Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Virus? denying access to security websites and redirecting

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Virus? denying access to security websites and redirecti

Unread postby Airscape » June 12th, 2010, 8:45 pm

Hi,

I would like you to uninstall all McAfee products since you have Norton now, then please see if you can get ComboFix to run.



Uninstall programs
Click Start > Control Panel > Add/Remove Programs
Click on the Programs listed below in red.
Click Remove etc...
(Don't worry if any are missing)

McAfee Security Scan
McAfee SecurityCenter
Any other McAfee products


Reboot (Restart) the computer

Note: Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into keeping the program.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ComboFix
Download ComboFix from one of these locations (Delete any previous versions, this is a new one I need you to download.)

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe ---- use Internet Explorer for this link -> right click and select "save target as"


**IMPORTANT !!! Save ComboFix.exe to your Desktop**

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Double click on ComboFix.exe & follow the prompts
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
Image
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Image

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
User avatar
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm
Advertisement
Register to Remove

Re: Virus? denying access to security websites and redirecti

Unread postby JohnnyB » June 15th, 2010, 10:42 pm

Hi Airscape:

I removed the McAfee products as you asked and ran ComboFix. Here is the ComboFix log.

Thanks for your help,
John


ComboFix 10-06-15.02 - Johnny Pants 06/15/2010 20:22:35.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1278.637 [GMT -5:00]
Running from: c:\documents and settings\Johnny Pants\My Documents\downloads\ComboFix.exe
AV: Norton Security Suite *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Johnny Pants\Application Data\02000000fb1167da922C.manifest
c:\documents and settings\Johnny Pants\Application Data\02000000fb1167da922O.manifest
c:\documents and settings\Johnny Pants\Application Data\02000000fb1167da922P.manifest
c:\documents and settings\Johnny Pants\Application Data\02000000fb1167da922S.manifest
c:\documents and settings\Johnny Pants\Application Data\F8F2912351F573255102639909F0D8AF
c:\documents and settings\Johnny Pants\Application Data\F8F2912351F573255102639909F0D8AF\enemies-names.txt
c:\documents and settings\Johnny Pants\Application Data\F8F2912351F573255102639909F0D8AF\local.ini
c:\documents and settings\Johnny Pants\Application Data\Sky-Banners
c:\documents and settings\Johnny Pants\Application Data\Sky-Banners\skb\log.xml
c:\documents and settings\Johnny Pants\Application Data\Street-Ads
c:\documents and settings\LocalService\Application Data\Sky-Banners
c:\documents and settings\LocalService\Application Data\Sky-Banners\skb\log.xml
c:\progra~1\COMMON~1\{307FF~1
c:\progra~1\COMMON~1\{707FF~1
c:\program files\Common Files\qmoz
c:\program files\Common Files\qmoz\qmoza.lck
c:\program files\Common Files\qmoz\qmozd\class-barrel
c:\program files\Common Files\qmoz\qmozd\vocabulary
c:\program files\Common Files\qmoz\qmozh
c:\program files\Common Files\qmoz\qmozl.lck
c:\program files\Common Files\qmoz\qmozm.lck
C:\Thumbs.db
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\drivers\fad.sys
c:\windows\system32\Thumbs.db
c:\windows\system32\wnstssu.exe
c:\windows\xpsp1hfm.log

.
((((((((((((((((((((((((( Files Created from 2010-05-16 to 2010-06-16 )))))))))))))))))))))))))))))))
.

2010-06-10 12:13 . 2010-06-10 12:13 -------- d-----w- C:\N360_BACKUP
2010-06-10 12:04 . 2010-06-10 12:04 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-10 12:04 . 2010-06-10 12:38 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-10 12:04 . 2010-06-10 12:04 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-10 12:04 . 2010-06-10 17:59 -------- d-----w- c:\windows\system32\drivers\N360
2010-06-10 12:04 . 2010-06-10 12:04 -------- d-----w- c:\program files\Norton Security Suite
2010-06-10 12:04 . 2010-06-10 12:04 -------- d-----w- c:\program files\Windows Sidebar
2010-06-10 12:01 . 2010-06-10 12:01 -------- d-----w- c:\program files\NortonInstaller
2010-06-10 12:01 . 2010-06-10 12:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-06-08 11:52 . 2010-06-08 11:52 -------- d-----w- c:\documents and settings\Johnny Pants\Application Data\Malwarebytes
2010-06-08 11:52 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-08 11:52 . 2010-06-08 11:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-08 11:52 . 2010-06-08 11:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-08 11:52 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-07 14:02 . 2010-06-07 14:02 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-06-07 12:45 . 2010-06-07 12:45 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-06-07 12:45 . 2010-06-07 12:45 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-04 02:28 . 2010-06-10 15:35 -------- d-----w- C:\!KillBox
2010-06-02 20:20 . 2010-06-10 12:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-06-02 20:19 . 2010-06-02 20:54 -------- d-----w- c:\documents and settings\Johnny Pants\Local Settings\Application Data\NPE
2010-06-02 14:27 . 2010-06-02 15:55 -------- d-----w- c:\documents and settings\Johnny Pants\SecurityScans
2010-06-02 02:50 . 2010-06-02 17:36 -------- d-----w- C:\System Volume Information2
2010-06-01 20:29 . 2010-06-01 20:29 388096 ----a-r- c:\documents and settings\Johnny Pants\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-01 20:29 . 2010-06-01 20:29 -------- d-----w- c:\program files\Trend Micro
2010-06-01 19:29 . 2010-06-01 19:29 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-06-01 19:28 . 2010-06-01 19:28 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-06-01 15:50 . 2004-08-04 05:59 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-06-01 15:50 . 2004-08-04 05:59 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-06-01 15:49 . 2004-08-04 06:00 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-06-01 15:49 . 2004-08-04 06:00 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2010-05-21 19:35 . 2010-05-21 19:35 -------- d-----w- c:\program files\Seagate
2010-05-21 19:35 . 2010-05-21 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate
2010-05-21 19:31 . 2010-05-21 19:31 -------- d-----w- c:\documents and settings\Johnny Pants\Local Settings\Application Data\Downloaded Installations
2010-05-21 19:31 . 2010-05-21 19:31 -------- d-----w- c:\program files\MSXML 6.0
2010-05-21 19:31 . 2010-06-01 16:42 -------- d-----w- c:\program files\Carbonite
2010-05-21 19:31 . 2010-05-21 19:31 -------- d-sh--w- c:\windows\ftpcache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-12 04:06 . 2004-04-10 16:13 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-12 00:00 . 2010-06-07 12:39 112 ----a-w- c:\documents and settings\All Users\Application Data\2cV2301.dat
2010-06-10 12:04 . 2004-06-12 03:13 -------- d-----w- c:\program files\Symantec
2010-06-10 12:04 . 2010-06-10 12:04 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-10 12:04 . 2010-06-10 12:04 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-10 12:02 . 2008-07-01 10:39 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-06-10 11:31 . 2002-08-29 07:27 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2010-06-08 11:17 . 2004-03-23 14:08 -------- d-----w- c:\program files\Java
2010-06-08 11:12 . 2009-11-12 18:26 -------- d-----w- c:\program files\Coupons
2010-06-08 11:04 . 2004-10-16 01:37 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-08 11:04 . 2004-10-16 01:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-08 11:01 . 2004-06-12 03:03 -------- d-----w- c:\program files\Lavasoft
2010-06-08 11:01 . 2004-10-16 01:06 -------- d-----w- c:\documents and settings\Johnny Pants\Application Data\Lavasoft
2010-06-07 12:46 . 2007-09-23 23:40 -------- d-----w- c:\program files\Google
2010-06-02 17:33 . 2007-10-23 18:08 -------- d-----w- c:\program files\Windows Media Connect 2
2010-06-01 18:46 . 2005-09-25 20:18 -------- d-----w- c:\program files\SpywareBlaster
2010-05-21 19:36 . 2007-02-12 20:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-13 09:57 . 2009-11-25 01:26 79488 ----a-w- c:\documents and settings\Johnny Pants\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-04-13 09:52 . 2004-04-02 02:56 98960 ----a-w- c:\documents and settings\Johnny Pants\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2005-04-24 02:29 . 2004-05-30 05:36 450 -c-ha-w- c:\program files\hpothb07.dat
2004-06-01 01:26 . 2004-05-30 05:36 50934 ---ha-w- c:\program files\hpothb07.tif
2004-05-30 05:37 . 2004-05-30 05:37 3005544 ----a-w- c:\program files\wedding card1.tif
2004-05-30 05:36 . 2004-05-30 05:36 9576032 ----a-w- c:\program files\wedding card.tif
2004-05-30 05:35 . 2004-05-30 05:35 9576008 ----a-w- c:\program files\Scan0001.tif
.
Code: Select all
<pre>
c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe
c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr .exe
c:\program files\Spybot - Search & Destroy\TeaTimer .exe
</pre>


((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2004-03-23 14:22 . 2004-03-23 14:22 151597 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

2003-02-13 07:01 . 2003-02-13 07:01 155648 c:\program files\Common Files\Sonic\Update Manager\bak\sgtray.exe

2004-03-23 14:20 . 2003-08-27 01:47 204800 c:\program files\Dell\Media Experience\bak\PCMService.exe

2004-03-23 14:28 . 2004-09-23 00:20 53248 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe

2004-03-23 14:22 . 2004-12-25 17:15 77824 c:\program files\QuickTime\bak\qttask.exe
2009-05-26 22:18 . 2009-05-26 22:18 413696 c:\program files\QuickTime\QTTask.exe

2002-07-30 16:35 . 2002-07-30 16:35 77824 c:\program files\Symantec_Client_Security\Symantec AntiVirus\bak\vptray.exe

2004-12-05 01:14 . 2003-06-11 07:52 380928 c:\program files\Visual Networks\Visual IP InSight\SBC\bak\IPClient.exe

2004-12-05 01:14 . 2003-06-11 07:52 122880 c:\program files\Visual Networks\Visual IP InSight\SBC\bak\IPMon32.exe

2002-08-09 23:09 . 2002-08-09 23:09 118784 c:\windows\bak\MXOaldr.exe

2002-08-29 11:00 . 2004-08-04 07:56 15360 c:\windows\SYSTEM32\bak\ctfmon.exe
2002-08-29 11:00 . 2004-08-04 07:56 15360 c:\windows\SYSTEM32\ctfmon.exe

1980-01-01 06:00 . 2005-01-23 15:31 126976 c:\windows\SYSTEM32\bak\hkcmd.exe

1980-01-01 06:00 . 2005-01-23 15:36 155648 c:\windows\SYSTEM32\bak\igfxtray.exe

2002-03-19 22:30 . 2002-03-19 22:30 45632 c:\windows\SYSTEM32\bak\taskswitch.exe

2004-03-23 14:20 . 2003-08-06 07:04 114741 c:\windows\SYSTEM32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue RegistryBooster 2"="c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [N/A]
"Run StartupMonitor"="StartupMonitor.exe" [2000-05-20 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-07-13 19:03 292128 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 22:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCHotKey]
c:\progra~1\RINGCE~1\RINGCE~1\RCHotKey.exe [N/A]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=
"c:\\Program Files\\Microsoft Games\\Age of Mythology\\aomx.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\FileVOoM Pro\\FileVOoM.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R0 SymDS;Symantec Data Store;c:\windows\SYSTEM32\DRIVERS\N360\0402000.00C\symds.sys [6/10/2010 9:43 AM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\N360\0402000.00C\symefa.sys [6/10/2010 9:43 AM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100522.001\BHDrvx86.sys [6/14/2010 12:55 PM 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\SYSTEM32\DRIVERS\N360\0402000.00C\cchpx86.sys [6/10/2010 9:43 AM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\SYSTEM32\DRIVERS\N360\0402000.00C\ironx86.sys [6/10/2010 9:43 AM 116784]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [12/18/2009 11:25 AM 189736]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.2.0.12\ccsvchst.exe [6/10/2010 9:42 AM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/10/2010 7:22 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100604.004\IDSXpx86.sys [6/10/2010 8:47 AM 331640]
S2 kkkkk;Command Service;c:\windows\Sm9obm55IFBhbnRz\command.exe --> c:\windows\Sm9obm55IFBhbnRz\command.exe [?]
S4 Seti;Seti;c:\windows\seti\SRVANY.EXE [6/11/2004 10:09 PM 13312]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon
.
Contents of the 'Scheduled Tasks' folder

2010-06-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2008-01-04 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4191349867.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 22:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: classmates.com\www
Trusted Zone: wnemail.com
Trusted Zone: yahoo.com
Trusted Zone: yahoo.com\ad
Trusted Zone: yahoo.com\ads.auctions
Trusted Zone: yahoo.com\adserver
Trusted Zone: yahoo.com\geo
Trusted Zone: yahoo.com\geocities
Trusted Zone: yahoo.com\images
Trusted Zone: yahoo.com\java
Trusted Zone: yahoo.com\java.europe
Trusted Zone: yahoo.com\promo
Trusted Zone: yahoo.com\promotions
Trusted Zone: yahoo.com\red.clientapps
Trusted Zone: yahoo.com\srd
Trusted Zone: yahoo.com\st21
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Johnny Pants\Application Data\Mozilla\Firefox\Profiles\xikpd5yo.default\
FF - prefs.js: browser.search.selectedEngine - Google.com (in English)
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\Johnny Pants\Application Data\Mozilla\Firefox\Profiles\xikpd5yo.default\extensions\{f2257711-226b-4529-8e1d-e82e1c55ebd8}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Johnny Pants\Application Data\Mozilla\Firefox\Profiles\xikpd5yo.default\extensions\{f2257711-226b-4529-8e1d-e82e1c55ebd8}\components\RadioWMPCore.dll
FF - plugin: c:\documents and settings\Johnny Pants\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Johnny Pants\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPcol308.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
SafeBoot-klmdb.sys
SafeBoot-mcmscsvc
SafeBoot-MCODS
AddRemove-eMusic Remote - c:\program files\eMusic Remote\uninst.exe
AddRemove-HijackThis - c:\docume~1\JOHNNY~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-15 20:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.2.0.12\diMaster.dll\" /prefetch:1"
.
Completion time: 2010-06-15 20:40:15
ComboFix-quarantined-files.txt 2010-06-16 01:40

Pre-Run: 14,328,045,568 bytes free
Post-Run: 14,260,191,232 bytes free

- - End Of File - - E1250A245B00C94FA3EAFDD0A3E6371D
JohnnyB
Regular Member
 
Posts: 30
Joined: June 4th, 2010, 11:50 am

Re: Virus? denying access to security websites and redirecti

Unread postby Airscape » June 18th, 2010, 10:58 am

Sorry for the delay.


Please download a new copy of ComboFix.exe Here and copy/paste it onto the desktop before doing the following.


Run CFScript
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
A guide to do this can be found here
  • Open Notepad (Start > All Programs > Accessories > Notepad)
  • Copy/Paste the following text Inside the code box into Notepad:

    Code: Select all
    KillAll::
    
    File::
    c:\documents and settings\All Users\Application Data\2cV2301.dat
    
    Driver::
    kkkkk
    
    Folder::
    C:\!KillBox
    c:\program files\Spybot - Search & Destroy
    c:\program files\Lavasoft
    c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    c:\documents and settings\Johnny Pants\Application Data\Lavasoft
    c:\documents and settings\All Users\Application Data\McAfee
    c:\windows\Sm9obm55IFBhbnRz
    c:\program files\Coupons
    c:\program files\Common Files\Real\Update_OB\bak
    c:\program files\Common Files\Sonic\Update Manager\bak
    c:\program files\Dell\Media Experience\bak
    c:\program files\MUSICMATCH\MUSICMATCH Jukebox\bak
    c:\program files\QuickTime\bak
    c:\program files\Symantec_Client_Security\Symantec AntiVirus\bak
    c:\program files\Visual Networks\Visual IP InSight\SBC\bak
    c:\windows\bak
    c:\windows\SYSTEM32\bak
    c:\windows\SYSTEM32\dla\bak
    
    RenV::
    c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe
    c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr .exe
    c:\program files\Spybot - Search & Destroy\TeaTimer .exe
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Uniblue RegistryBooster 2"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCHotKey]
    
    DDS::
    Trusted Zone: classmates.com\www
    Trusted Zone: wnemail.com
    Trusted Zone: yahoo.com
    Trusted Zone: yahoo.com\ad
    Trusted Zone: yahoo.com\ads.auctions
    Trusted Zone: yahoo.com\adserver
    Trusted Zone: yahoo.com\geo
    Trusted Zone: yahoo.com\geocities
    Trusted Zone: yahoo.com\images
    Trusted Zone: yahoo.com\java
    Trusted Zone: yahoo.com\java.europe
    Trusted Zone: yahoo.com\promo
    Trusted Zone: yahoo.com\promotions
    Trusted Zone: yahoo.com\red.clientapps
    Trusted Zone: yahoo.com\srd
    Trusted Zone: yahoo.com\st21

  • Goto File > Save as... and save it CFScript.txt
  • Now drag the CFScript.txt file into ComboFix.exe as shown in the animation below... This will start ComboFix again.
    Image
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
  • The tool may require a reboot - this is normal.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
User avatar
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: Virus? denying access to security websites and redirecti

Unread postby JohnnyB » June 18th, 2010, 9:40 pm

Hi Airscape:

Below is the log from ComboFix

Thanks,
John


ComboFix 10-06-17.03 - Johnny Pants 06/18/2010 19:54:48.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1278.828 [GMT -5:00]
Running from: c:\documents and settings\Johnny Pants\Desktop\ComboFixdef.exe
Command switches used :: c:\documents and settings\Johnny Pants\Desktop\CFScript.txt.lnk
AV: Norton Security Suite *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\win.com

.
((((((((((((((((((((((((( Files Created from 2010-05-19 to 2010-06-19 )))))))))))))))))))))))))))))))
.

