
AntiMalware 2009 infection, devolved from there


  • This topic is locked
10 replies to this topic

#1 skyduf

skyduf

  • Members
  • 5 posts

Posted 12 April 2009 - 12:58 AM

Unable to run MalwareBytes, or Adaware or Spybot S&D, it's disabled my USB drives, IE and system. Any ideas? Please help...thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48:43 PM, on 4/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\svcho.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.latimes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://news.latimes.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1033
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Los Angeles Times
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://config.latimes.trb/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.latimes.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 172.24; 172.25; 172.26; 172.23;<local>
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Policies\Explorer\Run: [svcho] C:\WINDOWS\svcho.exe
O4 - Global Startup: VPN Client.lnk = ?
O14 - IERESET.INF: START_PAGE_URL=http://news.latimes.com
O15 - Trusted Zone: myemail.latimes.com
O15 - Trusted Zone: signal.latimes.com
O15 - Trusted Zone: myemail.latimes.com (HKLM)
O15 - Trusted Zone: signal.latimes.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lat.ad.trb
O17 - HKLM\Software\..\Telephony: DomainName = lat.ad.trb
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lat.ad.trb
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 4416 bytes



#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts

Posted 12 April 2009 - 02:27 AM

Hello skyduf,


By your description I'm going to guess you have a rootkit along with everything else.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

ComboFix is not likely to run at first. You'll have to rename ComboFix.exe to skyduf.exe and then try to run it.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 skyduf


Posted 12 April 2009 - 05:30 PM

Hey Tea:

Thanks for your reply. I downloaded, renamed and started to run ComboFix. It prompted me to disable the Symantec Antivirus program's realtime scanner running on the laptop. However, I can't disable the scanning, nor can I uninstall the antivirus protection temporarily (need an uninstall password). The infected laptop is my husband's work computer (L.A. Times journalist). Can I run ComboFix anyway? I won't until you weigh in. Thanks

#4 teacup61


Posted 12 April 2009 - 05:45 PM

Go ahead and run it. :thumbup2:

You're welcome, and thank you for asking first.:)

#5 skyduf


Posted 12 April 2009 - 06:27 PM

Found a way to uninstall the antivirus program temporarily, then ran ComboFix. Here's the log, followed by the HJT one.

ComboFix 09-04-13.07 - news 2009-04-12 16:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1720 [GMT -7:00]
Running from: c:\documents and settings\news\Desktop\skyduf.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\IE4 Error Log.txt
c:\windows\svcho.exe
c:\windows\syssvc.exe
c:\windows\system32\drivers\UACxjcbehew.sys
c:\windows\system32\iehelper.dll
c:\windows\system32\UACfthkylkd.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjoliqgqv.log
c:\windows\system32\UACltobiqhj.dll
c:\windows\system32\UACmtbqwiop.dat
c:\windows\system32\UACsswueqoa.log
c:\windows\system32\UACtnipxdad.dll
c:\windows\system32\UACubkknxld.dll
c:\windows\system32\UACwuwtyxvr.log
c:\windows\system32\UACxexwkhsr.dll

----- BITS: Possible infected sites -----

hxxp://laccvmwsus01.lat.ad.trb
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-03-13 to 2009-04-13 )))))))))))))))))))))))))))))))
.

2009-04-13 23:13 . 2009-04-13 23:13 53248 ----a-w c:\temp\catchme.dll
2009-04-11 04:53 . 2008-06-19 23:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-04-11 02:09 . 2009-04-11 02:09 -------- d-----w c:\program files\Panda Security
2009-04-11 01:43 . 2009-04-11 01:43 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-11 01:43 . 2009-04-11 01:43 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-10 23:19 . 2009-04-10 23:19 -------- d-----w c:\program files\Trend Micro
2009-04-03 19:04 . 2009-04-03 19:34 -------- d-----w c:\program files\NoAdware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-12 22:52 . 2007-10-31 00:56 -------- d-----w c:\program files\Symantec
2009-04-12 22:52 . 2007-10-31 00:56 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-12 22:52 . 2007-10-31 00:56 -------- d-----w c:\program files\Symantec AntiVirus
2009-04-12 22:52 . 2007-10-31 00:56 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-02-09 10:19 . 2004-08-04 07:17 1846272 ----a-w c:\windows\system32\win32k.sys
2008-12-20 18:12 . 2008-07-18 01:58 153856 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2008-11-15 20:46 . 2008-11-15 20:46 22992 ----a-w c:\documents and settings\xsxtechs\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-11-06 01:14 . 2007-11-06 01:14 22992 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-02-08 04:2008-02-08 04:46 46:38 . c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-02-08 04:2008-02-08 04:46 46:12 . c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-02-08 04:2008-02-08 04:46 46:20 . c:\program files\mozilla firefox\plugins\confmgr.dll
2008-02-08 04:2008-02-08 04:46 46:16 . c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-02-08 04:2008-02-08 04:46 46:56 . c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-02-08 04:2008-02-08 04:46 46:18 . c:\program files\mozilla firefox\plugins\icafile.dll
2008-02-08 04:2008-02-08 04:46 46:36 . c:\program files\mozilla firefox\plugins\icalogon.dll
2007-03-17 00:2007-03-17 00:27 27:00 . c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-03-17 00:2007-03-17 00:27 27:00 . c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-17 00:2007-03-17 00:27 27:00 . c:\program files\mozilla firefox\plugins\msvcr80.dll
2007-07-20 19:2007-07-20 19:47 47:44 . c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-08 04:2008-02-08 04:46 46:12 . c:\program files\mozilla firefox\plugins\TcpPServ.dll
2008-07-18 01:2007-10-30 23:51 14:15 . c:\program files\mozilla firefox\components\jar50.dll
2008-07-18 01:2007-10-30 23:51 14:15 . c:\program files\mozilla firefox\components\jsd3250.dll
2008-07-18 01:2007-10-30 23:51 14:15 . c:\program files\mozilla firefox\components\myspell.dll
2008-07-18 01:2007-10-30 23:51 14:16 . c:\program files\mozilla firefox\components\spellchk.dll
2008-07-18 01:2007-10-30 23:51 14:17 . c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico [2008-09-05 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=ocsinstall.bat
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\system tool

