
[Resolved] Potential spambot problem


16 replies to this topic

#1 solteras88

solteras88

    New Member

  • Authentic Member
  • Pip
  • 8 posts

Posted 14 March 2010 - 01:19 PM

Hi! Thanks so much for looking at my problem. Recently my internet provider quarantined my household because spam was being sent from our IP address. There are three computers in my apartment, one of which is a Mac. So most likely this problem is coming from one of the two PCs. I think there is a good chance that my computer may be the problem. I've run various anti-spyware programs such as Spybot Search and Destroy, Malwarebytes, Ad-Aware and also virus scans (avast and Norton), none of which have found anything I think could be sending out the spam. Could someone please help me? Also, although it may be unrelated, my computer doesn't really recognize me as an administrator anymore. I've heard this could be because of Norton, but it might also be because of a virus. Another thing I noticed is that my GMER and DDS logs are much longer than most of the other forum members'. Could this also be a sign of a virus or am I doing something wrong? Since the logs were so long I tried to add them as attachments; however, the GMER log was so long it wouldn't fit. It's really really long. Is there some way to get around this issue? The .txt file is ~400k.

Here's the mbam log:

Malwarebytes' Anti-Malware 1.44
Database version: 3850
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

3/10/2010 7:29:27 PM
mbam-log-2010-03-10 (19-29-27).txt

Scan type: Quick Scan
Objects scanned: 132944
Time elapsed: 12 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

The DDS log is attached. I hope you can help me with this problem; if we keep sending out spam our service provider will cut us off permanently.

Attached Files

  • Attached File  DDS2.txt   20.33KB   247 downloads

Edited by solteras88, 14 March 2010 - 01:31 PM.



#2 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 16 March 2010 - 09:22 AM

Hi

Run GMER again and make sure the following boxes are UNCHECKED:

  • Files
  • Sections
  • IAT/EAT
  • Drives/Partition other than the Systemdrive (typically C:\)
  • Show All (don't miss this one)



The log shouldn't be that long.

If it is very long again, zip it up and attach it.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#3 solteras88

solteras88

    New Member

  • Authentic Member
  • Pip
  • 8 posts

Posted 17 March 2010 - 12:02 PM

I followed your directions and the GMER log was much shorter. Besides 'show all' I had all the other things checked. Here are my mbam, GMER, and DDS logs:

Malwarebytes' Anti-Malware 1.44
Database version: 3850
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

3/10/2010 7:29:27 PM
mbam-log-2010-03-10 (19-29-27).txt

Scan type: Quick Scan
Objects scanned: 132944
Time elapsed: 12 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-17 00:53:07
Windows 5.1.2600 Service Pack 2
Running: mejcdbm8.exe; Driver: C:\DOCUME~1\Evan\LOCALS~1\Temp\pxtdrpob.sys


---- System - GMER 1.0.15 ----

SSDT 86B56100 ZwAlertResumeThread
SSDT 86B567E0 ZwAlertThread
SSDT 86C5FF48 ZwAllocateVirtualMemory
SSDT 86B63230 ZwAssignProcessToJobObject
SSDT 86D53880 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xF2BD1210]
SSDT 86D7C360 ZwCreateMutant
SSDT 8662F5B0 ZwCreateSymbolicLinkObject
SSDT 86B35DA8 ZwCreateThread
SSDT 86B62E70 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xF2BD1490]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xF2BD19F0]
SSDT 86C896E0 ZwDuplicateObject
SSDT sptd.sys ZwEnumerateKey [0xF742FE2C]
SSDT sptd.sys ZwEnumerateValueKey [0xF74301BA]
SSDT 86C1C2A8 ZwFreeVirtualMemory
SSDT 86B55B38 ZwImpersonateAnonymousToken
SSDT 86B55DF0 ZwImpersonateThread
SSDT 8682E220 ZwLoadDriver
SSDT 86B35008 ZwMapViewOfSection
SSDT 86B556E8 ZwOpenEvent
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwOpenKey [0xF2BD17A0]
SSDT 86B490D0 ZwOpenProcess
SSDT 8675F168 ZwOpenProcessToken
SSDT 86B60AA8 ZwOpenSection
SSDT 86B2FA98 ZwOpenThread
SSDT 8662FF80 ZwProtectVirtualMemory
SSDT sptd.sys ZwQueryKey [0xF7430292]
SSDT sptd.sys ZwQueryValueKey [0xF7430112]
SSDT 86B57510 ZwResumeThread
SSDT 86B59290 ZwSetContextThread
SSDT 86FCBFC0 ZwSetInformationProcess
SSDT 86B61DD0 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF2BD1C40]
SSDT 86B60440 ZwSuspendProcess
SSDT 86B57908 ZwSuspendThread
SSDT 86B9F830 ZwTerminateProcess
SSDT 86B58A50 ZwTerminateThread
SSDT 86B594C8 ZwUnmapViewOfSection
SSDT 86C27B18 ZwWriteVirtualMemory

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86FCF1E8

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\USBSTOR \Device\0000009e 867857A0
Device \Driver\USBSTOR \Device\0000009f 867857A0
Device \Driver\NetBT \Device\NetBT_Tcpip_{1125B7C2-3196-4D35-8654-718A3C72CA54} 8679B1E8
Device \Driver\usbuhci \Device\USBPDO-0 86D0B7A0
Device \Driver\usbuhci \Device\USBPDO-1 86D0B7A0
Device \Driver\dmio \Device\DmControl\DmIoDaemon 86F601E8
Device \Driver\dmio \Device\DmControl\DmConfig 86F601E8
Device \Driver\dmio \Device\DmControl\DmPnP 86F601E8
Device \Driver\dmio \Device\DmControl\DmInfo 86F601E8
Device \Driver\usbuhci \Device\USBPDO-2 86D0B7A0
Device \Driver\usbuhci \Device\USBPDO-3 86D0B7A0
Device \Driver\usbehci \Device\USBPDO-4 86CC84F0
Device \Driver\PCI_NTPNP9278 \Device\00000055 sptd.sys

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Ftdisk \Device\HarddiskVolume1 86FD11E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 86FD11E8
Device \Driver\Cdrom \Device\CdRom0 86C817A0
Device \Driver\Ftdisk \Device\HarddiskVolume3 86FD11E8
Device \Driver\Cdrom \Device\CdRom1 86C817A0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 86FD01E8
Device \Driver\atapi \Device\Ide\IdePort0 86FD01E8
Device \Driver\atapi \Device\Ide\IdePort1 86FD01E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 86FD01E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8679B1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{141F4DAE-D694-47F9-9455-1BBC04A94089} 8679B1E8
Device \Driver\NetBT \Device\NetbiosSmb 8679B1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{2F752040-547F-43F7-B8CC-0A6922AE2371} 8679B1E8

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbuhci \Device\USBFDO-0 86D0B7A0
Device \Driver\usbuhci \Device\USBFDO-1 86D0B7A0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 86B4B1E8
Device \Driver\usbuhci \Device\USBFDO-2 86D0B7A0
Device 86B4B1E8
Device \Driver\usbuhci \Device\USBFDO-3 86D0B7A0
Device \Driver\usbehci \Device\USBFDO-4 86CC84F0
Device \Driver\Ftdisk \Device\FtControl 86FD11E8
Device \Driver\a6kvpwkd \Device\Scsi\a6kvpwkd1 86C59738
Device \Driver\a6kvpwkd \Device\Scsi\a6kvpwkd1Port2Path0Target0Lun0 86C59738
Device 8595B5C8
Device B56761F9

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 85B173A0

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x5F 0x8B 0xD3 0xDE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x1F 0x5F 0x3C 0x1A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x36 0x8F 0x6B 0xAF ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x5F 0x8B 0xD3 0xDE ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x1F 0x5F 0x3C 0x1A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x36 0x8F 0x6B 0xAF ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DE191883-0715-2F88-B6B9-67D306B77518}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DE191883-0715-2F88-B6B9-67D306B77518}@iakbhjpofgccfboajn 0x6B 0x61 0x70 0x6C ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DE191883-0715-2F88-B6B9-67D306B77518}@haadblggdcjajdik 0x6B 0x61 0x70 0x6C ...

---- EOF - GMER 1.0.15 ----




DDS (Ver_09-06-26.01) - NTFSx86
Run by Evan at 1:18:13.10 on Sun 03/14/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.416 [GMT -5:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\Engine\17.5.0.127\ccSvcHst.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\Engine\17.5.0.127\ccSvcHst.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Evan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us
mDefault_Page_URL = hxxp://www.dell.com
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\17.5.0.127\IPSBHO.DLL
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [Google Update] "c:\documents and settings\evan\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Veoh] "c:\program files\veoh networks\veoh\VeohClient.exe" /VeohHide
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Document Manager] c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SNPSTD2] c:\windows\vsnpstd2.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
StartupFolder: c:\docume~1\evan\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\embass~1.lnk - c:\program files\wave systems corp\services manager\secure update\AutoUpdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155936059281
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
TCP: {2F752040-547F-43F7-B8CC-0A6922AE2371} = 128.253.180.2
AppInit_DLLs: wxvault.dll
LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\evan\applic~1\mozilla\firefox\profiles\fvnbwutr.default\
FF - prefs.js: browser.startup.homepage - hxxps://uportal.cornell.edu/uPortal/render.uP
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.5.0.127\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\evan\local settings\application data\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", "-1");
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35"); // now unused
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.delay", 50);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1105000.07f\SymDS.sys [2010-2-27 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1105000.07f\SymEFA.sys [2010-2-27 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.5.0.127\definitions\bashdefs\20100211.001\BHDrvx86.sys [2010-2-11 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1105000.07f\cchpx86.sys [2010-2-27 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1105000.07f\Ironx86.sys [2010-2-27 116272]
R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\17.5.0.127\ccSvcHst.exe [2010-2-27 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-27 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.5.0.127\definitions\ipsdefs\20100310.001\IDSXpx86.sys [2010-3-10 329592]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.5.0.127\definitions\virusdefs\20100313.021\NAVENG.SYS [2010-3-13 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.5.0.127\definitions\virusdefs\20100313.021\NAVEX15.SYS [2010-3-13 1324720]
RUnknown SASKUTIL;SASKUTIL; [x]
S3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2010-3-13 709248]

=============== Created Last 30 ================

2010-03-13 14:48 <DIR> --d----- c:\program files\WebEx
2010-03-13 14:45 <DIR> --d----- c:\program files\Linksys
2010-03-13 14:42 709,248 a----r-- c:\windows\system32\drivers\rt2870.sys
2010-03-13 14:42 221,184 a----r-- c:\windows\system32\RaCoInst.dll
2010-03-13 14:42 13,931 a----r-- c:\windows\system32\RaCoInst.dat
2010-03-10 19:12 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-10 19:12 19,160 a------- c:\windows\system32\drivers\mbam.sys
2010-03-10 16:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-03-10 16:33 <DIR> --d----- c:\program files\SUPERAntiSpyware
2010-03-10 16:33 <DIR> --d----- c:\docume~1\evan\applic~1\SUPERAntiSpyware.com
2010-03-10 00:07 <DIR> --d----- c:\program files\CCleaner
2010-03-01 01:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-02-28 03:50 <DIR> --d----- c:\windows\ServicePackFiles
2010-02-27 22:40 82,432 -------- c:\windows\system32\dllcache\fontsub.dll
2010-02-27 22:40 283,648 -------- c:\windows\system32\dllcache\pdh.dll
2010-02-27 22:40 60,416 -------- c:\windows\system32\dllcache\colbact.dll
2010-02-27 22:40 35,328 -------- c:\windows\system32\dllcache\sc.exe
2010-02-27 22:40 399,360 -------- c:\windows\system32\dllcache\rpcss.dll
2010-02-27 22:40 110,592 -------- c:\windows\system32\dllcache\services.exe
2010-02-27 22:40 473,088 -------- c:\windows\system32\dllcache\fastprox.dll
2010-02-27 22:40 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2010-02-27 22:40 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2010-02-27 22:40 616,960 -------- c:\windows\system32\dllcache\advapi32.dll
2010-02-27 22:40 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2010-02-27 22:31 655,872 -------- c:\windows\system32\dllcache\mstscax.dll
2010-02-27 22:29 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2010-02-27 18:44 95,024 a------- c:\windows\system32\drivers\SBREDrv.sys
2010-02-27 18:39 <DIR> --d----- c:\program files\Lavasoft
2010-02-27 18:29 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2010-02-27 18:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-02-27 18:24 <DIR> --d----- c:\docume~1\evan\applic~1\Malwarebytes
2010-02-27 18:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-27 18:24 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2010-02-27 01:39 124,976 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-27 01:39 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2010-02-27 01:39 7,443 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-27 01:39 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-27 01:38 <DIR> --d----- c:\windows\system32\drivers\NAV
2010-02-27 01:38 <DIR> --d----- c:\program files\Norton AntiVirus
2010-02-27 01:38 <DIR> --d----- c:\program files\NortonInstaller
2010-02-27 01:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-02-27 01:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton

==================== Find3M ====================

2010-03-10 00:28 11,242 a------- c:\windows\system32\nvModes.dat
2010-01-14 04:57 55,172 a---h--- c:\windows\system32\mlfcache.dat
2009-12-31 11:14 352,640 -------- c:\windows\system32\dllcache\srv.sys
2009-12-16 07:58 343,040 a------- c:\windows\system32\mspaint.exe
2009-12-16 07:58 343,040 -------- c:\windows\system32\dllcache\mspaint.exe
2009-12-16 07:57 18,432 a------- c:\windows\system32\dllcache\iedw.exe
2009-12-14 02:35 33,280 a------- c:\windows\system32\csrsrv.dll
2009-12-14 02:35 33,280 -------- c:\windows\system32\dllcache\csrsrv.dll

============= FINISH: 1:19:27.01 ===============


Thanks so much. Hopefully the spam problem can be resolved; otherwise I don't really know what I'm going to do.

#4 CatByte


Posted 17 March 2010 - 12:23 PM

Hi,

Everyone in your household needs to change their passwords for all their online accounts - all your email, IM, social networking sites, etc.

Was your ISP more specific about the spam? Was it through emails or IM? If so, your email credentials could have been hacked rather than any of the computers being infected. The same could happen for Facebook, MySpace, etc. if one of you unknowingly filled out a 'fake form' for something.


Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#5 solteras88


Posted 17 March 2010 - 10:15 PM

Hi,

Our ISP told us that spam was being sent from our IP address via email. If our email credentials were hacked, would the spam still be sent from our IP address? I ran ComboFix; here is the log:

ComboFix 10-03-17.06 - Evan 03/17/2010 23:58:09.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.489 [GMT -4:00]
Running from: c:\documents and settings\Evan\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Evan\Local Settings\Tempals_inst.exe
c:\windows\system32\SIntf16.dll

.
((((((((((((((((((((((((( Files Created from 2010-02-18 to 2010-03-18 )))))))))))))))))))))))))))))))
.

2010-03-18 03:20 . 2010-02-26 06:00 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\VirusDefs\20100317.021\NAVENG.SYS
2010-03-18 03:20 . 2010-02-26 06:00 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\VirusDefs\20100317.021\NAVENG32.DLL
2010-03-18 03:20 . 2010-02-26 06:00 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\VirusDefs\20100317.021\NAVEX32A.DLL
2010-03-18 03:20 . 2010-02-26 06:00 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\VirusDefs\20100317.021\NAVEX15.SYS
2010-03-18 03:20 . 2010-02-26 06:00 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\VirusDefs\20100317.021\EECTRL.SYS
2010-03-18 03:20 . 2010-02-26 06:00 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\VirusDefs\20100317.021\CCERASER.DLL
2010-03-18 03:20 . 2010-02-26 06:00 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\VirusDefs\20100317.021\ECMSVR32.DLL
2010-03-18 03:20 . 2010-02-26 06:00 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\VirusDefs\20100317.021\ERASER.SYS
2010-03-14 23:54 . 2009-11-17 00:51 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\IPSDefs\20100312.001\Scxpx86.dll
2010-03-14 23:54 . 2009-11-17 00:51 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\IPSDefs\20100312.001\IDSXpx86.sys
2010-03-14 23:54 . 2009-11-17 00:51 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\IPSDefs\20100312.001\IDSxpx86.dll
2010-03-14 23:54 . 2009-11-17 00:51 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\IPSDefs\20100312.001\IDSvix86.sys
2010-03-14 23:54 . 2009-11-17 00:51 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\IPSDefs\20100312.001\IDSviA64.sys
2010-03-13 19:48 . 2010-03-13 19:48 -------- d-----w- c:\program files\WebEx
2010-03-13 19:45 . 2010-03-13 20:26 -------- d-----w- c:\program files\Linksys
2010-03-13 19:42 . 2009-05-14 01:40 709248 ----a-r- c:\windows\system32\drivers\rt2870.sys
2010-03-13 19:42 . 2009-05-14 01:40 221184 ----a-r- c:\windows\system32\RaCoInst.dll
2010-03-13 19:42 . 2009-05-14 01:40 13931 ----a-r- c:\windows\system32\RaCoInst.dat
2010-03-11 03:48 . 2010-03-11 03:48 -------- d-----w- c:\program files\ERUNT
2010-03-11 00:12 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-11 00:12 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-10 23:44 . 2009-11-17 00:51 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\IPSDefs\20100310.001\Scxpx86.dll
2010-03-10 23:44 . 2009-11-17 00:51 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\IPSDefs\20100310.001\IDSxpx86.dll
2010-03-10 23:44 . 2009-11-17 00:51 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\IPSDefs\20100310.001\IDSvix86.sys
2010-03-10 23:44 . 2009-11-17 00:51 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\IPSDefs\20100310.001\IDSXpx86.sys
2010-03-10 23:44 . 2009-11-17 00:51 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\IPSDefs\20100310.001\IDSviA64.sys
2010-03-10 21:33 . 2010-03-10 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-10 21:33 . 2010-03-13 20:35 -------- d-----w- c:\documents and settings\Evan\Application Data\SUPERAntiSpyware.com
2010-03-10 21:33 . 2010-03-13 20:35 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-10 05:07 . 2010-03-10 05:07 -------- d-----w- c:\program files\CCleaner
2010-03-01 06:18 . 2010-03-01 06:18 -------- d-----w- c:\program files\Alwil Software
2010-03-01 06:18 . 2010-03-01 06:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-28 08:50 . 2010-02-28 08:50 -------- d-----w- c:\windows\ServicePackFiles
2010-02-28 03:40 . 2009-10-15 17:21 82432 ------w- c:\windows\system32\dllcache\fontsub.dll
2010-02-28 03:40 . 2009-03-06 14:44 283648 ------w- c:\windows\system32\dllcache\pdh.dll
2010-02-28 03:40 . 2009-02-06 16:54 35328 ------w- c:\windows\system32\dllcache\sc.exe
2010-02-28 03:40 . 2005-07-26 04:39 60416 ------w- c:\windows\system32\dllcache\colbact.dll
2010-02-28 03:40 . 2009-02-09 10:20 399360 ------w- c:\windows\system32\dllcache\rpcss.dll
2010-02-28 03:40 . 2009-02-06 17:14 110592 ------w- c:\windows\system32\dllcache\services.exe
2010-02-28 03:40 . 2009-02-09 10:20 473088 ------w- c:\windows\system32\dllcache\fastprox.dll
2010-02-28 03:40 . 2009-02-06 16:39 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2010-02-28 03:40 . 2009-02-09 10:20 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-02-28 03:40 . 2009-02-09 10:20 616960 ------w- c:\windows\system32\dllcache\advapi32.dll
2010-02-28 03:40 . 2009-02-09 10:20 714752 ------w- c:\windows\system32\dllcache\ntdll.dll
2010-02-28 03:31 . 2009-06-05 07:42 655872 ------w- c:\windows\system32\dllcache\mstscax.dll
2010-02-28 03:29 . 2008-04-21 10:02 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2010-02-27 23:44 . 2010-02-27 23:44 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-27 23:39 . 2010-03-08 04:45 -------- d-----w- c:\program files\Lavasoft
2010-02-27 23:39 . 2010-03-08 04:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-02-27 23:29 . 2010-03-10 04:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-27 23:29 . 2010-03-10 04:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-27 23:24 . 2010-02-27 23:24 -------- d-----w- c:\documents and settings\Evan\Application Data\Malwarebytes
2010-02-27 23:24 . 2010-02-27 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-27 23:24 . 2010-03-11 00:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-27 06:43 . 2009-11-17 00:51 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\IPSDefs\20100224.002\Scxpx86.dll
2010-02-27 06:43 . 2009-11-17 00:51 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\IPSDefs\20100224.002\IDSxpx86.dll
2010-02-27 06:43 . 2009-11-17 00:51 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\IPSDefs\20100224.002\IDSviA64.sys
2010-02-27 06:43 . 2009-11-17 00:51 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\IPSDefs\20100224.002\IDSvix86.sys
2010-02-27 06:43 . 2009-11-17 00:51 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\IPSDefs\20100224.002\IDSXpx86.sys
2010-02-27 06:39 . 2009-11-17 00:51 164216 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\IPSFFPlgn\components\IPSFFPl.dll
2010-02-27 06:39 . 2010-02-27 06:39 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-02-27 06:39 . 2010-02-27 06:39 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-27 06:38 . 2009-11-17 00:51 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\IPSDefs\BinHub\IDSvia64.sys
2010-02-27 06:38 . 2009-11-17 00:51 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\IPSDefs\BinHub\IDSvix86.sys
2010-02-27 06:38 . 2009-11-17 00:51 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\IPSDefs\BinHub\IDSxpx86.sys
2010-02-27 06:38 . 2009-11-17 00:51 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\IPSDefs\BinHub\scxpx86.dll
2010-02-27 06:38 . 2009-11-17 00:51 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\IPSDefs\BinHub\idsxpx86.dll
2010-02-27 06:38 . 2009-12-08 02:20 965488 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\OCS\hsplayer.dll
2010-02-27 06:38 . 2009-12-17 06:46 892784 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\CLT\cltLMSx.dll
2010-02-27 06:38 . 2010-02-27 06:38 -------- d-----w- c:\windows\system32\drivers\NAV
2010-02-27 06:38 . 2010-02-27 06:38 -------- d-----w- c:\program files\Norton AntiVirus
2010-02-27 06:38 . 2010-02-27 06:38 -------- d-----w- c:\program files\Windows Sidebar
2010-02-27 06:38 . 2010-02-27 06:38 -------- d-----w- c:\program files\NortonInstaller
2010-02-27 06:08 . 2010-02-27 06:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-27 06:04 . 2010-02-27 06:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-14 16:47 . 2006-08-18 23:46 68720 -c--a-w- c:\documents and settings\Evan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-13 20:49 . 2006-07-26 16:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-13 19:47 . 2010-03-13 19:47 8892928 ----a-w- c:\documents and settings\All Users\Application Data\atscie.msi
2010-03-12 04:57 . 2008-05-31 08:06 -------- d-----w- c:\documents and settings\Evan\Application Data\uTorrent
2010-03-10 16:22 . 2006-07-26 16:31 -------- d-----w- c:\program files\Google
2010-03-10 05:28 . 2006-07-26 16:10 11242 ----a-w- c:\windows\system32\nvModes.dat
2010-03-10 04:34 . 2007-01-17 07:41 -------- d-----w- c:\documents and settings\Evan\Application Data\Viewpoint
2010-03-10 04:34 . 2006-11-17 23:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-03-10 04:34 . 2006-11-17 23:01 -------- d-----w- c:\program files\Viewpoint
2010-03-08 04:55 . 2006-09-13 01:22 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-03 19:30 . 2006-09-28 23:17 -------- d-----w- c:\program files\Diablo II
2010-03-02 04:55 . 2008-06-07 04:58 -------- d-----w- c:\program files\Panda Security
2010-02-27 23:25 . 2006-08-30 04:04 -------- d-----w- c:\program files\Trillian
2010-02-27 07:28 . 2006-08-18 21:26 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-27 06:39 . 2010-02-27 06:39 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-27 06:39 . 2010-02-27 06:39 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-27 06:39 . 2006-08-18 21:26 -------- d-----w- c:\program files\Symantec
2010-02-27 06:26 . 2006-08-18 21:26 -------- d-----w- c:\program files\Symantec Client Security
2010-02-27 06:26 . 2006-08-18 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-02-27 06:25 . 2006-08-18 21:27 40 ----a-w- c:\windows\system32\profile.dat
2010-02-11 18:44 . 2010-02-11 18:44 201616 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\BASHDefs\20100211.001\BHRules.dll
2010-02-11 18:44 . 2010-02-11 18:44 1406352 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\BASHDefs\20100211.001\BHEngine.dll
2010-02-11 18:44 . 2010-02-11 18:44 676912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\BASHDefs\20100211.001\BHDrvx64.sys
2010-02-11 18:44 . 2010-02-11 18:44 536112 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\BASHDefs\20100211.001\BHDrvx86.sys
2010-02-11 18:44 . 2010-02-11 18:44 611216 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\BASHDefs\20100211.001\bbRGen.dll
2010-01-23 18:35 . 2009-10-08 03:24 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-23 07:27 . 2010-01-23 07:27 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-23 07:26 . 2010-01-23 07:26 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-01-14 09:57 . 2010-01-14 09:57 55172 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-31 16:14 . 2006-07-26 16:05 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:42 . 2004-08-11 22:00 662016 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:42 . 2004-08-11 22:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"Google Update"="c:\documents and settings\Evan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-26 135664]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-04-03 165784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-08 176128]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-19 7401472]
"nwiz"="nwiz.exe" [2006-01-19 1519616]
"NVHotkey"="nvHotkey.dll" [2006-01-19 73728]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 282624]
"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2006-03-09 98304]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SNPSTD2"="c:\windows\vsnpstd2.exe" [2004-06-10 286720]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wxvault.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"e:\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"e:\\Rosetta Stone V3 - Japanese\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"e:\\Rosetta Stone V3 - Japanese\\RosettaStoneVersion3.exe"=
"e:\\Steam\\Steam.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1105000.07F\SymDS.sys [2/27/2010 2:38 AM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1105000.07F\SymEFA.sys [2/27/2010 2:38 AM 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\BASHDefs\20100211.001\BHDrvx86.sys [2/11/2010 2:44 PM 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1105000.07F\cchpx86.sys [2/27/2010 2:38 AM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1105000.07F\Ironx86.sys [2/27/2010 2:38 AM 116272]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\17.5.0.127\ccSvcHst.exe [2/27/2010 2:38 AM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/27/2010 2:42 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\IPSDefs\20100312.001\IDSXpx86.sys [3/14/2010 7:54 PM 329592]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/1/2007 2:25 PM 682232]
.
Contents of the 'Scheduled Tasks' folder

2010-02-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2010-03-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-651586626-2733162600-4134146358-1005Core.job
- c:\documents and settings\Evan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-26 23:13]

2010-03-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-651586626-2733162600-4134146358-1005UA.job
- c:\documents and settings\Evan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-26 23:13]

2006-08-18 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2006-08-18 21:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {2F752040-547F-43F7-B8CC-0A6922AE2371} = 128.253.180.2
FF - ProfilePath - c:\documents and settings\Evan\Application Data\Mozilla\Firefox\Profiles\fvnbwutr.default\
FF - prefs.js: browser.startup.homepage - hxxps://uportal.cornell.edu/uPortal/render.uP
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\Evan\Local Settings\Application Data\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Veoh - c:\program files\Veoh Networks\Veoh\VeohClient.exe
HKCU-Run-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
HKLM-Run-ISUSScheduler - c:\program files\Common Files\InstallShield\UpdateService\issch.exe
HKLM-Run-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
Notify-NavLogon - (no file)
AddRemove-KB913433 - c:\windows\system32\MacroMed\Flash\genuinst.exe
AddRemove-Steam App 240 - c:\progra~1\Steam\steam.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-18 00:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\17.5.0.127\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\17.5.0.127\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-651586626-2733162600-4134146358-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DE191883-0715-2F88-B6B9-67D306B77518}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iakbhjpofgccfboajn"=hex:6b,61,70,6c,65,6c,6b,61,6c,63,67,6f,67,67,6c,6d,6e,70,
6a,67,63,69,00,00
"haadblggdcjajdik"=hex:6b,61,70,6c,65,6c,6b,61,6c,63,66,6f,6e,66,6f,66,65,6c,
66,61,6e,66,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(848)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
.
Completion time: 2010-03-18 00:06:44
ComboFix-quarantined-files.txt 2010-03-18 04:06

Pre-Run: 2,201,837,568 bytes free
Post-Run: 5,730,099,200 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 7C191975A77223A43EE6EB0FFA5D0667

#6 CatByte


Posted 18 March 2010 - 05:55 AM

Hi,

Please do the following:




  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.




NEXT

Run an on-line scan with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.

  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


In your next reply please include
  • MBAM Log
  • Kaspersky report

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#7 solteras88


Posted 18 March 2010 - 07:43 PM

Here's the new MBAM log:

Malwarebytes' Anti-Malware 1.44
Database version: 3882
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

3/18/2010 12:06:22 PM
mbam-log-2010-03-18 (12-06-22).txt

Scan type: Quick Scan
Objects scanned: 132341
Time elapsed: 6 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Here's the Kaspersky scan log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, March 18, 2010
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, March 18, 2010 13:12:25
Records in database: 3815150
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 242550
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 08:21:00

File name / Threat / Threats count
C:\Documents and Settings\Evan\Desktop\MGtools.exe Infected: Trojan-Dropper.Win32.Agent.bsvq 1

Selected area has been scanned.

#8 CatByte


Posted 18 March 2010 - 09:05 PM

Hi,

Please do the following:

Visit ADOBE and download the latest version of Acrobat Reader (version 9.3)
Having the latest updates ensures there are no security vulnerabilities in your system.


NEXT


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 18 and save it to your desktop.
  • Scroll down to where it says JDK 6 Update 18 (JDK or JRE)
  • Click the Download JRE button to the right
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u18 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked:
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


NEXT



Is your ISP still stating emails are being sent from your IP address?

To check for traffic, do the following:


Download TcpView.zip and save it to your desktop

Double-click tcpview.zip to extract the file. Double-click the TcpView.exe icon in the extracted files folder. This opens an Open File confirmation window.

Make sure you have no open browsers, or other programs connected to the internet (IM etc) while you run the program.

Click "Run" in the Open File window, then click "Accept" to accept the license agreement. This opens the TCPView user interface.

Examine the list of software applications and ports displayed in the TCPView window.

TCPView displays all processes accessing IP ports, both TCP and UDP, and the local and remote addresses of each port.

Write down the information if you see anything running.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#9 solteras88


Posted 19 March 2010 - 01:32 PM

Hi, I have the new Java installed. I'm going to try to get my internet connection unquarantined today or tomorrow. I have a few questions before that. Is it possible that the trojan that the Kaspersky scan found caused the spam? Also, if I can get my ISP to unquarantine my connection, how long do I need to keep my computer online to see if the TCPView is working? Thanks for your help!

#10 CatByte


Posted 19 March 2010 - 01:44 PM

Hi,

The file Kaspersky found is a false positive:

C:\Documents and Settings\Evan\Desktop\MGtools.exe

These are the tools that you are required to download and run as a member of Major Geeks Forum (confirm you joined).

This wouldn't have had anything to do with the issue at all.

how long do I need to keep my computer online to see if the TCPview is working


Unfortunately, I can't answer that. If your ISP can give you information as to when this activity is happening... if it is 24/7 then you will see activity immediately; if it happened once, it may have just been an isolated incident and you won't see any activity at all.

I'll have you clean up the tools we have used for now:

Check with the TCPView. If there is activity let me know, or if your ISP can provide further info let me know:


Follow these steps to uninstall Combofix

  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.




NEXT


Now to remove the rest of the tools that we have used in fixing your machine:
  • Make sure you have an Internet Connection.
  • Download OTC to your desktop and run it
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

If any logs/tools remain on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them

    Then consider a password keeper, to keep all your passwords safe.

  • Keep Windows updated by regularly checking their website at:
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options: "Download signed and unsigned ActiveX controls" to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.


  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for Firefox, IE and Chrome.

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    Think Prevention.
    PC Safety and Security--What Do I Need?.


Be very wary of any security software that is advertised in popups or in other ways. Such programs are not only usually of no use, but often have malware in them.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015



#11 solteras88


Posted 21 March 2010 - 10:22 AM

Hi, I ran TCPview with my browser closed and this is what I found. Occasionally something will highlight red or green but that always lasts less than a second. Other than that, all the entries are not colored. If I'm spamming, will something become highlighted and remain that way?

AppleMobileDeviceService.exe:420 TCP YIS:27015 localhost:1037 ESTABLISHED
AppleMobileDeviceService.exe:420 TCP YIS:27015 YIS:0 LISTENING
ccSvcHst.exe:784 TCP yis:1176 ar03sa01.ar03.crsi.symantec.com:https ESTABLISHED
ccSvcHst.exe:784 TCP YIS:1036 YIS:0 LISTENING
iTunesHelper.exe:2924 TCP YIS:1037 localhost:27015 ESTABLISHED
jqs.exe:624 TCP YIS:5152 localhost:1045 CLOSE_WAIT
jqs.exe:624 TCP YIS:5152 YIS:0 LISTENING
jusched.exe:3160 TCP yis:1077 24.143.200.16:http CLOSE_WAIT
lsass.exe:1084 UDP YIS:isakmp *:*
lsass.exe:1084 UDP YIS:4500 *:*
mDNSResponder.exe:436 TCP YIS:5354 YIS:0 LISTENING
mDNSResponder.exe:436 UDP yis:5353 *:*
mDNSResponder.exe:436 UDP yis:5353 *:*
mDNSResponder.exe:436 UDP YIS:56418 *:*
mDNSResponder.exe:436 UDP YIS:1025 *:*
svchost.exe:1328 TCP YIS:epmap YIS:0 LISTENING
svchost.exe:1420 UDP yis:ntp *:*
svchost.exe:1420 UDP yis:ntp *:*
svchost.exe:1420 UDP YIS:ntp *:*
svchost.exe:1420 UDP YIS:1027 *:*
svchost.exe:1628 UDP yis:1900 *:*
svchost.exe:1628 UDP yis:1900 *:*
svchost.exe:1628 UDP YIS:1900 *:*
System:4 TCP YIS:microsoft-ds YIS:0 LISTENING
System:4 TCP yis:netbios-ssn YIS:0 LISTENING
System:4 TCP yis:netbios-ssn YIS:0 LISTENING
System:4 UDP yis:netbios-ns *:*
System:4 UDP yis:netbios-ns *:*
System:4 UDP yis:netbios-dgm *:*
System:4 UDP YIS:microsoft-ds *:*
System:4 UDP yis:netbios-dgm *:*
tcsd_win32.exe:1708 TCP YIS:10001 YIS:0 LISTENING

#12 CatByte


Posted 21 March 2010 - 11:58 AM

No, not necessarily. If you were spamming I would expect to see a suspicious entry with an "ESTABLISHED" connection. The only items with established connections are AppleMobileDeviceService, Symantec and iTunesHelper. Was your ISP able to provide any further information? Have all of you in the household changed all your online passwords for everything? That will be your best protection against something like this. Change your passwords every few months and be very careful what you fill out with your credentials.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
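Added example, not part of the original thread: a small parser for TCPView-style text that automates the check described in the post above, listing live TCP sessions and grouping any that go to mail ports by process. The sample lines marked as constructed, the `unknown.exe` process name and the choice of ports to flag are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in TCPView's text layout. The first four lines mirror
# entries posted in the thread; the "unknown.exe" lines are invented for
# illustration and use reserved example hosts/addresses.
SAMPLE = """\
AppleMobileDeviceService.exe:420 TCP YIS:27015 localhost:1037 ESTABLISHED
ccSvcHst.exe:784 TCP yis:1176 ar03sa01.ar03.crsi.symantec.com:https ESTABLISHED
lsass.exe:1084 UDP YIS:isakmp *:*
[System Process]:0 TCP yis:1805 64.211.144.171:http TIME_WAIT
unknown.exe:3344 TCP yis:2051 mx1.example.net:smtp ESTABLISHED
unknown.exe:3344 TCP yis:2052 mx.example.org:smtp SYN_SENT
unknown.exe:3344 TCP yis:2053 198.51.100.7:25 ESTABLISHED
"""

LINE = re.compile(
    r"^(?P<proc>.+?):(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<local>\S+)\s+(?P<remote>\S+)(?:\s+(?P<state>\S+))?$"
)
SMTP_PORTS = {"smtp", "25", "465", "587"}   # assumption: ports worth flagging
ACTIVE = {"ESTABLISHED", "SYN_SENT"}        # open, or currently being opened
LOOPBACK = {"localhost", "127.0.0.1"}

def parse(text):
    """Yield one dict per recognisable TCPView line; skip anything else."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        row = m.groupdict()
        # Remote endpoint is "host:port"; the port may be a service name.
        row["host"], _, row["port"] = row["remote"].rpartition(":")
        yield row

def active_remote(text):
    """(process, remote) pairs for live TCP sessions to non-loopback hosts."""
    return [(r["proc"], r["remote"]) for r in parse(text)
            if r["proto"] == "TCP" and r["state"] in ACTIVE
            and r["host"].lower() not in LOOPBACK]

def smtp_talkers(text):
    """Map process:pid -> distinct mail servers it is connected/connecting to."""
    hits = defaultdict(set)
    for r in parse(text):
        if (r["proto"] == "TCP" and r["state"] in ACTIVE
                and r["port"].lower() in SMTP_PORTS):
            hits[f'{r["proc"]}:{r["pid"]}'].add(r["host"])
    return {proc: sorted(hosts) for proc, hosts in hits.items()}

if __name__ == "__main__":
    for proc, hosts in smtp_talkers(SAMPLE).items():
        print(f"{proc} -> {len(hosts)} mail server(s): {', '.join(hosts)}")
```

TIME_WAIT rows are skipped because they are connections that have already closed; a single snapshot only shows what is open at that moment, so the check is more useful repeated over time.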


#13 solteras88


Posted 21 March 2010 - 01:22 PM

No, I didn't get much of an answer from my ISP. They unquarantined us on their own since we haven't been using their connection for a while. I'm going to get my housemates to change their passwords though. Hopefully that will solve the problem. Two things happened. Just recently Norton flagged 'iexplore.exe'. Have you ever heard of it? I read somewhere that sometimes it's a virus. Also, on TCP view, these processes have popped up:

[System Process]:0 TCP yis:1830 ord-agg-n10.panthercdn.com:http TIME_WAIT
[System Process]:0 TCP yis:1805 64.211.144.171:http TIME_WAIT
[System Process]:0 TCP yis:1808 64.211.144.171:http TIME_WAIT
[System Process]:0 TCP yis:1823 64.151.113.26.servepath.com:http TIME_WAIT
[System Process]:0 TCP yis:1795 64.211.144.171:http TIME_WAIT
[System Process]:0 TCP yis:1799 static-209-18-39-131.nyc20.tbone.rr.com:http TIME_WAIT
[System Process]:0 TCP yis:1803 static-209-18-39-98.nyc20.tbone.rr.com:http TIME_WAIT
[System Process]:0 TCP yis:1801 static-209-18-39-131.nyc20.tbone.rr.com:http TIME_WAIT
[System Process]:0 TCP yis:1833 ord-agg-n43.panthercdn.com:http TIME_WAIT
[System Process]:0 TCP yis:1837 ord-agg-n43.panthercdn.com:http TIME_WAIT
[System Process]:0 TCP yis:1840 ord-agg-n21.panthercdn.com:http TIME_WAIT
[System Process]:0 TCP yis:1843 ord-agg-n21.panthercdn.com:http TIME_WAIT
[System Process]:0 TCP yis:1838 ord-agg-n43.panthercdn.com:http TIME_WAIT
[System Process]:0 TCP yis:1839 ord-agg-n43.panthercdn.com:http TIME_WAIT
[System Process]:0 TCP yis:1849 www-11-02.snc4.facebook.com:http TIME_WAIT
[System Process]:0 TCP yis:1834 ord-agg-n43.panthercdn.com:http TIME_WAIT
[System Process]:0 TCP yis:1851 api-connect-10-01-snc2.facebook.com:http TIME_WAIT
[System Process]:0 TCP yis:1807 64.211.144.171:http TIME_WAIT
[System Process]:0 TCP yis:1809 64.211.144.171:http TIME_WAIT
[System Process]:0 TCP yis:1850 72.21.202.192:http TIME_WAIT
[System Process]:0 TCP yis:1796 64.211.144.171:http TIME_WAIT
[System Process]:0 TCP yis:1797 64.211.144.171:http TIME_WAIT
[System Process]:0 TCP yis:1858 yo-in-f101.1e100.net:http TIME_WAIT
[System Process]:0 TCP yis:1804 65.55.57.252:http TIME_WAIT
[System Process]:0 TCP yis:1846 js-pd03.revsci.net:http TIME_WAIT
[System Process]:0 TCP yis:1877 upload.pmtpa.wikimedia.org:http TIME_WAIT
[System Process]:0 TCP yis:1875 upload.pmtpa.wikimedia.org:http TIME_WAIT
[System Process]:0 TCP yis:1802 static-209-18-39-88.nyc20.tbone.rr.com:http TIME_WAIT
[System Process]:0 TCP yis:1793 207.46.172.252:http TIME_WAIT
[System Process]:0 TCP yis:1812 207.46.172.252:http TIME_WAIT
[System Process]:0 TCP yis:1813 207.46.172.252:http TIME_WAIT
[System Process]:0 TCP yis:1798 207.46.172.252:http TIME_WAIT
[System Process]:0 TCP yis:1814 207.46.172.252:http TIME_WAIT
[System Process]:0 TCP yis:1815 207.46.172.252:http TIME_WAIT

They aren't established, but since they weren't there before I thought I should tell you. I think my computer is just lagging, but I'd like to be cautious. Thanks for all your help!

#14 CatByte


Posted 21 March 2010 - 01:33 PM

Hi, those all appear to be legitimate domains. Report that to your ISP, as they will be the ones to determine if there is anything of concern to them there, but it appears OK to me. This may just have been an isolated incident, one that we won't be able to uncover. As long as the passwords are changed, you should be OK from here on in.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#15 solteras88


Posted 25 March 2010 - 08:18 PM

Hi, I had all my housemates change their passwords. I'm not sure if the problem has been fixed, but our internet is still working so maybe it's fixed. Thank you so much for all your help. I really appreciate it. :notworthy:
