)
  • DDS.txt (14.1 KB)
  • Attach.txt (14.2 KB)
One other side note to my last post: my computer has been unable to install the following update for several weeks:

Microsoft .NET Framework 1.1 SP1 Security Update for Windows 2000 and Windows XP (KB979906)


Not sure if that's related or not.
 
Bump.


Perhaps I should have made a new thread after the ComboFix removal. I still need help solving the Rootkit.

Thanks.
 
You will require patience in this forum. Bumping a thread two hours later is not well accepted. And no, you should not have multiple threads on the same problem.

I will check your logs as soon as I can- I am helping others who were here before you.
 
You will require patience in this forum. Bumping a thread two hours later is not well accepted. And no, you should not have multiple threads on the same problem.

I will check your logs as soon as I can- I am helping others who were here before you.

I apologize, but it was a 9-hour lag between posts. I was just afraid that the thread would go unnoticed because of the subject. I'm not here to ruffle feathers, I'm here to request help and it truly is very much appreciated. Please don't misinterpret my intentions for bumping the thread.
 
uninstall ComboFix to the point that it can be reinstalled and function if we need it again.
Okay, you need to uninstall Combofix completely> not ' to the point'. The uninstall removes the logs and quarantined entries- you don't remove it part of the way.

I'm not seeing any evidence in these logs of the TDSServer malware. It will usually appear in Malwarebytes. Where are you seeing this entry?

You will now need to install Combofix- completely new please, with the previous attempt fully uninstalled.

Please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename Combofix unless instructed.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double click combofix.exe & follow the prompts to run.
     NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If Combofix asks you to install Recovery Console, please allow it.
  6. If Combofix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  7. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
Re-enable your Antivirus software.
======================================
Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Please be sure to follow the instructions to disable the security while running these scans.

Please paste the Combofix report in the next reply. OK to attach the Eset scan.
 
I am getting notices from Norton 360 that a recent attack on my computer has been blocked. I've seen several IP addresses in these notices. Here are some:

61.61.20.135
213.163.89.106
213.163.89.107
91.212.226.7

They cycle through the same ones and this is a constant activity.

I thought this was the Rootkit virus, but perhaps I'm wrong.


I will now install and run ComboFix.


Thanks for helping!
 
By the way, I used the ComboFix /Uninstall command and it appeared to take ComboFix off my system prior to a fresh install. The latest ComboFix installation appears to be stuck again. It's been in AutoScan mode for over an hour and nothing seems to be happening. I'm going to let it go for a couple of hours, but I don't know if it's doing anything. The very first time I installed it a few days ago, I saw it go through a multi-step process of analyzing my machine, but it hasn't been able to do that again after several uninstalls and re-installs. It didn't take that long for it to analyze my PC the first time.
 
OK, I opened Task Manager while ComboFix was stalled and saw that none of ComboFix's processes were running. I then decided to reboot and run Windows in Safe Mode. That did the trick! ComboFix was able to do its job, ran completely through all 50 stages and produced its log. During this process, it did detect Rootkit activity and it rebooted the PC after detection. When it was done, I still saw Norton 360 blocking intrusion attempts.

I then ran Eset NOD32. That took some time and I let it run overnight. While it was running it came up with a threat stating it is probably a variant of a Win32/Agent Trojan. The threat was not cleaned, I assume because of the options that were checked prior to the run. My logs are attached. Norton 360 is still blocking intrusions this morning.

One thing I noticed with Norton 360, when I attempted to turn it back on after running each of the tool programs, it gives me a message that the PC is not protected by Advanced Sonar Protection. I solve that with a reboot. Maybe it's not even an issue.
 

Attachments

  • ComboFix.txt (17.9 KB)
  • log.txt (964 bytes)
FYI:
The entry in Eset has already been 'cleaned.' System Volume is where the restore points are located. This has been removed from the system and is no longer active in it. The only danger is if you did a System Restore and happened to choose this restore point. When cleaning is finished, I will have you set a new, clean restore point and remove any old ones.

Every day and every night, thousands of scans are sent looking for unprotected systems. This is normal internet traffic. Sometimes, it's more active when there is a new malware infection out. But the bottom line is that you want your security to block these scans.

If you do not want to see these alerts, open Norton and disable the alert feature. All of these IPs belong to sites that should be blocked, and your security is doing its job!

IP 61.61.20.135> Asia Pacific Network
netname: KGT-TW
descr: KGEx.com
descr: 6F, No.113, Chung Shan N. Road, Sec.2
descr: Taipei Taiwan
country: TW

IP 91.212.226.7

IP 213.163.89.106 and IP 213.163.89.107> RIPE Network Coordination Centre
(Réseaux IP Européens, French for "European IP Networks")
netname: HSSN-NET
descr: High Secured Space Network Group
country: NL
 
Custom CFScript


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\documents and settings\David\Application Data\Real\Update\setup3.12\setup.exe
c:\documents and settings\David\Application Data\Real\Update\setup3.10\setup.exe
c:\windows\system32\DVCStateBkp-{00000002-00000000-00000008-00001102-00000004-20021102}.dat
c:\windows\system32\DVCState-{00000002-00000000-00000008-00001102-00000004-20021102}.dat

Folder::
c:\documents and settings\All Users\Application Data\Viewpoint

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTWinModem1"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
[screenshot: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
You have the following installed:
My.Freeze.com Toolbar with NetAssistant
I recommend that you uninstall the program and remove the program folder. The download site for it has a bad reputation and the program itself has adware and spyware.

Go to the Control Panel> Internet Options> Privacy tab> Sites button> paste the following into the dialog box> Click on Block after each:
*.click.freeze.com
*.freeze.com

(Be sure to include the asterisk as it is a wild card)

Please update Java to v6u21. Check this site: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.
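Before dragging a CFScript onto ComboFix, it is worth knowing exactly what it will delete or lock. The following is an added example of mine, not code from the thread or from ComboFix, that parses the script format shown above: a section header is a word followed by `::` (File, Folder, Registry, RegLock, Driver), the lines under it are its entries, and the Registry:: block uses .reg-file syntax in which `"Name"=-` deletes that value from the key named in the preceding `[...]` line. The embedded sample is the script from the post above, so the parser runs offline.

```python
import re

# Constructed sample: the CFScript posted above, embedded so the parser runs offline.
SAMPLE_CFSCRIPT = r"""
File::
c:\documents and settings\David\Application Data\Real\Update\setup3.12\setup.exe
c:\documents and settings\David\Application Data\Real\Update\setup3.10\setup.exe
c:\windows\system32\DVCStateBkp-{00000002-00000000-00000008-00001102-00000004-20021102}.dat
c:\windows\system32\DVCState-{00000002-00000000-00000008-00001102-00000004-20021102}.dat

Folder::
c:\documents and settings\All Users\Application Data\Viewpoint

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTWinModem1"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

Driver::
"""

# A section header is a single word followed by "::" on its own line.
SECTION_RE = re.compile(r"^([A-Za-z]+)::$")


def parse_cfscript(text):
    """Split a CFScript into {section_name: [entry, ...]} in file order.

    Every non-blank line after a header belongs to that section until the
    next header; a section with no lines (Driver:: above) maps to [].
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        sections[current].append(line)
    return sections


def registry_deletions(entries):
    """Return (key, value_name) pairs that the Registry:: block deletes.

    .reg-file syntax: a [KEY] line selects a key, and a following "Name"=-
    line removes that value from it (the form used in the thread's script).
    """
    deletions = []
    key = None
    for entry in entries:
        if entry.startswith("[") and entry.endswith("]"):
            key = entry[1:-1]
        elif entry.endswith("=-") and key is not None:
            deletions.append((key, entry[:-2].strip().strip('"')))
    return deletions


def summarize(text):
    """Group everything the script would remove or lock, by effect."""
    sections = parse_cfscript(text)
    return {
        "files": sections.get("File", []),
        "folders": sections.get("Folder", []),
        "registry_deletions": registry_deletions(sections.get("Registry", [])),
        "locked_keys": [e[1:-1] for e in sections.get("RegLock", [])],
        "drivers": sections.get("Driver", []),
    }


if __name__ == "__main__":
    for label, items in summarize(SAMPLE_CFSCRIPT).items():
        print(f"{label} ({len(items)}):")
        for item in items:
            print("   ", item)
```

Run on the script above, the summary shows four file deletions, one folder, seven locked CLSID/Interface keys, no driver entries, and four registry value deletions: the LTWinModem1 entry under the Run key, and the three Security Center DisableMonitoring values, whose removal lets Windows resume monitoring the Symantec antivirus and firewall.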
 
OK, ran ComboFix with the script that you provided. Log is attached. It deleted some files. Took off Java and followed all your instructions about the My.Freeze Toolbar. Now Norton 360 isn't working right. Incoming and outgoing emails aren't protected and the antivirus won't come on, even if I tell it to come on. It wants me to update the program to V4.
 

Attachments

  • ComboFix.txt (17.1 KB)
A comparison of the Symantec/Norton Services and Drivers in the original DDS log and the current Combofix log shows 2 Services aren't running. Please do this:

Click on Start> Run> type in services.msc> double click on each of the following and set as instructed:
NAVEX15> set the Startup type to Automatic>Start the Service.
NAVENG> set the Startup type to Automatic> Start the Service
Exit Services

Reboot the computer
====================================
Choose v2.0.4
Download the HijackThis Installer HERE and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
===========================
FYI:
Name: NAVEX15
Filename: navex15.sys
Command: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070512.017\NavEx15.Sys
Description: Driver related to the virus definitions of Symantec Antivirus.
File Location: C:\Program Files\Common Files\Symantec Shared\virusdefs\20070512.017\navex15.sys
Service Name: NAVEX15
Service Display Name: NAVEX15
HijackThis Category: O23 Entry
==============================
Name: NAVENG
Filename: naveng.sys
Command: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050203.008\NAVENG.Sys
Description: Driver used by Symantec Antivirus.
File Location: c:\program files\common files\symantec shared\virusdefs\20070512.017\naveng.sys
Service Name: NAVENG
Service Display Name: NAVENG
HijackThis Category: O23 Entry
 
I now have V4 of Norton 360 running and I couldn't find either of the files. Intrusions keep happening and redirects seem more frequent on Firefox.


Here is the HijackThis log:



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:35:05 PM, on 7/31/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iolo\System Mechanic\SMTrayNotify.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\4.1.0.32\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\4.1.0.32\IPSBHO.DLL
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\4.1.0.32\coIEPlg.dll
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [AsioReg] "REGSVR32.EXE" /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] "C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" /r
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB002" /M "Stylus CX4800"
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P35 "EPSON Stylus CX4800 Series (Copy 1)" /O6 "USB002" /M "Stylus CX4800"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] "C:\Program Files\ATI Multimedia\main\ATIDtct.EXE"
O4 - HKCU\..\Run: [ATI Scheduler] "C:\Program Files\ATI Multimedia\main\ATISched.EXE"
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
O16 - DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} (Image Uploader Control) - https://gianteagle.lifepics.com/net/Uploader/LPUploader45.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175374986137
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} (Photo Upload Plugin Class) - http://www.costcophotocenter.com/upload/activex/v3_0_0_2/PhotoCenter_ActiveX_Control.cab?
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\4.2.0.12\ccSvcHst.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 10111 bytes
 
It's very possible that some files became corrupt when you were running programs on your own- including the aborted Combofix. I suggest you reinstall Norton. You should have the setup. Go offline and reinstall it. Then go back online and make sure it's updated.

Intrusions keep happening and redirects seem more frequent on Firefox.
What 'intrusions'? Did you read what I left in my Post #12? If Norton is blocking the site, they are not intrusions! They are scans looking for unprotected systems. Turn the alert off if it bothers you.

Hopefully, the following will help with the searches. IE wasn't complete and Firefox has no default homepage or search URL set.

Please reopen HijackThis to 'do system scan only.' Check each of the following, if present:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


Close all Windows except HijackThis and click on "Fix Checked"
==================================
Custom CFScript

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
Extra::
Firefox::
Firefox-: -  ProfilePath - c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\8bvdn7gs.default\
Firefox-: prefs.js - STARTUP.HOMEPAGE
Firefox-: prefs.js - SEARCH.DEFAULTURL
Save this as CFScript.txt, in the same location as ComboFix.exe
[screenshot: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Please report on the computer when the above has finished. Advise of any remaining problems.
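Two of the checks Bobbye does by hand in this thread can be scripted: comparing the O23 service list against the Symantec services expected from the earlier DDS log (NAVEX15 and NAVENG), and picking out the R0 browser-setting entries with blank values that HijackThis is asked to fix. The Python below is an added example of mine, not code from the thread or from HijackThis; it parses a constructed subset of the log posted above, assumes the O23 line layout `Display (ShortName) - Owner - Path` with the short name shown only when it differs from the display name, and checks for the two service names from the post above.

```python
import re

# Constructed sample: a subset of the HijackThis log posted in the thread above.
SAMPLE_HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:35:05 PM, on 7/31/2010
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\4.2.0.12\ccSvcHst.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
--
End of file - 10111 bytes
"""

# R0-R3 lines: "<type> - <hive\key>,<value name> = <value>"; the value may be blank.
R_ENTRY_RE = re.compile(r"^(R[0-3]) - ([^,]+),([^=]+?)\s*=\s*(.*)$")
# O23 lines: "O23 - Service: <display> - <owner> - <path>" (assumed layout; a
# display name that itself contains " - " would need a stricter parser).
SERVICE_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
# Trailing "(ShortName)" on the display name.
SHORT_NAME_RE = re.compile(r"\(([^()]+)\)\s*$")


def parse_hjt(text):
    """Pull the R0-R3 browser settings and the O23 services out of a HijackThis log."""
    r_entries, services = [], []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = R_ENTRY_RE.match(line)
        if m:
            r_entries.append({"type": m.group(1), "key": m.group(2),
                              "name": m.group(3).strip(), "value": m.group(4).strip()})
            continue
        m = SERVICE_RE.match(line)
        if m:
            display, owner, path = m.groups()
            short = SHORT_NAME_RE.search(display)
            # Assumption: HijackThis appends "(ShortName)" only when it differs
            # from the display name, so fall back to the display name otherwise.
            services.append({"display": display,
                             "name": short.group(1) if short else display,
                             "owner": owner.strip(), "path": path.strip()})
    return {"r_entries": r_entries, "services": services}


def empty_ie_entries(parsed):
    """Browser-setting entries whose value is blank: the ones the helper above
    has HijackThis 'Fix checked' so Internet Explorer gets its defaults back."""
    return [f"{e['key']},{e['name']}" for e in parsed["r_entries"] if e["value"] == ""]


def unknown_owner_services(parsed):
    """Services whose owning vendor HijackThis could not determine; worth a
    second look, although in this log they are legitimate ATI and iolo files."""
    return [s["name"] for s in parsed["services"] if s["owner"] == "Unknown owner"]


def missing_services(parsed, expected):
    """Expected service names (case-insensitive) that the log does not list."""
    present = {s["name"].lower() for s in parsed["services"]}
    return sorted(name for name in expected if name.lower() not in present)


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_HJT_LOG)
    print("Blank browser settings to fix:", empty_ie_entries(parsed))
    print("Services with unknown owner:", unknown_owner_services(parsed))
    # NAVEX15 and NAVENG are the two Symantec services named in the thread.
    print("Expected services not listed:", missing_services(parsed, ["NAVEX15", "NAVENG", "N360"]))
```

On the sample the three blank R0 entries are exactly the ones listed for fixing above, and NAVEX15 and NAVENG are reported missing while the N360 service is present, which matches what the user found when he could not locate those two services.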
 
I guess what bothers me is that the intrusions recently started when I became infected. I understand what you are saying, but I guess it's just the idea that the same IP addresses are continuously trying to get into my machine. I realize that Norton is doing its job; it's just that I hardly ever saw this activity before. Obviously, the redirects are the main issue right now.
 
Still getting redirects from Google.


Attached is my ComboFix Log
 

Attachments

  • ComboFixLog.txt (18.9 KB)
but I guess it's just the idea that the same IP addresses are continuously trying to get into my machine.
Don't take it personally! These same IPs are scanning thousands of other systems looking for vulnerabilities. IPs aren't 'random'- they belong to a specific machine. If you have a bad guy trying to hack or crack, it is reasonable to see the same IP repeating. Sometimes you will notice they are scanning different ports on your machine. Would it make you feel any better if I told you that I once saw the same IP attempt to access my system 200 times in a row!! They were using the Gnutella port which at that time, was a big music downloading site like LimeWire. What happened was it created a DOS> Denial of Service attack and I could do nothing but sit here and watch the firewall log the blocked scans- because I couldn't do anything else! But they never got in!!!

The IP info I left for you are frequent flyers. The APNIC, KORNICK and RIPE databases put out a lot of these scans.

Are you seeing this:
[screenshot: Norton alert]


Or this:
[screenshot: Norton alert]


Note the "stop notifying me" button on each image.

Combofix script to follow. I also need you to describe the 'redirect' exactly as to what is happening, which browser, from Address Bar or Search box
 
Message from Bobbye:

Due to family matters that require my time and efforts, I am unable to continue helping with malware cleaning at this time. If and when these matters are resolved, I will return to the board.

Since the only other helper in the Virus and Malware forum is Broni, I will ask him to pickup the open threads I have going, if and when he can.

========================================================================

You're all mine now :)
 