Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 92379 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] Help with Firefox/Java infection


  • This topic is locked This topic is locked
10 replies to this topic

#1 redofromstart

redofromstart

    New Member

  • Authentic Member
  • Pip
  • 5 posts

Posted 11 November 2009 - 02:51 PM

Hello, new to the forum, was hoping somebody could help. A couple of days ago, I had a warning from Avast about a file named xa.tmp. I found the file, scanned with Spybot, Zone Alarm and Avast but they found nothing. I then scanned with Malware Bytes and it seemed to remove the problem, but today I keep getting Firefox opening new windows, seemingly connected to google searches, which have about 4 tabs with broken links and one tab that tries to connect to Link Removed Also Zone Alarm gives frequent warnings (about once an hour) that Java Quick Starter Binary is trying to access the internet. I have denied these access attempts. From some Google research, I think it's possible I have a serious problem, please help! I have done full scans with Spybot, Zone Alarm, Avast and Malware Bytes and they all came up clean, but the problem persists. Any and all help greatly appreciated! Edit: just saw the "Welcome New Members" section, apologies for terrible noobishness... Here's the RootRepeal log: ROOTREPEAL © AD, 2007-2009 ================================================== Scan Start Time: 2009/11/11 22:15 Program Version: Version 1.3.5.0 Windows Version: Windows XP SP3 ================================================== Drivers ------------------- Name: rootrepeal.sys Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys Address: 0xAD9F2000 Size: 49152 File Visible: No Signed: - Status: - SSDT ------------------- #: 025 Function Name: NtClose Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb0b556b8 #: 041 Function Name: NtCreateKey Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb0b55574 #: 063 Function Name: NtDeleteKey Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb0c4dde0 #: 065 Function Name: NtDeleteValueKey Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb0b55a52 #: 068 Function Name: NtDuplicateObject Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb0b5514c #: 098 Function Name: NtLoadKey Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb0c4de60 #: 119 Function Name: NtOpenKey Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb0b5564e #: 122 Function Name: NtOpenProcess Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb0b5508c #: 128 Function Name: NtOpenThread Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb0b550f0 #: 177 Function Name: NtQueryValueKey Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb0b5576e #: 193 Function Name: NtReplaceKey Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb0c4df10 #: 204 Function Name: NtRestoreKey Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb0b5572e #: 247 Function Name: NtSetValueKey Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb0b558ae ==EOF== And the DDS log: DDS (Ver_09-06-26.01) - NTFSx86 Run by E at 22:08:12.03 on 11/11/2009 Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.270 [GMT 1:00] AV: ZoneAlarm Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF} AV: avast! antivirus 4.8.1356 [VPS 091111-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D} FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup svchost.exe C:\WINDOWS\Explorer.EXE svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe C:\WINDOWS\system32\ZoneLabs\isafe.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\system32\Prismsta.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\T-COM\T-COM WLAN Manager T-Sinus 154card\Installer\WINXP\DT11GMonitor.exe C:\WINDOWS\system32\sistray.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Alwil Software\Avast4\setup\avast.setup C:\Documents and Settings\E\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://www.google.com/ uSearch Page = hxxp://www.google.com uSearch Bar = hxxp://www.google.com/ie uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s mSearchAssistant = hxxp://www.google.com/ie BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - No File BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File uRun: [T-Online_Software_5\WLAN-Access Finder] c:\program files\t-online\wlan-access finder\ToWLaAcF.exe /StartMinimized uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe mRun: [SoundMan] SOUNDMAN.EXE mRun: [Prism_Utility] Prismsta.exe mRun: [EPSON Stylus Photo RX500] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500" mRun: [Zone Labs Client] "c:\program files\zone labs\zonealarm\zlclient.exe" mRun: [Auto EPSON Stylus Photo RX500 on COMPAQ] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2k1.exe /p39 "auto epson stylus photo rx500 on compaq" /o17 "\\compaq\Printer1" /M "Stylus Photo RX500" mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\t-comw~1.lnk - c:\program files\t-com\t-com wlan manager t-sinus 154card\installer\winxp\DT11GMonitor.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\utilit~1.lnk - c:\windows\system32\sistray.exe IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000 IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll LSP: c:\windows\system32\zonelabs\vetredir.dll DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\e\applic~1\mozilla\firefox\profiles\eph6e9dq.default\ FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=1k96igf4806cy&ltmpl=googlemail FF - plugin: c:\documents and settings\e\application data\mozilla\firefox\profiles\eph6e9dq.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll FF - plugin: c:\progra~1\mozill~1\plugins\np_gp.dll FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ZangoSA.dll FF - plugin: c:\program files\veetle\player\npvlc.dll FF - plugin: c:\program files\veetle\plugins\npVeetle.dll FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false); c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200); c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess"); c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120); c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3); c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true); c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true); c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0); c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072); c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35"); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json"); ============= SERVICES / DRIVERS =============== R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-10-6 114768] R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2008-5-17 21605] R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2008-5-17 15668] R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2008-5-17 114856] R1 VETMONNT;VET File and Macro Monitor;c:\windows\system32\drivers\vetmonnt.sys [2008-5-17 896472] R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-5-17 278416] R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\adobe\elements organizer 8.0\PhotoshopElementsFileAgent.exe [2009-9-6 169312] R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-10-6 20560] R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-10-6 138680] R2 CAISafe;CA ISafe;c:\windows\system32\zonelabs\isafe.exe [2008-5-17 184320] R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?] R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-10-6 254040] R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-10-6 352920] R3 TDSLAdapter;T-DSL-Adapter (T-Online);c:\windows\system32\drivers\TDSLAdap.sys [2007-12-1 47616] R3 TS154_CB;T-Sinus 154card Driver;c:\windows\system32\drivers\TS154ICB.sys [2004-1-14 381856] R3 w32n5223;w32n5223 Protocol Driver;c:\progra~1\t-com\t-comw~1\instal~1\winxp\w32n5223.SYS [2003-5-12 15104] S3 getPlusHelper;getPlus® Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2002-8-29 14336] S3 SiSCom;SISCom_Com;\??\d:\driver\sim2000\vga\xp-2000_ver.6.14.10.3590\utildll\siscom.sys --> d:\driver\sim2000\vga\xp-2000_ver.6.14.10.3590\utildll\SiSCom.sys [?] S3 TDSLProtocol;T-DSL-Protocol (T-Online);c:\windows\system32\drivers\TDSLProt.sys [2007-12-1 6688] =============== Created Last 30 ================ 2009-11-09 19:51 <DIR> --d----- c:\docume~1\e\applic~1\Malwarebytes 2009-11-09 19:51 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys 2009-11-09 19:51 19,160 a------- c:\windows\system32\drivers\mbam.sys 2009-11-09 19:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes 2009-11-09 19:51 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware 2009-11-09 19:09 <DIR> --d----- c:\program files\FLAC 2009-11-09 19:01 <DIR> --d----- c:\docume~1\e\applic~1\Any Audio Converter 2009-11-08 19:29 <DIR> --d----- c:\windows\system32\appmgmt 2009-11-08 14:55 <DIR> --d----- c:\docume~1\e\applic~1\TVU Networks 2009-11-08 14:55 <DIR> --d----- c:\program files\TVUPlayer 2009-11-07 20:54 <DIR> --d----- c:\program files\VideoLAN 2009-11-05 15:47 <DIR> --d----- c:\program files\uTorrent 2009-11-05 15:46 <DIR> --d----- c:\docume~1\e\applic~1\uTorrent 2009-11-04 09:05 <DIR> --d----- c:\windows\system32\wbem\Repository 2009-11-02 07:14 <DIR> --d----- c:\windows\pss 2009-10-24 17:41 <DIR> --d----- c:\program files\Veetle 2009-10-24 13:31 <DIR> --d----- c:\docume~1\e\applic~1\StreamTorrent 2009-10-24 13:31 <DIR> --d----- c:\program files\StreamTorrent 1.0 2009-10-14 10:24 <DIR> --d----- c:\program files\common files\Macrovision Shared ==================== Find3M ==================== 2009-10-11 04:17 411,368 a------- c:\windows\system32\deploytk.dll 2009-09-15 15:44 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat 2009-09-11 15:18 136,192 a------- c:\windows\system32\msv1_0.dll 2009-09-04 22:03 58,880 a------- c:\windows\system32\msasn1.dll 2009-08-29 08:36 832,512 a------- c:\windows\system32\wininet.dll 2009-08-29 08:36 78,336 a------- c:\windows\system32\ieencode.dll 2009-08-29 08:36 17,408 -------- c:\windows\system32\corpol.dll 2009-08-26 09:00 247,326 a------- c:\windows\system32\strmdll.dll 2004-05-10 17:43 62,865 a------- c:\windows\inf\im\odysseyIM3.sys 2004-05-10 17:43 45,056 a------- c:\windows\inf\im\imdinst.exe 2004-05-10 17:43 12,739 a------- c:\windows\inf\im\odNetInstall.dll ============= FINISH: 22:11:28.44 ===============