2010-06-10 12:13 . 2010-06-10 12:13 -------- d-----w- C:\N360_BACKUP
2010-06-10 12:04 . 2010-06-10 12:04 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-10 12:04 . 2010-06-10 12:38 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-10 12:04 . 2010-06-10 12:04 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-10 12:04 . 2010-06-10 17:59 -------- d-----w- c:\windows\system32\drivers\N360
2010-06-10 12:04 . 2010-06-10 12:04 -------- d-----w- c:\program files\Norton Security Suite
2010-06-10 12:04 . 2010-06-10 12:04 -------- d-----w- c:\program files\Windows Sidebar
2010-06-10 12:01 . 2010-06-10 12:01 -------- d-----w- c:\program files\NortonInstaller
2010-06-10 12:01 . 2010-06-10 12:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-06-08 11:52 . 2010-06-08 11:52 -------- d-----w- c:\documents and settings\Johnny Pants\Application Data\Malwarebytes
2010-06-08 11:52 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-08 11:52 . 2010-06-08 11:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-08 11:52 . 2010-06-08 11:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-08 11:52 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-07 14:02 . 2010-06-07 14:02 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-06-07 12:45 . 2010-06-07 12:45 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-06-07 12:45 . 2010-06-07 12:45 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-04 02:28 . 2010-06-10 15:35 -------- d-----w- C:\!KillBox
2010-06-02 20:20 . 2010-06-10 12:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-06-02 20:19 . 2010-06-02 20:54 -------- d-----w- c:\documents and settings\Johnny Pants\Local Settings\Application Data\NPE
2010-06-02 14:27 . 2010-06-02 15:55 -------- d-----w- c:\documents and settings\Johnny Pants\SecurityScans
2010-06-02 02:50 . 2010-06-02 17:36 -------- d-----w- C:\System Volume Information2
2010-06-01 20:29 . 2010-06-01 20:29 388096 ----a-r- c:\documents and settings\Johnny Pants\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-01 20:29 . 2010-06-01 20:29 -------- d-----w- c:\program files\Trend Micro
2010-06-01 19:29 . 2010-06-01 19:29 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-06-01 19:28 . 2010-06-01 19:28 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-06-01 15:50 . 2004-08-04 05:59 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-06-01 15:50 . 2004-08-04 05:59 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-06-01 15:49 . 2004-08-04 06:00 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-06-01 15:49 . 2004-08-04 06:00 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2010-05-21 19:35 . 2010-05-21 19:35 -------- d-----w- c:\program files\Seagate
2010-05-21 19:35 . 2010-05-21 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate
2010-05-21 19:31 . 2010-05-21 19:31 -------- d-----w- c:\documents and settings\Johnny Pants\Local Settings\Application Data\Downloaded Installations
2010-05-21 19:31 . 2010-05-21 19:31 -------- d-----w- c:\program files\MSXML 6.0
2010-05-21 19:31 . 2010-06-01 16:42 -------- d-----w- c:\program files\Carbonite
2010-05-21 19:31 . 2010-05-21 19:31 -------- d-sh--w- c:\windows\ftpcache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-12 04:06 . 2004-04-10 16:13 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-12 00:00 . 2010-06-07 12:39 112 ----a-w- c:\documents and settings\All Users\Application Data\2cV2301.dat
2010-06-10 12:04 . 2004-06-12 03:13 -------- d-----w- c:\program files\Symantec
2010-06-10 12:04 . 2010-06-10 12:04 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-10 12:04 . 2010-06-10 12:04 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-10 12:02 . 2008-07-01 10:39 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-06-10 11:31 . 2002-08-29 07:27 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2010-06-08 11:17 . 2004-03-23 14:08 -------- d-----w- c:\program files\Java
2010-06-08 11:12 . 2009-11-12 18:26 -------- d-----w- c:\program files\Coupons
2010-06-08 11:04 . 2004-10-16 01:37 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-08 11:04 . 2004-10-16 01:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-08 11:01 . 2004-06-12 03:03 -------- d-----w- c:\program files\Lavasoft
2010-06-08 11:01 . 2004-10-16 01:06 -------- d-----w- c:\documents and settings\Johnny Pants\Application Data\Lavasoft
2010-06-07 12:46 . 2007-09-23 23:40 -------- d-----w- c:\program files\Google
2010-06-02 17:33 . 2007-10-23 18:08 -------- d-----w- c:\program files\Windows Media Connect 2
2010-06-01 18:46 . 2005-09-25 20:18 -------- d-----w- c:\program files\SpywareBlaster
2010-05-21 19:36 . 2007-02-12 20:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-02 05:56 . 2002-08-29 11:00 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:51 . 2002-08-29 11:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-13 09:57 . 2009-11-25 01:26 79488 ----a-w- c:\documents and settings\Johnny Pants\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-04-13 09:52 . 2004-04-02 02:56 98960 ----a-w- c:\documents and settings\Johnny Pants\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2005-04-24 02:29 . 2004-05-30 05:36 450 -c-ha-w- c:\program files\hpothb07.dat
2004-06-01 01:26 . 2004-05-30 05:36 50934 ---ha-w- c:\program files\hpothb07.tif
2004-05-30 05:37 . 2004-05-30 05:37 3005544 ----a-w- c:\program files\wedding card1.tif
2004-05-30 05:36 . 2004-05-30 05:36 9576032 ----a-w- c:\program files\wedding card.tif
2004-05-30 05:35 . 2004-05-30 05:35 9576008 ----a-w- c:\program files\Scan0001.tif
.
Code: Select all
<pre>
c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe
c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr .exe
c:\program files\Spybot - Search & Destroy\TeaTimer .exe
</pre>


((((((((((((((((((((((((((((( SnapShot@2010-06-16_01.33.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-18 21:02 . 2010-06-18 21:02 16384 c:\windows\Temp\Perflib_Perfdata_6d8.dat
- 2004-03-23 14:00 . 2010-03-25 18:09 54280 c:\windows\SYSTEM32\PERFC009.DAT
+ 2004-03-23 14:00 . 2010-06-17 01:33 54280 c:\windows\SYSTEM32\PERFC009.DAT
+ 2009-11-06 03:17 . 2009-11-06 03:17 11600 c:\windows\SYSTEM32\MUI\0409\mscorees.dll
+ 2010-03-05 14:57 . 2010-03-05 14:57 65536 c:\windows\SYSTEM32\DLLCACHE\asycfilt.dll
+ 2002-08-29 11:00 . 2010-03-05 14:57 65536 c:\windows\SYSTEM32\asycfilt.dll
+ 2010-04-01 16:42 . 2010-04-01 16:42 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
+ 2010-03-31 19:51 . 2010-03-31 19:51 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2008-05-28 05:49 . 2008-05-28 05:49 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2008-05-28 05:49 . 2008-05-28 05:49 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2010-03-31 19:51 . 2010-03-31 19:51 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2010-03-31 19:51 . 2010-03-31 19:51 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2008-05-28 05:49 . 2008-05-28 05:49 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
+ 2010-03-31 20:32 . 2010-03-31 20:32 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
- 2008-05-28 06:30 . 2008-05-28 06:30 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
- 2003-02-21 01:19 . 2003-02-21 01:19 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
+ 2010-03-31 20:32 . 2010-03-31 20:32 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
+ 2009-12-18 10:05 . 2009-12-18 10:05 16832 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\ViewerPS.dll
+ 2009-12-18 13:58 . 2009-12-18 13:58 40368 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\reader_sl.exe
+ 2009-12-18 10:05 . 2009-12-18 10:05 67016 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\PDFPrevHndlrShim.exe
+ 2009-12-18 10:04 . 2009-12-18 10:04 83376 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\PDFPrevHndlr.dll
+ 2009-12-18 07:43 . 2009-12-18 07:43 95672 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\nppdf32.dll
+ 2009-12-18 07:57 . 2009-12-18 07:57 13752 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\AcroRd32Info.exe
+ 2009-12-18 07:16 . 2009-12-18 07:16 65536 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\Acrofx32.dll
+ 2010-06-17 02:06 . 2010-06-17 02:06 90112 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_dd86839b\System.Drawing.Design.dll
+ 2010-06-17 02:06 . 2010-06-17 02:06 61440 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_4b448db8\CustomMarshalers.dll
+ 2010-06-17 02:06 . 2010-06-17 02:06 81920 c:\windows\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
+ 2004-03-23 14:00 . 2010-06-17 01:33 384596 c:\windows\SYSTEM32\PERFH009.DAT
- 2004-03-23 14:00 . 2010-03-25 18:09 384596 c:\windows\SYSTEM32\PERFH009.DAT
+ 2002-09-03 15:05 . 2010-06-17 23:54 345016 c:\windows\SYSTEM32\FNTCACHE.DAT
- 2002-09-03 15:05 . 2010-04-13 09:50 345016 c:\windows\SYSTEM32\FNTCACHE.DAT
+ 2010-04-20 05:51 . 2010-04-20 05:51 285696 c:\windows\SYSTEM32\DLLCACHE\atmfd.dll
+ 2010-03-31 19:51 . 2010-03-31 19:51 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2008-05-28 05:49 . 2008-05-28 05:49 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2008-05-28 05:48 . 2008-05-28 05:48 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2010-03-31 19:49 . 2010-03-31 19:49 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
- 2008-05-28 06:30 . 2008-05-28 06:30 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2010-03-31 20:32 . 2010-03-31 20:32 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
- 2010-06-12 04:06 . 2010-06-12 04:06 295606 c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A82000000003}\SC_Reader.exe
+ 2010-06-12 04:06 . 2010-06-17 01:58 295606 c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A82000000003}\SC_Reader.exe
+ 2009-12-18 07:51 . 2009-12-18 07:51 372736 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\pdfshell.dll
+ 2009-11-10 03:34 . 2009-11-10 03:34 448512 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\JP2KLib.dll
+ 2009-12-18 07:14 . 2009-12-18 07:14 140728 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\AdobeUpdateCheck.exe
+ 2009-12-18 09:55 . 2009-12-18 09:55 738776 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\AdobeCollabSync.exe
+ 2009-12-18 08:21 . 2009-12-18 08:21 112048 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\AcroRdIF.dll
+ 2009-12-18 13:58 . 2009-12-18 13:58 345520 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\AcroRd32.exe
+ 2009-12-18 07:17 . 2009-12-18 07:17 632240 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\AcroPDF.dll
+ 2010-06-17 02:07 . 2010-06-17 02:07 835584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_70bb1315\System.Drawing.dll
+ 2010-06-17 02:07 . 2010-06-17 02:07 192512 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_970e73af\System.Drawing.Design.dll
+ 2010-06-17 02:07 . 2010-06-17 02:07 118784 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_20c7a827\CustomMarshalers.dll
+ 2004-03-23 14:29 . 2010-04-06 09:52 2462720 c:\windows\SYSTEM32\WMVCore.dll
+ 2003-05-30 15:00 . 2010-02-05 18:40 1291264 c:\windows\SYSTEM32\quartz.dll
- 2003-05-30 15:00 . 2009-11-27 17:33 1291264 c:\windows\SYSTEM32\quartz.dll
+ 2004-03-23 14:29 . 2010-04-06 09:52 2462720 c:\windows\SYSTEM32\DLLCACHE\WMVCore.dll
+ 2002-08-29 11:00 . 2010-05-02 05:56 1850880 c:\windows\SYSTEM32\DLLCACHE\win32k.sys
- 2007-10-29 22:43 . 2009-11-27 17:33 1291264 c:\windows\SYSTEM32\DLLCACHE\quartz.dll
+ 2007-10-29 22:43 . 2010-02-05 18:40 1291264 c:\windows\SYSTEM32\DLLCACHE\quartz.dll
+ 2010-04-01 16:42 . 2010-04-01 16:42 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
- 2008-05-28 06:35 . 2008-05-28 06:35 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
+ 2010-04-01 16:42 . 2010-04-01 16:42 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
- 2008-05-28 06:35 . 2008-05-28 06:35 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
- 2008-05-28 05:48 . 2008-05-28 05:48 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2010-03-31 19:50 . 2010-03-31 19:50 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2010-03-31 19:50 . 2010-03-31 19:50 2527232 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
+ 2010-04-01 16:42 . 2010-04-01 16:42 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
- 2008-05-28 05:43 . 2008-05-28 05:43 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2010-04-02 18:53 . 2010-04-02 18:53 7220736 c:\windows\Installer\1a5f0c.msp
+ 2009-12-18 07:16 . 2009-12-18 07:16 1949696 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\rt3d.dll
+ 2010-06-17 02:07 . 2010-06-17 02:07 4792320 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_f321bba7\System.dll
+ 2010-06-17 02:06 . 2010-06-17 02:06 1966080 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_3bf33dab\System.dll
+ 2010-06-17 02:07 . 2010-06-17 02:07 2088960 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_fa0bb99c\System.Xml.dll
+ 2010-06-17 02:07 . 2010-06-17 02:07 5513216 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_b8659476\System.Xml.dll
+ 2010-06-17 02:06 . 2010-06-17 02:06 3018752 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_9631cfc7\System.Windows.Forms.dll
+ 2010-06-17 02:07 . 2010-06-17 02:07 7884800 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_4e50e8ae\System.Windows.Forms.dll
+ 2010-06-17 02:07 . 2010-06-17 02:07 2244608 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_464ea75d\System.Drawing.dll
+ 2010-06-17 02:07 . 2010-06-17 02:07 3395584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_d0cbb951\System.Design.dll
+ 2010-06-17 02:07 . 2010-06-17 02:07 1470464 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_b5068736\System.Design.dll
+ 2010-06-17 02:07 . 2010-06-17 02:07 8908800 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_eaa7d048\mscorlib.dll
+ 2010-06-17 02:07 . 2010-06-17 02:07 3391488 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_b4532440\mscorlib.dll
+ 2010-06-17 02:06 . 2010-06-17 02:06 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
- 2009-10-17 00:03 . 2009-10-17 00:03 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
- 2009-10-17 00:03 . 2009-10-17 00:03 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2010-06-17 02:06 . 2010-06-17 02:06 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2007-06-18 01:18 . 2010-05-28 19:37 32472008 c:\windows\SYSTEM32\MRT.exe
+ 2010-04-03 00:29 . 2010-04-03 00:29 11413504 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M979906\M979906Uninstall.msp
+ 2010-04-02 17:30 . 2010-04-02 17:30 17456640 c:\windows\Installer\1a5f28.msp
+ 2009-12-18 13:30 . 2009-12-18 13:30 13313464 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\AcroRd32.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2004-03-23 14:22 . 2004-03-23 14:22 151597 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

