
Hit by malware/trojan horse/virus, now Firefox is hijacked

Post by nvguy » February 26th, 2011, 3:41 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:47 AM, on 2/26/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\ZoneLabs\ZoneAlarm\zlclient.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\User\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: ZoneAlarm Spy Blocker Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\ZoneLabs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 3915 bytes

-----

Uninstall list:

Ad-Aware
Ad-Aware
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.8
Adobe Shockwave Player 11.5
AfterWorld Alpha
Apple Application Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AVG 2011
AVG 2011
AVG 2011
AVG PC Tuneup 2011
Compatibility Pack for the 2007 Office system
Convert Doc
DivX Setup
Entropia Universe
Final Draft 6
Full Tilt Poker
HijackThis 2.0.2
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB928388)
Hotfix for Windows XP (KB929120)
Image Resizer Powertoy for Windows XP
IrfanView (remove only)
J2SE Runtime Environment 5.0 Update 6
Masque World Class Poker
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Professional
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.5.3)
MSXML 4.0 SP2 (KB927978)
Nero 7 Essentials
Nero Suite
NET Installation Assistance for VB6 App (Runtime Only)
OpenAL
Opera 10.50
PCTEL 2304WT V.9x MDC Modem Drivers
PokerStars
PowerDVD 5.7
Safari
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Shogun Total War - Battle Trainer Test
Spybot - Search & Destroy
The Unblock Websites Proxy Program (a freeware Websites Proxy P
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925876)
VC 9.0 Runtime
VC80CRTRedist - 8.0.50727.4053
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinZip
ZoneAlarm

-----

Description of problem.

Two days ago I was doing a search on the web (a job site) and
suddenly got a bogus looking screen that said my computer is
infected. I tried to run Spybot, Ad-Aware, HijackThis
and Task Manager, but in each case it said the respective programs
were infected.

I did a safe boot (F8) and told the PC to boot with a version of
one week ago. It booted without the bogus messages, but now when
I run Firefox a new window comes up pointing me to phony looking
"contest and prizes" sites, along with an ID apparently from the
malware creator. Sometimes it even opens google.com with an ID
attached to it. (I can add the full sites if you'd like.)
I installed AVG and did a full scan but it didn't turn up anything.

Now the computer runs at an EXTREMELY slow snail's pace and the
bogus windows keep coming up.

Thanks in advance for your help.
Yes, this is a home computer.
Also, any suggestions for software or freeware that would prevent
this in the future would be appreciated.

nvguy
Active Member
 
Posts: 14
Joined: February 26th, 2011, 3:01 pm

Re: Hit by malware/trojan horse/virus, now Firefox is hijack

Post by Gary R » February 27th, 2011, 3:27 am

Looking over your log, back soon.
Gary R
Administrator
 
Posts: 21872
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Hit by malware/trojan horse/virus, now Firefox is hijack

Post by Gary R » February 27th, 2011, 3:35 am

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Unless informed of in advance, failure to post replies within 3 days will result in this thread being closed.


Hi nvguy

I'm Gary R, I'll be glad to help you with your computer problems.

Before we start: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
  • Don't attempt to install any new software (other than those I ask you to) until we've got your computer clean.
  • Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process. If your defensive programmes warn you about any of those tools, be assured that they are not infected, and are safe to use.
If you can do these things, everything should go smoothly.
  • If you're using XP, you'll need Administrator privileges to perform the fixes. (XP accounts are Administrator by default)
  • If you're using Vista or Windows 7, it will be necessary to right click all tools we use and select ----> Run as Administrator
Important As I said earlier removing Malware is a potentially hazardous thing to do, so to increase our chances of recovery in the event of something unexpected happening, I'd like you to make a backup of your Registry before we start to clean your computer.
  • Download ERUNT to your desktop
  • Alternate Download
  • Double-click on erunt_setup.exe to install the program
  • Untick the NTREGOPT desktop shortcut option
  • Click No when you get the option to run Erunt at Windows startup.
  • During the installation, tick Launch Erunt.
  • Accept the default options for running a backup.
  • Erunt will then backup your registry.
  • Click OK to finish.
  • If you are unable to back up your Registry with ERUNT ....
    • Let me know.
    • Do not follow any further instructions until I tell you to.
It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


Before we start, may I draw your attention to the following forum rule .... HERE .... I ask that you pay particular attention to the section on XP computers with Service Pack 2 installed.

Windows XP SP 2 must be updated to SP3 once the computer is free from infection.


If that requirement is not acceptable to you, please let me know now.

Next


  • Download MGA Diagnostic Tool to your Desktop.
  • Double click MGADiag.exe to launch the programme.
  • Click Continue and let the scan run.
  • When finished it will have created a log.
  • Click Copy.
  • Next open Notepad.
    • Click Start > Run type Notepad click OK.
    • This will open an empty Notepad file.
    • Right click in the empty file and choose Paste to copy the log from MGA Diagnostics into it.
    • Save the file to your Desktop.
  • Close MGA Diagnostic Tool.
  • Copy/Paste the log in your next reply please.

Next

Download DDS and save it to your Desktop (must be in this location).
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both to your Desktop.
  • Copy/Paste the contents of both into your next reply please.

Summary of the logs I need from you in your next post:
  • DDS.txt
  • Attach.txt
  • MGA Diagnostic log


Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections.
Gary R
Administrator
 
Posts: 21872
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Hit by malware/trojan horse/virus, now Firefox is hijack

Post by nvguy » February 27th, 2011, 5:20 pm

Gary,

Thank you for your reply. For someone who is reasonably computer literate, I'm surprised that I didn't know Microsoft dropped support for XP SP2. I'll update it to SP3 when you say the word.

While I was waiting to hear from you I read several posts and they said to delete AVG and Ad-Aware, so I went ahead and deleted them. Some fragments are showing up in the log files though. I'll wait to hear from you before doing anything else on the computer.

The damaged computer can now only boot into safe mode and can't access the internet. Fortunately I have a physically damaged laptop that still works on the web so I was able to download the file. All three logs are attached below.

Can you point me to a link or suggest software I should have running to prevent problems like this in the future?

Thanks,

nvguy
Active Member
 
Posts: 14
Joined: February 26th, 2011, 3:01 pm

Re: Hit by malware/trojan horse/virus, now Firefox is hijack

Post by nvguy » February 27th, 2011, 5:33 pm

[PS I forgot to mention that it only boots into Active Desktop Recovery and when I click Restore my Active Desktop I get the message: "An error has occurred in the script on this page" and points to Desktop.htt. I did manage to copy my needed files to a usb drive so that part is okay.]



MGA report:

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-T6DFB-Y934T-YD4YT
Windows Product Key Hash: 3g4CZGFEDgbKmn/oB4pa2FZsssU=
Windows Product ID: 76487-OEM-2211906-00102
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010100.2.0.pro
ID: {26F53FC7-682F-43D8-9E38-BDE0F7B96446}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.5.540.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: 0
File Exists: Yes
Version: 1.5.540.0
WgaTray.exe Signed By: Microsoft
WgaLogon.dll Signed By: Microsoft

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{26F53FC7-682F-43D8-9E38-BDE0F7B96446}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.2.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-YD4YT</PKey><PID>76487-OEM-2211906-00102</PID><PIDType>2</PIDType><SID>S-1-5-21-1708537768-854245398-2146880243</SID><SYSTEM><Manufacturer>Dell Computer Corporation</Manufacturer><Model>Latitude C610 </Model></SYSTEM><BIOS><Manufacturer>Dell Computer Corporation</Manufacturer><Version>A16</Version><SMBIOSVersion major="2" minor="3"/><Date>20030516000000.000000+000</Date><SLPBIOS>Dell System,Dell Computer,Dell System,Dell System</SLPBIOS></BIOS><HWID>7DCA3107018400DE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Pacific Standard Time(GMT-08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification><File Name="WgaTray.exe" Version="1.5.540.0"/><File Name="WgaLogon.dll" Version="1.5.540.0"/></GANotification></MachineData> <Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: C000:Dell Inc|C000:Microsoft Corporation
Marker string from OEMBIOS.DAT: Dell System,Dell Computer,Dell System,Dell System

OEM Activation 2.0 Data-->
N/A
nvguy
Active Member
 
Posts: 14
Joined: February 26th, 2011, 3:01 pm

Re: Hit by malware/trojan horse/virus, now Firefox is hijack

Post by nvguy » February 27th, 2011, 5:34 pm

DDS.txt:


DDS (Ver_10-12-12.02) - NTFSx86
Run by User at 12:24:30.41 on Sun 02/27/2011
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.235 [GMT -8:00]

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\ZoneLabs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
TB: ZoneAlarm Spy Blocker Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [ZoneAlarm Client] "c:\program files\zonelabs\zonealarm\zlclient.exe"
uPolicies-explorer: NoStartMenuEjectPC = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: NoNetworkConnections = 1 (0x1)
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shoc ... tor/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\f4s0qjsz.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - mail.yahoo.com
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-11-5 64288]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-9-16 353672]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 wldel48b;Dell TrueMobile 1150 Series PCCard Driver;c:\windows\system32\drivers\wldel48b.sys [2006-12-8 171520]

=============== Created Last 30 ================

2011-02-25 04:10:23 -------- d-----w- c:\docume~1\user\applic~1\AVG10
2011-02-25 04:05:27 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2011-02-25 04:01:23 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2011-02-25 03:16:25 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-02-25 03:03:27 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-02-25 03:03:27 -------- d-----w- c:\windows\system32\wbem\Repository
2011-02-25 02:55:39 -------- d-----w- c:\program files\UWPP
2011-02-25 02:25:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton
2011-02-25 01:37:03 -------- d-----w- c:\program files\AVAST Software
2011-02-25 01:37:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVAST Software
2011-02-24 23:41:24 -------- d-----w- c:\docume~1\alluse~1\applic~1\oCiJlBg08200
2011-02-22 01:35:21 -------- d-----w- C:\dev
2011-02-14 19:01:30 -------- d-----w- c:\program files\MSECache
2011-02-14 18:47:12 24 ----a-w- c:\windows\SW_Win3112X32.DLL
2011-02-12 03:38:53 -------- d-----w- c:\program files\AfterWorld3

==================== Find3M ====================

2011-01-19 00:01:00 1119232 ----a-w- c:\windows\system32\tx16.dll
2011-01-18 13:34:00 582144 ----a-w- c:\windows\system32\tx16_rtf.dll
2011-01-18 12:01:00 155136 ----a-w- c:\windows\system32\tx16_ic.dll
2011-01-18 09:33:00 687104 ----a-w- c:\windows\system32\tx16_pdf.dll
2011-01-17 12:02:00 241664 ----a-w- c:\windows\system32\tx16_tls.dll
2011-01-17 11:05:00 573440 ----a-w- c:\windows\system32\tx16_htm.dll
2011-01-17 10:08:00 435200 ----a-w- c:\windows\system32\tx16_css.dll
2011-01-17 09:20:00 187904 ----a-w- c:\windows\system32\tx16_jpg.flt
2011-01-17 09:12:00 1047552 ----a-w- c:\windows\system32\tx16_dox.dll
2011-01-05 16:54:14 2965504 ----a-w- c:\windows\system32\beconvlib.dll
2011-01-04 05:51:16 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2011-01-04 05:51:16 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2010-12-23 20:25:44 327680 ----a-w- c:\windows\system32\WordConverterX2.ocx
2010-12-22 13:22:00 706048 ----a-w- c:\windows\system32\tx16_doc.dll
2010-12-15 11:00:00 380928 ----a-w- c:\windows\system32\tx4ole16.ocx
1998-12-09 02:53:54 99840 ----a-w- c:\program files\common files\IRAABOUT.DLL
1998-12-09 02:53:54 70144 ----a-w- c:\program files\common files\IRAMDMTR.DLL
1998-12-09 02:53:54 48640 ----a-w- c:\program files\common files\IRALPTTR.DLL
1998-12-09 02:53:54 31744 ----a-w- c:\program files\common files\IRAWEBTR.DLL
1998-12-09 02:53:54 186368 ----a-w- c:\program files\common files\IRAREG.DLL
1998-12-09 02:53:54 17920 ----a-w- c:\program files\common files\IRASRIAL.DLL

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HTS424030M9AT00 rev.MAAOA71A -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82F87439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x82f8d7b8]; MOV EAX, [0x82f8d834]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37C5] -> \Device\Harddisk0\DR0[0x82F3FAB8]
3 CLASSPNP[0xF873705B] -> nt!IofCallDriver[0x804E37C5] -> [0x82F32680]
\Driver\atapi[0x82F11530] -> IRP_MJ_CREATE -> 0x82F87439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHitachi_HTS424030M9AT00_________________MAAOA71A#5&32fa7f7a&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x82F8727F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 12:26:13.93 ===============
nvguy
Active Member
 
Posts: 14
Joined: February 26th, 2011, 3:01 pm
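The HijackThis log in the first post and the DDS "Pseudo HJT Report" above are read by eye by the helper: orphaned toolbar entries marked "(file missing)", services with no publisher, ActiveX download (O16/DPF) sources, the explorer policy restrictions (NoNetworkConnections and friends) that rogue-AV infections set to lock the user out, and a start page reset to about:blank. The script below is an added example, not part of this thread, of HijackThis or of DDS; it parses those line types and applies the same checks. The severity labels, the allow-list of ActiveX download hosts and the list of lockout policies are assumptions made for the example, not vetted reference data, and the sample input is built from lines copied out of the two logs above (with the wrapped HJT lines joined back together).

```python
"""Triage helper for HijackThis-style and DDS "Pseudo HJT" log lines.

Added example for this thread; it is not part of the forum post, of
HijackThis, or of DDS. The severity labels, TRUSTED_DPF_HOSTS and
LOCKOUT_POLICIES are assumptions made for the example.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hosts treated as expected sources of O16/DPF ActiveX downloads (assumption).
TRUSTED_DPF_HOSTS = {"platformdl.adobe.com", "download.macromedia.com", "java.sun.com"}

# Explorer policy values rogue-AV hijackers commonly set to lock the user out
# of networking, the Start menu and the Control Panel (assumption).
LOCKOUT_POLICIES = {
    "NoNetworkConnections", "NoSMConfigurePrograms", "NoStartMenuEjectPC",
    "NoControlPanel", "NoRun", "NoFolderOptions",
}

POLICY_RE = re.compile(r"^[umx]Policies-\w+:\s+(?P<name>\w+)\s*=\s*(?P<value>\d+)")
# DDS defangs URLs as hxxp://; HijackThis leaves http:// intact.
URL_HOST_RE = re.compile(r"h(?:tt|xx)ps?://([^/\s]+)", re.IGNORECASE)


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    kind: str
    line: str


def _download_host(line: str) -> Optional[str]:
    m = URL_HOST_RE.search(line)
    return m.group(1).lower() if m else None


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing stands out."""
    s = line.strip()
    if not s:
        return None
    # O3: a toolbar registration whose DLL is gone; an orphaned entry that
    # the helper normally removes with HJT's fix function.
    if s.startswith("O3 -") and "(file missing)" in s:
        return Finding("medium", "toolbar-dll-missing", s)
    # O23: a service with no recorded publisher deserves a look, not alarm.
    if s.startswith("O23 -") and "Unknown owner" in s:
        return Finding("info", "service-unknown-owner", s)
    # O16 (HJT) / DPF (DDS): ActiveX controls downloaded from the web.
    if s.startswith("O16 -") or s.startswith("DPF:"):
        host = _download_host(s)
        if host is None or host not in TRUSTED_DPF_HOSTS:
            return Finding("medium", "dpf-untrusted-host", s)
        return None
    # uPolicies/mPolicies (DDS): explorer restrictions typical of rogue AV.
    m = POLICY_RE.match(s)
    if m and m.group("name") in LOCKOUT_POLICIES and m.group("value") != "0":
        return Finding("high", "explorer-lockout-policy", s)
    # R0 (HJT) / uStart Page (DDS): start page reset to blank. Weak signal.
    if "Start Page = about:blank" in s:
        return Finding("info", "startpage-blank", s)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line and keep the findings, in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, e.g. {'high': 3, 'medium': 1, 'info': 2}."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample: lines copied from the HijackThis and DDS logs in this
# thread (the forum-wrapped HJT lines joined back together).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: ZoneAlarm Spy Blocker Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\ZoneLabs\ZoneAlarm\zlclient.exe"
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
uPolicies-explorer: NoStartMenuEjectPC = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: NoNetworkConnections = 1 (0x1)
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind:24} {f.line[:70]}")
    print(summarize(triage(SAMPLE_LOG)))
```

On the sample the three uPolicies-explorer lines are the only high-severity hits, which matches what the DDS log shows: the explorer restrictions are the part of the infection that survived the System Restore, while the HJT entries themselves are largely legitimate software. The checks are deliberately conservative; a run that reports nothing does not mean the machine is clean, which is exactly the point made in the helper's rules above.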

Re: Hit by malware/trojan horse/virus, now Firefox is hijack

Post by nvguy » February 27th, 2011, 5:36 pm

Attach.txt:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 8/18/2006 8:59:42 AM
System Uptime: 2/27/2011 4:26:33 AM (8 hours ago)

Motherboard: Dell Computer Corporation | | Latitude C610
Processor: Intel(R) Pentium(R) III Mobile CPU 1000MHz | Microprocessor | 996/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 28 GiB total, 13.943 GiB free.
D: is CDROM (CDFS)
E: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Dell TrueMobile 1150 Series Mini PCI Card
Device ID: PCMCIA\DELL-TRUEMOBILE_1150_SERIES_PC_CARD-C043\1
Manufacturer: Dell Corporation
Name: Dell TrueMobile 1150 Series Mini PCI Card
PNP Device ID: PCMCIA\DELL-TRUEMOBILE_1150_SERIES_PC_CARD-C043\1
Service: wldel48b

==== System Restore Points ===================

RP232: 2/1/2011 9:56:01 PM - System Checkpoint
RP233: 2/2/2011 11:08:55 PM - System Checkpoint
RP234: 2/3/2011 11:35:11 PM - System Checkpoint
RP235: 2/4/2011 11:43:16 PM - System Checkpoint
RP236: 2/6/2011 12:26:22 AM - System Checkpoint
RP237: 2/7/2011 12:32:37 AM - System Checkpoint
RP238: 2/8/2011 2:48:48 AM - System Checkpoint
RP239: 2/9/2011 3:49:31 AM - System Checkpoint
RP240: 2/10/2011 4:02:59 AM - System Checkpoint
RP241: 2/11/2011 6:01:54 AM - System Checkpoint
RP242: 2/12/2011 8:02:03 AM - System Checkpoint
RP243: 2/13/2011 8:34:14 AM - System Checkpoint
RP244: 2/14/2011 11:01:55 AM - Installed Compatibility Pack for the 2007 Office system
RP245: 2/15/2011 11:55:04 AM - System Checkpoint
RP246: 2/16/2011 6:32:04 PM - System Checkpoint
RP247: 2/17/2011 10:21:16 PM - System Checkpoint
RP248: 2/18/2011 11:48:10 PM - System Checkpoint
RP249: 2/20/2011 2:18:55 AM - System Checkpoint
RP250: 2/22/2011 10:48:40 PM - System Checkpoint
RP251: 2/23/2011 10:56:34 PM - System Checkpoint
RP252: 2/24/2011 6:55:17 PM - Restore Operation
RP253: 2/24/2011 7:59:59 PM - Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
RP254: 2/24/2011 8:00:18 PM - Installed AVG 2011
RP255: 2/24/2011 8:01:04 PM - Installed AVG 2011
RP256: 2/26/2011 8:38:27 PM - System Checkpoint

==== Installed Programs ======================

Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.8
Adobe Shockwave Player 11.5
AfterWorld Alpha
Apple Application Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Compatibility Pack for the 2007 Office system
Convert Doc
DivX Setup
Entropia Universe
ERUNT 1.1j
Final Draft 6
Full Tilt Poker
HijackThis 2.0.2
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB928388)
Hotfix for Windows XP (KB929120)
Image Resizer Powertoy for Windows XP
IrfanView (remove only)
J2SE Runtime Environment 5.0 Update 6
Masque World Class Poker
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Professional
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.5.3)
MSXML 4.0 SP2 (KB927978)
Nero 7 Essentials
Nero Suite
NET Installation Assistance for VB6 App (Runtime Only)
OpenAL
Opera 10.50
PCTEL 2304WT V.9x MDC Modem Drivers
Poker4ever
PokerStars
PowerDVD 5.7
Safari
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Shogun Total War - Battle Trainer Test
Spybot - Search & Destroy
The Unblock Websites Proxy Program (a freeware Websites Proxy P
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925876)
VC 9.0 Runtime
VC80CRTRedist - 8.0.50727.4053
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinZip
ZoneAlarm

==== Event Viewer Messages From Past Week ========

2/26/2011 2:04:05 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
2/26/2011 2:04:05 PM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2/25/2011 4:02:29 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\wuweb.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 5.8.0.2469.
2/24/2011 8:08:56 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the AVGIDSAgent service to connect.
2/24/2011 8:08:56 PM, error: Service Control Manager [7000] - The AVGIDSAgent service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2/24/2011 6:51:34 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD aswRdr aswSnx aswSP aswTdi Cinemsup Fips IPSec MRxSmb NetBIOS NetBT P3 RasAcd Rdbss Tcpip vsdatant
2/24/2011 6:37:17 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
2/24/2011 6:30:00 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'SMR161.SYS' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
2/24/2011 5:37:44 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
2/24/2011 5:09:20 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
2/24/2011 5:09:11 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2/24/2011 5:08:55 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Cinemsup Fips IPSec MRxSmb NetBIOS NetBT P3 RasAcd Rdbss Tcpip vsdatant
2/24/2011 5:08:55 PM, error: Service Control Manager [7001] - The TrueVector Internet Monitor service depends on the vsdatant service which failed to start because of the following error: A device attached to the system is not functioning.
2/24/2011 5:08:55 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
2/24/2011 5:08:55 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/24/2011 5:08:55 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/24/2011 5:08:55 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
2/24/2011 4:35:39 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Lavasoft Ad-Aware Service service to connect.
2/24/2011 4:35:39 PM, error: Service Control Manager [7000] - The Lavasoft Ad-Aware Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2/24/2011 4:35:34 PM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
2/24/2011 4:35:34 PM, error: Service Control Manager [7031] - The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
2/24/2011 4:35:34 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
2/24/2011 3:52:31 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Media Player Network Sharing Service service to connect.
2/24/2011 3:52:31 PM, error: Service Control Manager [7000] - The Windows Media Player Network Sharing Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2/24/2011 3:52:07 PM, error: Service Control Manager [7000] - The Lavasoft Ad-Aware Service service failed to start due to the following error: Access is denied.
2/22/2011 1:29:33 PM, error: Dhcp [1002] - The IP address lease 75.141.202.174 for the Network Card with network address 00065BE2E910 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================
nvguy
Active Member
 
Posts: 14
Joined: February 26th, 2011, 3:01 pm

Re: Hit by malware/trojan horse/virus, now Firefox is hijack

Unread postby Gary R » February 27th, 2011, 6:43 pm

Looks like you have one of the TDL rootkit variants.

Download TDSSKiller.zip and extract it to your Desktop.

  • Double-click on TDSSKiller.exe to launch it.
    • If using Vista or Windows 7, when prompted by UAC allow the prompt.
  • Click on Start Scan
  • The scan will run.
  • When the scan has finished a list of detected items should be displayed.
  • Check to make sure the Cure option is selected in the drop down options. If cure is not available DO NOT select either Delete or Quarantine, just select Skip and let me know.
  • Please click on Continue
  • TDSSKiller will now attempt to clean the infection from your computer.
  • It will now ask for a reboot to complete the process; please click on Reboot now.
  • When finished re-booting, a log of the cleanup will be found at C:\TDSSKiller.2.4.0.0_DD.MM.YYYY_HH.MM.SS_log.txt (where DD.MM.YYYY_HH.MM.SS are the date and time the tool was run)
  • Post the contents in your next reply please.

Next

Please download Malwarebytes' Anti-Malware to your Desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.

  • Click on the Malwarebytes' Anti-Malware icon to launch the programme.
    • Click the Updates tab.
      • Click Check for Updates and allow the programme to download the latest definitions.
    • Click the Scanner tab.
      • Check Perform Quick Scan.
      • Click Scan and wait for the scan to complete.
      • When the scan is complete, click OK, then Show Results.
      • Check all items except items in the C:\System Volume Information folder and click on Remove Selected.
        • A box will pop-up telling you that files have been quarantined.
        • A log will pop-up.
      • Post the log in your next reply please.

You can also access the log by doing the following:
  • Click on the Logs tab.
    • Click on the log at the bottom of those listed to highlight it.
    • Click Open

Next

Please run a new scan with DDS and post me the new DDS.txt and Attach.txt logs please.

Summary of the logs I need from you in your next post:
  • TDSSKiller log
  • MBAM log
  • new DDS.txt
  • new Attach.txt

Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present; if any log is cut off you'll have to post it in sections.
Gary R
Administrator
 
Posts: 21872
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Hit by malware/trojan horse/virus, now Firefox is hijack

Unread postby nvguy » February 27th, 2011, 10:17 pm

TDSSKiller log:

2011/02/27 17:06:03.0256 3432 TDSS rootkit removing tool 2.4.18.0 Feb 21 2011 11:08:08
2011/02/27 17:06:05.0278 3432 ================================================================================
2011/02/27 17:06:05.0278 3432 SystemInfo:
2011/02/27 17:06:05.0278 3432
2011/02/27 17:06:05.0278 3432 OS Version: 5.1.2600 ServicePack: 2.0
2011/02/27 17:06:05.0278 3432 Product type: Workstation
2011/02/27 17:06:05.0278 3432 ComputerName: COMPUTER
2011/02/27 17:06:05.0278 3432 UserName: User
2011/02/27 17:06:05.0278 3432 Windows directory: C:\WINDOWS
2011/02/27 17:06:05.0278 3432 System windows directory: C:\WINDOWS
2011/02/27 17:06:05.0278 3432 Processor architecture: Intel x86
2011/02/27 17:06:05.0278 3432 Number of processors: 1
2011/02/27 17:06:05.0278 3432 Page size: 0x1000
2011/02/27 17:06:05.0278 3432 Boot type: Normal boot
2011/02/27 17:06:05.0278 3432 ================================================================================
2011/02/27 17:06:05.0899 3432 Initialize success
2011/02/27 17:06:18.0538 3452 ================================================================================
2011/02/27 17:06:18.0538 3452 Scan started
2011/02/27 17:06:18.0538 3452 Mode: Manual;
2011/02/27 17:06:18.0538 3452 ================================================================================
2011/02/27 17:06:19.0219 3452 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
2011/02/27 17:06:19.0419 3452 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/02/27 17:06:19.0689 3452 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/02/27 17:06:19.0940 3452 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
2011/02/27 17:06:20.0170 3452 AFD (5ac495f4cb807b2b98ad2ad591e6d92e) C:\WINDOWS\System32\drivers\afd.sys
2011/02/27 17:06:20.0290 3452 agp440 (2c428fa0c3e3a01ed93c9b2a27d8d4bb) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/02/27 17:06:20.0991 3452 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/02/27 17:06:21.0271 3452 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/02/27 17:06:21.0642 3452 ati2mtag (e82021ab2021a618199709af5da58074) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/02/27 17:06:21.0842 3452 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/02/27 17:06:22.0023 3452 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/02/27 17:06:22.0173 3452 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/02/27 17:06:22.0353 3452 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/02/27 17:06:22.0503 3452 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/02/27 17:06:22.0734 3452 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/02/27 17:06:22.0844 3452 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/02/27 17:06:23.0044 3452 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
2011/02/27 17:06:23.0254 3452 Cinemsup (f6a0f51706cb4b0d5b8718ff69f831ba) C:\WINDOWS\system32\drivers\Cinemsup.sys
2011/02/27 17:06:23.0395 3452 CmBatt (4266be808f85826aedf3c64c1e240203) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/02/27 17:06:23.0615 3452 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/02/27 17:06:23.0915 3452 cs429x (53e6f4b94eb64438164348df7dcf35c5) C:\WINDOWS\system32\drivers\cwawdm.sys
2011/02/27 17:06:24.0226 3452 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/02/27 17:06:24.0436 3452 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2011/02/27 17:06:24.0686 3452 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2011/02/27 17:06:24.0857 3452 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/02/27 17:06:24.0977 3452 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2011/02/27 17:06:25.0237 3452 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/02/27 17:06:25.0437 3452 EL90XBC (b61eaf446adf55cc0d0d5c5bbd3d1cae) C:\WINDOWS\system32\DRIVERS\el90xbc5.sys
2011/02/27 17:06:25.0608 3452 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/02/27 17:06:25.0818 3452 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/02/27 17:06:25.0928 3452 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2011/02/27 17:06:26.0118 3452 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/02/27 17:06:26.0319 3452 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/02/27 17:06:26.0519 3452 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/02/27 17:06:26.0599 3452 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/02/27 17:06:26.0799 3452 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/02/27 17:06:27.0010 3452 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/02/27 17:06:27.0190 3452 HTTP (cb77bb47e67e84deb17ba29632501730) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/02/27 17:06:27.0510 3452 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/02/27 17:06:27.0731 3452 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/02/27 17:06:27.0961 3452 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/02/27 17:06:28.0171 3452 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/02/27 17:06:28.0392 3452 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/02/27 17:06:28.0612 3452 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/02/27 17:06:28.0812 3452 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/02/27 17:06:28.0912 3452 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/02/27 17:06:29.0113 3452 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/02/27 17:06:29.0203 3452 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/02/27 17:06:29.0393 3452 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/02/27 17:06:29.0503 3452 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/02/27 17:06:29.0694 3452 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
2011/02/27 17:06:29.0944 3452 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/02/27 17:06:30.0214 3452 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys
2011/02/27 17:06:30.0525 3452 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/02/27 17:06:30.0615 3452 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2011/02/27 17:06:30.0825 3452 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/02/27 17:06:30.0925 3452 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/02/27 17:06:31.0116 3452 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/02/27 17:06:31.0216 3452 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/02/27 17:06:31.0376 3452 MRxSmb (025af03ce51645c62f3b6907a7e2be5e) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/02/27 17:06:31.0566 3452 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2011/02/27 17:06:31.0656 3452 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/02/27 17:06:31.0827 3452 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/02/27 17:06:31.0927 3452 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/02/27 17:06:32.0107 3452 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/02/27 17:06:32.0197 3452 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2011/02/27 17:06:32.0428 3452 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2011/02/27 17:06:32.0678 3452 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/02/27 17:06:32.0858 3452 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/02/27 17:06:33.0058 3452 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/02/27 17:06:33.0259 3452 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/02/27 17:06:33.0489 3452 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/02/27 17:06:33.0719 3452 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/02/27 17:06:33.0960 3452 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2011/02/27 17:06:34.0080 3452 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/02/27 17:06:34.0300 3452 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/02/27 17:06:34.0400 3452 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/02/27 17:06:34.0541 3452 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/02/27 17:06:34.0631 3452 P3 (3e16eff2a6fed2d8d7f5a66dfe65d183) C:\WINDOWS\system32\DRIVERS\p3.sys
2011/02/27 17:06:34.0721 3452 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/02/27 17:06:34.0901 3452 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/02/27 17:06:34.0991 3452 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/02/27 17:06:35.0191 3452 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/02/27 17:06:35.0512 3452 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/02/27 17:06:36.0113 3452 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/02/27 17:06:36.0373 3452 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/02/27 17:06:36.0614 3452 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/02/27 17:06:36.0824 3452 Ptserial (6a3fbbbba5f228b003ef64070f7b3fe4) C:\WINDOWS\system32\DRIVERS\ptserial.sys
2011/02/27 17:06:36.0904 3452 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/02/27 17:06:37.0345 3452 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/02/27 17:06:37.0625 3452 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/02/27 17:06:38.0026 3452 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/02/27 17:06:38.0176 3452 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/02/27 17:06:38.0286 3452 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/02/27 17:06:38.0536 3452 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/02/27 17:06:38.0757 3452 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/02/27 17:06:38.0947 3452 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/02/27 17:06:39.0157 3452 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/02/27 17:06:39.0428 3452 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/02/27 17:06:39.0728 3452 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/02/27 17:06:39.0788 3452 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/02/27 17:06:39.0948 3452 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/02/27 17:06:40.0199 3452 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
2011/02/27 17:06:40.0419 3452 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/02/27 17:06:40.0719 3452 srescan (bb1cc49b817d2551eb321f4a9afb7d8c) C:\WINDOWS\system32\ZoneLabs\srescan.sys
2011/02/27 17:06:40.0940 3452 Srv (ea554a3ffc3f536fe8320eb38f5e4843) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/02/27 17:06:41.0170 3452 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/02/27 17:06:41.0290 3452 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2011/02/27 17:06:41.0901 3452 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/02/27 17:06:42.0442 3452 Tcpip (1dbf125862891817f374f407626967f4) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/02/27 17:06:42.0682 3452 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/02/27 17:06:42.0832 3452 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/02/27 17:06:42.0923 3452 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/02/27 17:06:43.0163 3452 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2011/02/27 17:06:43.0363 3452 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
2011/02/27 17:06:43.0513 3452 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/02/27 17:06:43.0694 3452 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/02/27 17:06:43.0784 3452 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/02/27 17:06:43.0964 3452 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/02/27 17:06:44.0064 3452 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/02/27 17:06:44.0234 3452 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2011/02/27 17:06:44.0485 3452 Vmodem (09c2fcd4e379e6ab804a58caa2a3508b) C:\WINDOWS\system32\DRIVERS\vmodem.sys
2011/02/27 17:06:44.0735 3452 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/02/27 17:06:44.0925 3452 Vpctcom (081bc31edda73d40defd347e580f9144) C:\WINDOWS\system32\DRIVERS\vpctcom.sys
2011/02/27 17:06:45.0166 3452 vsdatant (13a225a31f8d64a395373e9434d2d1ab) C:\WINDOWS\system32\vsdatant.sys
2011/02/27 17:06:45.0476 3452 Vvoice (db18922f81e90d95e69f45ab8e9fc5c1) C:\WINDOWS\system32\DRIVERS\vvoice.sys
2011/02/27 17:06:45.0626 3452 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/02/27 17:06:45.0877 3452 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/02/27 17:06:46.0167 3452 wldel48b (c2ba2f3747057d06950a975e9ff50db0) C:\WINDOWS\system32\DRIVERS\wldel48b.sys
2011/02/27 17:06:46.0478 3452 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/02/27 17:06:46.0728 3452 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/02/27 17:06:46.0928 3452 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/02/27 17:06:47.0229 3452 ================================================================================
2011/02/27 17:06:47.0229 3452 Scan finished
2011/02/27 17:06:47.0229 3452 ================================================================================
2011/02/27 17:06:47.0279 3444 Detected object count: 1
2011/02/27 17:09:03.0244 3444 \HardDisk0 - will be cured after reboot
2011/02/27 17:09:03.0244 3444 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/02/27 17:09:40.0558 3424 Deinitialize success
nvguy
Active Member
 
Posts: 14
Joined: February 26th, 2011, 3:01 pm
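The TDSSKiller log posted above follows a fixed line format (timestamp, thread id, message), so the points Gary R's instructions ask the poster to check can be extracted mechanically. As an added example that is not part of this thread or of Kaspersky's tool, here is a small Python parser that pulls out the enumerated drivers with their MD5s, the detected objects, the declared object count and the action chosen, and flags any detection that was not set to Cure; the embedded sample log is a constructed excerpt in the format shown on this page.

```python
"""Parser for TDSSKiller text logs (format as seen in the thread above).

Example code written for this thread, not part of TDSSKiller itself.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Every line starts with "YYYY/MM/DD HH:MM:SS.ffff <thread-id> <message>"; the
# message may be empty (see the blank SystemInfo line in the real log).
_LINE = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) (?P<tid>\d+)\s*(?P<msg>.*)$")
_DRIVER = re.compile(r"^(?P<name>\S+) \((?P<md5>[0-9a-fA-F]{32})\) (?P<path>\S.*)$")
_DETECT = re.compile(r"^(?P<obj>.+?) - detected (?P<verdict>\S+) \((?P<flags>\d+)\)$")
_CURE = re.compile(r"^(?P<obj>.+?) - will be cured after reboot$")
_ACTION = re.compile(r"^(?P<verdict>[^()]+)\((?P<obj>[^()]+)\) - User select action: (?P<action>\w+)$")
_COUNT = re.compile(r"^Detected object count: (?P<n>\d+)$")


@dataclass
class TdssReport:
    drivers: list = field(default_factory=list)       # (name, md5, path) per enumerated driver
    detections: list = field(default_factory=list)    # {"obj", "verdict", "flags"}
    actions: dict = field(default_factory=dict)       # object -> action the user selected
    pending_cure: list = field(default_factory=list)  # objects TDSSKiller will cure on reboot
    declared_count: Optional[int] = None              # "Detected object count: N"
    scan_finished: bool = False


def parse_tdsskiller_log(text: str) -> TdssReport:
    rep = TdssReport()
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue  # blank line or pasted noise, not a log record
        msg = m.group("msg").strip()
        if not msg or msg.startswith("="):
            continue  # separator rules and the empty SystemInfo line
        if msg == "Scan finished":
            rep.scan_finished = True
        elif (d := _DRIVER.match(msg)):
            rep.drivers.append((d["name"], d["md5"].lower(), d["path"]))
        elif (d := _DETECT.match(msg)):
            rep.detections.append({"obj": d["obj"], "verdict": d["verdict"], "flags": int(d["flags"])})
        elif (d := _CURE.match(msg)):
            rep.pending_cure.append(d["obj"])
        elif (d := _ACTION.match(msg)):
            rep.actions[d["obj"]] = d["action"]
        elif (d := _COUNT.match(msg)):
            rep.declared_count = int(d["n"])
    return rep


def summarize(rep: TdssReport) -> dict:
    """Reduce a parsed log to what a helper checks before moving to the next tool."""
    needs_attention = []
    for det in rep.detections:
        action = rep.actions.get(det["obj"])
        # The instructions say: if Cure is not offered, choose Skip and report back,
        # so any detection without a recorded Cure is flagged for the helper.
        if action != "Cure":
            needs_attention.append((det["obj"], det["verdict"], action or "none"))
    return {
        "scan_complete": rep.scan_finished,
        "driver_count": len(rep.drivers),
        "detected": [(d["obj"], d["verdict"]) for d in rep.detections],
        "count_matches": rep.declared_count is None or rep.declared_count == len(rep.detections),
        "pending_cure": list(rep.pending_cure),
        "needs_attention": needs_attention,
    }


# Constructed excerpt in the page's log format (a handful of lines, not the full log).
SAMPLE_LOG = r"""
2011/02/27 17:06:03.0256 3432 TDSS rootkit removing tool 2.4.18.0 Feb 21 2011 11:08:08
2011/02/27 17:06:05.0278 3432 ================================================================================
2011/02/27 17:06:05.0278 3432 SystemInfo:
2011/02/27 17:06:05.0278 3432
2011/02/27 17:06:05.0278 3432 OS Version: 5.1.2600 ServicePack: 2.0
2011/02/27 17:06:18.0538 3452 Scan started
2011/02/27 17:06:19.0219 3452 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
2011/02/27 17:06:20.0170 3452 AFD (5ac495f4cb807b2b98ad2ad591e6d92e) C:\WINDOWS\System32\drivers\afd.sys
2011/02/27 17:06:45.0166 3452 vsdatant (13a225a31f8d64a395373e9434d2d1ab) C:\WINDOWS\system32\vsdatant.sys
2011/02/27 17:06:46.0928 3452 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/02/27 17:06:47.0229 3452 Scan finished
2011/02/27 17:06:47.0279 3444 Detected object count: 1
2011/02/27 17:09:03.0244 3444 \HardDisk0 - will be cured after reboot
2011/02/27 17:09:03.0244 3444 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/02/27 17:09:40.0558 3424 Deinitialize success
"""

if __name__ == "__main__":
    for key, value in summarize(parse_tdsskiller_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```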

Re: Hit by malware/trojan horse/virus, now Firefox is hijack

Unread postby nvguy » February 27th, 2011, 10:20 pm

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5363

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

2/27/2011 5:32:51 PM
mbam-log-2011-02-27 (17-32-51).txt

Scan type: Quick scan
Objects scanned: 168263
Time elapsed: 6 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
nvguy
Active Member
 
Posts: 14
Joined: February 26th, 2011, 3:01 pm

Re: Hit by malware/trojan horse/virus, now Firefox is hijack

Unread postby nvguy » February 27th, 2011, 10:21 pm

DDS (Ver_10-12-12.02) - NTFSx86
Run by User at 17:38:51.42 on Sun 02/27/2011
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.313 [GMT -8:00]

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\ZoneLabs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
TB: ZoneAlarm Spy Blocker Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [ZoneAlarm Client] "c:\program files\zonelabs\zonealarm\zlclient.exe"
uPolicies-explorer: NoStartMenuEjectPC = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: NoNetworkConnections = 1 (0x1)
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shoc ... tor/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\f4s0qjsz.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - mail.yahoo.com
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-11-5 64288]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-9-16 353672]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 wldel48b;Dell TrueMobile 1150 Series PCCard Driver;c:\windows\system32\drivers\wldel48b.sys [2006-12-8 171520]

=============== Created Last 30 ================

2011-02-28 01:18:45 -------- d-----w- c:\docume~1\user\applic~1\Malwarebytes
2011-02-28 01:17:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-28 01:17:56 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-02-28 01:17:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-28 01:17:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-25 04:10:23 -------- d-----w- c:\docume~1\user\applic~1\AVG10
2011-02-25 04:05:27 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2011-02-25 04:01:23 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2011-02-25 03:16:25 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-02-25 03:03:27 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-02-25 03:03:27 -------- d-----w- c:\windows\system32\wbem\Repository
2011-02-25 02:55:39 -------- d-----w- c:\program files\UWPP
2011-02-25 02:25:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton
2011-02-25 01:37:03 -------- d-----w- c:\program files\AVAST Software
2011-02-25 01:37:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVAST Software
2011-02-24 23:41:24 -------- d-----w- c:\docume~1\alluse~1\applic~1\oCiJlBg08200
2011-02-22 01:35:21 -------- d-----w- C:\dev
2011-02-14 19:01:30 -------- d-----w- c:\program files\MSECache
2011-02-14 18:47:12 24 ----a-w- c:\windows\SW_Win3112X32.DLL
2011-02-12 03:38:53 -------- d-----w- c:\program files\AfterWorld3

==================== Find3M ====================

2011-01-19 00:01:00 1119232 ----a-w- c:\windows\system32\tx16.dll
2011-01-18 13:34:00 582144 ----a-w- c:\windows\system32\tx16_rtf.dll
2011-01-18 12:01:00 155136 ----a-w- c:\windows\system32\tx16_ic.dll
2011-01-18 09:33:00 687104 ----a-w- c:\windows\system32\tx16_pdf.dll
2011-01-17 12:02:00 241664 ----a-w- c:\windows\system32\tx16_tls.dll
2011-01-17 11:05:00 573440 ----a-w- c:\windows\system32\tx16_htm.dll
2011-01-17 10:08:00 435200 ----a-w- c:\windows\system32\tx16_css.dll
2011-01-17 09:20:00 187904 ----a-w- c:\windows\system32\tx16_jpg.flt
2011-01-17 09:12:00 1047552 ----a-w- c:\windows\system32\tx16_dox.dll
2011-01-05 16:54:14 2965504 ----a-w- c:\windows\system32\beconvlib.dll
2011-01-04 05:51:16 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2011-01-04 05:51:16 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2010-12-23 20:25:44 327680 ----a-w- c:\windows\system32\WordConverterX2.ocx
2010-12-22 13:22:00 706048 ----a-w- c:\windows\system32\tx16_doc.dll
2010-12-15 11:00:00 380928 ----a-w- c:\windows\system32\tx4ole16.ocx
1998-12-09 02:53:54 99840 ----a-w- c:\program files\common files\IRAABOUT.DLL
1998-12-09 02:53:54 70144 ----a-w- c:\program files\common files\IRAMDMTR.DLL
1998-12-09 02:53:54 48640 ----a-w- c:\program files\common files\IRALPTTR.DLL
1998-12-09 02:53:54 31744 ----a-w- c:\program files\common files\IRAWEBTR.DLL
1998-12-09 02:53:54 186368 ----a-w- c:\program files\common files\IRAREG.DLL
1998-12-09 02:53:54 17920 ----a-w- c:\program files\common files\IRASRIAL.DLL

============= FINISH: 17:39:48.07 ===============
nvguy
Active Member
Posts: 14
Joined: February 26th, 2011, 3:01 pm

Re: Hit by malware/trojan horse/virus, now Firefox is hijack

Unread postby nvguy » February 27th, 2011, 10:24 pm

Attach.txt


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 8/18/2006 8:59:42 AM
System Uptime: 2/27/2011 5:34:36 PM (0 hours ago)

Motherboard: Dell Computer Corporation | | Latitude C610
Processor: Intel(R) Pentium(R) III Mobile CPU 1000MHz | Microprocessor | 996/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 28 GiB total, 13.905 GiB free.
D: is CDROM (CDFS)
E: is Removable
F: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Dell TrueMobile 1150 Series Mini PCI Card
Device ID: PCMCIA\DELL-TRUEMOBILE_1150_SERIES_PC_CARD-C043\1
Manufacturer: Dell Corporation
Name: Dell TrueMobile 1150 Series Mini PCI Card
PNP Device ID: PCMCIA\DELL-TRUEMOBILE_1150_SERIES_PC_CARD-C043\1
Service: wldel48b

==== System Restore Points ===================

RP232: 2/1/2011 9:56:01 PM - System Checkpoint
RP233: 2/2/2011 11:08:55 PM - System Checkpoint
RP234: 2/3/2011 11:35:11 PM - System Checkpoint
RP235: 2/4/2011 11:43:16 PM - System Checkpoint
RP236: 2/6/2011 12:26:22 AM - System Checkpoint
RP237: 2/7/2011 12:32:37 AM - System Checkpoint
RP238: 2/8/2011 2:48:48 AM - System Checkpoint
RP239: 2/9/2011 3:49:31 AM - System Checkpoint
RP240: 2/10/2011 4:02:59 AM - System Checkpoint
RP241: 2/11/2011 6:01:54 AM - System Checkpoint
RP242: 2/12/2011 8:02:03 AM - System Checkpoint
RP243: 2/13/2011 8:34:14 AM - System Checkpoint
RP244: 2/14/2011 11:01:55 AM - Installed Compatibility Pack for the 2007 Office system
RP245: 2/15/2011 11:55:04 AM - System Checkpoint
RP246: 2/16/2011 6:32:04 PM - System Checkpoint
RP247: 2/17/2011 10:21:16 PM - System Checkpoint
RP248: 2/18/2011 11:48:10 PM - System Checkpoint
RP249: 2/20/2011 2:18:55 AM - System Checkpoint
RP250: 2/22/2011 10:48:40 PM - System Checkpoint
RP251: 2/23/2011 10:56:34 PM - System Checkpoint
RP252: 2/24/2011 6:55:17 PM - Restore Operation
RP253: 2/24/2011 7:59:59 PM - Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
RP254: 2/24/2011 8:00:18 PM - Installed AVG 2011
RP255: 2/24/2011 8:01:04 PM - Installed AVG 2011
RP256: 2/26/2011 8:38:27 PM - System Checkpoint

==== Installed Programs ======================

Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.8
Adobe Shockwave Player 11.5
AfterWorld Alpha
Apple Application Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Compatibility Pack for the 2007 Office system
Convert Doc
DivX Setup
Entropia Universe
ERUNT 1.1j
Final Draft 6
Full Tilt Poker
HijackThis 2.0.2
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB928388)
Hotfix for Windows XP (KB929120)
Image Resizer Powertoy for Windows XP
IrfanView (remove only)
J2SE Runtime Environment 5.0 Update 6
Malwarebytes' Anti-Malware
Masque World Class Poker
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Professional
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.5.3)
MSXML 4.0 SP2 (KB927978)
Nero 7 Essentials
Nero Suite
NET Installation Assistance for VB6 App (Runtime Only)
OpenAL
Opera 10.50
PCTEL 2304WT V.9x MDC Modem Drivers
Poker4ever
PokerStars
PowerDVD 5.7
Safari
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Shogun Total War - Battle Trainer Test
Spybot - Search & Destroy
The Unblock Websites Proxy Program (a freeware Websites Proxy P
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925876)
VC 9.0 Runtime
VC80CRTRedist - 8.0.50727.4053
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinZip
ZoneAlarm

==== Event Viewer Messages From Past Week ========

2/26/2011 2:04:05 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
2/26/2011 2:04:05 PM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2/25/2011 4:02:29 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\wuweb.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 5.8.0.2469.
2/24/2011 8:08:56 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the AVGIDSAgent service to connect.
2/24/2011 8:08:56 PM, error: Service Control Manager [7000] - The AVGIDSAgent service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2/24/2011 6:51:34 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD aswRdr aswSnx aswSP aswTdi Cinemsup Fips IPSec MRxSmb NetBIOS NetBT P3 RasAcd Rdbss Tcpip vsdatant
2/24/2011 6:37:17 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
2/24/2011 6:30:00 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'SMR161.SYS' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
2/24/2011 6:28:15 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2/24/2011 5:37:44 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
2/24/2011 5:30:01 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
2/24/2011 5:08:55 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Cinemsup Fips IPSec MRxSmb NetBIOS NetBT P3 RasAcd Rdbss Tcpip vsdatant
2/24/2011 5:08:55 PM, error: Service Control Manager [7001] - The TrueVector Internet Monitor service depends on the vsdatant service which failed to start because of the following error: A device attached to the system is not functioning.
2/24/2011 5:08:55 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
2/24/2011 5:08:55 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/24/2011 5:08:55 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/24/2011 5:08:55 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
2/24/2011 4:36:04 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Media Player Network Sharing Service service to connect.
2/24/2011 4:36:04 PM, error: Service Control Manager [7000] - The Windows Media Player Network Sharing Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2/24/2011 4:35:39 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Lavasoft Ad-Aware Service service to connect.
2/24/2011 4:35:39 PM, error: Service Control Manager [7000] - The Lavasoft Ad-Aware Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2/24/2011 4:35:34 PM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
2/24/2011 4:35:34 PM, error: Service Control Manager [7031] - The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
2/24/2011 4:35:34 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
2/24/2011 3:52:07 PM, error: Service Control Manager [7000] - The Lavasoft Ad-Aware Service service failed to start due to the following error: Access is denied.
2/22/2011 1:29:33 PM, error: Dhcp [1002] - The IP address lease 75.141.202.174 for the Network Card with network address 00065BE2E910 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================
nvguy
Active Member
Posts: 14
Joined: February 26th, 2011, 3:01 pm

Re: Hit by malware/trojan horse/virus, now Firefox is hijack

Unread postby Gary R » February 28th, 2011, 2:48 am

Looking better, but there's still some work to be done.

Before we get to that I need to ask you a question.

Your DDS.txt log says you have AVG11 installed, but I can see no sign of the drivers, files and registry entries that I would expect to see if that were the case. Similarly there is no sign of AVG in your uninstall list in Attach.txt

Do you have an anti-virus installed, because I don't see one, only remnants from what look like failed installations of AVG and Avast.
Gary R
Administrator
Posts: 21872
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Hit by malware/trojan horse/virus, now Firefox is hijack

Unread postby nvguy » February 28th, 2011, 12:27 pm

Gary,

Thanks for your help thus far. It looks like the infection is gone and we're over the worst of it.

I did have Avast installed then uninstalled it some time ago. After the malware hit I installed AVG and ran a full scan. It didn't find anything yet took up a lot of resources, so I uninstalled it in safe mode to free up the resources.

Currently I do not have an anti-virus program running. If you'll suggest what AV program to install, and also what protection software in general I'll install it.

I've left the computer in safe mode after MalwareBytes removed the infection so as to wait for your advice.

Thanks,

John
nvguy
Active Member
Posts: 14
Joined: February 26th, 2011, 3:01 pm

Re: Hit by malware/trojan horse/virus, now Firefox is hijack

Unread postby Gary R » February 28th, 2011, 12:54 pm

OK John, thanks for letting me know.

Download OTM by Old Timer and save it to your Desktop.

Alternative Download
  • Double-click OTM.exe to run it.
  • Copy the lines in the codebox below.
Code:
:Files
c:\docume~1\alluse~1\applic~1\AVG10
c:\docume~1\alluse~1\applic~1\AVAST Software
c:\docume~1\alluse~1\applic~1\oCiJlBg08200
c:\docume~1\alluse~1\applic~1\Norton
c:\program files\AVAST Software

:Commands
[EmptyTemp]
[EmptyFlash]

  • Return to OTM, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTM


Next

  • Click Start > Run then type wbemtest.exe into the Open: box, click OK
  • This will launch Windows Management Instrumentation Tester
    • Click on the Connect button.
    • In the box at the top, where it says root\default change it to say root\securitycenter then click Connect
    • Click on Enum Instances
    • In the box that opens, type antivirusproduct and click OK
    • A box will open with a list of the anti-virus programmes that WMI sees on your computer.
      • Click on the one with the CLSID .... {17DDD097-36FF-435F-9E1B-52D74245D6BF} .... to highlight it, then click Delete
      • Click Close to close the Query box.
    • Exit out of Windows Management Instrumentation Tester

Next

Please go to Control Panel > Add/Remove Programs and Uninstall the following:

J2SE Runtime Environment 5.0 Update 6

Old versions of Java can be exploited.

Once done reboot your computer.

Now download and install JDK 6 Update 24 (JDK or JRE).

Next

Install an Anti-Virus program.

It is essential you have one otherwise you will get re-infected in a very short time .... there are links to some free ones HERE

MSE is fairly light on resources.

Next

Please run a scan with ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.
  • Please go HERE then click on: Image
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Copy and paste that log in your next reply please.
  • Now click on: Image (Selecting Uninstall application on close if you so wish)

Summary of the logs I need from you in your next post:
  • OTM log
  • E-Set log


Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections.
Gary R
Administrator
Posts: 21872
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
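The wbemtest steps in Gary R's post above, done as a script. This is an added example written for this page, not code from the post or from any of the tools it names (OTM, DDS, ESET). It lists the anti-virus products that the Windows Security Center WMI provider believes are installed, so you can see why the DDS log reported AVG as "Disabled/Updated" while no AVG files or services remained, and it removes one stale registration by its instanceGuid. Assumptions: PowerShell 2.0 or later with the WMI cmdlets; the namespace is root\SecurityCenter on Windows XP (root\SecurityCenter2 on Vista and later); the default GUID is the one quoted in the DDS log above; the parameter names -Namespace, -StaleGuid and -Remove are this script's own choice.

```powershell
# Added example, not part of the forum post. Audits the Security Center's
# AntiVirusProduct registrations and optionally removes one stale entry.
# Assumed namespace for Windows XP; use root\SecurityCenter2 on Vista+.
param(
    [string]$Namespace = 'root\SecurityCenter',
    # GUID taken from the DDS log in the thread; replace for other systems.
    [string]$StaleGuid = '{17DDD097-36FF-435F-9E1B-52D74245D6BF}',
    [switch]$Remove
)

# Enumerate every AntiVirusProduct instance the provider knows about.
# This is the same query as Enum Instances on "antivirusproduct" in wbemtest.
$products = Get-WmiObject -Namespace $Namespace -Class AntiVirusProduct

if (-not $products) {
    Write-Host "No AntiVirusProduct instances are registered in $Namespace."
    return
}

Write-Host ("{0,-40} {1}" -f 'displayName', 'instanceGuid')
foreach ($p in $products) {
    # displayName and instanceGuid exist on both the XP and the later
    # (SecurityCenter2) versions of the class; other properties differ.
    Write-Host ("{0,-40} {1}" -f $p.displayName, $p.instanceGuid)
}

# A registration is stale when the product's files, drivers and services are
# gone (as the DDS log showed for AVG) but its Security Center entry remains.
# Windows then reports a "protected" system while nothing is actually scanning,
# which is why the entry is worth removing before installing a replacement AV.
$stale = $products | Where-Object { $_.instanceGuid -eq $StaleGuid }

if (-not $stale) {
    Write-Host "No registration with instanceGuid $StaleGuid found; nothing to do."
}
elseif ($Remove) {
    # Remove-WmiObject deletes the instance, as the Delete button does in
    # wbemtest. It honours -WhatIf if you want to rehearse the deletion first.
    $stale | Remove-WmiObject -Verbose
    Write-Host "Removed stale registration $StaleGuid from $Namespace."
}
else {
    Write-Host "Stale registration $StaleGuid is present; re-run with -Remove to delete it."
}
```

Run it once without -Remove to confirm that the only entry is the orphaned AVG one (a product you are still running must not be removed), then re-run with -Remove. After the new anti-virus is installed, running it again should show exactly one entry, for that product.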