Infected with some redirect / ad pop-up malware


  • This topic is locked
19 replies to this topic

#16 j_hong25

j_hong25
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:45 PM

Posted 01 October 2010 - 03:16 PM

Hello Gringo,

Here is my latest ComboFix report with the most recent script you had me run.
No problems experienced. I think my computer is doing well -- I recently purchased Norton 360 for Internet Security, as you may have noticed.

ComboFix 10-09-30.05 - Benjamin J. Park 10/01/2010 15:49:39.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1428 [GMT -4:00]
Running from: c:\documents and settings\Benjamin J. Park\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Benjamin J. Park\Desktop\CFScript.txt
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
* Created a new restore point

FILE ::
"c:\documents and settings\Benjamin J. Park\.jpi_cache\file\1.0\SecurityClassLoader.class-6fd9f626-7aff2112.class"
"c:\documents and settings\Benjamin J. Park\Application Data\Microsoft\Internet Explorer\Quick Launch\eBay.url"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Benjamin J. Park\.jpi_cache\file\1.0\SecurityClassLoader.class-6fd9f626-7aff2112.class
c:\documents and settings\Benjamin J. Park\Application Data\Microsoft\Internet Explorer\Quick Launch\eBay.url

.
((((((((((((((((((((((((( Files Created from 2010-09-01 to 2010-10-01 )))))))))))))))))))))))))))))))
.

2010-10-01 17:38 . 2009-05-11 15:30 1099592 ----a-w- c:\documents and settings\Benjamin J. Park\Application Data\icu2\ICUBackup.exe
2010-10-01 17:38 . 2008-11-04 22:24 1033680 ----a-w- c:\documents and settings\Benjamin J. Park\Application Data\icu2\ipworks8.dll
2010-10-01 17:38 . 2003-10-03 13:37 139776 ----a-w- c:\documents and settings\Benjamin J. Park\Application Data\icu2\ZipDll.dll
2010-10-01 17:38 . 2003-07-15 19:32 122368 ----a-w- c:\documents and settings\Benjamin J. Park\Application Data\icu2\UnzDll.dll
2010-10-01 17:38 . 2009-02-01 12:58 2065408 ----a-w- c:\documents and settings\Benjamin J. Park\Application Data\icu2\VGCAP.DLL
2010-10-01 17:38 . 2007-10-22 12:32 3273728 ----a-w- c:\documents and settings\Benjamin J. Park\Application Data\icu2\Cdcdll.dll
2010-10-01 17:38 . 2007-03-02 19:49 68168 ----a-w- c:\documents and settings\Benjamin J. Park\Application Data\icu2\ICUII5.exe
2010-10-01 17:38 . 2007-01-24 13:30 835584 ----a-w- c:\documents and settings\Benjamin J. Park\Application Data\icu2\IMW32API.DLL
2010-10-01 17:38 . 2010-10-01 19:27 -------- d-----w- c:\documents and settings\Benjamin J. Park\Application Data\icu2
2010-10-01 17:38 . 2010-02-11 15:20 6335800 ----a-w- c:\documents and settings\Benjamin J. Park\Application Data\icu2\ICUII.exe
2010-10-01 17:38 . 2009-04-21 13:39 163664 ----a-w- c:\documents and settings\Benjamin J. Park\Application Data\icu2\UNWISE.EXE
2010-09-28 19:32 . 2010-09-28 19:32 -------- d-----w- c:\program files\ESET
2010-09-28 03:12 . 2010-09-28 03:12 388096 ----a-r- c:\documents and settings\Benjamin J. Park\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-28 03:12 . 2010-09-28 03:12 -------- d-----w- c:\program files\Trend Micro
2010-09-28 02:52 . 2010-09-28 02:52 -------- d-----w- c:\documents and settings\Benjamin J. Park\Application Data\Malwarebytes
2010-09-28 02:52 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-28 02:52 . 2010-09-28 02:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-28 02:52 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-28 02:52 . 2010-09-28 02:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-28 00:52 . 2010-09-28 00:52 503808 ----a-w- c:\documents and settings\Benjamin J. Park\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7afc5d7f-n\msvcp71.dll
2010-09-28 00:52 . 2010-09-28 00:52 499712 ----a-w- c:\documents and settings\Benjamin J. Park\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7afc5d7f-n\jmc.dll
2010-09-28 00:52 . 2010-09-28 00:52 348160 ----a-w- c:\documents and settings\Benjamin J. Park\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7afc5d7f-n\msvcr71.dll
2010-09-28 00:52 . 2010-09-28 00:52 61440 ----a-w- c:\documents and settings\Benjamin J. Park\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-606eb9a3-n\decora-sse.dll
2010-09-28 00:52 . 2010-09-28 00:52 12800 ----a-w- c:\documents and settings\Benjamin J. Park\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-606eb9a3-n\decora-d3d.dll
2010-09-28 00:51 . 2010-09-28 00:51 -------- d-----w- c:\program files\Common Files\Java
2010-09-28 00:51 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-28 00:29 . 2010-09-28 00:29 -------- d-----w- c:\documents and settings\Benjamin J. Park\Application Data\Foxit Software
2010-09-28 00:28 . 2010-09-28 00:28 -------- d-----w- c:\documents and settings\Benjamin J. Park\Application Data\Foxit
2010-09-28 00:27 . 2010-09-28 00:27 -------- d-----w- c:\program files\Foxit Software
2010-09-25 15:31 . 2010-09-25 15:31 -------- d-----w- c:\program files\Symantec
2010-09-25 15:31 . 2010-09-25 15:31 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-09-25 15:31 . 2010-09-25 15:31 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-09-25 15:30 . 2010-09-28 02:20 -------- d-----w- c:\windows\system32\drivers\N360
2010-09-25 15:30 . 2010-09-25 15:30 -------- d-----w- c:\program files\Norton 360
2010-09-23 23:45 . 2010-04-22 03:02 173104 ----a-w- c:\windows\system32\drivers\symefa.sys
2010-09-23 23:45 . 2010-02-04 01:40 328752 ----a-w- c:\windows\system32\drivers\symds.sys
2010-09-23 23:45 . 2010-04-29 05:03 116784 ----a-w- c:\windows\system32\drivers\ironx86.sys
2010-09-23 23:45 . 2010-02-26 00:22 501888 ----a-w- c:\windows\system32\drivers\cchpx86.sys
2010-09-13 17:32 . 2010-09-13 17:32 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-01 17:38 . 2008-11-25 21:51 -------- d-----w- c:\program files\icuii
2010-09-30 23:06 . 2008-12-07 03:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-09-28 19:28 . 2005-08-29 05:04 -------- d-----w- c:\program files\Google
2010-09-28 00:50 . 2003-10-18 20:08 -------- d-----w- c:\program files\Java
2010-09-28 00:37 . 2004-05-08 17:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-09-28 00:30 . 2004-05-08 17:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-09-28 00:29 . 2004-02-18 18:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-09-28 00:29 . 2003-10-18 20:09 -------- d-----w- c:\program files\Viewpoint
2010-09-28 00:23 . 2003-09-07 04:59 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-28 00:20 . 2003-09-07 06:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-25 15:40 . 2003-09-07 07:01 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-09-25 15:34 . 2009-12-16 01:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-09-25 15:31 . 2010-09-25 15:31 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-09-25 15:31 . 2010-09-25 15:31 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-09-25 15:29 . 2009-12-28 16:11 -------- d-----w- c:\program files\NortonInstaller
2010-09-24 16:53 . 2009-12-28 16:11 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-09-14 22:20 . 2009-04-28 23:32 -------- d-----w- c:\documents and settings\Benjamin J. Park\Application Data\Free Download Manager
2010-09-13 18:05 . 2007-10-13 05:11 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-13 17:53 . 2003-11-29 18:51 -------- d-----w- c:\program files\iTunes
2010-09-13 17:51 . 2004-04-01 05:30 -------- d-----w- c:\program files\iPod
2010-09-13 17:51 . 2007-09-06 06:51 -------- d-----w- c:\program files\Common Files\Apple
2010-09-13 17:43 . 2003-10-18 20:56 -------- d-----w- c:\program files\QuickTime
2010-09-12 23:25 . 2010-07-20 21:38 452104 ----a-w- c:\documents and settings\Benjamin J. Park\Application Data\Real\Update\setup3.12\setup.exe
2010-09-08 21:52 . 2004-07-06 20:14 -------- d-----w- c:\program files\Lavasoft
2010-09-08 21:52 . 2010-07-03 15:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-09-04 13:29 . 2007-12-17 17:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
2010-08-31 16:11 . 2010-08-31 16:11 3401880 ----a-w- c:\documents and settings\Benjamin J. Park\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
2010-08-31 15:55 . 2010-08-31 15:55 275096 ----a-w- c:\documents and settings\Benjamin J. Park\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-08-31 15:39 . 2010-08-31 15:39 3734536 ----a-w- c:\documents and settings\Benjamin J. Park\Application Data\Mozilla\plugins\Google Talk Plugin Extras\d3dx9_36.dll
2010-08-17 18:10 . 2010-09-01 02:37 372736 ------w- c:\documents and settings\All Users\Application Data\Dell\DSL\DSLCheck.exe
2010-08-13 21:56 . 2008-05-11 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-08-04 20:17 . 2010-06-09 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-08-03 20:19 . 2010-08-03 20:19 -------- d-----w- c:\documents and settings\Benjamin J. Park\Application Data\Tific
2010-07-09 14:26 . 2010-09-01 02:38 475136 ------w- c:\documents and settings\All Users\Application Data\Dell\RMC\RMCCreationInfo.exe
2006-04-18 05:23 . 2006-04-18 05:24 123392 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2005-01-22 21:04 . 2004-07-27 20:58 56 --sh--r- c:\windows\system32\F14AC3F7D7.sys
2006-12-26 10:28 . 2004-07-27 20:58 11480 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-09-25_14.02.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-28 01:07 . 2010-09-28 01:07 16384 c:\windows\Temp\Perflib_Perfdata_18c.dat
+ 2010-09-28 01:06 . 2010-09-28 01:06 16384 c:\windows\Temp\Perflib_Perfdata_160.dat
+ 2009-10-25 15:25 . 2009-05-18 21:17 26600 c:\windows\system32\DRVSTORE\GEARAspiWD_3B7AACF0636A2C042EB7AD2AFF76D37B27BDD28C\x86\GEARAspiWDM.sys
- 2009-10-25 15:25 . 2009-05-18 18:17 26600 c:\windows\system32\DRVSTORE\GEARAspiWD_3B7AACF0636A2C042EB7AD2AFF76D37B27BDD28C\x86\GEARAspiWDM.sys
+ 2010-09-28 02:20 . 2010-04-22 02:29 43696 c:\windows\system32\drivers\N360\0403000.005\srtspx.sys
+ 2010-09-25 17:11 . 2010-04-22 02:29 43696 c:\windows\system32\drivers\N360\0402000.00C\srtspx.sys
- 2008-01-29 16:01 . 2009-05-18 18:17 26600 c:\windows\system32\drivers\GEARAspiWDM.sys
+ 2008-01-29 16:01 . 2009-05-18 21:17 26600 c:\windows\system32\drivers\GEARAspiWDM.sys
+ 2010-09-28 01:37 . 2010-09-28 01:37 25214 c:\windows\Installer\{4286E640-B5FB-11DF-AC4B-005056C00008}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74_1.exe
+ 2010-09-28 01:37 . 2010-09-28 01:37 25214 c:\windows\Installer\{4286E640-B5FB-11DF-AC4B-005056C00008}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2010-09-28 01:37 . 2010-09-28 01:37 25214 c:\windows\Installer\{4286E640-B5FB-11DF-AC4B-005056C00008}\ShortcutOGL_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2010-09-28 01:37 . 2010-09-28 01:37 25214 c:\windows\Installer\{4286E640-B5FB-11DF-AC4B-005056C00008}\ShortcutDX_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2010-09-28 01:37 . 2010-09-28 01:37 25214 c:\windows\Installer\{4286E640-B5FB-11DF-AC4B-005056C00008}\googleearth.exe1_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2010-09-28 01:37 . 2010-09-28 01:37 25214 c:\windows\Installer\{4286E640-B5FB-11DF-AC4B-005056C00008}\googleearth.exe_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2010-09-28 01:37 . 2010-09-28 01:37 25214 c:\windows\Installer\{4286E640-B5FB-11DF-AC4B-005056C00008}\ARPPRODUCTICON.exe
- 2010-03-09 23:48 . 2010-03-09 23:47 153376 c:\windows\system32\javaws.exe
+ 2010-09-28 00:51 . 2010-07-17 09:00 153376 c:\windows\system32\javaws.exe
+ 2010-09-28 00:51 . 2010-07-17 09:00 145184 c:\windows\system32\javaw.exe
- 2010-03-09 23:48 . 2010-03-09 23:47 145184 c:\windows\system32\javaw.exe
+ 2010-09-28 00:51 . 2010-07-17 09:00 145184 c:\windows\system32\java.exe
- 2010-03-09 23:48 . 2010-03-09 23:47 145184 c:\windows\system32\java.exe
+ 2008-01-29 16:02 . 2008-04-17 20:12 107368 c:\windows\system32\GEARAspi.dll
- 2008-01-29 16:02 . 2008-04-17 17:12 107368 c:\windows\system32\GEARAspi.dll
- 2009-10-25 15:25 . 2008-04-17 17:12 107368 c:\windows\system32\DRVSTORE\GEARAspiWD_3B7AACF0636A2C042EB7AD2AFF76D37B27BDD28C\x86\GEARAspi.dll
+ 2009-10-25 15:25 . 2008-04-17 20:12 107368 c:\windows\system32\DRVSTORE\GEARAspiWD_3B7AACF0636A2C042EB7AD2AFF76D37B27BDD28C\x86\GEARAspi.dll
+ 2010-09-28 02:20 . 2010-05-06 04:01 339504 c:\windows\system32\drivers\N360\0403000.005\symtdiv.sys
+ 2010-09-28 02:20 . 2010-05-06 04:01 361904 c:\windows\system32\drivers\N360\0403000.005\symtdi.sys
+ 2010-09-28 02:20 . 2010-04-22 03:02 173104 c:\windows\system32\drivers\N360\0403000.005\symefa.sys
+ 2010-09-28 02:20 . 2010-02-04 01:40 328752 c:\windows\system32\drivers\N360\0403000.005\symds.sys
+ 2010-09-28 02:20 . 2010-04-22 02:29 325680 c:\windows\system32\drivers\N360\0403000.005\srtsp.sys
+ 2010-09-28 02:20 . 2010-04-29 05:03 116784 c:\windows\system32\drivers\N360\0403000.005\ironx86.sys
+ 2010-09-28 02:20 . 2010-02-26 00:22 501888 c:\windows\system32\drivers\N360\0403000.005\cchpx86.sys
+ 2010-09-25 17:11 . 2010-05-06 04:01 339504 c:\windows\system32\drivers\N360\0402000.00C\symtdiv.sys
+ 2010-09-25 17:11 . 2010-05-06 04:01 361904 c:\windows\system32\drivers\N360\0402000.00C\symtdi.sys
+ 2010-09-25 17:11 . 2010-04-22 03:02 173104 c:\windows\system32\drivers\N360\0402000.00C\symefa.sys
+ 2010-09-25 17:11 . 2010-02-04 01:40 328752 c:\windows\system32\drivers\N360\0402000.00C\symds.sys
+ 2010-09-25 17:11 . 2010-04-22 02:29 325680 c:\windows\system32\drivers\N360\0402000.00C\srtsp.sys
+ 2010-09-25 17:11 . 2010-04-29 05:03 116784 c:\windows\system32\drivers\N360\0402000.00C\ironx86.sys
+ 2010-09-25 17:11 . 2010-02-26 00:22 501888 c:\windows\system32\drivers\N360\0402000.00C\cchpx86.sys
+ 2010-09-28 00:51 . 2010-09-28 00:51 180224 c:\windows\Installer\c0b66.msi
+ 2010-09-28 03:12 . 2010-09-28 03:12 1094656 c:\windows\Installer\74050f.msi
+ 2010-09-28 01:37 . 2010-09-28 01:37 1223680 c:\windows\Installer\19a5d8.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-03-18 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-03-18 569344]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless-G Notebook Adapter with SpeedBooster Utility.lnk - c:\program files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe [2006-10-3 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\kav\\kav7\\setup.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\Benjamin J. Park\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Benjamin J. Park\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\icuii\\ICUII.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0403000.005\symds.sys [9/27/2010 10:20 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0403000.005\symefa.sys [9/27/2010 10:20 PM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20100901.003\BHDrvx86.sys [9/1/2010 9:39 PM 692272]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0403000.005\cchpx86.sys [9/27/2010 10:20 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0403000.005\ironx86.sys [9/27/2010 10:20 PM 116784]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [12/19/2001 3:45 PM 8576]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\4.3.0.5\ccsvchst.exe [9/27/2010 10:20 PM 126392]
R2 NICSer_WPC54GS;NICSer_WPC54GS;c:\program files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe [10/3/2006 2:15 PM 455680]
R2 portD;CMS PortIO Service;c:\windows\system32\drivers\portd2k.sys [10/25/2006 5:31 PM 7424]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/27/2010 4:15 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\IPSDefs\20100930.005\IDSXpx86.sys [10/1/2010 12:09 PM 331640]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/7/2010 8:28 PM 135664]
S2 VAgnt Helper Service;VAgnt Helper Service;c:\windows\system32\XYNTService.exe [4/8/2010 11:43 AM 49152]
S3 SCR131C;SCRx31 Serial Smart Card Reader;c:\windows\system32\drivers\SCR131C.sys [11/7/2002 5:04 AM 181875]
S3 SCR33X USB Smart Card Reader;SCR33X USB Smart Card Reader;c:\windows\system32\drivers\SCR33X2K.sys [4/6/2004 5:24 AM 64088]
.
Contents of the 'Scheduled Tasks' folder

2010-09-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 16:34]

2010-09-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-07 20:12]

2010-09-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-08 00:28]

2010-10-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-08 00:28]

2010-09-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-688789844-725345543-1004Core.job
- c:\documents and settings\Benjamin J. Park\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-30 17:52]

2010-10-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-688789844-725345543-1004UA.job
- c:\documents and settings\Benjamin J. Park\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-30 17:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uLocal Page =
mLocal Page =
uInternet Settings,ProxyOverride = *.local
Trusted Zone: newbienudes.com\www
Trusted Zone: turbotax.com
DPF: ConferenceRoom Java Client - hxxp://irc.theamateurchat.com/java/cr.cab
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Benjamin J. Park\Application Data\Mozilla\Firefox\Profiles\g0zwg4l1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - plugin: c:\documents and settings\Benjamin J. Park\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Benjamin J. Park\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Benjamin J. Park\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\Benjamin J. Park\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin9.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-01 16:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):c7,18,3d,05,82,8a,b8,a1,59,b9,12,34,68,12,83,d7,aa,54,16,01,4b,
f5,b9,28,14,25,10,a8,0c,d9,f1,33,44,d5,5f,b2,51,12,0d,9f,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-10-01 16:09:11
ComboFix-quarantined-files.txt 2010-10-01 20:08
ComboFix2.txt 2010-09-25 14:05
ComboFix3.txt 2010-09-24 02:14

Pre-Run: 6,321,184,768 bytes free
Post-Run: 6,346,125,312 bytes free

- - End Of File - - EFEAC0D7D876DBC9ECDCE8212F98F0BD
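A triage pass over the kind of log posted above, as an added example (it is not part of ComboFix, of the thread, or of the helper's instructions). It walks the plain-text sections ComboFix prints (the `AV:`/`FW:` header lines, the `[registry key]` sections under "Reg Loading Points", and the "Supplementary Scan") and flags what a helper checks before closing a topic: on-access scanning reported disabled, Security Center monitoring switched off, the Windows Firewall policy set to 0, IE Trusted Zone entries, and DPF (Downloaded Program Files) controls fetched from the web. The sample log is constructed in ComboFix's layout with the chat-site domains replaced by `.invalid` names; the severity labels are this example's own choice. ComboFix defangs URLs as `hxxp://`, and the parser accepts both that and the real scheme.

```python
"""Triage a ComboFix log for weakened-defence indicators (added example)."""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    detail: str


AV_FW_RE = re.compile(r"^(AV|FW): (.+?) \*(.+?)\*")
SECTION_RE = re.compile(r"^\[(.+)\]$")
DISABLE_MON_RE = re.compile(r'^"DisableMonitoring"=dword:0*1$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*0\b')
TRUSTED_RE = re.compile(r"^Trusted Zone: (.+)$")
DPF_RE = re.compile(r"^DPF: (.+?) - (\S+)$")
WEB_SCHEMES = ("hxxp://", "hxxps://", "http://", "https://")


def triage_combofix(text: str) -> List[Finding]:
    """Walk the log line by line, tracking the current [registry key] section."""
    findings: List[Finding] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = AV_FW_RE.match(line)
        if m:  # e.g. AV: Norton 360 *On-access scanning disabled* (Updated) {...}
            kind, product, status = m.groups()
            if "disabled" in status.lower():
                findings.append(Finding("high", f"{kind} {product}: {status}"))
            continue
        if "security center" in section and DISABLE_MON_RE.match(line):
            # Third-party suites set this so Security Center stops warning;
            # confirm the suite really is the one doing the monitoring.
            findings.append(Finding("medium", f"Security Center monitoring off: {section}"))
            continue
        if "firewallpolicy" in section and FIREWALL_RE.match(line):
            profile = section.rsplit("\\", 1)[-1]
            findings.append(Finding("medium", f"Windows Firewall disabled for {profile}"))
            continue
        m = TRUSTED_RE.match(line)
        if m:  # sites in the Trusted zone get that zone's relaxed ActiveX settings
            findings.append(Finding("info", f"IE Trusted Zone entry: {m.group(1)}"))
            continue
        m = DPF_RE.match(line)
        if m:
            name, url = m.groups()
            if url.lower().startswith(WEB_SCHEMES):
                findings.append(Finding("medium", f"DPF control from the web: {name} <- {url}"))
            else:
                findings.append(Finding("info", f"DPF control from local file: {name} <- {url}"))
    return findings


def severity_counts(findings: List[Finding]) -> dict:
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample in ComboFix's layout (chat-site domains replaced with .invalid names).
SAMPLE_LOG = r"""
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
uStart Page = hxxp://www.google.com/
Trusted Zone: chat-site.invalid\www
Trusted Zone: turbotax.com
DPF: ConferenceRoom Java Client - hxxp://irc.chat-site.invalid/java/cr.cab
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
"""

if __name__ == "__main__":
    for finding in triage_combofix(SAMPLE_LOG):
        print(f"[{finding.severity:6}] {finding.detail}")
```

Run it against a saved ComboFix.txt by replacing `SAMPLE_LOG` with the file's contents. Medium findings are not automatically bad: a third-party suite such as the Norton 360 in this log is expected to take over Security Center monitoring and the firewall role, so the check is that the suite shown on the `AV:`/`FW:` lines is actually enabled, which is why the disabled on-access scanning is the one high-severity item here.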



#17 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:45 PM

Posted 01 October 2010 - 03:48 PM

Hello

The rest of the Online scan is only reporting backups created during the course of this fix (C:\Qoobox\Quarantine\) and/or items located in System Restore's cache (C:\System Volume Information\). Whatever is in these folders can't harm you unless you choose to perform a manual restore. The following steps will remove these backups.


Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

Any programs and logs that are left over can just be deleted from the desktop. TFC is a free temp file cleaner that is very easy to use; I would keep this and use it before you do any scans or when you want to free up some space.

:DeFogger:
    To re-enable your Emulation drivers, double click DeFogger to run the tool.
    • The application window will appear
    • Click the Re-enable button to re-enable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    Your Emulation drivers are now re-enabled.


:Uninstall ComboFix:
  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box: ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall; it needs to be there.


:remove tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes; if not, delete it yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

:clear system restore points:

This is a good time to clear your existing system restore points and establish a new clean restore point:
  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • choose your root drive (normally C:)
  • after it calculates how much space you will save it will open up a new window
  • Select the More options tab at the top of the window
  • Choose the option to clean up system restore and OK it.
  • go back to the disk clean up tab
  • put a checkmark in all - except compress old files (leave this unchecked)
  • click Ok then click yes
This will remove all restore points except the new one you just created and clean up unneeded files.

:Make your Internet Explorer more secure:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.

:Make Firefox more secure:

:Turn On Automatic Updates:
    1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
    2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) option: Automatically download recommended updates for my computer and install them.

    If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

    or visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly:
  • WinPatrol - As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
  • Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recommend keeping it and using it often.

Please read this great article by miekiemoes, How to prevent Malware:

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Gringo



I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#18 j_hong25

j_hong25
  • Topic Starter

  • Members
  • 9 posts

Posted 02 October 2010 - 01:43 PM

Dear Gringo,

Thank you so much for this help!

I will be making a humble donation in your honor...
Thanks again for all you did.

Jim

#19 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 02 October 2010 - 01:44 PM

Thank you very much and you are most welcome


May you surf in peace.



Gringo

#20 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 05 October 2010 - 04:07 AM

Since the issue is resolved, this topic is now closed.

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

The fixes and advice in this thread are for this machine only.
Do not apply the instructions from this thread to your own machine.
Please start a new thread describing your issue and someone will be along to assist you.


With Regards,
Gringo

