google links being misdirected, random pop up pages in Mozilla


5 replies to this topic

#1 bbcoachrob

  • Members
  • 11 posts

Posted 12 August 2010 - 01:36 PM

Hello:

basics
Sony Vaio laptop on wireless dsl network
running XP with Avira personal antivir and firefox is main browser

a) almost all Google links are misdirected to other ad links
b) random pages start popping up out of nowhere while my browser is open
c) I cannot, no matter how hard I try, get the Windows security firewall enabled. I am either missing something, or Avira has a block on it.

I have two problems following your directions:

a) I run DDS, but it never gives an option to save, then dissolves after scanning without leaving any documents.
b) I cannot figure out how to attach the GMER file. It follows.
Arl.txt follows

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-12 11:31:10
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Liz\LOCALS~1\Temp\uxrdypow.sys


---- System - GMER 1.0.15 ----

SSDT F8BA98D6 ZwCreateKey
SSDT F8BA98CC ZwCreateThread
SSDT F8BA98DB ZwDeleteKey
SSDT F8BA98E5 ZwDeleteValueKey
SSDT F8BA98EA ZwLoadKey
SSDT F8BA98B8 ZwOpenProcess
SSDT F8BA98BD ZwOpenThread
SSDT F8BA98F4 ZwReplaceKey
SSDT F8BA98EF ZwRestoreKey
SSDT F8BA98E0 ZwSetValueKey
SSDT szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.) ZwTerminateProcess [0xF854B496]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 1D4 804E2840 4 Bytes JMP B8F8BA98
init C:\WINDOWS\system32\drivers\tifmsony.sys entry point in "init" section [0xF8720100]
init C:\WINDOWS\system32\drivers\ALCXSENS.SYS entry point in "init" section [0xF7D47680]
.rsrc C:\WINDOWS\system32\DRIVERS\tcpip.sys entry point in ".rsrc" section [0xEF5A6A94]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[476] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0132000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[476] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0133000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[476] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0131000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[476] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\WINDOWS\System32\svchost.exe[1292] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1292] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
.text C:\WINDOWS\System32\svchost.exe[1292] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C
.text C:\WINDOWS\System32\svchost.exe[1292] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0182000A
.text C:\WINDOWS\System32\svchost.exe[1292] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00D8000A
.text C:\WINDOWS\Explorer.EXE[1764] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1764] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[1764] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3128] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 1044721D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 81623EC5

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\tcpip.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
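
The GMER report above is what the helper reads to spot the rootkit: SSDT entries that resolve to bare addresses rather than to a named driver, an inline patch of kernel code, a driver (tcpip.sys) whose entry point sits in its .rsrc section, an unattributed dispatch address on the atapi device object, and two files flagged as modified. The one SSDT hook GMER does attribute belongs to szkgfs.sys, which GMER itself labels as the STOPzilla driver. As an added illustration (not part of this thread and not code from GMER), the Python script below parses a subset of those log lines and ranks each entry by whether GMER could attribute it to a known module. The embedded sample text is copied from the log posted above, and the regular expressions, severity labels and function names are this example's own assumptions about the GMER 1.0.15 text layout, not anything GMER documents.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a subset of the lines from the GMER log posted above,
# kept in GMER 1.0.15's text layout but trimmed so the example stays short.
SAMPLE_LOG = r"""GMER 1.0.15.15281 - http://www.gmer.net
---- System - GMER 1.0.15 ----
SSDT F8BA98D6 ZwCreateKey
SSDT F8BA98B8 ZwOpenProcess
SSDT szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.) ZwTerminateProcess [0xF854B496]
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!_abnormal_termination + 1D4 804E2840 4 Bytes JMP B8F8BA98
init C:\WINDOWS\system32\drivers\tifmsony.sys entry point in "init" section [0xF8720100]
.rsrc C:\WINDOWS\system32\DRIVERS\tcpip.sys entry point in ".rsrc" section [0xEF5A6A94]
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Mozilla Firefox\firefox.exe[476] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\WINDOWS\System32\svchost.exe[1292] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
---- Devices - GMER 1.0.15 ----
Device -> \Driver\atapi \Device\Harddisk0\DR0 81623EC5
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\DRIVERS\tcpip.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
"""

# Assumed line shapes, derived from the sample above (not a GMER specification).
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
SSDT_BARE_RE = re.compile(r"^SSDT\s+(?P<addr>[0-9A-F]{8})\s+(?P<func>\w+)$")
SSDT_MOD_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+\((?P<vendor>[^)]*)\)\s+(?P<func>\w+)")
ENTRY_RE = re.compile(r'^(?:\.\w+|init)\s+(?P<path>.+?) entry point in "(?P<sect>[^"]+)" section')
INLINE_RE = re.compile(
    r"^\.\w+\s+(?:(?P<proc>.+?\[\d+\])\s+)?(?P<target>\S+!\S+)(?:\s+\+\s+[0-9A-F]+)?"
    r"\s+[0-9A-F]{8}\s+\d+ Bytes JMP (?P<dest>[0-9A-F]{8})(?:\s+(?P<owner>.+))?$"
)
DEVICE_RE = re.compile(r"^Device -> (?P<driver>\S+) (?P<device>\S+) (?P<addr>[0-9A-F]{8})$")
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification$")
SEVERITY_ORDER = ("high", "medium", "info")


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    section: str    # GMER section the line came from
    detail: str


def triage(text: str) -> List[Finding]:
    """Walk a GMER log once and turn each hook, patch, device redirection or
    modified file into a Finding, ranked by how well GMER could explain it."""
    findings: List[Finding] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if not line:
            continue
        if m := SSDT_MOD_RE.match(line):
            # Hook attributed to a named driver with a vendor string (here a
            # security product); still worth confirming the driver is expected.
            findings.append(Finding("info", section,
                f"SSDT {m['func']} hooked by {m['module']} ({m['vendor']})"))
        elif m := SSDT_BARE_RE.match(line):
            # GMER could not map the hook address to any loaded module.
            findings.append(Finding("high", section,
                f"SSDT {m['func']} hooked by unattributed address {m['addr']}"))
        elif m := ENTRY_RE.match(line):
            # Driver entry points normally live in .text or INIT; an entry point
            # inside the resource section is the mark of a patched driver file.
            sev = "info" if m["sect"].lower() in (".text", "init") else "high"
            findings.append(Finding(sev, section,
                f"{m['path']} entry point in {m['sect']} section"))
        elif m := INLINE_RE.match(line):
            if m["owner"]:
                sev = "info"      # jump lands in a named module
            elif m["proc"] is None:
                sev = "high"      # inline patch of kernel code
            else:
                sev = "medium"    # user-mode hook into memory with no backing module
            where = m["proc"] or "kernel"
            findings.append(Finding(sev, section,
                f"{m['target']} in {where} JMP {m['dest']} -> {m['owner'] or 'no module'}"))
        elif m := DEVICE_RE.match(line):
            # Device object dispatch redirected to an address GMER cannot attribute.
            findings.append(Finding("high", section,
                f"{m['device']} dispatch for {m['driver']} at unattributed {m['addr']}"))
        elif m := FILE_RE.match(line):
            findings.append(Finding("high", section,
                f"{m['path']} reported as suspicious modification"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, e.g. {'high': 7, 'medium': 1, 'info': 3}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in sorted(results, key=lambda f: SEVERITY_ORDER.index(f.severity)):
        print(f"[{f.severity:6}] {f.section}: {f.detail}")
    print(summarize(results))
```

The ranking encodes the same reasoning the helper applies by eye: a hook that GMER can name (szkgfs.sys, or a jump that lands back inside firefox.exe) is explainable and only needs confirming, while an address with no owning module, a kernel patch, an entry point in .rsrc, and a "suspicious modification" line each point at code the system cannot account for. On the sample, tcpip.sys turns up twice (entry point and modified file), which matches what ComboFix later reports repairing in this thread.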


#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Location:Wills Point, Texas

Posted 12 August 2010 - 03:21 PM

Hello bbcoachrob ,



Don't worry about DDS for now, or attaching anything. This is fine, and GMER showed me exactly what I need to know for this.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to bbcoachrob.exe and try again.

When you've run ComboFix, please try DDS again and post it if it works.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#3 bbcoachrob

  • Topic Starter
  • Members
  • 11 posts

Posted 13 August 2010 - 07:14 PM

You are so kind to spend your time doing this helping!

ComboFix log embedded below.

DDS worked and is attached. I could not figure out how to zip the attached file, so I just saved it as a txt document. If you give me instructions on how to zip it, then I will do so if necessary.
Thanks for your help.


ComboFix 10-08-12.03 - Liz 08/13/2010 16:56:19.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.176 [GMT -7:00]
Running from: c:\documents and settings\Liz\My Documents\Downloads\bbcoachrobFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Liz\Recent\Thumbs.db
C:\LOG19.tmp
C:\LOG3.tmp
C:\LOG51.tmp
C:\LOG57.tmp
C:\LOG6.tmp
C:\LOG8.tmp
C:\LOGC3.tmp

Infected copy of c:\windows\system32\drivers\tcpip.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
.
((((((((((((((((((((((((( Files Created from 2010-07-14 to 2010-08-14 )))))))))))))))))))))))))))))))
.

2010-08-10 04:09 . 2010-08-10 03:50 1129120 ----a-w- c:\documents and settings\All Users\Application Data\STOPzilla!\vdb\vbcorent.dll
2010-08-10 03:48 . 2010-08-12 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-08-10 03:39 . 2010-08-10 03:39 -------- d-----w- c:\documents and settings\Liz\Application Data\Malwarebytes
2010-08-10 03:39 . 2010-08-10 03:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-10 03:39 . 2010-08-13 20:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-08 23:39 . 2010-08-08 23:41 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-08-08 23:39 . 2010-08-12 20:58 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-08 17:52 . 2010-08-08 18:00 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-08-06 16:59 . 2010-08-06 16:59 503808 ----a-w- c:\documents and settings\Liz\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4b190802-n\msvcp71.dll
2010-08-06 16:59 . 2010-08-06 16:59 499712 ----a-w- c:\documents and settings\Liz\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4b190802-n\jmc.dll
2010-08-06 16:59 . 2010-08-06 16:59 348160 ----a-w- c:\documents and settings\Liz\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4b190802-n\msvcr71.dll
2010-08-06 16:59 . 2010-08-06 16:59 12800 ----a-w- c:\documents and settings\Liz\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-2d02c30a-n\decora-d3d.dll
2010-08-06 16:59 . 2010-08-06 16:59 61440 ----a-w- c:\documents and settings\Liz\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-2d02c30a-n\decora-sse.dll
2010-08-04 05:24 . 2010-08-04 05:24 -------- d-----w- c:\documents and settings\Liz\Application Data\Lexmark Productivity Studio
2010-08-04 05:22 . 2010-08-04 05:22 -------- d-----w- c:\program files\Lexmark Toolbar
2010-08-04 04:58 . 2008-04-13 18:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-08-04 04:58 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-08-04 04:58 . 2001-08-18 05:36 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2010-08-04 04:58 . 2001-08-18 05:36 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
2010-08-04 04:58 . 2007-01-24 02:40 65536 ----a-w- c:\windows\system32\lxddcaps.dll
2010-08-04 04:58 . 2007-01-10 00:13 692224 ----a-w- c:\windows\system32\lxdddrs.dll
2010-08-04 04:58 . 2006-10-07 00:08 69632 ----a-w- c:\windows\system32\lxddcnv4.dll
2010-07-30 02:25 . 2010-07-30 02:25 -------- d-----w- c:\documents and settings\Liz\Local Settings\Application Data\tjnet
2010-07-29 01:46 . 2010-02-26 23:51 6870864 ---ha-w- c:\documents and settings\Liz\Application Data\mjusbsp\in00000\setup.exe
2010-07-29 01:46 . 2010-02-26 23:45 743872 ---ha-w- c:\documents and settings\Liz\Application Data\mjusbsp\ar00000\install.exe
2010-07-29 00:22 . 2010-02-26 23:51 6870864 ---ha-w- c:\documents and settings\Liz\Application Data\mjusbsp\Upgrade\setup1.exe
2010-07-29 00:22 . 2010-02-26 23:45 743872 ---ha-w- c:\documents and settings\Liz\Application Data\mjusbsp\Upgrade\install1.exe
2010-07-29 00:21 . 2010-08-08 06:39 -------- d-----w- c:\documents and settings\Liz\Application Data\mjusbsp
2010-07-19 04:28 . 2010-07-19 04:28 2605008 ----a-w- c:\documents and settings\Liz\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-13 18:49 . 2010-06-25 18:35 -------- d-----w- c:\program files\Lx_cats
2010-08-13 16:10 . 2010-06-16 19:36 -------- d-----w- c:\documents and settings\Liz\Application Data\U3
2010-08-12 22:27 . 2003-09-17 16:42 1 ----a-w- c:\documents and settings\Liz\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-08-12 17:58 . 2010-08-12 17:22 1312 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-08-12 03:30 . 2010-08-12 03:27 6328 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-08-10 03:23 . 2008-03-16 18:26 -------- d-----w- c:\program files\Common Files\Java
2010-08-10 03:21 . 2008-03-16 18:26 -------- d-----w- c:\program files\Java
2010-08-04 05:23 . 2010-06-25 18:35 -------- d-----w- c:\program files\Lexmark 2500 Series
2010-07-17 12:00 . 2003-09-17 16:33 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-08 23:21 . 2008-03-16 18:22 20664 ----a-w- c:\documents and settings\Liz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-29 02:06 . 2010-06-29 02:06 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-25 19:21 . 2010-06-25 19:21 -------- d-----w- c:\program files\MSBuild
2010-06-25 19:20 . 2010-06-25 19:20 -------- d-----w- c:\program files\Reference Assemblies
2010-06-25 19:00 . 2010-06-25 18:59 -------- d-----w- c:\program files\Common Files\Logitech
2010-06-25 18:59 . 2010-06-25 18:59 -------- d-----w- c:\program files\Windows Media Components
2010-06-25 18:58 . 2010-06-25 18:57 -------- d-----w- c:\program files\Logitech
2010-06-25 18:58 . 2010-06-25 18:58 81920 ------r- c:\windows\bwUnin-6.1.4.36-8876480L.exe
2010-06-25 18:58 . 2008-03-16 18:00 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-25 17:59 . 2010-06-25 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2010-06-16 22:36 . 2008-03-16 18:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-16 18:25 . 2008-03-16 17:30 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-06-14 14:31 . 2008-03-16 17:28 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-11 23:58 . 2010-06-11 23:58 503808 ----a-w- c:\documents and settings\Liz\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-24f202de-n\msvcp71.dll
2010-06-11 23:58 . 2010-06-11 23:58 499712 ----a-w- c:\documents and settings\Liz\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-24f202de-n\jmc.dll
2010-06-11 23:58 . 2010-06-11 23:58 348160 ----a-w- c:\documents and settings\Liz\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-24f202de-n\msvcr71.dll
2010-06-11 23:58 . 2010-06-11 23:58 61440 ----a-w- c:\documents and settings\Liz\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-46987e93-n\decora-sse.dll
2010-06-11 23:58 . 2010-06-11 23:58 12800 ----a-w- c:\documents and settings\Liz\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-46987e93-n\decora-d3d.dll
2010-06-09 06:08 . 2003-09-17 10:26 2839904 -c--a-w- c:\documents and settings\All Users\Application Data\{B04ACE34-3217-4750-80C8-FF0526780A60}\UpdateMyDrivers.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2003-09-17 39408]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2010-06-25 16384]
"cdloader"="c:\documents and settings\Liz\Application Data\mjusbsp\cdloader2.exe" [2010-02-26 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-11 339968]
"Hcontrol"="c:\windows\Hcontrol.exe" [2002-01-08 53248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2007-07-06 291504]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-11 127022]
"LogitechGalleryRepair"="c:\program files\Logitech\ImageStudio\ISStart.exe" [2002-12-11 155648]
"LogitechImageStudioTray"="c:\program files\Logitech\ImageStudio\LogiTray.exe" [2002-12-11 61440]
"lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2007-04-30 20480]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\Liz\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2010-6-25 169472]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxddcoms.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"c:\\Documents and Settings\\Liz\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\App4R.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddtime.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddmon.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/11/2010 2:39 PM 135336]
R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [3/16/2008 2:19 AM 71961]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/17/2003 5:10 AM 136176]
S3 PID_0960_V;Logitech ClickSmart 420(PID_0960_V);c:\windows\system32\drivers\LVVIMULB.SYS [6/25/2010 12:00 PM 163328]
.
Contents of the 'Scheduled Tasks' folder

2010-08-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2003-09-17 12:10]

2010-08-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2003-09-17 12:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = localhost
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Liz\Application Data\Mozilla\Firefox\Profiles\spvmsmhd.default\
FF - prefs.js: browser.startup.homepage - my.yahoo.com
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-13 17:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(832)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-08-13 17:05:06
ComboFix-quarantined-files.txt 2010-08-14 00:05

Pre-Run: 68,105,826,304 bytes free
Post-Run: 68,382,052,352 bytes free

- - End Of File - - 02E30BADF9D8E822F4AB2696AFFF373B

#4 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Location:Wills Point, Texas

Posted 13 August 2010 - 07:45 PM

Hello,

You're welcome.

Don't worry about attaching anything. I actually prefer to see them copied and pasted, just like you did with the ComboFix report.

How is it running now?

I see you have Malwarebytes already. Please make sure it's updated and have a scan with it... a quick scan will be fine... and post the report in your reply, if there is anything to report.

Thanks,
tea

#5 bbcoachrob

  • Topic Starter
  • Members
  • 11 posts

Posted 13 August 2010 - 10:29 PM

I haven't surfed any yet to know how things are. Let me try it out. Here is the scan report. Thank you again for everything you do for people like me.



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4426

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/13/2010 8:26:28 PM
mbam-log-2010-08-13 (20-26-28).txt

Scan type: Quick scan
Objects scanned: 124905
Time elapsed: 7 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#6 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Location:Wills Point, Texas

Posted 13 August 2010 - 10:52 PM

Okay... let me know. ComboFix got the rootkit, so I suspect it's better now.

tea



