Firefox Redirect virus [Solved] - Geeks to Go Forums


Firefox Redirect virus [Solved]

#1 DevineRecords

  • Group: Member
  • Posts: 14
  • Joined: 10-April 10

Posted 10 April 2010 - 01:57 PM

I have been having problems for 5 days. When I enter a direct URL the browser works fine, though when I search and then select from the list provided I get redirected to ads including search312 and search123.

I use Avast free edition, Malwarebytes, Spybot Search & Destroy and CCleaner. These have fixed a few issues such as automatically opening an ad in Explorer when I search in Firefox, though the redirect is still a problem and I am not sure if anything else I am unaware of has come with this.
Any help is greatly appreciated.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:23:53 AM, on 11/04/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
c:\wamp\bin\apache\apache2.0.63\bin\Apache.exe
C:\wamp\bin\apache\apache2.0.63\bin\Apache.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Documents and Settings\System Edit\Local Settings\Application Data\Meebo\Meebo Notifier\MeeboNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\FinePixViewerS\QuickDCF2.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\PayPal Payment Request Wizard\Outlook Wizard\OEHook.exe
C:\Program Files\ScanSoft\NaturallySpeaking8\Program\natspeak.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SQplus - {CCF078EE-B071-4C40-9E57-F7B5962E8C95} - C:\Program Files\SeoQuake\SQplus.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: SeoQuake - {9C590067-8A6A-4db6-B052-069283790B04} - C:\Program Files\SeoQuake\SeoQuake.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\ScanSoft\NaturallySpeaking8\Program\ereg.exe" -r "C:\Program Files\ScanSoft\NaturallySpeaking8\Program\ereg.ini"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Meebo Notifier] "C:\Documents and Settings\System Edit\Local Settings\Application Data\Meebo\Meebo Notifier\MeeboNotifier.exe" /startup
O4 - HKUS\S-1-5-21-2000478354-73586283-682003330-1006\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Chris')
O4 - HKUS\S-1-5-21-2000478354-73586283-682003330-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Chris')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\ScanSoft\NaturallySpeaking8\Program\natspeak.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Exif Launcher S.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Outlook Plugin.lnk = C:\Program Files\PayPal Payment Request Wizard\Outlook Wizard\OEHook.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: *.line6.net
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: QoS RSVP RSVPCOMSysApp (RSVPCOMSysApp) - Unknown owner - C:\WINDOWS\system32\advpack.dllk.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.0.63\bin\Apache.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.1.36\bin\mysqld.exe

--
End of file - 11958 bytes
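As an added example (not code from this thread or from HijackThis), the following Python pass reads log lines in the format posted above and flags the entries a helper would look at first: targets marked "(no file)" or "(file missing)", O23 services with an "Unknown owner" or a binary name that looks like a mangled system file name (advpack.dllk.exe), O15 Trusted Zone additions, and O4 autorun targets given without a full path. The sample lines are constructed from the log above, and the flagging rules are my own triage heuristics, not a verdict on any entry.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the HijackThis log posted above: a few lines
# copied from it, plus one benign service line (avast!) as a control.
SAMPLE_LOG = r"""
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: *.line6.net
O23 - Service: QoS RSVP RSVPCOMSysApp (RSVPCOMSysApp) - Unknown owner - C:\WINDOWS\system32\advpack.dllk.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# HijackThis marks targets it could not find on disk with one of these suffixes.
ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)\s*$")
# A service binary whose name embeds a second extension (advpack.dllk.exe) reads like
# a typo of a real system file; such names deserve a second look.
DOUBLE_EXT_RE = re.compile(r"\.(dll|sys|exe)[^\\\s]*\.exe", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def parse_entry(line):
    """Return (section, body) for a HijackThis entry line, or None for anything else."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return m.group("section"), m.group("body")


def triage(log_text):
    """Apply the review heuristics to each entry and return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_entry(raw)
        if not parsed:
            continue
        section, body = parsed
        line = raw.strip()
        if ORPHAN_RE.search(body):
            findings.append(Finding(section, "orphaned entry: target file no longer exists", line))
        if section == "O23" and "- Unknown owner -" in body:
            findings.append(Finding(section, "service with no vendor string", line))
        if section == "O23" and DOUBLE_EXT_RE.search(body):
            findings.append(Finding(section, "service binary name looks like a mangled system file name", line))
        if section == "O15":
            findings.append(Finding(section, "IE Trusted Zone entry widens permissions for that site", line))
        if section == "O4":
            # The autorun target follows the "[name]" label; a bare file name is
            # resolved through the PATH search, so verify which file actually runs.
            target = body.split("]", 1)[-1].strip().strip('"')
            if target and not re.match(r"^[A-Za-z]:\\", target):
                findings.append(Finding(section, "autorun target has no full path; verify which file actually runs", line))
    return findings


def flagged_sections(findings):
    """Distinct section codes that produced at least one finding, sorted."""
    return sorted({f.section for f in findings})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```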

#2 ldtate

  • Group: Expert
  • Posts: 1,874
  • Joined: 06-March 05

Posted 10 April 2010 - 02:05 PM


DO NOT use any TOOLS such as Combofix, Vundofix, or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.



Vista and Windows 7 users:
1. These tools MUST be run from the executable (.exe) every time you run them.
2. With Admin Rights (Right click, choose "Run as Administrator")


Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

XP Users

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Uncheck "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Uncheck "Hide protected operating system files."
Click Apply, and then click OK.


Vista Users

To enable the viewing of hidden and protected system files in Windows Vista please follow these steps:

Close all programs so that you are at your desktop.
Click on the Start button. This is the small round button with the Windows flag in the lower left corner.

Click on the Control Panel menu option.
When the control panel opens you can either be in Classic View or Control Panel Home view:

If you are in the Classic View do the following:
Double-click on the Folder Options icon.
Click on the View tab.


If you are in the Control Panel Home view do the following:

Click on the Appearance and Personalization link.
Click on Show Hidden Files or Folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.




Please do not delete anything unless instructed to.


We've been seeing some Java infections lately.
Go here and follow the instructions to clear your Java Cache


Next:

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

Next:


Download ComboFix from one of these locations:

Link 1
Link 2 If using this link, Right Click and select Save As.


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs


  • Double click on ComboFix.exe & follow the prompts.

    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.

    Note: If you have SP3, use the SP2 package. If Vista or Windows 7, skip the Recovery Console part.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.

#3 DevineRecords

  • Group: Member
  • Posts: 14
  • Joined: 10-April 10

Posted 10 April 2010 - 03:31 PM

Thanks, ldtate, for your quick response.

I went through all advice above.

When I ran ComboFix.exe, after the Recovery Console install was complete it crashed the PC about 2 mins into the scan. The PC restarted automatically, though Windows could not restart normally; I had to restart to the last known secure settings.

I ran ComboFix.exe again and was prompted to install the latest version, which I did.
It backed up the registry, created a system restore point and shut down the computer again about 2 mins into the scan.

This time the computer restarted Windows automatically. I ran ComboFix.exe again and it came out with the following log.





ComboFix 10-04-10.02 - System Edit 11/04/2010 6:20.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.622 [GMT 9.5:30]
Running from: c:\documents and settings\System Edit\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\system32\1144953431.dat
c:\windows\system32\spool\prtprocs\w32x86\00000a29.tmp
c:\windows\system32\spool\prtprocs\w32x86\00006a5f.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RSVPCOMSYSAPP
-------\Service_RSVPCOMSysApp


((((((((((((((((((((((((( Files Created from 2010-03-10 to 2010-04-10 )))))))))))))))))))))))))))))))
.

2010-04-10 19:53 . 2010-04-10 19:53 -------- d-----w- c:\program files\Trend Micro
2010-04-10 19:31 . 2010-04-10 19:31 -------- d-----w- c:\program files\TrendMicro
2010-04-09 22:28 . 2010-04-10 04:36 69 ----a-w- c:\documents and settings\Owner\jagex_runescape_preferences2.dat
2010-04-09 22:28 . 2010-04-09 22:28 0 ----a-w- c:\documents and settings\Owner\jagex__preferences3.dat
2010-04-09 22:26 . 2010-04-10 04:40 41 ----a-w- c:\documents and settings\Owner\jagex_runescape_preferences.dat
2010-04-09 22:26 . 2010-04-09 22:26 -------- d-----w- c:\documents and settings\Owner\.jagex_cache_32
2010-04-08 23:15 . 2010-04-09 03:46 69 ----a-w- c:\documents and settings\Chris\jagex_runescape_preferences2.dat
2010-04-08 23:15 . 2010-04-08 23:15 0 ----a-w- c:\documents and settings\Chris\jagex__preferences3.dat
2010-04-08 23:12 . 2010-04-09 03:46 41 ----a-w- c:\documents and settings\Chris\jagex_runescape_preferences.dat
2010-04-08 23:12 . 2010-04-08 23:12 -------- d-----w- c:\documents and settings\Chris\.jagex_cache_32
2010-04-08 19:07 . 2010-04-10 19:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Mozilla Firefox
2010-04-08 05:42 . 2010-04-08 05:42 -------- d-----w- c:\documents and settings\Boys\.jagex_cache_32
2010-04-08 03:31 . 2010-04-10 10:29 69 ----a-w- c:\documents and settings\Boys\jagex_runescape_preferences2.dat
2010-04-08 03:31 . 2010-04-08 03:31 0 ----a-w- c:\documents and settings\Boys\jagex__preferences3.dat
2010-04-08 03:29 . 2010-04-10 10:14 41 ----a-w- c:\documents and settings\Boys\jagex_runescape_preferences.dat
2010-04-08 03:28 . 2010-04-09 00:19 -------- d-----w- C:\.jagex_cache_32
2010-04-08 02:33 . 2010-04-08 02:33 -------- d-sh--w- c:\documents and settings\Boys\PrivacIE
2010-04-08 01:07 . 2010-04-08 02:25 -------- d-----w- c:\documents and settings\Boys\Local Settings\Application Data\WMTools Downloaded Files
2010-04-08 00:59 . 2010-04-08 00:59 89216 ----a-w- c:\documents and settings\Boys\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-08 00:52 . 2010-04-08 00:52 -------- d-----w- c:\documents and settings\Boys\Application Data\FUJIFILM
2010-04-08 00:52 . 2001-08-17 04:26 7552 -c--a-w- c:\windows\system32\dllcache\sonypvu1.sys
2010-04-08 00:52 . 2001-08-17 04:26 7552 ----a-w- c:\windows\system32\drivers\SONYPVU1.SYS
2010-04-06 04:20 . 2010-04-06 04:20 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-05 09:46 . 2010-04-05 09:46 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-05 03:01 . 2010-04-05 03:01 -------- d-----w- c:\documents and settings\Chris\Application Data\The Creative Assembly
2010-04-05 03:01 . 2010-04-05 03:01 -------- d-----w- c:\documents and settings\Chris\Application Data\InstallShield Installation Information
2010-03-20 12:05 . 2010-03-24 22:50 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\CutePDF Writer
2010-03-20 12:03 . 2010-03-20 12:03 -------- d-----w- c:\program files\GPLGS
2010-03-20 12:01 . 2009-11-04 22:09 87552 ----a-w- c:\windows\system32\cpwmon2k.dll
2010-03-20 12:01 . 2010-03-20 12:01 -------- d-----w- c:\program files\Acro Software
2010-03-15 08:27 . 2010-03-15 08:27 -------- d-----w- c:\documents and settings\Boys\Local Settings\Application Data\Mozilla
2010-03-14 06:35 . 2010-03-14 06:35 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Ahead
2010-03-13 01:24 . 2010-03-13 01:24 -------- d-----w- c:\documents and settings\Chris\Application Data\HpUpdate
2010-03-12 06:34 . 2010-04-03 07:38 -------- d-----w- c:\documents and settings\Chris\Application Data\vlc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-10 19:31 . 2010-04-10 19:31 388096 ----a-r- c:\documents and settings\System Edit\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-04-10 04:48 . 2008-10-27 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-09 03:44 . 2010-04-09 00:23 826368 ----a-w- c:\documents and settings\All Users\Application Data\Mozilla Firefox\.jagex_cache_32\runescape\sw3d.dll
2010-04-09 03:44 . 2010-04-09 00:23 49152 ----a-w- c:\documents and settings\All Users\Application Data\Mozilla Firefox\.jagex_cache_32\runescape\jagmisc.dll
2010-04-07 19:55 . 2008-10-27 04:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-06 08:30 . 2010-04-06 08:30 5918775 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-01 15:56 . 2010-04-08 19:07 98304 ----a-w- c:\documents and settings\All Users\Application Data\Mozilla Firefox\nssdbm3.dll
2010-04-01 15:56 . 2010-04-08 19:07 249856 ----a-w- c:\documents and settings\All Users\Application Data\Mozilla Firefox\freebl3.dll
2010-04-01 15:56 . 2010-04-08 19:07 155648 ----a-w- c:\documents and settings\All Users\Application Data\Mozilla Firefox\softokn3.dll
2010-03-26 09:59 . 2010-02-27 22:16 -------- d-----w- c:\documents and settings\Chris\Application Data\gtk-2.0
2010-03-25 20:52 . 2010-02-24 03:31 -------- d-----w- c:\program files\XMind
2010-03-09 11:24 . 2008-10-27 04:12 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-09 11:12 . 2008-10-27 04:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-09 11:12 . 2008-10-27 04:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-09 11:09 . 2008-10-27 04:12 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-09 11:08 . 2008-10-27 04:12 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-09 11:08 . 2008-10-27 04:12 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-09 11:08 . 2008-10-27 04:12 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-09 11:08 . 2008-10-27 04:12 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-03-08 04:30 . 2010-03-08 04:30 -------- d-----w- c:\documents and settings\Chris\Application Data\InterVideo
2010-03-07 11:03 . 2010-03-07 11:03 -------- d-----w- c:\documents and settings\Chris\Application Data\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
2010-03-07 11:03 . 2010-03-07 11:03 -------- d-----w- c:\program files\TweetDeck
2010-03-07 11:03 . 2009-07-25 23:50 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-03-07 11:01 . 2010-03-11 09:27 38784 ----a-w- c:\documents and settings\Boys\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-07 11:01 . 2010-03-07 11:03 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-03 22:36 . 2010-03-03 22:36 32768 ----a-w- c:\documents and settings\Chris\Application Data\XMind\configuration-cathy\org.eclipse.osgi\bundles\63\1\.cp\os\win32\x86\localfile_1_0_0.dll
2010-03-03 20:05 . 2010-03-03 20:05 -------- d-----w- c:\documents and settings\Chris\Application Data\AdobeUM
2010-03-02 23:38 . 2010-02-26 08:27 -------- d-----w- c:\program files\Google
2010-03-02 09:49 . 2010-03-02 09:49 -------- d-----w- c:\documents and settings\Chris\Application Data\Malwarebytes
2010-02-28 02:31 . 2008-10-27 04:11 -------- d-----w- c:\program files\Alwil Software
2010-02-28 02:29 . 2010-02-28 02:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-26 08:28 . 2010-02-26 08:28 -------- d-----w- c:\documents and settings\System Edit\Application Data\Meebo
2010-02-26 01:11 . 2010-02-26 01:11 -------- d-----w- c:\documents and settings\All Users\Application Data\RoboForm
2010-02-26 01:10 . 2010-02-26 01:10 -------- d-----w- c:\program files\Siber Systems
2010-02-25 23:40 . 2010-02-25 23:40 -------- d-----w- c:\documents and settings\Chris\Application Data\Talkback
2010-02-25 06:24 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-25 01:24 . 2007-08-13 08:24 11070976 ----a-w- c:\windows\system32\ieframe(2).dll
2010-02-24 03:43 . 2010-02-24 03:43 89216 ----a-w- c:\documents and settings\Chris\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-24 03:43 . 2010-02-24 03:43 77824 ----a-w- c:\documents and settings\Chris\Application Data\XMind\configuration-cathy\org.eclipse.osgi\bundles\178\1\.cp\swt-gdip-win32-3555.dll
2010-02-24 03:43 . 2010-02-24 03:43 348160 ----a-w- c:\documents and settings\Chris\Application Data\XMind\configuration-cathy\org.eclipse.osgi\bundles\178\1\.cp\swt-win32-3555.dll
2010-02-24 03:43 . 2010-02-24 03:43 -------- d-----w- c:\documents and settings\Chris\Application Data\XMind
2010-02-24 03:41 . 2010-02-24 03:41 -------- d-----w- c:\program files\CamStudio
2010-02-24 03:39 . 2010-02-24 03:39 -------- d-----w- c:\documents and settings\Chris\Application Data\Notepad++
2010-02-24 03:38 . 2010-02-24 03:38 -------- d-----w- c:\program files\Lame for Audacity
2010-02-24 03:32 . 2010-02-24 03:32 -------- d-----w- c:\documents and settings\System Edit\Application Data\XMind
2010-02-24 03:32 . 2010-02-24 03:32 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-24 03:32 . 2008-10-27 01:56 -------- d-----w- c:\program files\Java
2010-02-24 03:32 . 2010-02-24 03:32 152576 ----a-w- c:\documents and settings\System Edit\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2010-02-24 00:09 . 2010-02-24 00:09 -------- d-----w- c:\documents and settings\Chris\Application Data\de.makesoft.twhirl.0EA062BC275E7ED1E6EC3762EFFD73C7158ADF33.1
2010-02-11 18:53 . 2008-10-27 04:12 38848 ----a-w- c:\windows\system32\avastSS.scr
2004-03-11 02:57 . 2008-12-14 07:39 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-02-26 160328]
"Meebo Notifier"="c:\documents and settings\System Edit\Local Settings\Application Data\Meebo\Meebo Notifier\MeeboNotifier.exe" [2010-03-02 798720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-13 1388544]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 88209]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2005-02-08 159744]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-20 344064]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-03-29 233534]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-10-13 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-10-27 98304]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-02-24 149280]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-04 794624]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-09-07 1400944]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]
"DNS7reminder"="c:\program files\ScanSoft\NaturallySpeaking8\Program\ereg.exe" [2005-04-11 729088]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
AutoTBar.exe [2003-9-30 57344]

c:\documents and settings\System Edit\Start Menu\Programs\Startup\
Dragon NaturallySpeaking.lnk - c:\program files\ScanSoft\NaturallySpeaking8\Program\natspeak.exe [2005-4-11 1994752]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2009-12-25 303104]
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-7-31 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-7-31 51984]
Outlook Plugin.lnk - c:\program files\PayPal Payment Request Wizard\Outlook Wizard\OEHook.exe [2009-5-13 888987]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [27/10/2008 1:42 PM 162640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [27/10/2008 1:42 PM 19024]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [23/12/2008 9:33 PM 33792]
S3 L6TPortGX;Service - Line 6 TonePort GX;c:\windows\system32\drivers\L6TPortGX.sys [19/11/2009 12:39 PM 609280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Supplementary Scan -------
.
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Trusted Zone: line6.net
FF - ProfilePath - c:\documents and settings\System Edit\Application Data\Mozilla\Firefox\Profiles\abq4w74i.default\
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

AddRemove-{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7} - c:\program files\NOS\bin\getPlus_HelperSvc.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-11 06:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????6?2?8?3??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x86F8A8C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76e5f28
\Driver\ACPI -> ACPI.sys @ 0xf7558cb8
\Driver\atapi -> atapi.sys @ 0xf74cfb3a
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
NDIS: Intel® PRO/Wireless 2200BG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf73d8bb0
PacketIndicateHandler -> NDIS.sys @ 0xf73c7a0d
SendHandler -> NDIS.sys @ 0xf73dbb40
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(400)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\AGRSMMSG.exe
c:\program files\Apoint2K\Apntex.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wdfmgr.exe
c:\wamp\bin\apache\apache2.0.63\bin\Apache.exe
c:\wamp\bin\apache\apache2.0.63\bin\Apache.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\HPQ\shared\hpqwmi.exe
.
**************************************************************************
.
Completion time: 2010-04-11 06:34:20 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-10 21:04

Pre-Run: 80,742,293,504 bytes free
Post-Run: 80,645,226,496 bytes free

- - End Of File - - 909AE67BEA6A9242BEBF536306B39E5C

#4 DevineRecords

  • Group: Member
  • Posts: 14
  • Joined: 10-April 10

Posted 10 April 2010 - 03:49 PM

I have also been having a problem when I click on a Google search result for Wikipedia, for example: I get "problem loading page: File not found page".

This is in the address bar:

jar:file:///C:/Program%20Files/Mozilla%20Firefox/chrome/en-GB.jar!/locale/browser-region/region.propertiesen.wikipedia.org

This is an intermittent problem.

#5 ldtate

  • Group: Expert
  • Posts: 1,874
  • Joined: 06-March 05

Posted 10 April 2010 - 03:53 PM

To empty the cache in Firefox:
1. Click on Tools > Options.
2. Click on the Privacy button on the left side of the window.
3. Click the "Clear All" button to clear all cached items, or select individual items to clear by clicking on the individual "Clear" buttons (History, Saved Information, Saved Passwords, Download Manager History, Cookies, Cache).

Let me know how it's running.

#6 DevineRecords

  • Group: Member
  • Posts: 14
  • Joined: 10-April 10

Posted 10 April 2010 - 04:07 PM

Google Search: microphone recording techniques
www.tape.com/resource/mics.html

Copied link location:
http://www.google.com.au/url?sa=t&sour...yHhGH7pCjGfFBhg

Destination when I clicked through from Google:
http://www.ozpartyhi...om.au/audio.htm


When I put www.tape.com/resource/mics.html in the address bar it went to the correct page.

#7 ldtate

  • Group: Expert
  • Posts: 1,874
  • Joined: 06-March 05

Posted 10 April 2010 - 04:09 PM

Did you empty the cache in Firefox?

#8 DevineRecords

  • Group: Member
  • Posts: 14
  • Joined: 10-April 10

Posted 10 April 2010 - 04:12 PM

Google Search: firefox redirect virus
www.computing.net › Forums › Security and Virus

Copied link location:
http://www.google.com.au/url?q=http://www....9eXXCgH1VcdEEVg

Destination:
http://www.stopzilla.com/products/stopzill...72&cid=1004

(this stopzilla one comes up a lot)

When I put "www.computing.net › Forums › Security and Virus" in the address bar it went to http://www.computing...security/1.html

#9 ldtate

  • Group: Expert
  • Posts: 1,874
  • Joined: 06-March 05

Posted 10 April 2010 - 04:14 PM

Let's back up a minute.
Other than the FF issue is everything else running ok, including Internet Explorer?

#10 DevineRecords

  • Group: Member
  • Posts: 14
  • Joined: 10-April 10

Posted 10 April 2010 - 04:36 PM

I followed the instructions to empty the cache in Firefox:

I am only offered the two options below:

Tools > Options > Privacy

History
Firefox will: ......

1. Clear your recent history. I cleared everything.
2. Remove individual cookies. I removed all cookies.


"Let's back this up..."

The browsers seem to be working fine.

I just tried IE

bing search: runscape

http://www.bing.com/search?q=runescape

Redirect:

http://12605.60729.filter.ezanga.com/check...rident%2F4.0%29

to page:

http://www.buddytv.com/home7/americas-next...odel-home7.aspx

Then I got an Avast notification from my system tray:

Object: http://prof-argent.com/
infection: HTML: IFrame-ms [Trj]
Action: Connection Abort
Process: c:\program files\internet explorer\ieexplore.exe

#11 ldtate

  • Group: Expert
  • Posts: 1,874
  • Joined: 06-March 05

Posted 10 April 2010 - 04:42 PM

So IE is working OK and only FF is the issue?

#12 DevineRecords

  • Group: Member
  • Posts: 14
  • Joined: 10-April 10

Posted 10 April 2010 - 04:46 PM

The Bing search I just posted was using IE.

#13 ldtate

  • Group: Expert
  • Posts: 1,874
  • Joined: 06-March 05

Posted 10 April 2010 - 04:48 PM

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.


Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)

  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report into your Post.

#14 DevineRecords

  • Group: Member
  • Posts: 14
  • Joined: 10-April 10

Posted 10 April 2010 - 10:09 PM

Sorry, it took 3 hrs to complete the scan:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-11 13:37:13
Windows 5.1.2600 Service Pack 3
Running: 8m5bwsw2.exe; Driver: C:\DOCUME~1\SYSTEM~1\LOCALS~1\Temp\kwxyifod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xEDA45C56]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xEDA45B12]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xEDA460C6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xEDA45FF0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xEDA456E8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xEDA45BEC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xEDA45628]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xEDA4568C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xEDA45D0C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xEDA46194]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xEDA45CCC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xEDA45E4C]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xEDA524FE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xEDA52322]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xEDA5245C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 247C 80501CB4 4 Bytes CALL 713DC10F
PAGE ntkrnlpa.exe!ZwLoadDriver 80579608 7 Bytes JMP EDA52460 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!NtCreateSection 805A076A 7 Bytes JMP EDA52326 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805B1CEE 5 Bytes JMP EDA4E4BA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObInsertObject 805B8B66 5 Bytes JMP EDA4F972 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73F8 7 Bytes JMP EDA52502 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF74DC780]
? Combo-Fix.sys The system cannot find the file specified. !
init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF67A38BF]
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF66A8F80]
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\atapi \Device\Ide\IdePort0 [F74CFB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [F74CFB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [F74CFB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Chris\Desktop\Mem Stik z\2_Products\Course- Websites\PkgB-18-Instant Email Pop Up Generator-Joint Venture List Building 2004-EasyAudioGenerator-and Joint Venture Marketing Tactics 2004\instantemailpop\Instant Email Pop Up Generator\help.htm 2333 bytes
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

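As an added example (not part of the thread and not GMER's own code), a small Python triage script that reads a GMER log in the format posted above and groups the lines a removal helper looks at first by driver, so a file that shows up in several sections (as atapi.sys does here) surfaces at the top. The ranking heuristics are the script's own assumptions; the sample lines are trimmed from this post's log.

```python
# Triage helper for a GMER 'ark.txt' log. Added example for this thread, not
# code from GMER or from the forum; the ranking heuristics are this script's own.
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
ENTRY_RE = re.compile(r'^\S+\s+(\S+)\s+entry point in "(\S+)" section')
DEVICE_RE = re.compile(r"\]\s+(\S+?)\[unknown section\]")
# PE sections that legitimately hold a driver entry point; .rsrc/.data/.reloc do not.
CODE_SECTIONS = {".text", "INIT", "init", "PAGE"}

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage_gmer(log_text):
    """Return {driver: [reason, ...]} for the lines a removal helper reads first."""
    findings = defaultdict(list)
    section = None
    for line in (l.strip() for l in log_text.splitlines()):
        hdr = SECTION_RE.match(line)
        if hdr:
            section = hdr.group(1)
            continue
        if section == "Kernel code sections":
            m = ENTRY_RE.match(line)
            if m and m.group(2) not in CODE_SECTIONS:
                findings[_basename(m.group(1))].append(f"entry point in {m.group(2)} section")
        elif section == "Devices":
            m = DEVICE_RE.search(line)  # dispatch routine outside any section of the image
            if m:
                findings[_basename(m.group(1))].append("device hook into unknown section")
        elif section == "Files" and line.endswith("suspicious modification"):
            path = line[len("File "):-len(" suspicious modification")]
            findings[_basename(path)].append("file marked as suspicious modification")
    return dict(findings)

def ranked(findings):
    """Drivers with the most independent indicators first."""
    return sorted(findings, key=lambda d: (-len(findings[d]), d))

# Sample input: lines trimmed from the GMER report posted above in this thread.
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF74DC780]
init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF67A38BF]
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\atapi \Device\Ide\IdePort0 [F74CFB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    found = triage_gmer(SAMPLE_LOG)
    for drv in ranked(found):
        print(drv, "->", "; ".join(found[drv]))
```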
#15 ldtate

  • Group: Expert
  • Posts: 1,874
  • Joined: 06-March 05

Posted 11 April 2010 - 06:07 AM

1. Go HERE and download FileLister.
  • Save it to your Desktop
  • Rt Click ->> Extract all ->> And extract it to your Desktop
  • Additional help on extracting zip files can be found HERE
  • Open the File Lister Folder.
  • Note: Leave the FileLister.vbe file in the folder and run it from there.

  • Rt Click FileLister.vbe ->>Select Open Then Open to confirm.
  • When the program is finished it will produce a log for you at C:\Files.txt

Copy and paste the contents of that log in your reply.