2003-02-13 07:01 . 2003-02-13 07:01 155648 c:\program files\Common Files\Sonic\Update Manager\bak\sgtray.exe

2004-03-23 14:20 . 2003-08-27 01:47 204800 c:\program files\Dell\Media Experience\bak\PCMService.exe

2004-03-23 14:28 . 2004-09-23 00:20 53248 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe

2004-03-23 14:22 . 2004-12-25 17:15 77824 c:\program files\QuickTime\bak\qttask.exe
2009-05-26 22:18 . 2009-05-26 22:18 413696 c:\program files\QuickTime\QTTask.exe

2002-07-30 16:35 . 2002-07-30 16:35 77824 c:\program files\Symantec_Client_Security\Symantec AntiVirus\bak\vptray.exe

2004-12-05 01:14 . 2003-06-11 07:52 380928 c:\program files\Visual Networks\Visual IP InSight\SBC\bak\IPClient.exe

2004-12-05 01:14 . 2003-06-11 07:52 122880 c:\program files\Visual Networks\Visual IP InSight\SBC\bak\IPMon32.exe

2002-08-09 23:09 . 2002-08-09 23:09 118784 c:\windows\bak\MXOaldr.exe

2002-08-29 11:00 . 2004-08-04 07:56 15360 c:\windows\SYSTEM32\bak\ctfmon.exe
2002-08-29 11:00 . 2004-08-04 07:56 15360 c:\windows\SYSTEM32\ctfmon.exe

1980-01-01 06:00 . 2005-01-23 15:31 126976 c:\windows\SYSTEM32\bak\hkcmd.exe

1980-01-01 06:00 . 2005-01-23 15:36 155648 c:\windows\SYSTEM32\bak\igfxtray.exe

2002-03-19 22:30 . 2002-03-19 22:30 45632 c:\windows\SYSTEM32\bak\taskswitch.exe

2004-03-23 14:20 . 2003-08-06 07:04 114741 c:\windows\SYSTEM32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue RegistryBooster 2"="c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [N/A]
"Run StartupMonitor"="StartupMonitor.exe" [2000-05-20 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-07-13 19:03 292128 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 22:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCHotKey]
c:\progra~1\RINGCE~1\RINGCE~1\RCHotKey.exe [N/A]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=
"c:\\Program Files\\Microsoft Games\\Age of Mythology\\aomx.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\FileVOoM Pro\\FileVOoM.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R0 SymDS;Symantec Data Store;c:\windows\SYSTEM32\DRIVERS\N360\0402000.00C\symds.sys [6/10/2010 9:43 AM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\N360\0402000.00C\symefa.sys [6/10/2010 9:43 AM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100522.001\BHDrvx86.sys [6/14/2010 12:55 PM 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\SYSTEM32\DRIVERS\N360\0402000.00C\cchpx86.sys [6/10/2010 9:43 AM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\SYSTEM32\DRIVERS\N360\0402000.00C\ironx86.sys [6/10/2010 9:43 AM 116784]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [12/18/2009 11:25 AM 189736]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.2.0.12\ccsvchst.exe [6/10/2010 9:42 AM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/10/2010 7:22 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100617.005\IDSXpx86.sys [6/18/2010 4:27 PM 331640]
S2 kkkkk;Command Service;c:\windows\Sm9obm55IFBhbnRz\command.exe --> c:\windows\Sm9obm55IFBhbnRz\command.exe [?]
S4 Seti;Seti;c:\windows\seti\SRVANY.EXE [6/11/2004 10:09 PM 13312]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon
.
Contents of the 'Scheduled Tasks' folder

2010-06-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2008-01-04 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4191349867.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 22:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: classmates.com\www
Trusted Zone: wnemail.com
Trusted Zone: yahoo.com
Trusted Zone: yahoo.com\ad
Trusted Zone: yahoo.com\ads.auctions
Trusted Zone: yahoo.com\adserver
Trusted Zone: yahoo.com\geo
Trusted Zone: yahoo.com\geocities
Trusted Zone: yahoo.com\images
Trusted Zone: yahoo.com\java
Trusted Zone: yahoo.com\java.europe
Trusted Zone: yahoo.com\promo
Trusted Zone: yahoo.com\promotions
Trusted Zone: yahoo.com\red.clientapps
Trusted Zone: yahoo.com\srd
Trusted Zone: yahoo.com\st21
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Johnny Pants\Application Data\Mozilla\Firefox\Profiles\xikpd5yo.default\
FF - prefs.js: browser.search.selectedEngine - Google.com (in English)
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\Johnny Pants\Application Data\Mozilla\Firefox\Profiles\xikpd5yo.default\extensions\{f2257711-226b-4529-8e1d-e82e1c55ebd8}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Johnny Pants\Application Data\Mozilla\Firefox\Profiles\xikpd5yo.default\extensions\{f2257711-226b-4529-8e1d-e82e1c55ebd8}\components\RadioWMPCore.dll
FF - plugin: c:\documents and settings\Johnny Pants\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Johnny Pants\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPcol308.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-18 20:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.2.0.12\diMaster.dll\" /prefetch:1"
.
Completion time: 2010-06-18 20:09:47
ComboFix-quarantined-files.txt 2010-06-19 01:09
ComboFix2.txt 2010-06-16 01:40

Pre-Run: 13,999,517,696 bytes free
Post-Run: 13,984,120,832 bytes free

- - End Of File - - BDD270BF3867D6615C7BCB63B15ABF72
JohnnyB
Regular Member
 
Posts: 30
Joined: June 4th, 2010, 11:50 am

Re: Virus? denying access to security websites and redirecti

Unread postby JohnnyB » June 18th, 2010, 9:40 pm

Hi Airscape:

Below is the log from ComboFix

Thanks,
John


ComboFix 10-06-17.03 - Johnny Pants 06/18/2010 19:54:48.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1278.828 [GMT -5:00]
Running from: c:\documents and settings\Johnny Pants\Desktop\ComboFixdef.exe
Command switches used :: c:\documents and settings\Johnny Pants\Desktop\CFScript.txt.lnk
AV: Norton Security Suite *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\win.com

.
((((((((((((((((((((((((( Files Created from 2010-05-19 to 2010-06-19 )))))))))))))))))))))))))))))))
.

