Trojan Horse Patched c.JED

5 replies to this topic

#1 lbowman

  • Members
  • 6 posts

Posted 01 November 2010 - 03:29 PM

AVG Resident Shield kept popping up saying my explorer.exe was infected with the Trojan Horse Patched c.JED. I had been following a thread that told me how to reinstall explorer.exe and that worked. Then I tried Kaspersky Virus Removal Tool. That found some malware and removed it. Things seemed to be OK. Now, everything seems to have slowed down again. Sometimes I'm able to use my browser fine, and then it slows way down. I've tried all of the computer fine-tuning type tips. Please help. Here are the logs you requested, but I wasn't able to save the file from the GMER program. I could run the program, then every time I tried to save it, the computer would freeze. I restarted and tried 3 times.


DDS (Ver_10-10-31.01) - NTFSx86
Run by User at 14:28:54.32 on Mon 11/01/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1246.357 [GMT -4:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
C:\Program Files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Sprint\Sprint SmartView\RDVCHG.exe
C:\Program Files\Sprint\Sprint SmartView\SprintSV.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sprint\Sprint SmartView\RcAppSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.8.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.8.0.5\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.8.0.5\coIEPlg.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [\\Desktop\EPSON Stylus CX7400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticda.exe /fu "c:\docume~1\user\locals~1\temp\E_S5.tmp" /EF "HKCU"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
mRun: [RDVCHG] "c:\program files\sprint\sprint smartview\RDVCHG.exe"
mRun: [Sprint SmartView] "c:\program files\sprint\sprint smartview\SprintSV.exe" -a
StartupFolder: c:\docume~1\user\startm~1\programs\startup\setup_~1.lnk - c:\documents and settings\user\desktop\virus removal tool1\setup_9.0.0.722_30.10.2010_22-08\startup.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 35384502;35384502 Boot Guard Driver;c:\windows\system32\drivers\35384502.sys [2010-10-11 37392]
R0 38165222;38165222 Boot Guard Driver;c:\windows\system32\drivers\38165222.sys [2010-10-30 37392]
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-12 64288]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1108000.005\symds.sys [2010-10-17 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1108000.005\symefa.sys [2010-10-17 173104]
R1 35384501;35384501;c:\windows\system32\drivers\35384501.sys [2010-10-11 128016]
R1 38165221;38165221;c:\windows\system32\drivers\38165221.sys [2010-10-30 128016]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\bashdefs\20101001.001\BHDrvx86.sys [2010-10-2 692272]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1108000.005\cchpx86.sys [2010-10-17 501888]
R1 setup_9.0.0.722_30.10.2010_22-08drv;setup_9.0.0.722_30.10.2010_22-08drv;c:\windows\system32\drivers\3816522.sys [2010-10-30 315408]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1108000.005\ironx86.sys [2010-10-17 116784]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2010-10-24 724152]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2010-10-24 724152]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-6 1357464]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.8.0.5\ccsvchst.exe [2010-10-17 126392]
R2 NvtlService;NovaCore SDK Service;c:\program files\novatel wireless\novacore\server\NvtlSrvr.exe [2010-1-11 82944]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-10-28 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\ipsdefs\20101028.001\IDSXpx86.sys [2010-10-19 341880]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-9-4 15008]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20101030.003\NAVENG.SYS [2010-10-30 86064]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20101030.003\NAVEX15.SYS [2010-10-30 1371184]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-14 297752]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-31 133104]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [2009-9-4 25728]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3f.tmp --> c:\windows\system32\3F.tmp [?]
S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [2006-1-29 91841]
S3 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-8-24 92008]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys --> c:\windows\system32\drivers\wdcsam.sys [?]
S4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-1-22 358736]

=============== Created Last 30 ================

2010-10-30 19:27:31 37392 ----a-w- c:\windows\system32\drivers\38165222.sys
2010-10-30 19:27:31 315408 ----a-w- c:\windows\system32\drivers\3816522.sys
2010-10-30 19:27:31 128016 ----a-w- c:\windows\system32\drivers\38165221.sys
2010-10-24 21:52:12 511328 ----a-w- c:\program files\common files\microsoft shared\capicom\CAPICOM.DLL
2010-10-24 21:52:10 87688 ----a-w- c:\windows\system32\IncContxMenu.dll
2010-10-24 21:52:10 2233016 ----a-w- c:\windows\system32\Incinerator.dll
2010-10-24 21:51:59 29696 ----a-w- c:\windows\system32\iolobtdfg.exe
2010-10-24 21:51:59 11776 ----a-w- c:\windows\system32\smrgdf.exe
2010-10-24 21:51:53 -------- d-----w- c:\program files\iolo
2010-10-24 21:46:48 74703 ----a-w- c:\windows\system32\mfc45.dll
2010-10-24 21:41:37 -------- d-----w- c:\docume~1\user\applic~1\iolo
2010-10-24 21:41:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\iolo
2010-10-24 02:48:03 553696 ----a-w- c:\program files\mozilla firefox\uninstall\helper.exe
2010-10-23 23:03:33 -------- d-----w- c:\program files\iPod
2010-10-23 23:02:48 -------- d-----w- c:\program files\iTunes
2010-10-23 23:02:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-10-23 23:00:38 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin7.dll
2010-10-23 23:00:38 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin6.dll
2010-10-23 23:00:38 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin5.dll
2010-10-23 23:00:38 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin4.dll
2010-10-23 23:00:38 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin3.dll
2010-10-23 23:00:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2010-10-23 23:00:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2010-10-23 23:00:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2010-10-23 23:00:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2010-10-23 23:00:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2010-10-23 23:00:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2010-10-23 23:00:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2010-10-18 00:36:17 339504 ----a-w- c:\windows\system32\drivers\nis\1108000.005\symtdiv.sys
2010-10-18 00:36:16 361904 ----a-w- c:\windows\system32\drivers\nis\1108000.005\symtdi.sys
2010-10-18 00:36:16 173104 ----a-w- c:\windows\system32\drivers\nis\1108000.005\symefa.sys
2010-10-18 00:36:15 43696 ----a-w- c:\windows\system32\drivers\nis\1108000.005\srtspx.sys
2010-10-18 00:36:15 328752 ----a-r- c:\windows\system32\drivers\nis\1108000.005\symds.sys
2010-10-18 00:36:14 325680 ----a-w- c:\windows\system32\drivers\nis\1108000.005\srtsp.sys
2010-10-18 00:36:14 116784 ----a-w- c:\windows\system32\drivers\nis\1108000.005\ironx86.sys
2010-10-18 00:36:13 501888 ----a-w- c:\windows\system32\drivers\nis\1108000.005\cchpx86.sys
2010-10-18 00:34:16 -------- d-----w- c:\windows\system32\drivers\nis\1108000.005
2010-10-16 01:18:30 -------- d-----w- c:\docume~1\user\applic~1\Mobile Atlas Creator
2010-10-16 01:13:30 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-16 01:13:30 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-10-13 00:06:06 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 00:05:11 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-10-12 23:48:31 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-10-12 23:48:31 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-10-12 23:48:30 -------- d-----w- c:\program files\Symantec
2010-10-12 23:48:30 -------- d-----w- c:\program files\common files\Symantec Shared
2010-10-12 23:46:12 -------- d-----w- c:\windows\system32\drivers\NIS
2010-10-12 23:45:47 -------- d-----w- c:\program files\Norton Internet Security
2010-10-12 23:45:14 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-10-12 23:35:36 -------- d-----w- c:\windows\Internet Logs
2010-10-12 23:20:05 -------- d-----w- c:\program files\NortonInstaller
2010-10-12 12:16:40 -------- d--h--w- c:\windows\PIF
2010-10-12 00:23:51 37392 ----a-w- c:\windows\system32\drivers\35384502.sys
2010-10-12 00:23:51 128016 ----a-w- c:\windows\system32\drivers\35384501.sys
2010-10-12 00:23:50 315408 ----a-w- c:\windows\system32\drivers\3538450.sys
2010-10-11 01:58:12 -------- d-----w- c:\docume~1\user\locals~1\applic~1\AVG Security Toolbar
2010-10-11 01:43:16 -------- d-----w- c:\docume~1\user\applic~1\AVG10
2010-10-11 01:38:39 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2010-10-11 01:32:29 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-10-11 00:38:05 -------- d--h--w- C:\$AVG
2010-10-11 00:00:50 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-10-09 01:23:07 -------- d-----w- c:\docume~1\user\applic~1\MahJong Suite
2010-10-09 01:23:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\TreeCardGames
2010-10-09 01:22:47 -------- d-----w- c:\program files\MahJong Suite
2010-10-06 10:59:04 1032192 ----a-w- c:\windows\system32\dllcache\explorer.exe
2010-10-06 10:59:04 1032192 ----a-w- c:\windows\explorer.exe

==================== Find3M ====================

2010-10-16 01:12:17 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-02 01:19:49 389120 ----a-w- c:\windows\system32\cmd.execf
2010-10-02 01:19:49 389120 ----a-w- c:\windows\system32\CF28932.exe
2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 15:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2005-07-17 06:54:01 774144 -c--a-w- c:\program files\RngInterstitial.dll

============= FINISH: 14:32:06.59 ===============

Edited by Noviciate, 01 November 2010 - 03:51 PM.
Opened DDS log

#2 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 01 November 2010 - 03:55 PM

Good evening. :)

While we try to identify the problem, will you stop AVG from taking action (if it prompts you for clearance) against either explorer.exe or winlogon.exe, as both of these files could be infected and messing with either can have serious consequences for your system.

Take a trip to this webpage for download links and instructions for running Combofix by sUBs.*
  • Please be aware that this tool may require the PC to be rebooted, so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.

* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console, so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.

So long, and thanks for all the fish.

#3 lbowman

  • Topic Starter

  • Members
  • 6 posts

Posted 03 November 2010 - 09:34 AM

Ok. I'll do what you suggest but I'm not able to print the Combofix instructions right now. I'm working on this at a hospital while I'm waiting for my husband to be discharged. It may take a couple of days, but I'll be back :) Don't give up on me.
Thanks,
Laura

#4 lbowman

  • Topic Starter

  • Members
  • 6 posts

Posted 06 November 2010 - 06:30 PM

I'm back. I had already uninstalled AVG and am using Norton now, which I disabled before running Combofix. I followed all of the instructions. I never saw anything about the Recovery Console. Here is the log.

ComboFix 10-11-07.01 - User 11/06/2010 18:41:49.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1246.553 [GMT -4:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((( Files Created from 2010-10-06 to 2010-11-06 )))))))))))))))))))))))))))))))
.

2010-10-24 21:52 . 2010-10-24 21:52 -------- d-----w- c:\documents and settings\LocalService\Application Data\iolo
2010-10-24 21:52 . 2010-09-23 17:29 511328 ----a-w- c:\program files\Common Files\Microsoft Shared\CAPICOM\CAPICOM.DLL
2010-10-24 21:52 . 2010-10-12 16:55 87688 ----a-w- c:\windows\system32\IncContxMenu.dll
2010-10-24 21:52 . 2010-10-12 15:08 2233016 ----a-w- c:\windows\system32\Incinerator.dll
2010-10-24 21:51 . 2010-10-12 16:55 11776 ----a-w- c:\windows\system32\smrgdf.exe
2010-10-24 21:51 . 2010-10-12 16:55 29696 ----a-w- c:\windows\system32\iolobtdfg.exe
2010-10-24 21:51 . 2010-10-24 21:51 -------- d-----w- c:\program files\iolo
2010-10-24 21:46 . 2010-10-24 21:46 74703 ----a-w- c:\windows\system32\mfc45.dll
2010-10-24 21:41 . 2010-11-05 23:49 -------- d-----w- c:\documents and settings\User\Application Data\iolo
2010-10-24 21:41 . 2010-10-25 23:32 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
2010-10-24 02:48 . 2010-11-03 19:08 553696 ----a-w- c:\program files\Mozilla Firefox\uninstall\helper.exe
2010-10-23 23:03 . 2010-10-23 23:03 -------- d-----w- c:\program files\iPod
2010-10-23 23:02 . 2010-10-23 23:06 -------- d-----w- c:\program files\iTunes
2010-10-23 23:02 . 2010-10-23 23:06 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-10-23 22:51 . 2010-10-23 22:51 -------- d-----w- c:\program files\Apple Software Update
2010-10-16 01:18 . 2010-10-16 01:18 -------- d-----w- c:\documents and settings\User\Application Data\Mobile Atlas Creator
2010-10-16 01:13 . 2010-10-16 01:12 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-10-16 01:13 . 2010-10-16 01:12 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-13 00:06 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 00:05 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-10-12 23:48 . 2010-10-12 23:48 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-10-12 23:48 . 2010-10-12 23:48 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-10-12 23:48 . 2010-10-13 02:02 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-10-12 23:48 . 2010-10-12 23:48 -------- d-----w- c:\program files\Symantec
2010-10-12 23:46 . 2010-10-20 20:43 -------- d-----w- c:\windows\system32\drivers\NIS
2010-10-12 23:46 . 2010-10-12 23:46 -------- d-----w- c:\program files\Windows Sidebar
2010-10-12 23:45 . 2010-10-12 23:46 -------- d-----w- c:\program files\Norton Internet Security
2010-10-12 23:45 . 2010-10-12 23:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-10-12 23:35 . 2010-10-12 23:35 -------- d-----w- c:\windows\Internet Logs
2010-10-12 23:20 . 2010-10-12 23:20 -------- d-----w- c:\program files\NortonInstaller
2010-10-12 12:16 . 2010-10-12 12:16 -------- d--h--w- c:\windows\PIF
2010-10-12 00:23 . 2009-10-22 17:54 37392 ----a-w- c:\windows\system32\drivers\35384502.sys
2010-10-12 00:23 . 2009-09-25 21:59 128016 ----a-w- c:\windows\system32\drivers\35384501.sys
2010-10-12 00:23 . 2009-10-10 03:31 315408 ----a-w- c:\windows\system32\drivers\3538450.sys
2010-10-11 01:58 . 2010-10-11 01:58 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\AVG Security Toolbar
2010-10-11 01:43 . 2010-10-12 22:46 -------- d-----w- c:\documents and settings\User\Application Data\AVG10
2010-10-11 01:38 . 2010-10-11 01:38 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-10-11 01:32 . 2010-10-12 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2010-10-11 00:38 . 2010-10-11 00:38 -------- d-----w- C:\$AVG
2010-10-11 00:00 . 2010-10-11 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-10-09 01:23 . 2010-10-09 02:03 -------- d-----w- c:\documents and settings\User\Application Data\MahJong Suite
2010-10-09 01:23 . 2010-10-09 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\TreeCardGames
2010-10-09 01:22 . 2010-10-09 01:22 -------- d-----w- c:\program files\MahJong Suite

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-16 01:12 . 2008-09-13 23:01 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-02 01:19 . 2010-10-02 01:27 389120 ----a-w- c:\windows\system32\CF28932.exe
2010-10-02 01:19 . 2010-10-02 01:19 389120 ----a-w- c:\windows\system32\cmd.execf
2010-09-18 16:23 . 2004-08-04 08:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 08:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 08:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 08:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-13 20:27 . 2010-09-13 20:27 25680 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
2010-09-10 05:58 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-04 08:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-04 08:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 15:17 . 2010-09-08 15:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17 . 2010-09-08 15:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51 . 2004-08-04 08:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-04 08:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-04 08:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-08-04 08:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-08-04 08:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-05-07 19:43 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2004-08-04 08:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-20 01:42 . 2010-08-20 01:42 30288 ----a-w- c:\windows\system32\drivers\AVGIDSFilter.sys
2010-08-20 01:42 . 2010-08-20 01:42 123472 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys
2010-08-20 01:42 . 2010-08-20 01:42 26192 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2010-08-17 13:17 . 2004-08-04 08:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-08-04 08:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2005-07-17 06:54 . 2005-07-17 06:54 774144 -c--a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\Desktop\EPSON Stylus CX7400 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE" [2007-02-15 179200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 98394]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-18 290816]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-07-27 341312]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"PD0630 STISvc"="P0630Pin.dll" [2005-06-05 36864]
"RDVCHG"="c:\program files\Sprint\Sprint SmartView\RDVCHG.exe" [2010-06-08 316736]
"Sprint SmartView"="c:\program files\Sprint\Sprint SmartView\SprintSV.exe" [2010-06-08 75072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-12-10 22:59 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-24 06:10 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Sprint\\Sprint SmartView\\SwiApiMux.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 35384502;35384502 Boot Guard Driver;c:\windows\system32\drivers\35384502.sys [10/11/2010 8:23 PM 37392]
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 4:27 PM 25680]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/12/2009 9:51 PM 64288]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1108000.005\symds.sys [10/17/2010 8:36 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1108000.005\symefa.sys [10/17/2010 8:36 PM 173104]
R1 35384501;35384501;c:\windows\system32\drivers\35384501.sys [10/11/2010 8:23 PM 128016]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20101029.001\BHDrvx86.sys [11/2/2010 2:10 PM 692272]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1108000.005\cchpx86.sys [10/17/2010 8:36 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1108000.005\ironx86.sys [10/17/2010 8:36 PM 116784]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [10/24/2010 5:52 PM 724152]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [10/24/2010 5:52 PM 724152]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.8.0.5\ccsvchst.exe [10/17/2010 8:35 PM 126392]
R2 NvtlService;NovaCore SDK Service;c:\program files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe [1/11/2010 2:10 PM 82944]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/28/2010 6:55 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20101103.001\IDSXpx86.sys [10/19/2010 4:36 PM 341880]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/14/2009 8:04 PM 297752]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/31/2009 8:33 PM 133104]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [9/4/2009 5:38 PM 25728]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [8/19/2010 9:42 PM 123472]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [8/19/2010 9:42 PM 30288]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/6/2010 1:28 PM 1357464]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [9/4/2010 1:52 PM 15008]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3F.tmp --> c:\windows\system32\3F.tmp [?]
S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [1/29/2006 1:50 AM 91841]
S3 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [8/24/2010 5:38 AM 92008]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-11-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-06 17:09]

2010-11-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

2010-11-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-01 00:33]

2010-11-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-01 00:33]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\fiskmt1l.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-06 18:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.8.0.5\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\3F.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2200)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-11-06 18:59:22
ComboFix-quarantined-files.txt 2010-11-06 22:59
ComboFix2.txt 2010-11-06 22:26
ComboFix3.txt 2009-06-13 21:31

Pre-Run: 27,309,608,960 bytes free
Post-Run: 27,287,744,512 bytes free

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - F204FA9A434CA302488BE61C35B608AD

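The service entries and the firewall/Security Center registry values in the ComboFix log above are the part of such a log a responder reads first. What follows is an added example for this thread, not code from the original post, from ComboFix or from BleepingComputer: a small Python triage script that parses lines in the format ComboFix prints and flags drivers whose image is a `.tmp` file or is missing on disk (`[?]`), plus registry values that turn off the Windows Firewall or Security Center monitoring. The sample input is a handful of lines copied from the log above; the flag wording and the numeric-service-name heuristic are my own choices. A hit means "verify", not "infected": a third-party suite such as Norton legitimately sets the monitoring and firewall keys when it takes over those roles.

```python
"""Triage helper for ComboFix-style service and registry lines.

Added example for this thread; not ComboFix's own code. It only parses
text in the format ComboFix prints, so it runs offline on a saved log.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Service lines look like:
#   R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/12/2009 9:51 PM 64288]
#   S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3F.tmp --> c:\windows\system32\3F.tmp [?]
# R/S = running/stopped, digit = start type (0 boot, 1 system, 2 auto, 3 manual).
SERVICE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')


@dataclass
class ServiceEntry:
    state: str      # 'R' running, 'S' stopped
    start: int      # 0 boot, 1 system, 2 auto, 3 manual
    name: str
    image: str      # resolved image path, trailing '[date size]' / '[?]' removed
    present: bool   # False when ComboFix printed '[?]' (file not found on disk)
    flags: List[str] = field(default_factory=list)


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one service line; return None for any other line."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    present = not rest.endswith("[?]")
    # ComboFix writes 'raw --> resolved' when it had to resolve the path; keep the resolved one.
    image = rest.split(" --> ", 1)[1] if " --> " in rest else rest
    image = re.sub(r"\s*\[[^\]]*\]$", "", image).strip()
    entry = ServiceEntry(m.group("state"), int(m.group("start")), m.group("name").strip(), image, present)
    if image.lower().endswith(".tmp"):
        entry.flags.append("driver image is a .tmp file")
    if not present:
        entry.flags.append("image file missing on disk")
    if entry.start <= 1 and re.fullmatch(r"\d+", entry.name):
        # Heuristic of this example: some legitimate products do name boot drivers this way,
        # so this only says "find out which installed product owns it".
        entry.flags.append("boot/system-start driver with numeric-only name, verify owner")
    return entry


def _to_int(value: str) -> Optional[int]:
    """'dword:00000001' -> 1, '0 (0x0)' -> 0, anything else -> None."""
    value = value.strip()
    if value.lower().startswith("dword:"):
        return int(value[6:], 16)
    m = re.match(r"^(\d+)", value)
    return int(m.group(1)) if m else None


def find_policy_findings(lines: List[str]) -> List[str]:
    """Flag values that disable the Windows Firewall or Security Center monitoring.

    Both are routinely set on purpose by a third-party suite (here Norton), so each
    finding is something to confirm against the installed products, not proof of tampering.
    """
    findings, key = [], None
    for raw in lines:
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if not vm or key is None:
            continue
        name, num, lowkey = vm.group("name"), _to_int(vm.group("value")), key.lower()
        if "security center\\monitoring" in lowkey and name == "DisableMonitoring" and num == 1:
            findings.append(f"{key}: Security Center monitoring disabled")
        if "firewallpolicy\\standardprofile" in lowkey and name == "EnableFirewall" and num == 0:
            findings.append(f"{key}: Windows Firewall disabled for the standard profile")
    return findings


def triage(lines: List[str]) -> Dict[str, list]:
    services = [e for e in (parse_service_line(l) for l in lines) if e is not None]
    return {"services": services, "policies": find_policy_findings(lines)}


# Sample input: lines copied from the ComboFix log in this thread, nothing invented.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 35384502;35384502 Boot Guard Driver;c:\windows\system32\drivers\35384502.sys [10/11/2010 8:23 PM 37392]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/12/2009 9:51 PM 64288]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3F.tmp --> c:\windows\system32\3F.tmp [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]
""".strip().splitlines()

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for entry in result["services"]:
        if entry.flags:
            print(f"{entry.state}{entry.start} {entry.name}: {entry.image} -> {'; '.join(entry.flags)}")
    for finding in result["policies"]:
        print(finding)
```

To run it on a real log, replace `SAMPLE_LOG` with `open("ComboFix.txt").read().splitlines()`. On the sample it flags MEMSWEEP2 (a `.tmp` image that is also missing), WDC_SAM (missing image) and the numeric-named boot driver, and reports the two policy values; Lbd is left alone. The "missing image" hits are typical of leftovers from uninstalled tools and are a cleanup item more often than a malware indicator, which is why the script reports rather than judges.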
#5 Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 07 November 2010 - 02:57 PM

Good evening. :)

The difficulty with speed issues is that it is hard to nail down the exact cause. The following steps will serve as a spring clean for your PC. Not all of them will be of benefit to your PC as this is a general post, but the overall effect should be positive.

1) Go to Start > Control Panel > Add/Remove Programs and remove any programs that you no longer use and then reboot your PC.

2) Download TFC by OldTimer from here and save it to your Desktop.
  • You will need to close all open programs and save any work as TFC will require a reboot.
  • Double-click TFC.exe to run it. (Note: If you are using Vista, right-click the file and select Run As Administrator from the menu that appears).
  • Click the Start button to begin. Depending on how often you clean temp files, execution time could be anywhere from a few seconds to a minute or two - just sit back and enjoy the view.
  • Once it has finished it should reboot your PC all by itself. If it does not, please manually reboot.
  • Once rebooted your PC will run like a Cray supercomputer, or at least have less junk on the hard drive - OT's not a miracle worker you know!
  • Please note that this tool will empty the Recycle Bin as part of its actions. If you have anything in there that you haven't finished with, move it first.

3) Double click My Computer.
Right click the disc drive you wish to check.
Click Properties.
In the Properties dialog box, click the Tools Tab.
Under Error-checking, click the Check Now button.
In the "Check Disk Local Disk (C:)" dialog box, check both Automatically fix file system errors and Scan for and attempt recovery of bad sectors, and then click Start.

This will look for and attempt to repair any errors that your hard drive has.

4) Defragment your hard drive. A tutorial for disc defragmentation is available here.

I happen to prefer a third-party defrag tool to the one that Windows offers. You can read about it, and find a linky, here - it's free too!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download Malwarebytes' Anti-Malware from here and save it to your Desktop - unless you already have it, in which case skip to the "updating" bit below.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Ensure a checkmark is placed next to both Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware and then click Finish.
  • If an update is found, it will download and install the latest version - you'll need to clear it with your firewall.
  • Once the program has loaded, select Perform full scan and then Scan.
  • When the scan has finished, click OK and then Show Results to view the results - no surprise there!
  • If MBAM finds anything, check the box(es) and click Remove Selected.
  • Please note - Leave unchecked any boxes that have \System Volume Information\ in the filepath. These pose no immediate risk to your PC unless you use System Restore and will be dealt with later.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Let me have the MBAM log, a fresh DDS log AND a description of how your PC is behaving.

So long, and thanks for all the fish.
#6 Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 16 November 2010 - 06:44 PM

As there has been no reply for a considerable amount of time this thread is now closed.

So long, and thanks for all the fish.