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\JavaSoft\\JRE\\1.3.1_01\\bin\\javaw.exe"=

S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
S2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [2006-12-19 79432]
S3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-02 97536]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##lantaltiris03#Software#Microsoft#Office2003STD]
\Shell\AutoRun\command - Z:\SETUP.EXE /AUTORUN
\Shell\configure\command - Z:\SETUP.EXE
\Shell\install\command - Z:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38c95fa0-2099-11de-a0e3-001c2323eae7}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://news.latimes.com/
uInternet Settings,ProxyServer = proxy.latimes.com:80
uInternet Settings,ProxyOverride = 172.24; 172.25; 172.26; 172.23;<local>
Trusted Zone: latimes.com\myemail
Trusted Zone: latimes.com\signal
Trusted Zone: latimes.com\myemail
Trusted Zone: latimes.com\signal
FF - ProfilePath - c:\documents and settings\news\Application Data\Mozilla\Firefox\Profiles\a7rz8sme.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 2
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-13 16:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-13 16:16
ComboFix-quarantined-files.txt 2009-04-13 23:15

Pre-Run: 49,837,772,800 bytes free
Post-Run: 49,843,757,056 bytes free

129 --- E O F --- 2009-03-31 15:06






HIJACK THIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:23:48 PM, on 4/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.latimes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1033
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://config.latimes.trb/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.latimes.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 172.24; 172.25; 172.26; 172.23;<local>
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: VPN Client.lnk = ?
O14 - IERESET.INF: START_PAGE_URL=http://news.latimes.com
O15 - Trusted Zone: myemail.latimes.com
O15 - Trusted Zone: signal.latimes.com
O15 - Trusted Zone: myemail.latimes.com (HKLM)
O15 - Trusted Zone: signal.latimes.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lat.ad.trb
O17 - HKLM\Software\..\Telephony: DomainName = lat.ad.trb
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lat.ad.trb
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 3461 bytes

#6 teacup61


Posted 12 April 2009 - 06:32 PM

Hello,

Yes, it was a rootkit. :thumbup2: Looks pretty good now. How is it running please? :)

tea

#7 skyduf


Posted 13 April 2009 - 12:41 AM

Tea:

Thanks so much. Seems to be running well, no redirects and my USB ports work again. However, during the process, Mozilla Firefox took over as my default browser (which actually may be a good thing in terms of security) but Internet Explorer is the browser my husband is used to using....any ideas on how to get it back to IE....can I restore to an earlier time or will that mess up our progress?

Skyduf

#8 teacup61


Posted 13 April 2009 - 12:53 AM

Hello,

You're welcome. :thumbup2:

No, don't restore. Just open IE and set it as default browser....that should take care of it. :)

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

You've reinstalled Norton yes? :step4:

#9 skyduf


Posted 13 April 2009 - 01:05 AM

Great, thanks, we're back to IE now. Since I uninstalled the Symantec Antivirus program and it's the corporate copy to run ComboFix, I don't have a copy of it at the moment. I'll put Avast on it for now until my husband can get a copy from his help desk. I really appreciate your expert advice and will send a donation to you guys. Thanks again....skyduf

#10 teacup61


Posted 13 April 2009 - 01:08 AM

You're most welcome. :step1:

I'm glad you had a back up.......no wonder you were so willing to uninstall Norton. :step4: Glad everything is all right now. :thumbup2:

Thanks for the donation....much appreciated. :)

tea

#11 teacup61


Posted 20 April 2009 - 08:06 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Edited by teacup61, 20 April 2009 - 09:30 AM.