2010-06-10 12:13 . 2010-06-10 12:13 -------- d-----w- C:\N360_BACKUP
2010-06-10 12:04 . 2010-06-10 12:04 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-10 12:04 . 2010-06-10 12:38 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-10 12:04 . 2010-06-10 12:04 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-10 12:04 . 2010-06-10 17:59 -------- d-----w- c:\windows\system32\drivers\N360
2010-06-10 12:04 . 2010-06-10 12:04 -------- d-----w- c:\program files\Norton Security Suite
2010-06-10 12:04 . 2010-06-10 12:04 -------- d-----w- c:\program files\Windows Sidebar
2010-06-10 12:01 . 2010-06-10 12:01 -------- d-----w- c:\program files\NortonInstaller
2010-06-10 12:01 . 2010-06-10 12:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-06-08 11:52 . 2010-06-08 11:52 -------- d-----w- c:\documents and settings\Johnny Pants\Application Data\Malwarebytes
2010-06-08 11:52 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-08 11:52 . 2010-06-08 11:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-08 11:52 . 2010-06-08 11:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-08 11:52 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-07 14:02 . 2010-06-07 14:02 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-06-07 12:45 . 2010-06-07 12:45 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-06-07 12:45 . 2010-06-07 12:45 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-04 02:28 . 2010-06-10 15:35 -------- d-----w- C:\!KillBox
2010-06-02 20:20 . 2010-06-10 12:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-06-02 20:19 . 2010-06-02 20:54 -------- d-----w- c:\documents and settings\Johnny Pants\Local Settings\Application Data\NPE
2010-06-02 14:27 . 2010-06-02 15:55 -------- d-----w- c:\documents and settings\Johnny Pants\SecurityScans
2010-06-02 02:50 . 2010-06-02 17:36 -------- d-----w- C:\System Volume Information2
2010-06-01 20:29 . 2010-06-01 20:29 388096 ----a-r- c:\documents and settings\Johnny Pants\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-01 20:29 . 2010-06-01 20:29 -------- d-----w- c:\program files\Trend Micro
2010-06-01 19:29 . 2010-06-01 19:29 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-06-01 19:28 . 2010-06-01 19:28 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-06-01 15:50 . 2004-08-04 05:59 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-06-01 15:50 . 2004-08-04 05:59 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-06-01 15:49 . 2004-08-04 06:00 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-06-01 15:49 . 2004-08-04 06:00 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2010-05-21 19:35 . 2010-05-21 19:35 -------- d-----w- c:\program files\Seagate
2010-05-21 19:35 . 2010-05-21 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate
2010-05-21 19:31 . 2010-05-21 19:31 -------- d-----w- c:\documents and settings\Johnny Pants\Local Settings\Application Data\Downloaded Installations
2010-05-21 19:31 . 2010-05-21 19:31 -------- d-----w- c:\program files\MSXML 6.0
2010-05-21 19:31 . 2010-06-01 16:42 -------- d-----w- c:\program files\Carbonite
2010-05-21 19:31 . 2010-05-21 19:31 -------- d-sh--w- c:\windows\ftpcache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-12 04:06 . 2004-04-10 16:13 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-12 00:00 . 2010-06-07 12:39 112 ----a-w- c:\documents and settings\All Users\Application Data\2cV2301.dat
2010-06-10 12:04 . 2004-06-12 03:13 -------- d-----w- c:\program files\Symantec
2010-06-10 12:04 . 2010-06-10 12:04 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-10 12:04 . 2010-06-10 12:04 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-10 12:02 . 2008-07-01 10:39 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-06-10 11:31 . 2002-08-29 07:27 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2010-06-08 11:17 . 2004-03-23 14:08 -------- d-----w- c:\program files\Java
2010-06-08 11:12 . 2009-11-12 18:26 -------- d-----w- c:\program files\Coupons
2010-06-08 11:04 . 2004-10-16 01:37 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-08 11:04 . 2004-10-16 01:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-08 11:01 . 2004-06-12 03:03 -------- d-----w- c:\program files\Lavasoft
2010-06-08 11:01 . 2004-10-16 01:06 -------- d-----w- c:\documents and settings\Johnny Pants\Application Data\Lavasoft
2010-06-07 12:46 . 2007-09-23 23:40 -------- d-----w- c:\program files\Google
2010-06-02 17:33 . 2007-10-23 18:08 -------- d-----w- c:\program files\Windows Media Connect 2
2010-06-01 18:46 . 2005-09-25 20:18 -------- d-----w- c:\program files\SpywareBlaster
2010-05-21 19:36 . 2007-02-12 20:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-02 05:56 . 2002-08-29 11:00 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:51 . 2002-08-29 11:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-13 09:57 . 2009-11-25 01:26 79488 ----a-w- c:\documents and settings\Johnny Pants\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-04-13 09:52 . 2004-04-02 02:56 98960 ----a-w- c:\documents and settings\Johnny Pants\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2005-04-24 02:29 . 2004-05-30 05:36 450 -c-ha-w- c:\program files\hpothb07.dat
2004-06-01 01:26 . 2004-05-30 05:36 50934 ---ha-w- c:\program files\hpothb07.tif
2004-05-30 05:37 . 2004-05-30 05:37 3005544 ----a-w- c:\program files\wedding card1.tif
2004-05-30 05:36 . 2004-05-30 05:36 9576032 ----a-w- c:\program files\wedding card.tif
2004-05-30 05:35 . 2004-05-30 05:35 9576008 ----a-w- c:\program files\Scan0001.tif
.
Code: Select all
<pre>
c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe
c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr .exe
c:\program files\Spybot - Search & Destroy\TeaTimer .exe
</pre>


