catchme rootkit/stealth malware win xp


This topic is locked
76 replies to this topic

#1 mbaker

Posted 30 September 2012 - 05:30 PM

Hello
I'm running Windows XP sp3.
This morning, my computer had trouble. It booted but was unresponsive. I'm now running in "safe mode with networking". Because of that, my screen resolution is set very low, and so I cannot see the bottom portion of some windows. The bottom of GMER window is not viewable, so I was not able to save the GMER log.

GMER detected a problem. I have typed in the log information below:
Type: Code
Name: \??\C:\DOCUME~1\sjh\LOCALS~1\Temp\catchme.sys
Value: plofCallDriver

It looks like my computer is infected as shown:
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer

I have reviewed the guidelines shown on bleeping computer for what to do before submitting a help request.

My bleeping computer preferences are set to send me immediate notifications so I will be able to respond quickly.

Thanks for any help offered.


#2 dev00790

Posted 30 September 2012 - 06:39 PM

Hi mbaker,

My forum name is Dev00790 and I'll be helping you clean up your computer.

I will reply as soon as possible (typically within 24 hours). In turn, I ask that you please respond within 72 hours. If you know you will be away longer than that, I just ask for notice ahead of time.
Please be patient while I assist you.

Some points for you to keep in mind while I am helping you to make things go easier and faster for both of us:

  • Please do NOT run, install or uninstall any programs, unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Edited by dev00790, 30 September 2012 - 06:39 PM.

Regards, dev00790

---------------------------------------

Marge: "Homer, the plant called. They said if you don't show up tomorrow don't bother showing up on Monday." Homer: "Woo-hoo! Four-day weekend!"
I do not reply to Private Messages (PMs) asking for assistance - please use the forums instead. If I have been helping you, and I have not replied to your latest post in 48 hours please send me a PM. My Blog


#3 mbaker (Topic Starter)

Posted 30 September 2012 - 06:46 PM

Dev00790:

Thank You for helping me in this matter. I will monitor my email so that I may respond quickly to your posts. It's very kind of you to assist me.

mbaker

#4 mbaker (Topic Starter)

Posted 30 September 2012 - 09:23 PM

Dev00790:
I have run DeFogger

After some tweaking since my first post, I have been able to run my Windows XP computer in normal mode instead of just in safe mode, so I can now save and post dds.txt, Attach.txt and GMER log.

I understand that I will not do any more tweaking or make any other changes without your instructions.

In this posting I have pasted the text from dds.txt, and have attached Attach.txt and the GMER log.

Also, it appears as though virus protection in my Microsoft Security Essentials install has been disabled, and it appears as though I am not able to re-enable it. The Microsoft Security Essentials window appears to have lost some menu functions as well.

Here is dds.txt
.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.7.2
Run by sjh at 15:26:30 on 2012-09-30
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1357 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: AutorunsDisabled - No File
BHO: AcroIEHelperStub - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~4\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMan] SOUNDMAN.EXE
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\sjh\startm~1\programs\startup\autoru~1\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~4\office14\ONBttnIE.dll/105
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1342252779703
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1342258909640
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{2DCED01E-44E0-4E9E-8510-582E2767D4BE} : DhcpNameServer = 75.75.76.76 75.75.75.75
Filter: AutorunsDisabled\text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\sjh\application data\mozilla\firefox\profiles\ixuulzli.default\
FF - prefs.js: browser.startup.homepage - hxxp://duckduckgo.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?q=
FF - plugin: c:\documents and settings\sjh\local settings\application data\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\progra~1\micros~4\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~4\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1165635.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1166636.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_265.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=109935
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - 20703138000000000000001617ee22e3
FF - user.js: extensions.BabylonToolbar_i.hardId - 20703138000000000000001617ee22e3
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15535
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.175:14:23
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
============= SERVICES / DRIVERS ===============
.
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2012-7-14 11264]
S0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S4 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-7-17 114144]
S4 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
.
=============== Created Last 30 ================
.
2012-09-30 18:45:04 -------- d-sha-r- C:\cmdcons
2012-09-30 18:43:13 98816 ----a-w- c:\windows\sed.exe
2012-09-30 18:43:13 518144 ----a-w- c:\windows\SWREG.exe
2012-09-30 18:43:13 256000 ----a-w- c:\windows\PEV.exe
2012-09-30 18:43:13 208896 ----a-w- c:\windows\MBR.exe
2012-09-30 18:32:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-30 18:32:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-09-30 18:00:36 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{17d94e66-5143-472a-a79e-5b8c218aa349}\offreg.dll
2012-09-30 17:38:51 6980552 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{17d94e66-5143-472a-a79e-5b8c218aa349}\mpengine.dll
2012-09-30 01:00:30 -------- d-----w- c:\program files\Media Player Classic
2012-09-29 03:19:41 -------- d-----w- c:\documents and settings\sjh\local settings\application data\MPlayer
2012-09-28 14:55:55 6980552 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-09-06 23:44:05 73696 ----a-w- c:\program files\mozilla firefox\breakpadinjector.dll
2012-09-03 15:35:34 -------- d-----w- c:\documents and settings\sjh\local settings\application data\Temp
2012-09-03 05:44:04 -------- d-----w- c:\documents and settings\sjh\local settings\application data\Sun
2012-09-03 05:32:36 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-09-01 21:08:12 -------- d-----w- c:\documents and settings\sjh\application data\Malwarebytes
.
==================== Find3M ====================
.
2012-09-03 05:42:21 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-03 05:42:21 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-03 05:32:19 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-03 05:32:19 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14:53 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14:52 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07:15 385024 ----a-w- c:\windows\system32\html.iec
2012-07-14 21:11:04 476936 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-07-06 13:58:51 78336 ----a-w- c:\windows\system32\browser.dll
2012-07-04 14:05:18 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40:15 1866112 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 15:26:41.51 ===============

#5 dev00790

Posted 01 October 2012 - 05:52 PM

Hi

While I am reviewing your logs, please do the following:

:step1:

You say that the computer gets unresponsive if trying to start in Normal mode.
- Please tell me in detail what happens when you try this?
- Do you get to the Windows splash screen - eg link without any problems?

Regards, dev00790



#6 mbaker (Topic Starter)

Posted 01 October 2012 - 07:24 PM

Quick Answer - Splash and started into Normal Mode now, after my original posting to bleeping computer in Safe Mode. Most recent start-up time was long and almost stalling, and with flickering monitors. Computer is more responsive, I'm able to launch applications in normal mode. Detailed information below.


The following all occurred before I posted on bleepingcomputer for expert assistance:

I started my computer on the morning on Sept 30 2012.

It splashed and started into Windows after about 10 minutes (normal = 1 minute), but no applications would launch although the timer cursor suggested that they were trying to launch. At that same time, I noticed that the system tray icon for Microsoft Security Essentials had become red. Further investigation showed that the Microsoft Security Essentials virus protection has been disabled, and I cannot re-enable it.

After trouble-shooting the computer all morning, I finally re-started in Safe Mode With Networking. That worked to get me some control over the system. Using an application called "autoruns", I dis-allowed many items from starting at boot up. While still in Safe Mode, I scanned with ComboFix but did not make any changes based on the results. ComboFix did report that it deleted about 5 files, I'm sorry that I don't know what they were. ComboFix reported that a rootkit/stealth malware had been detected by GMER. I didn't make any changes based on this information because I'm not qualified. I also ran MalwareBytes, which had no detections.

Still in Safe Mode, and using a utility called "RevoUninstaller", I removed VLC, UMplayer, and a recently downloaded codec package for Windows Media Player. I had been trying to watch a Netflix DVD the night before, and VLC kept crashing before the movie (The Avengers - new DRM?) would start to play. That's why I had been fooling around with alternate DVD players. I did keep Media Player Classic, but deleted some recommended add-ons for it. I know that this sounds like terribly irresponsible usage.

After posting on bleepingcomputer:

So after doing all of the above, and while still in Safe Mode, I made a posting on bleepingcomputer. One of the requested preparations on bleepingcomputer was to download and run GMER before posting. I did this but could not do it correctly because the bottom of the GMER window was off the bottom of my screen (due to coarse screen resolution in Safe Mode). So after doing everything else that I could think of, I restarted and allowed the computer to start into Normal Mode. It did start into Normal Mode although it took about 5 minutes to do so (start up usually = 1 minute), and I am now able to launch applications. I have now run Defogger, dds, and GMER as directed on bleepingcomputer.

Additional note:

I had a rootkit infection on this computer about 2 years ago, and got it cleaned up with assistance from bleepingcomputer (thanks again). About 2 months ago, I ran into start-up problems again so I went ahead and re-installed the operating system from disk (legally owned Windows XP). The re-install was troublesome and failed twice before it worked. The system didn't seem right and I wonder if elements of the previous rootkit were not deleted by the re-install, although I did the re-install with new formatting. I lack expertise in this area.

So that's where I am now:
I have not shut down the computer nor have I made any changes since the re-start into Normal Mode. Microsoft Security Essentials is still disabled and cannot be re-enabled (very suspicious to me). Other than that, I seem to have nearly complete, although slow, functionality at this time. I hesitate to shut-down and re-start for fear that the computer will not re-start in normal mode. My important data are backed-up.

I want to tell you how much I appreciate your help. I know I ought to have a second computer for times like this, and that is certainly something I will look into. Right now, I depend on this computer every day. Thank You again for helping me.

Sorry for the wall of text...

mbaker

Edited by mbaker, 01 October 2012 - 07:25 PM.


#7 dev00790

Posted 03 October 2012 - 03:50 PM

Hi

Thank you for the information.

Since you have run Combofix, do you have a file called combofix.txt in your C:\ drive?
- If yes, then please post the full contents of the file in your next reply.
- If no, then please let us know.

Regards, dev00790



#8 mbaker (Topic Starter)

Posted 03 October 2012 - 06:02 PM

Hello dev00790

Thanks for your response.
Here's the contents of the combofix.txt file:


ComboFix 12-09-30.01 - sjh 09/30/2012 22:26:05.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1497 [GMT -4:00]
Running from: c:\documents and settings\sjh\Desktop\new downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2012-09-01 to 2012-10-01 )))))))))))))))))))))))))))))))
.
.
2012-09-30 18:32 . 2012-09-30 18:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-09-30 18:32 . 2012-09-07 21:04 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-30 17:38 . 2012-08-30 08:17 6980552 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{17D94E66-5143-472A-A79E-5B8C218AA349}\mpengine.dll
2012-09-30 01:04 . 2012-09-30 01:04 -------- d-----w- c:\documents and settings\sjh\Application Data\Media Player Classic
2012-09-30 01:00 . 2012-09-30 01:02 -------- d-----w- c:\program files\Media Player Classic
2012-09-30 00:00 . 2012-09-30 00:04 -------- d-----w- c:\documents and settings\sjh\Application Data\dvdcss
2012-09-29 03:19 . 2012-09-29 03:19 -------- d-----w- c:\documents and settings\sjh\Local Settings\Application Data\MPlayer
2012-09-28 14:55 . 2012-08-30 08:17 6980552 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-09-06 23:44 . 2012-09-06 23:44 73696 ----a-w- c:\program files\Mozilla Firefox\breakpadinjector.dll
2012-09-03 15:35 . 2012-09-03 15:35 -------- d-----w- c:\documents and settings\sjh\Local Settings\Application Data\Temp
2012-09-03 05:44 . 2012-09-03 05:44 -------- d-----w- c:\documents and settings\sjh\Local Settings\Application Data\Sun
2012-09-03 05:40 . 2012-09-03 05:40 -------- d-----w- c:\program files\Common Files\Adobe
2012-09-03 05:32 . 2012-09-03 05:32 -------- d-----w- c:\program files\Common Files\Java
2012-09-03 05:32 . 2012-09-03 05:32 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-09-03 05:31 . 2012-09-03 05:31 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2012-09-01 21:08 . 2012-09-01 21:08 -------- d-----w- c:\documents and settings\sjh\Application Data\Malwarebytes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-03 05:42 . 2012-07-14 21:01 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-03 05:42 . 2012-07-14 21:01 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-03 05:32 . 2012-07-14 21:11 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-03 05:32 . 2012-07-14 21:11 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-08-28 15:14 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2006-02-28 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2012-07-14 21:11 . 2012-07-14 21:11 476936 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-07-06 13:58 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\browser.dll
2012-07-04 14:05 . 2012-07-14 06:22 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40 . 2006-02-28 12:00 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-09-06 23:44 . 2012-07-14 07:03 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]
"nwiz"="nwiz.exe" [2008-05-02 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 86016]
"SoundMan"="SOUNDMAN.EXE" [2006-08-02 577536]
.
c:\documents and settings\sjh\Start Menu\Programs\Startup\AutorunsDisabled
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [N/A]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [9/30/2012 2:32 PM 399432]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/30/2012 2:32 PM 676936]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/30/2012 2:32 PM 22856]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
S4 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [7/17/2012 8:37 PM 114144]
S4 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMPROTECTOR
*NewlyCreated* - MBAMSCHEDULER
*NewlyCreated* - MBAMSERVICE
*NewlyCreated* - WS2IFSL
*Deregistered* - uftdypoc
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-07-14 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2012-07-14 02:16]
.
2012-07-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1614895754-725345543-1004Core.job
- c:\documents and settings\sjh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-07-14 21:09]
.
2012-07-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1614895754-725345543-1004UA.job
- c:\documents and settings\sjh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-07-14 21:09]
.
2012-09-30 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 21:03]
.
2012-09-30 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 21:03]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
FF - ProfilePath - c:\documents and settings\sjh\Application Data\Mozilla\Firefox\Profiles\ixuulzli.default\
FF - prefs.js: browser.startup.homepage - hxxp://duckduckgo.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?q=
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=109935
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - 20703138000000000000001617ee22e3
FF - user.js: extensions.BabylonToolbar_i.hardId - 20703138000000000000001617ee22e3
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15535
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.175:14
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-30 22:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1352)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-09-30 22:33:54
ComboFix-quarantined-files.txt 2012-10-01 02:33
ComboFix2.txt 2012-09-30 18:51
.
Pre-Run: 40,851,992,576 bytes free
Post-Run: 40,836,820,992 bytes free
.
- - End Of File - - 7D29332111A70B65B5987F709D4A2E39
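The DDS log in post #4 and the ComboFix log above use the same line formats (BHO and Run entries, `R`/`S` service lines, `FF - user.js` preferences, `*Deregistered*` drivers, and per-file creation timestamps). The script below is an added example, not a tool from BleepingComputer, DDS, ComboFix or GMER: it pulls out of such a log the entries a helper reads first. The sample lines are constructed in the same shape as the thread's logs, and the heuristics (the "random-looking name" test and the three-files-per-minute burst threshold) are this example's own assumptions, not rules from any of those tools.

```python
"""Triage helper for DDS / ComboFix style text logs (added example).

Pulls out the entries an analyst reads first:
  * autostart/BHO entries whose backing file is gone ("No File"),
  * services whose binary could not be found (ComboFix marks these "[?]"),
  * Firefox user.js preferences written by third-party toolbars,
  * drivers listed as *Deregistered*, with a crude random-name check,
  * bursts of files created in the same minute (DDS "Created Last 30").
The heuristics and thresholds are this example's own assumptions.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: lines in the same shape as the thread's DDS/ComboFix logs.
SAMPLE_LOG = r"""
BHO: AcroIEHelperStub - No File
BHO: Java(TM) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
FF - prefs.js: browser.startup.homepage - hxxp://duckduckgo.com/
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
S4 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/30/2012 2:32 PM 22856]
*NewlyCreated* - WS2IFSL
*Deregistered* - uftdypoc
2012-09-30 18:43:13 98816 ----a-w- c:\windows\sed.exe
2012-09-30 18:43:13 518144 ----a-w- c:\windows\SWREG.exe
2012-09-30 18:43:13 256000 ----a-w- c:\windows\PEV.exe
2012-09-30 18:43:13 208896 ----a-w- c:\windows\MBR.exe
2012-09-30 18:32:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
"""

NO_FILE_RE = re.compile(r"^(?:BHO|[mu]Run(?:Once)?|IE|SSODL|Filter|DPF):.*-\s*No File$")
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);[^;]*;(.*)$")   # state;name;description;path
USERJS_RE = re.compile(r"^FF - user\.js:\s+(\S+)\s+-")
DEREG_RE = re.compile(r"^\*Deregistered\*\s+-\s+(\S+)$")
# DDS "Created Last 30": date time size-or-dashes attributes path
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2}\s+(?:\d+|-+)\s+\S+\s+(.+)$")


def looks_random(name):
    """Crude heuristic (assumption): lowercase-only alphabetic names of 7+
    characters with few vowels are worth a second look."""
    if not (name.isalpha() and name.islower() and len(name) >= 7):
        return False
    vowels = sum(ch in "aeiou" for ch in name)
    return vowels / len(name) <= 0.3


def triage(log_text):
    """Return a list of (kind, detail) findings for one log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # DDS/ComboFix pad sections with "."
            continue
        if NO_FILE_RE.match(line):
            findings.append(("orphan-entry", line))
            continue
        m = SERVICE_RE.match(line)
        if m:
            _state, name, path = m.groups()
            if path.strip().endswith("[?]"):  # binary not found on disk
                findings.append(("service-missing-file", name))
            continue
        m = USERJS_RE.match(line)
        if m and m.group(1).startswith("extensions."):
            findings.append(("third-party-pref", m.group(1)))
            continue
        m = DEREG_RE.match(line)
        if m:
            name = m.group(1)
            kind = "deregistered-driver-random-name" if looks_random(name) else "deregistered-driver"
            findings.append((kind, name))
    return findings


def summarize(findings):
    """Count findings by kind."""
    return dict(Counter(kind for kind, _ in findings))


def creation_bursts(log_text, min_files=3):
    """Group DDS creation entries by minute and return the minutes with at
    least min_files new paths. A tool install and a dropper both produce
    such bursts, so a burst is a lead to look at, not a verdict."""
    by_minute = defaultdict(list)
    for raw in log_text.splitlines():
        m = CREATED_RE.match(raw.strip())
        if m:
            by_minute[m.group(1)].append(m.group(2))
    return {minute: paths for minute, paths in by_minute.items() if len(paths) >= min_files}


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:32} {detail}")
    for minute, paths in creation_bursts(SAMPLE_LOG).items():
        print(f"burst at {minute}: {len(paths)} paths")
```

Run it on a pasted log to get a short worklist instead of reading every line; the burst report pairs each minute with its paths so the reader can tell a known tool install from something unexpected.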

#9 dev00790

Posted 05 October 2012 - 03:58 PM

Hi

That Combofix log is clean.

However there are some things that need to be addressed.
Please do the following next:

:step1:

Use the Windows Error Checking utility (Check Disk), with the options to fix file system errors and scan the disk surface for errors, attempt recovery of data and repair the disk:

  • Click the Start button
  • Click My Computer.
  • Right-click on the drive that you wish to check > Properties > Tools tab
  • In the "Error checking" section, click on Check now.
  • Place a checkmark in both boxes > Start.
  • If the disk you have chosen is the Windows system disk:
    • A message will notify you that a restart is necessary and ask "Do you want to check for hard disk errors the next time you start your computer?".
    • Click Schedule disk check > OK and close all windows.
    • Re-start the computer. The disk will be checked when the system boots.
    • This will take some time to run and at times may appear stalled but just let it run.
    • When the disk check is complete, the system will re-start automatically and load Windows.

A log of the disk check is recorded only if the scheduled re-start is used, and only for drives on the same HDD as the Operating System.
To open the log:

  • Click the Start button
  • Click Run.
  • Type "eventvwr" without the quotes and press the <ENTER> key.
  • The Event Viewer window will open.
  • In the left pane, expand "Event Viewer (local)" then click on Application.
  • In the right pane, at the top, click on the column heading Source to sort the list alphabetically.
  • Look in the Source column for "Winlogon", with an entry corresponding to the date and time of the disk check.
  • Click on that Winlogon entry to select it.
  • In the box below "Description", copy all of the contents.
  • Paste the contents into your next reply.


:step2:

How is the computer running now?

Regards, dev00790

---------------------------------------

Marge: "Homer, the plant called. They said if you don't show up tomorrow don't bother showing up on Monday." Homer: "Woo-hoo! Four-day weekend!"I do not reply to Private Messages (PMs) asking for assistance - please use the forums instead. If I have been helping you, and I have not replied to your latest post in 48 hours please send me a PM. My Blog


#10 mbaker

mbaker
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  • Local time:02:30 PM

Posted 05 October 2012 - 09:48 PM

dev00790:

Thanks for your response.

Below is pasted the contents of tonight's Winlogon information log file after running the Windows Error Checking utility.

How is my computer running now?

After running the Windows Error Checking Utility, I turned my computer off for 5 minutes.
- When re-started, boot time seems normal; splash screen irregularities and extended boot time seem to be fixed.
- After re-start, I was able to turn on real-time protection in Microsoft Security Essentials (not able to do so since last weekend when trouble started). It was off (system tray icon = red) upon system re-start, but I was able to manually start it.
- I uninstalled Malwarebytes thinking that it may be interfering with Microsoft Security Essentials. The Malwarebytes version that I was running was a new trial version that included real-time protection.
- After un-installing Malwarebytes, I restarted my computer and found that Microsoft Security Essentials was off again (red), then came on by itself after 30 seconds. This behavior is a change compared to before my troubles started last weekend, but it's working.

Application launch seems very sluggish. I don't know what to think of this.

Again, thanks for helping me out. I hope that I'm not wasting your time with false concerns on my part. I don't know what happened to my system, but something happened.

mbaker


Event Type: Information
Event Source: Winlogon
Event Category: None
Event ID: 1001
Date: 10/5/2012
Time: 8:31:55 PM
User: N/A
Computer: MBAKER
Description:
Checking file system on C:
The type of the file system is NTFS.

A disk check has been scheduled.
Windows will now check the disk.
Cleaning up minor inconsistencies on the drive.
Cleaning up 91 unused index entries from index $SII of file 0x9.
Cleaning up 91 unused index entries from index $SDH of file 0x9.
Cleaning up 91 unused security descriptors.
CHKDSK is verifying file data (stage 4 of 5)...
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
Free space verification is complete.

78140128 KB total disk space.
38272296 KB in 54232 files.
16640 KB in 5737 indexes.
0 KB in bad sectors.
133364 KB in use by the system.
65536 KB occupied by the log file.
39717828 KB available on disk.

4096 bytes in each allocation unit.
19535032 total allocation units on disk.
9929457 allocation units available on disk.

Internal Info:
70 f9 00 00 4c ea 00 00 b4 32 01 00 00 00 00 00 p...L....2......
f4 00 00 00 02 00 00 00 d3 05 00 00 00 00 00 00 ................
7a b3 7b 0b 00 00 00 00 a6 b3 d3 36 00 00 00 00 z.{........6....
58 55 1f 15 00 00 00 00 ce e9 92 0f 19 00 00 00 XU..............
12 14 f6 36 02 00 00 00 f6 4b a7 af 1b 00 00 00 ...6.....K......
99 9e 36 00 00 00 00 00 10 3d 07 00 d8 d3 00 00 ..6......=......
00 00 00 00 00 a0 f4 1f 09 00 00 00 69 16 00 00 ............i...

Windows has finished checking your disk.
Please wait while your computer restarts.


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
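The Winlogon 1001 description above is the only record of the scheduled disk check, and the numbers in it can be cross-checked rather than just eyeballed. The script below is an added example, not something posted in this thread or part of any tool mentioned in it: it parses the space summary and "Cleaning up" lines out of the event text, verifies that the per-category figures add up to the total (on this report the arithmetic only balances when the log file is treated as part of "in use by the system"), checks the allocation-unit arithmetic, and flags bad sectors and repairs. The sample input is the event description copied from the post above, minus the Internal Info hex dump, which the parser ignores.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Winlogon event 1001 description as posted above, embedded here as sample input so
# the script runs offline (the "Internal Info" hex dump is omitted; it is not parsed).
SAMPLE_EVENT = """Checking file system on C:
The type of the file system is NTFS.

A disk check has been scheduled.
Windows will now check the disk.
Cleaning up minor inconsistencies on the drive.
Cleaning up 91 unused index entries from index $SII of file 0x9.
Cleaning up 91 unused index entries from index $SDH of file 0x9.
Cleaning up 91 unused security descriptors.
CHKDSK is verifying file data (stage 4 of 5)...
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
Free space verification is complete.

78140128 KB total disk space.
38272296 KB in 54232 files.
16640 KB in 5737 indexes.
0 KB in bad sectors.
133364 KB in use by the system.
65536 KB occupied by the log file.
39717828 KB available on disk.

4096 bytes in each allocation unit.
19535032 total allocation units on disk.
9929457 allocation units available on disk.

Windows has finished checking your disk.
"""


@dataclass
class ChkdskSummary:
    total_kb: int
    files_kb: int
    file_count: int
    indexes_kb: int
    index_count: int
    bad_kb: int
    system_kb: int
    log_kb: int
    available_kb: int
    cluster_bytes: int
    clusters_total: int
    clusters_available: int
    repairs: List[str] = field(default_factory=list)  # "Cleaning up ..." lines


def _ints(pattern: str, text: str) -> List[int]:
    """Return the integer capture groups of the first match, or raise if the field is absent."""
    m = re.search(pattern, text)
    if m is None:
        raise ValueError(f"chkdsk field not found: {pattern}")
    return [int(g) for g in m.groups()]


def parse_chkdsk(text: str) -> ChkdskSummary:
    """Pull the space summary and repair lines out of a chkdsk / Winlogon 1001 description."""
    (total_kb,) = _ints(r"(\d+) KB total disk space", text)
    files_kb, file_count = _ints(r"(\d+) KB in (\d+) files", text)
    indexes_kb, index_count = _ints(r"(\d+) KB in (\d+) indexes", text)
    (bad_kb,) = _ints(r"(\d+) KB in bad sectors", text)
    (system_kb,) = _ints(r"(\d+) KB in use by the system", text)
    (log_kb,) = _ints(r"(\d+) KB occupied by the log file", text)
    (available_kb,) = _ints(r"(\d+) KB available on disk", text)
    (cluster_bytes,) = _ints(r"(\d+) bytes in each allocation unit", text)
    (clusters_total,) = _ints(r"(\d+) total allocation units on disk", text)
    (clusters_available,) = _ints(r"(\d+) allocation units available on disk", text)
    repairs = [ln.strip() for ln in text.splitlines() if ln.startswith("Cleaning up")]
    return ChkdskSummary(total_kb, files_kb, file_count, indexes_kb, index_count,
                         bad_kb, system_kb, log_kb, available_kb,
                         cluster_bytes, clusters_total, clusters_available, repairs)


def audit(s: ChkdskSummary) -> dict:
    """Cross-check the figures and flag what a reviewer of the log cares about."""
    # The log-file figure is part of "in use by the system", so it is not added again:
    # files + indexes + bad + system + available must equal the total.
    accounted = s.files_kb + s.indexes_kb + s.bad_kb + s.system_kb + s.available_kb
    return {
        "space_accounting_ok": accounted == s.total_kb,
        "cluster_math_ok": (s.clusters_total * s.cluster_bytes // 1024 == s.total_kb
                            and s.clusters_available * s.cluster_bytes // 1024 == s.available_kb),
        "bad_sectors": s.bad_kb > 0,   # any non-zero value means the disk surface is failing
        "repairs": len(s.repairs),     # metadata inconsistencies chkdsk had to fix
    }


if __name__ == "__main__":
    summary = parse_chkdsk(SAMPLE_EVENT)
    for key, value in audit(summary).items():
        print(f"{key}: {value}")
```

For the log above this reports zero bad sectors and four repair lines, which matches dev00790's reading that the disk itself is healthy. A non-zero bad-sector figure, or a summary whose categories no longer add up, is the case where the hardware rather than malware becomes the prime suspect.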

#11 dev00790

dev00790

    Bleeping Chocoholic


  • Members
  • 5,037 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:07:30 PM

Posted 07 October 2012 - 05:54 AM

Hi

I think a defrag and removing temporary files, for example, would help the performance of the computer.
However, firstly I would like you to do the following:

:step1:
Going over your logs I noticed that you have utorrent installed.
  • Avoid peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • P2P programs share a directory or set of directories on your computer with the world. Anyone can type in a search, and potentially download something from your computer. This makes the machine an open web server -- massively increasing the attack surface of the machine.
  • To reduce the risk of infection avoid using any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall utorrent, however that choice is up to you.

If you choose to remove these programs, you can do so via:

  • Click the Start button.
  • Click Control Panel then Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

:step2:

I see you have babylon toolbar installed.

Categories:

adware

Description:

Babylon Toolbar is a useless toolbar that gets installed by other software, for instance FoxTab Videoconverter. The legal age for installation is 18, while this fact is only mentioned in the terms.
Babylon Toolbar installs itself into the system, Internet Explorer, Firefox and Google Chrome. The Babylon.Toolbar is almost identical to Toolbar.Facemood.

link
We advise that this be removed. If you want to do this, then please do so via: start > control panel > add/remove programs > then remove any program that contains babylon toolbar.

:step3:

Please rerun DDS, and post the full contents of DDS.txt, and attach.txt (minimised) in your next reply.

Regards, dev00790



#12 mbaker

mbaker
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  • Local time:02:30 PM

Posted 07 October 2012 - 07:51 PM

Hello Dev00790
Thanks for responding.

Thanks for warning me about utorrent. I have only ever used it once, and that was to download a live disc image of Linux Mint that I wanted for an emergency bootable operating system. I'll take your advice and get rid of it.

As for Babylon Toolbar, I'm quite distressed to find that still on my system. I have uninstalled it, but it still shows up in Firefox about:config. If I modify or reset the about:config babylon entries in Firefox, they are re-generated next time Firefox is restarted. I cannot find a way to get rid of these babylon remnants. Do you know how I can get rid of them?

(see attached screen cap = babylon about config screen cap.png)
(see attached file = attach 2.txt)
dds.txt copy/pasted below:

Thanks again for your help, I wouldn't know what else to do.

mbaker

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.7.2
Run by sjh at 20:00:20 on 2012-10-07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1278 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: AutorunsDisabled - No File
BHO: AcroIEHelperStub - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~4\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\docume~1\sjh\startm~1\programs\startup\autoru~1\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~4\office14\ONBttnIE.dll/105
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1342252779703
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1342258909640
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{2DCED01E-44E0-4E9E-8510-582E2767D4BE} : DhcpNameServer = 75.75.76.76 75.75.75.75
Filter: AutorunsDisabled\text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\sjh\application data\mozilla\firefox\profiles\ixuulzli.default\
FF - prefs.js: browser.startup.homepage - hxxp://duckduckgo.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?q=
FF - plugin: c:\documents and settings\sjh\local settings\application data\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\progra~1\micros~4\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~4\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1165635.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1166636.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_265.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=109935
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - 20703138000000000000001617ee22e3
FF - user.js: extensions.BabylonToolbar_i.hardId - 20703138000000000000001617ee22e3
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15535
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.175:14:23
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 193552]
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2012-7-14 11264]
R1 MpKslee2c7a87;MpKslee2c7a87;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{295e35cb-da35-4994-92e7-683b50ef6905}\MpKslee2c7a87.sys [2012-10-7 29904]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S4 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-7-17 114144]
S4 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
.
=============== Created Last 30 ================
.
2012-10-07 23:24:28 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{295e35cb-da35-4994-92e7-683b50ef6905}\MpKslee2c7a87.sys
2012-10-07 23:06:24 6980552 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{295e35cb-da35-4994-92e7-683b50ef6905}\mpengine.dll
2012-10-06 01:29:37 6980552 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-09-30 18:45:04 -------- d-sha-r- C:\cmdcons
2012-09-30 18:43:13 98816 ----a-w- c:\windows\sed.exe
2012-09-30 18:43:13 518144 ----a-w- c:\windows\SWREG.exe
2012-09-30 18:43:13 256000 ----a-w- c:\windows\PEV.exe
2012-09-30 18:43:13 208896 ----a-w- c:\windows\MBR.exe
2012-09-30 01:00:30 -------- d-----w- c:\program files\Media Player Classic
2012-09-29 03:19:41 -------- d-----w- c:\documents and settings\sjh\local settings\application data\MPlayer
.
==================== Find3M ====================
.
2012-09-03 05:42:21 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-03 05:42:21 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-03 05:32:23 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-09-03 05:32:19 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-03 05:32:19 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-08-31 02:03:50 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14:53 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14:52 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07:15 385024 ----a-w- c:\windows\system32\html.iec
2012-07-14 21:11:04 476936 ----a-w- c:\windows\system32\npdeployJava1.dll
.
============= FINISH: 20:00:33.95 ===============

#13 mbaker

mbaker
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  • Local time:02:30 PM

Posted 07 October 2012 - 09:01 PM

Hi dev00790

This is in addition to my reply above. This post is about my search for how to get rid of the babylon entries in Firefox about:config, even though I have uninstalled babylon toolbar. I found a possible solution but have not made any changes. Please see below:

On this site: http://forums.mozillazine.org/viewtopic.php?t=2405087&f=38
I found these instructions for getting rid of the babylon entries in Firefox about:config

===================================================================================

> Menu > Help > Troubleshooting Info > click Open Containing Folder.
- Close Firefox.
- Open the pref.js file using a text editor and get rid of those entries.
- Also make sure you don't have a user.js file; if you do, open that up and look for those entries.

===================================================================================

I looked in those files (pref.js and user.js) and found the babylon files shown in Firefox about:config when searching "babylon".

I didn't make any changes though. Do you think I ought to?


Thanks again

mbaker
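The reason the entries kept coming back is visible in the DDS log: they live in user.js, which Firefox reads at every start and writes into prefs.js, so a change made in about:config (which edits prefs.js) is overwritten on the next launch. The script below is an added example, not code from this thread, from Mozilla or from any of the tools used here: it parses `user_pref(...)` lines, lists the prefs whose names start with a configurable unwanted prefix, and rewrites user.js and prefs.js with those lines removed, keeping a `.bak` copy of each file it touches. The sample user.js is constructed; the Babylon pref names in it are taken from the DDS output posted above, and the prefix tuple, file names and helper names are this example's own choices.

```python
import re
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed sample user.js: the Babylon pref names come from the DDS log posted
# above; the homepage line is a normal pref that must survive the cleanup.
SAMPLE_USER_JS = """// Mozilla User Preferences
user_pref("extensions.BabylonToolbar_i.babTrack", "affID=109935");
user_pref("extensions.BabylonToolbar_i.prtnrId", "babylon");
user_pref("extensions.BabylonToolbar_i.vrsn", "1.5.3.17");
user_pref("browser.startup.homepage", "http://duckduckgo.com/");
"""

# Pref-name prefixes treated as unwanted (example's own choice; extend for other leftovers).
UNWANTED_PREFIXES = ("extensions.BabylonToolbar",)

# One user_pref("name", value); line. The value text is kept verbatim (string, number or bool).
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*)\);\s*$')


def parse_prefs(text: str) -> Dict[str, str]:
    """Map pref name -> raw value text for every user_pref line; comments and blanks are skipped."""
    prefs: Dict[str, str] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


def find_unwanted(prefs: Dict[str, str], prefixes=UNWANTED_PREFIXES) -> List[str]:
    """Sorted names of prefs whose name starts with one of the unwanted prefixes."""
    return sorted(name for name in prefs if name.startswith(prefixes))


def strip_unwanted(text: str, prefixes=UNWANTED_PREFIXES) -> Tuple[str, List[str]]:
    """Return (cleaned file text, removed pref names); every other line passes through unchanged."""
    kept, removed = [], []
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1).startswith(prefixes):
            removed.append(m.group(1))
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed


def clean_profile(profile_dir: Path, prefixes=UNWANTED_PREFIXES) -> Dict[str, List[str]]:
    """Clean user.js first (it is re-applied at every start) and then prefs.js.

    Each rewritten file is backed up to <name>.bak first. Run this with Firefox closed;
    otherwise Firefox writes prefs.js back on exit and undoes the change.
    """
    report: Dict[str, List[str]] = {}
    for name in ("user.js", "prefs.js"):
        path = profile_dir / name
        if not path.is_file():
            continue
        original = path.read_text(encoding="utf-8")
        cleaned, removed = strip_unwanted(original, prefixes)
        if removed:
            shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))
            path.write_text(cleaned, encoding="utf-8")
        report[name] = removed
    return report


def demo() -> Dict[str, List[str]]:
    """Build a throwaway profile directory from the sample and clean it; returns the report."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp)
        (profile / "user.js").write_text(SAMPLE_USER_JS, encoding="utf-8")
        (profile / "prefs.js").write_text(
            'user_pref("browser.startup.homepage", "http://duckduckgo.com/");\n', encoding="utf-8")
        return clean_profile(profile)


if __name__ == "__main__":
    print(demo())
```

On a real machine the profile directory is the `FF - ProfilePath` shown in the DDS log; point `clean_profile` at it with Firefox closed. Removing the lines from user.js alone is what stops them regenerating, because an entry that only remains in prefs.js can then be reset from about:config and stays reset.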

#14 dev00790

dev00790

    Bleeping Chocoholic


  • Members
  • 5,037 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:07:30 PM

Posted 10 October 2012 - 01:30 PM

Hi,

Please do the following next:

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    Firefox::
    FF - ProfilePath - c:\documents and settings\sjh\application data\mozilla\firefox\profiles\ixuulzli.default\
    FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=109935
    FF - user.js: extensions.BabylonToolbar_i.babExt -
    FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
    FF - user.js: extensions.BabylonToolbar_i.id - 20703138000000000000001617ee22e3
    FF - user.js: extensions.BabylonToolbar_i.hardId - 20703138000000000000001617ee22e3
    FF - user.js: extensions.BabylonToolbar_i.instlDay - 15535
    FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
    FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
    FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.175:14:23
    FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
    FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
    FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
    FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
    FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
    FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
    
    
  • Save this as CFScript.txt, in the same location as ComboFix.exe


    [Image: CFScript.txt being dragged onto ComboFix.exe]

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Regards, dev00790



#15 mbaker

mbaker
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  • Local time:02:30 PM

Posted 10 October 2012 - 06:53 PM

Hello dev00790

Thanks again for helping me with this.

After running that script in ComboFix, there are no more babylon entries in Firefox > about:config
Thanks so much...

mbaker


Here's the contents of ComboFix.txt:


ComboFix 12-09-30.01 - sjh 10/10/2012 19:25:36.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1532 [GMT -4:00]
Running from: c:\documents and settings\sjh\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\sjh\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2012-09-10 to 2012-10-10 )))))))))))))))))))))))))))))))
.
.
2012-10-10 13:02 . 2012-08-30 08:17 6980552 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BB6ADCAC-ADC0-45D5-A796-82F13E31B38E}\mpengine.dll
2012-10-10 12:54 . 2012-10-10 12:54 -------- d-----w- c:\windows\LastGood
2012-10-09 12:47 . 2012-08-30 08:17 6980552 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-09-30 01:04 . 2012-09-30 01:04 -------- d-----w- c:\documents and settings\sjh\Application Data\Media Player Classic
2012-09-30 01:00 . 2012-09-30 01:02 -------- d-----w- c:\program files\Media Player Classic
2012-09-30 00:00 . 2012-10-07 23:33 -------- d-----w- c:\documents and settings\sjh\Application Data\dvdcss
2012-09-29 03:19 . 2012-09-29 03:19 -------- d-----w- c:\documents and settings\sjh\Local Settings\Application Data\MPlayer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-03 05:42 . 2012-07-14 21:01 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-03 05:42 . 2012-07-14 21:01 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-03 05:32 . 2012-09-03 05:32 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-09-03 05:32 . 2012-07-14 21:11 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-03 05:32 . 2012-07-14 21:11 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-08-31 02:03 . 2012-03-21 00:44 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-28 15:14 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2006-02-28 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2012-07-14 21:11 . 2012-07-14 21:11 476936 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-09-06 23:44 . 2012-07-14 07:03 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]
"nwiz"="nwiz.exe" [2008-05-02 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 86016]
"SoundMan"="SOUNDMAN.EXE" [2006-08-02 577536]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
.
c:\documents and settings\sjh\Start Menu\Programs\Startup\AutorunsDisabled
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [N/A]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
S4 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [7/17/2012 8:37 PM 114144]
S4 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-07-14 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2012-07-14 02:16]
.
2012-07-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1614895754-725345543-1004Core.job
- c:\documents and settings\sjh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-07-14 21:09]
.
2012-07-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1614895754-725345543-1004UA.job
- c:\documents and settings\sjh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-07-14 21:09]
.
2012-10-10 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-12 21:25]
.
2012-10-10 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-12 21:25]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
FF - ProfilePath - c:\documents and settings\sjh\Application Data\Mozilla\Firefox\Profiles\ixuulzli.default\
FF - prefs.js: browser.startup.homepage - hxxp://duckduckgo.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-10 19:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2668)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-10-10 19:33:43
ComboFix-quarantined-files.txt 2012-10-10 23:33
ComboFix2.txt 2012-10-01 02:33
ComboFix3.txt 2012-09-30 18:51
.
Pre-Run: 40,237,072,384 bytes free
Post-Run: 40,224,243,712 bytes free
.
- - End Of File - - 7BCE1A4970C5F17C6CE24CCC50334139