Attached Files


Edited by LDTate, 14 November 2009 - 04:40 PM.

    Advertisements

Register to Remove


#2 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,180 posts

Posted 14 November 2009 - 04:41 PM

Posted Image


DO NOT use any TOOLS such as Combofix, Vundofix, or HijackThis fixes without supervision.

Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.



Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Uncheck "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Uncheck "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.



Next:

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.


(If you use FireFox or the Opera browser
To keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

Next:


Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs

  • Double click on ComboFix.exe & follow the prompts.

    Note: Combofix will run without the Recovery Console installed.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
"copy/paste" a new HijackThis log file into this thread as well.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it atleast 20-30 minutes to finish if needed.


Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#3 redofromstart

redofromstart

    New Member

  • Authentic Member
  • Pip
  • 5 posts

Posted 16 November 2009 - 08:40 AM

Hi LDTate, thanks for the reply. I ran ATF cleaner and let it remove the files. Then I downloaded Combofix to my desktop and ran it. It ran for about 5 minutes and got to where it said "Attempting to set new restore point", then I got BSOD. The stop message on the blue screen said: 0x0000007E (0xC0000005, 0x804D9A69, 0xF7B4A67C, 0xF7B4A378) I turned the machine off and rebooted, and got the screen asking me if I wanted to start Windows in safe mode. I went for safe mode with networking, it loaded for about 20 seconds and then gave me another BSOD with the following stop message: 0x0000007E (0xC0000005, 0x804D9A69, 0xF7B5267C, 0xF7B52378) I have tried rebooting several times now, in safe mode and also using the last good configuration (and normally) and only get as far as the black "Windows is loading" screen, then just as it should go to the blue "welcome" screen, I get BSOD. The second stop message is now recurring. I am posting this from another machine as the affected computer is inoperable. Please help!!

#4 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,180 posts

Posted 16 November 2009 - 11:28 AM

Did you install the Recovery Console?

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#5 redofromstart

redofromstart

    New Member

  • Authentic Member
  • Pip
  • 5 posts

Posted 16 November 2009 - 12:33 PM

Nope, :smack: tried a couple of days ago but nothing happened the first couple of times so I gave up. I was hoping Combifix would do it but it didn't get that far. Not looking good, is it?

#6 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,180 posts

Posted 16 November 2009 - 03:43 PM

Don't give up yet. Do you have your windows CD? Did you run MBAM before I posted? If so, what did it show if you remember?

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#7 redofromstart

redofromstart

    New Member

  • Authentic Member
  • Pip
  • 5 posts

Posted 16 November 2009 - 04:59 PM

I have my Windows cd somewhere, though it might take a day or so to dig it out as I haven't used it in so long. Not giving up yet; I have the most important stuff backed up but there's plenty on the hard drive it would be a real pain to lose. I ran MBAM and it said it had removed one infected file and I couldn't find xa.tmp so I thought that was that, but I had the same problem afterwards. I don't remember exactly what it reported though and have no log.

#8 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,180 posts

Posted 16 November 2009 - 05:07 PM

If booting from Windows Install disc:
Now I need you to find your original Windows installation CD then follow the directions below:

1. Inset your Windows Install disc to boot from CD.
Note: if you cannot boot from the CD, go into your BIOS and set the computer to boot from CD first
2. Press any key on the keyboard when prompted.
3. Press R to load the Recovery Console.
4. Enter your password when prompted.
5. You must enter which Windows installation to log onto. Type 1 and press enter.
6. At the C:\Windows prompt, type the following bolded text, and press Enter:

cd erdnt\subs

7. At the next prompt, type the following bolded text, and press Enter:

batch erdnt.con

8. The erunt backups will begin copying.
9. At the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading.


-------------------------------

This is what the user will see as they go through the steps above:


Posted Image


Posted Image


Posted Image


Posted Image


Posted Image

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#9 redofromstart

redofromstart

    New Member

  • Authentic Member
  • Pip
  • 5 posts

Posted 17 November 2009 - 11:45 AM

Ok, I ran the recovery console from my Windows cd and got as far as the erdnt\subs command, but it just told me that the file or folder could not be found. I then tried cd erdnt\hiv-backup, which worked and copied 10 files and went to the prompt where I typed "exit". However, when the computer restarted it again went to the screen which asks if you want to start in safe mode. When I selected "start Windows normally", I again got BSOD but with a new stop message: 0x0000007E, (0XC0000005, 0X804D9A69, 0XF7B7167C, 0XF7B71378) One thing I did notice is that when I try to start Windows in safe mode it begins to load and gets as far as System32\Drivers\Mup.sys, then after about 20 seconds the computer tries to reboot, coming back to the startup selection screen. Normal mode always gives BSOD.

#10 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,180 posts

Posted 17 November 2009 - 07:04 PM

System32\Drivers\Mup.sys. That's the last driver / file windows loads.

Only thing I can think of now would be a repair install of windows.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#11 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,180 posts

Posted 26 November 2009 - 05:36 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users