((((((((((((((((((((((((((((( SnapShot@2010-06-16_01.33.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-18 21:02 . 2010-06-18 21:02 16384 c:\windows\Temp\Perflib_Perfdata_6d8.dat
- 2004-03-23 14:00 . 2010-03-25 18:09 54280 c:\windows\SYSTEM32\PERFC009.DAT
+ 2004-03-23 14:00 . 2010-06-17 01:33 54280 c:\windows\SYSTEM32\PERFC009.DAT
+ 2009-11-06 03:17 . 2009-11-06 03:17 11600 c:\windows\SYSTEM32\MUI\0409\mscorees.dll
+ 2010-03-05 14:57 . 2010-03-05 14:57 65536 c:\windows\SYSTEM32\DLLCACHE\asycfilt.dll
+ 2002-08-29 11:00 . 2010-03-05 14:57 65536 c:\windows\SYSTEM32\asycfilt.dll
+ 2010-04-01 16:42 . 2010-04-01 16:42 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
+ 2010-03-31 19:51 . 2010-03-31 19:51 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2008-05-28 05:49 . 2008-05-28 05:49 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2008-05-28 05:49 . 2008-05-28 05:49 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2010-03-31 19:51 . 2010-03-31 19:51 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2010-03-31 19:51 . 2010-03-31 19:51 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2008-05-28 05:49 . 2008-05-28 05:49 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
+ 2010-03-31 20:32 . 2010-03-31 20:32 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
- 2008-05-28 06:30 . 2008-05-28 06:30 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
- 2003-02-21 01:19 . 2003-02-21 01:19 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
+ 2010-03-31 20:32 . 2010-03-31 20:32 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
+ 2009-12-18 10:05 . 2009-12-18 10:05 16832 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\ViewerPS.dll
+ 2009-12-18 13:58 . 2009-12-18 13:58 40368 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\reader_sl.exe
+ 2009-12-18 10:05 . 2009-12-18 10:05 67016 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\PDFPrevHndlrShim.exe
+ 2009-12-18 10:04 . 2009-12-18 10:04 83376 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\PDFPrevHndlr.dll
+ 2009-12-18 07:43 . 2009-12-18 07:43 95672 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\nppdf32.dll
+ 2009-12-18 07:57 . 2009-12-18 07:57 13752 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\AcroRd32Info.exe
+ 2009-12-18 07:16 . 2009-12-18 07:16 65536 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\Acrofx32.dll
+ 2010-06-17 02:06 . 2010-06-17 02:06 90112 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_dd86839b\System.Drawing.Design.dll
+ 2010-06-17 02:06 . 2010-06-17 02:06 61440 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_4b448db8\CustomMarshalers.dll
+ 2010-06-17 02:06 . 2010-06-17 02:06 81920 c:\windows\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
+ 2004-03-23 14:00 . 2010-06-17 01:33 384596 c:\windows\SYSTEM32\PERFH009.DAT
- 2004-03-23 14:00 . 2010-03-25 18:09 384596 c:\windows\SYSTEM32\PERFH009.DAT
+ 2002-09-03 15:05 . 2010-06-17 23:54 345016 c:\windows\SYSTEM32\FNTCACHE.DAT
- 2002-09-03 15:05 . 2010-04-13 09:50 345016 c:\windows\SYSTEM32\FNTCACHE.DAT
+ 2010-04-20 05:51 . 2010-04-20 05:51 285696 c:\windows\SYSTEM32\DLLCACHE\atmfd.dll
+ 2010-03-31 19:51 . 2010-03-31 19:51 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2008-05-28 05:49 . 2008-05-28 05:49 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2008-05-28 05:48 . 2008-05-28 05:48 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2010-03-31 19:49 . 2010-03-31 19:49 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
- 2008-05-28 06:30 . 2008-05-28 06:30 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2010-03-31 20:32 . 2010-03-31 20:32 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
- 2010-06-12 04:06 . 2010-06-12 04:06 295606 c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A82000000003}\SC_Reader.exe
+ 2010-06-12 04:06 . 2010-06-17 01:58 295606 c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A82000000003}\SC_Reader.exe
+ 2009-12-18 07:51 . 2009-12-18 07:51 372736 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\pdfshell.dll
+ 2009-11-10 03:34 . 2009-11-10 03:34 448512 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\JP2KLib.dll
+ 2009-12-18 07:14 . 2009-12-18 07:14 140728 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\AdobeUpdateCheck.exe
+ 2009-12-18 09:55 . 2009-12-18 09:55 738776 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\AdobeCollabSync.exe
+ 2009-12-18 08:21 . 2009-12-18 08:21 112048 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\AcroRdIF.dll
+ 2009-12-18 13:58 . 2009-12-18 13:58 345520 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\AcroRd32.exe
+ 2009-12-18 07:17 . 2009-12-18 07:17 632240 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\AcroPDF.dll
+ 2010-06-17 02:07 . 2010-06-17 02:07 835584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_70bb1315\System.Drawing.dll
+ 2010-06-17 02:07 . 2010-06-17 02:07 192512 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_970e73af\System.Drawing.Design.dll
+ 2010-06-17 02:07 . 2010-06-17 02:07 118784 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_20c7a827\CustomMarshalers.dll
+ 2004-03-23 14:29 . 2010-04-06 09:52 2462720 c:\windows\SYSTEM32\WMVCore.dll
+ 2003-05-30 15:00 . 2010-02-05 18:40 1291264 c:\windows\SYSTEM32\quartz.dll
- 2003-05-30 15:00 . 2009-11-27 17:33 1291264 c:\windows\SYSTEM32\quartz.dll
+ 2004-03-23 14:29 . 2010-04-06 09:52 2462720 c:\windows\SYSTEM32\DLLCACHE\WMVCore.dll
+ 2002-08-29 11:00 . 2010-05-02 05:56 1850880 c:\windows\SYSTEM32\DLLCACHE\win32k.sys
- 2007-10-29 22:43 . 2009-11-27 17:33 1291264 c:\windows\SYSTEM32\DLLCACHE\quartz.dll
+ 2007-10-29 22:43 . 2010-02-05 18:40 1291264 c:\windows\SYSTEM32\DLLCACHE\quartz.dll
+ 2010-04-01 16:42 . 2010-04-01 16:42 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
- 2008-05-28 06:35 . 2008-05-28 06:35 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
+ 2010-04-01 16:42 . 2010-04-01 16:42 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
- 2008-05-28 06:35 . 2008-05-28 06:35 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
- 2008-05-28 05:48 . 2008-05-28 05:48 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2010-03-31 19:50 . 2010-03-31 19:50 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2010-03-31 19:50 . 2010-03-31 19:50 2527232 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
+ 2010-04-01 16:42 . 2010-04-01 16:42 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
- 2008-05-28 05:43 . 2008-05-28 05:43 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2010-04-02 18:53 . 2010-04-02 18:53 7220736 c:\windows\Installer\1a5f0c.msp
+ 2009-12-18 07:16 . 2009-12-18 07:16 1949696 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\rt3d.dll
+ 2010-06-17 02:07 . 2010-06-17 02:07 4792320 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_f321bba7\System.dll
+ 2010-06-17 02:06 . 2010-06-17 02:06 1966080 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_3bf33dab\System.dll
+ 2010-06-17 02:07 . 2010-06-17 02:07 2088960 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_fa0bb99c\System.Xml.dll
+ 2010-06-17 02:07 . 2010-06-17 02:07 5513216 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_b8659476\System.Xml.dll
+ 2010-06-17 02:06 . 2010-06-17 02:06 3018752 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_9631cfc7\System.Windows.Forms.dll
+ 2010-06-17 02:07 . 2010-06-17 02:07 7884800 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_4e50e8ae\System.Windows.Forms.dll
+ 2010-06-17 02:07 . 2010-06-17 02:07 2244608 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_464ea75d\System.Drawing.dll
+ 2010-06-17 02:07 . 2010-06-17 02:07 3395584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_d0cbb951\System.Design.dll
+ 2010-06-17 02:07 . 2010-06-17 02:07 1470464 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_b5068736\System.Design.dll
+ 2010-06-17 02:07 . 2010-06-17 02:07 8908800 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_eaa7d048\mscorlib.dll
+ 2010-06-17 02:07 . 2010-06-17 02:07 3391488 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_b4532440\mscorlib.dll
+ 2010-06-17 02:06 . 2010-06-17 02:06 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
- 2009-10-17 00:03 . 2009-10-17 00:03 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
- 2009-10-17 00:03 . 2009-10-17 00:03 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2010-06-17 02:06 . 2010-06-17 02:06 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2007-06-18 01:18 . 2010-05-28 19:37 32472008 c:\windows\SYSTEM32\MRT.exe
+ 2010-04-03 00:29 . 2010-04-03 00:29 11413504 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M979906\M979906Uninstall.msp
+ 2010-04-02 17:30 . 2010-04-02 17:30 17456640 c:\windows\Installer\1a5f28.msp
+ 2009-12-18 13:30 . 2009-12-18 13:30 13313464 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A0200000030\8.2.0\AcroRd32.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2004-03-23 14:22 . 2004-03-23 14:22 151597 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

2003-02-13 07:01 . 2003-02-13 07:01 155648 c:\program files\Common Files\Sonic\Update Manager\bak\sgtray.exe

2004-03-23 14:20 . 2003-08-27 01:47 204800 c:\program files\Dell\Media Experience\bak\PCMService.exe

2004-03-23 14:28 . 2004-09-23 00:20 53248 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe

2004-03-23 14:22 . 2004-12-25 17:15 77824 c:\program files\QuickTime\bak\qttask.exe
2009-05-26 22:18 . 2009-05-26 22:18 413696 c:\program files\QuickTime\QTTask.exe

2002-07-30 16:35 . 2002-07-30 16:35 77824 c:\program files\Symantec_Client_Security\Symantec AntiVirus\bak\vptray.exe

2004-12-05 01:14 . 2003-06-11 07:52 380928 c:\program files\Visual Networks\Visual IP InSight\SBC\bak\IPClient.exe

2004-12-05 01:14 . 2003-06-11 07:52 122880 c:\program files\Visual Networks\Visual IP InSight\SBC\bak\IPMon32.exe

2002-08-09 23:09 . 2002-08-09 23:09 118784 c:\windows\bak\MXOaldr.exe

2002-08-29 11:00 . 2004-08-04 07:56 15360 c:\windows\SYSTEM32\bak\ctfmon.exe
2002-08-29 11:00 . 2004-08-04 07:56 15360 c:\windows\SYSTEM32\ctfmon.exe

1980-01-01 06:00 . 2005-01-23 15:31 126976 c:\windows\SYSTEM32\bak\hkcmd.exe

1980-01-01 06:00 . 2005-01-23 15:36 155648 c:\windows\SYSTEM32\bak\igfxtray.exe

2002-03-19 22:30 . 2002-03-19 22:30 45632 c:\windows\SYSTEM32\bak\taskswitch.exe

2004-03-23 14:20 . 2003-08-06 07:04 114741 c:\windows\SYSTEM32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue RegistryBooster 2"="c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [N/A]
"Run StartupMonitor"="StartupMonitor.exe" [2000-05-20 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-07-13 19:03 292128 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 22:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCHotKey]
c:\progra~1\RINGCE~1\RINGCE~1\RCHotKey.exe [N/A]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=
"c:\\Program Files\\Microsoft Games\\Age of Mythology\\aomx.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\FileVOoM Pro\\FileVOoM.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R0 SymDS;Symantec Data Store;c:\windows\SYSTEM32\DRIVERS\N360\0402000.00C\symds.sys [6/10/2010 9:43 AM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\N360\0402000.00C\symefa.sys [6/10/2010 9:43 AM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100522.001\BHDrvx86.sys [6/14/2010 12:55 PM 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\SYSTEM32\DRIVERS\N360\0402000.00C\cchpx86.sys [6/10/2010 9:43 AM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\SYSTEM32\DRIVERS\N360\0402000.00C\ironx86.sys [6/10/2010 9:43 AM 116784]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [12/18/2009 11:25 AM 189736]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.2.0.12\ccsvchst.exe [6/10/2010 9:42 AM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/10/2010 7:22 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100617.005\IDSXpx86.sys [6/18/2010 4:27 PM 331640]
S2 kkkkk;Command Service;c:\windows\Sm9obm55IFBhbnRz\command.exe --> c:\windows\Sm9obm55IFBhbnRz\command.exe [?]
S4 Seti;Seti;c:\windows\seti\SRVANY.EXE [6/11/2004 10:09 PM 13312]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon
.
Contents of the 'Scheduled Tasks' folder

2010-06-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2008-01-04 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4191349867.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 22:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: classmates.com\www
Trusted Zone: wnemail.com
Trusted Zone: yahoo.com
Trusted Zone: yahoo.com\ad
Trusted Zone: yahoo.com\ads.auctions
Trusted Zone: yahoo.com\adserver
Trusted Zone: yahoo.com\geo
Trusted Zone: yahoo.com\geocities
Trusted Zone: yahoo.com\images
Trusted Zone: yahoo.com\java
Trusted Zone: yahoo.com\java.europe
Trusted Zone: yahoo.com\promo
Trusted Zone: yahoo.com\promotions
Trusted Zone: yahoo.com\red.clientapps
Trusted Zone: yahoo.com\srd
Trusted Zone: yahoo.com\st21
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Johnny Pants\Application Data\Mozilla\Firefox\Profiles\xikpd5yo.default\
FF - prefs.js: browser.search.selectedEngine - Google.com (in English)
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\Johnny Pants\Application Data\Mozilla\Firefox\Profiles\xikpd5yo.default\extensions\{f2257711-226b-4529-8e1d-e82e1c55ebd8}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Johnny Pants\Application Data\Mozilla\Firefox\Profiles\xikpd5yo.default\extensions\{f2257711-226b-4529-8e1d-e82e1c55ebd8}\components\RadioWMPCore.dll
FF - plugin: c:\documents and settings\Johnny Pants\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Johnny Pants\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPcol308.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-18 20:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.2.0.12\diMaster.dll\" /prefetch:1"
.
Completion time: 2010-06-18 20:09:47
ComboFix-quarantined-files.txt 2010-06-19 01:09
ComboFix2.txt 2010-06-16 01:40

Pre-Run: 13,999,517,696 bytes free
Post-Run: 13,984,120,832 bytes free

- - End Of File - - BDD270BF3867D6615C7BCB63B15ABF72
JohnnyB
Regular Member
 
Posts: 30
Joined: June 4th, 2010, 11:50 am

Re: Virus? denying access to security websites and redirecti

Unread postby Airscape » June 20th, 2010, 8:16 pm

It seems there's a problem with the log. There should have been files deleted. Can you run the instructions again please.


Please download a new copy of ComboFix.exe Here and make sure it's on the desktop before doing the following.


Run CFScript
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
A guide to do this can be found here
  • Open Notepad (Start > All Programs > Accessories > Notepad)
  • Copy/Paste the following text Inside the code box into Notepad:

    Code: Select all
    KillAll::
    
    File::
    c:\documents and settings\All Users\Application Data\2cV2301.dat
    
    Driver::
    kkkkk
    
    Folder::
    C:\!KillBox
    c:\program files\Spybot - Search & Destroy
    c:\program files\Lavasoft
    c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    c:\documents and settings\Johnny Pants\Application Data\Lavasoft
    c:\documents and settings\All Users\Application Data\McAfee
    c:\windows\Sm9obm55IFBhbnRz
    c:\program files\Coupons
    c:\program files\Common Files\Real\Update_OB\bak
    c:\program files\Common Files\Sonic\Update Manager\bak
    c:\program files\Dell\Media Experience\bak
    c:\program files\MUSICMATCH\MUSICMATCH Jukebox\bak
    c:\program files\QuickTime\bak
    c:\program files\Symantec_Client_Security\Symantec AntiVirus\bak
    c:\program files\Visual Networks\Visual IP InSight\SBC\bak
    c:\windows\bak
    c:\windows\SYSTEM32\bak
    c:\windows\SYSTEM32\dla\bak
    
    RenV::
    c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe
    c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr .exe
    c:\program files\Spybot - Search & Destroy\TeaTimer .exe
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Uniblue RegistryBooster 2"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCHotKey]
    
    DDS::
    Trusted Zone: classmates.com\www
    Trusted Zone: wnemail.com
    Trusted Zone: yahoo.com
    Trusted Zone: yahoo.com\ad
    Trusted Zone: yahoo.com\ads.auctions
    Trusted Zone: yahoo.com\adserver
    Trusted Zone: yahoo.com\geo
    Trusted Zone: yahoo.com\geocities
    Trusted Zone: yahoo.com\images
    Trusted Zone: yahoo.com\java
    Trusted Zone: yahoo.com\java.europe
    Trusted Zone: yahoo.com\promo
    Trusted Zone: yahoo.com\promotions
    Trusted Zone: yahoo.com\red.clientapps
    Trusted Zone: yahoo.com\srd
    Trusted Zone: yahoo.com\st21

  • Save this as CFScript.txt in the same location as ComboFix.exe
  • Now drag the CFScript.txt file into ComboFix.exe as shown in the animation below... This will start ComboFix again.
    Image
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
  • The tool may require a reboot - this is normal.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
User avatar
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: Virus? denying access to security websites and redirecti

Unread postby JohnnyB » June 23rd, 2010, 11:21 am

Hi Airscape:

As I downloaded ComboFix the box below appeared on the screen. I was a little skeptical and left the box alone.

(Virus Box 1 image)

I checked task manager and this was the related info I found.

(Virus Box 2 image)
(Virus Box 3 image)

Below is the log from running CFScript and ComboFix.

Thanks for all your help,
John

ComboFix 10-06-22.03 - Johnny Pants 06/23/2010 9:44.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1278.831 [GMT -5:00]
Running from: c:\documents and settings\Johnny Pants\My Documents\downloads\ComboFixghi.exe
Command switches used :: c:\documents and settings\Johnny Pants\Desktop\CFScript.txt.lnk
AV: Norton Security Suite *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((( Files Created from 2010-05-23 to 2010-06-23 )))))))))))))))))))))))))))))))
.

2010-06-10 12:13 . 2010-06-10 12:13 -------- d-----w- C:\N360_BACKUP
2010-06-10 12:04 . 2010-06-10 12:04 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-10 12:04 . 2010-06-10 12:38 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-10 12:04 . 2010-06-10 12:04 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-10 12:04 . 2010-06-10 17:59 -------- d-----w- c:\windows\system32\drivers\N360
2010-06-10 12:04 . 2010-06-10 12:04 -------- d-----w- c:\program files\Norton Security Suite
2010-06-10 12:04 . 2010-06-10 12:04 -------- d-----w- c:\program files\Windows Sidebar
2010-06-10 12:01 . 2010-06-10 12:01 -------- d-----w- c:\program files\NortonInstaller
2010-06-10 12:01 . 2010-06-10 12:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-06-08 11:52 . 2010-06-08 11:52 -------- d-----w- c:\documents and settings\Johnny Pants\Application Data\Malwarebytes
2010-06-08 11:52 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-08 11:52 . 2010-06-08 11:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-08 11:52 . 2010-06-08 11:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-08 11:52 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-07 14:02 . 2010-06-07 14:02 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-06-07 12:45 . 2010-06-07 12:45 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-06-07 12:45 . 2010-06-07 12:45 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-04 02:28 . 2010-06-10 15:35 -------- d-----w- C:\!KillBox
2010-06-02 20:20 . 2010-06-10 12:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-06-02 20:19 . 2010-06-02 20:54 -------- d-----w- c:\documents and settings\Johnny Pants\Local Settings\Application Data\NPE
2010-06-02 14:27 . 2010-06-02 15:55 -------- d-----w- c:\documents and settings\Johnny Pants\SecurityScans
2010-06-02 02:50 . 2010-06-02 17:36 -------- d-----w- C:\System Volume Information2
2010-06-01 20:29 . 2010-06-01 20:29 388096 ----a-r- c:\documents and settings\Johnny Pants\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-01 20:29 . 2010-06-01 20:29 -------- d-----w- c:\program files\Trend Micro
2010-06-01 19:29 . 2010-06-01 19:29 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-06-01 19:28 . 2010-06-01 19:28 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-06-01 15:50 . 2004-08-04 05:59 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-06-01 15:50 . 2004-08-04 05:59 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-06-01 15:49 . 2004-08-04 06:00 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-06-01 15:49 . 2004-08-04 06:00 8192 ----a-w- c:\windows\system32\dllcache\changer.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-12 04:06 . 2004-04-10 16:13 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-12 00:00 . 2010-06-07 12:39 112 ----a-w- c:\documents and settings\All Users\Application Data\2cV2301.dat
2010-06-10 12:04 . 2004-06-12 03:13 -------- d-----w- c:\program files\Symantec
2010-06-10 12:04 . 2010-06-10 12:04 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-10 12:04 . 2010-06-10 12:04 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-10 12:02 . 2008-07-01 10:39 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-06-10 11:31 . 2002-08-29 07:27 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2010-06-08 11:17 . 2004-03-23 14:08 -------- d-----w- c:\program files\Java
2010-06-08 11:12 . 2009-11-12 18:26 -------- d-----w- c:\program files\Coupons
2010-06-08 11:04 . 2004-10-16 01:37 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-08 11:04 . 2004-10-16 01:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-08 11:01 . 2004-06-12 03:03 -------- d-----w- c:\program files\Lavasoft
2010-06-08 11:01 . 2004-10-16 01:06 -------- d-----w- c:\documents and settings\Johnny Pants\Application Data\Lavasoft
2010-06-07 12:46 . 2007-09-23 23:40 -------- d-----w- c:\program files\Google
2010-06-02 17:33 . 2007-10-23 18:08 -------- d-----w- c:\program files\Windows Media Connect 2
2010-06-01 18:46 . 2005-09-25 20:18 -------- d-----w- c:\program files\SpywareBlaster
2010-06-01 16:42 . 2010-05-21 19:31 -------- d-----w- c:\program files\Carbonite
2010-05-21 19:36 . 2007-02-12 20:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-21 19:35 . 2010-05-21 19:35 -------- d-----w- c:\program files\Seagate
2010-05-21 19:35 . 2010-05-21 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate
2010-05-21 19:31 . 2010-05-21 19:31 -------- d-----w- c:\program files\MSXML 6.0
2010-05-02 05:56 . 2002-08-29 11:00 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:51 . 2002-08-29 11:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-13 09:57 . 2009-11-25 01:26 79488 ----a-w- c:\documents and settings\Johnny Pants\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-04-13 09:52 . 2004-04-02 02:56 98960 ----a-w- c:\documents and settings\Johnny Pants\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2005-04-24 02:29 . 2004-05-30 05:36 450 -c-ha-w- c:\program files\hpothb07.dat
2004-06-01 01:26 . 2004-05-30 05:36 50934 ---ha-w- c:\program files\hpothb07.tif
2004-05-30 05:37 . 2004-05-30 05:37 3005544 ----a-w- c:\program files\wedding card1.tif
2004-05-30 05:36 . 2004-05-30 05:36 9576032 ----a-w- c:\program files\wedding card.tif
2004-05-30 05:35 . 2004-05-30 05:35 9576008 ----a-w- c:\program files\Scan0001.tif
.
Code: Select all
<pre>
c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe
c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr .exe
c:\program files\Spybot - Search & Destroy\TeaTimer .exe
</pre>


((((((((((((((((((((((((((((( SnapShot_2010-06-19_01.05.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-23 14:03 . 2010-06-23 14:03 16384 c:\windows\Temp\Perflib_Perfdata_6c.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2004-03-23 14:22 . 2004-03-23 14:22 151597 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

2003-02-13 07:01 . 2003-02-13 07:01 155648 c:\program files\Common Files\Sonic\Update Manager\bak\sgtray.exe

2004-03-23 14:20 . 2003-08-27 01:47 204800 c:\program files\Dell\Media Experience\bak\PCMService.exe

2004-03-23 14:28 . 2004-09-23 00:20 53248 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe

2004-03-23 14:22 . 2004-12-25 17:15 77824 c:\program files\QuickTime\bak\qttask.exe
2009-05-26 22:18 . 2009-05-26 22:18 413696 c:\program files\QuickTime\QTTask.exe

2002-07-30 16:35 . 2002-07-30 16:35 77824 c:\program files\Symantec_Client_Security\Symantec AntiVirus\bak\vptray.exe

2004-12-05 01:14 . 2003-06-11 07:52 380928 c:\program files\Visual Networks\Visual IP InSight\SBC\bak\IPClient.exe

2004-12-05 01:14 . 2003-06-11 07:52 122880 c:\program files\Visual Networks\Visual IP InSight\SBC\bak\IPMon32.exe

2002-08-09 23:09 . 2002-08-09 23:09 118784 c:\windows\bak\MXOaldr.exe

2002-08-29 11:00 . 2004-08-04 07:56 15360 c:\windows\SYSTEM32\bak\ctfmon.exe
2002-08-29 11:00 . 2004-08-04 07:56 15360 c:\windows\SYSTEM32\ctfmon.exe

1980-01-01 06:00 . 2005-01-23 15:31 126976 c:\windows\SYSTEM32\bak\hkcmd.exe

1980-01-01 06:00 . 2005-01-23 15:36 155648 c:\windows\SYSTEM32\bak\igfxtray.exe

2002-03-19 22:30 . 2002-03-19 22:30 45632 c:\windows\SYSTEM32\bak\taskswitch.exe

2004-03-23 14:20 . 2003-08-06 07:04 114741 c:\windows\SYSTEM32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue RegistryBooster 2"="c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [N/A]
"Run StartupMonitor"="StartupMonitor.exe" [2000-05-20 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-07-13 19:03 292128 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 22:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCHotKey]
c:\progra~1\RINGCE~1\RINGCE~1\RCHotKey.exe [N/A]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=
"c:\\Program Files\\Microsoft Games\\Age of Mythology\\aomx.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\FileVOoM Pro\\FileVOoM.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R0 SymDS;Symantec Data Store;c:\windows\SYSTEM32\DRIVERS\N360\0402000.00C\symds.sys [6/10/2010 9:43 AM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\N360\0402000.00C\symefa.sys [6/10/2010 9:43 AM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100619.001\BHDrvx86.sys [6/22/2010 5:36 PM 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\SYSTEM32\DRIVERS\N360\0402000.00C\cchpx86.sys [6/10/2010 9:43 AM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\SYSTEM32\DRIVERS\N360\0402000.00C\ironx86.sys [6/10/2010 9:43 AM 116784]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [12/18/2009 11:25 AM 189736]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.2.0.12\ccsvchst.exe [6/10/2010 9:42 AM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/10/2010 7:22 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100622.001\IDSXpx86.sys [6/22/2010 8:39 PM 331640]
S2 kkkkk;Command Service;c:\windows\Sm9obm55IFBhbnRz\command.exe --> c:\windows\Sm9obm55IFBhbnRz\command.exe [?]
S4 Seti;Seti;c:\windows\seti\SRVANY.EXE [6/11/2004 10:09 PM 13312]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon
.
Contents of the 'Scheduled Tasks' folder

2010-06-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2008-01-04 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4191349867.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 22:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: classmates.com\www
Trusted Zone: wnemail.com
Trusted Zone: yahoo.com
Trusted Zone: yahoo.com\ad
Trusted Zone: yahoo.com\ads.auctions
Trusted Zone: yahoo.com\adserver
Trusted Zone: yahoo.com\geo
Trusted Zone: yahoo.com\geocities
Trusted Zone: yahoo.com\images
Trusted Zone: yahoo.com\java
Trusted Zone: yahoo.com\java.europe
Trusted Zone: yahoo.com\promo
Trusted Zone: yahoo.com\promotions
Trusted Zone: yahoo.com\red.clientapps
Trusted Zone: yahoo.com\srd
Trusted Zone: yahoo.com\st21
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Johnny Pants\Application Data\Mozilla\Firefox\Profiles\xikpd5yo.default\
FF - prefs.js: browser.search.selectedEngine - Google.com (in English)
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\Johnny Pants\Application Data\Mozilla\Firefox\Profiles\xikpd5yo.default\extensions\{f2257711-226b-4529-8e1d-e82e1c55ebd8}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Johnny Pants\Application Data\Mozilla\Firefox\Profiles\xikpd5yo.default\extensions\{f2257711-226b-4529-8e1d-e82e1c55ebd8}\components\RadioWMPCore.dll
FF - plugin: c:\documents and settings\Johnny Pants\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Johnny Pants\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPcol308.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-23 09:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.2.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1720)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-06-23 09:58:11
ComboFix-quarantined-files.txt 2010-06-23 14:58
ComboFix2.txt 2010-06-19 01:09
ComboFix3.txt 2010-06-16 01:40

Pre-Run: 13,804,548,096 bytes free
Post-Run: 13,785,939,968 bytes free

- - End Of File - - CEE5C523311E6FB59E889026897C2FA0
You do not have the required permissions to view the files attached to this post.
JohnnyB
Regular Member
 
Posts: 30
Joined: June 4th, 2010, 11:50 am

Re: Virus? denying access to security websites and redirecti

Unread postby Airscape » June 23rd, 2010, 7:51 pm

Hi, still the same problem, you seem to be running Combofix from the downloads folder, and using a shortcut for the CFScript.
Running from: c:\documents and settings\Johnny Pants\My Documents\downloads\ComboFixghi.exe
Command switches used :: c:\documents and settings\Johnny Pants\Desktop\CFScript.txt.lnk



Please do this:

Delete these and ALL CF and CFScripts in the downloads folder:
c:\documents and settings\Johnny Pants\My Documents\downloads\ComboFixghi.exe
c:\documents and settings\Johnny Pants\Desktop\CFScript.txt.lnk


Turn off Norton Internet Security

  • Start Norton Internet Security.
  • In the left pane, click Status & Settings.
  • Click Security.
  • Click Turn off.

Download a new copy of ComboFix.exe Here and save it directly to your desktop
Do not rename it unless instructed.

Now open Notepad (start > run > type notepad > ok)

Copy/Paste the following text Inside the code box into Notepad:

Code: Select all
KillAll::

File::
c:\documents and settings\All Users\Application Data\2cV2301.dat

Driver::
kkkkk

Folder::
C:\!KillBox
c:\program files\Spybot - Search & Destroy
c:\program files\Lavasoft
c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
c:\documents and settings\Johnny Pants\Application Data\Lavasoft
c:\documents and settings\All Users\Application Data\McAfee
c:\windows\Sm9obm55IFBhbnRz
c:\program files\Coupons
c:\program files\Common Files\Real\Update_OB\bak
c:\program files\Common Files\Sonic\Update Manager\bak
c:\program files\Dell\Media Experience\bak
c:\program files\MUSICMATCH\MUSICMATCH Jukebox\bak
c:\program files\QuickTime\bak
c:\program files\Symantec_Client_Security\Symantec AntiVirus\bak
c:\program files\Visual Networks\Visual IP InSight\SBC\bak
c:\windows\bak
c:\windows\SYSTEM32\bak
c:\windows\SYSTEM32\dla\bak

RenV::
c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe
c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr .exe
c:\program files\Spybot - Search & Destroy\TeaTimer .exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue RegistryBooster 2"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCHotKey]

DDS::
Trusted Zone: classmates.com\www
Trusted Zone: wnemail.com
Trusted Zone: yahoo.com
Trusted Zone: yahoo.com\ad
Trusted Zone: yahoo.com\ads.auctions
Trusted Zone: yahoo.com\adserver
Trusted Zone: yahoo.com\geo
Trusted Zone: yahoo.com\geocities
Trusted Zone: yahoo.com\images
Trusted Zone: yahoo.com\java
Trusted Zone: yahoo.com\java.europe
Trusted Zone: yahoo.com\promo
Trusted Zone: yahoo.com\promotions
Trusted Zone: yahoo.com\red.clientapps
Trusted Zone: yahoo.com\srd
Trusted Zone: yahoo.com\st21


Save this file as CFScript.txt to your desktop.

Now drag the CFScript.txt file into ComboFix.exe as shown in the animation below... This will start ComboFix again.

Image
When finished, it shall produce a log for you. Please post this log in your next reply, it can also be found at C:\ComboFix.txt.
The tool may require a reboot - this is normal.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
User avatar
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: Virus? denying access to security websites and redirecti

Unread postby NonSuch » June 27th, 2010, 12:10 am

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27304
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove

Previous

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 21 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware