bump I read "read this" and have IESiteBlocker.NavFilte


Post by skhpa101 on Sat Jul 25, 2009 3:06 pm

was able to install hijack this and run the scan - I see something called wormradar.com (IEsiteblocker) in the log..... trying to figure out a way to get whole logfile off pc since usb drives have been disabled....



My browsers have been hijacked, and possibly my usb drives. In addition, it may have tried to spread over my wireless connection (have an apple express modem), so I've disconnected that and have another (non infected) pc cabled directly into the modem.

So... I'm not sure what I have and the sick pc (running xp pro) can't get to the internet (can't ping anything either). Last night my virus protection jumped up and said something was trying to install and that it had been quarantined, so I thought I was safe. I didn't make note of the name (it was mal something and some kind of trojan) and now the virus protection navigation has been disabled too (can't view anything there).

I'm creating a cd with some tools on it to try to load that to the sick pc.

Will you still be able to help me if I can get the windows, java, adobe reader etc updates done on the sick pc ? Even though the pc seems to be unable to connect to the internet?

Thanks in advance
skhpa


Last edited by skhpa101 on Wed Jul 29, 2009 2:03 pm; edited 5 times in total (Reason for editing : bump)

skhpa101
Novice
Posts: 25
Joined: 2009-07-25
OS: xp

Re: bump I read "read this" and have IESiteBlocker.NavFilte

Post by Belahzur on Sat Jul 25, 2009 7:40 pm

The IESiteBlocker is AVG8, harmless.

If you can't update Java/Adobe, skip them and see if Hijack This will run. Even the basics will help us.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre

Re: bump I read "read this" and have IESiteBlocker.NavFilte

Post by skhpa101 on Sun Jul 26, 2009 12:39 am

ok, thanks. have to figure out a way to get the HJT log off (usb drives aren't responding). have an old floppy drive somewhere.... will post again tomorrow


bump - Partial HiJack This LogFile

Post by skhpa101 on Sun Jul 26, 2009 9:39 pm

Anybody out there ? Is this partial (retyped) logfile any help ? I really need to get this pc fixed - I work from home and it's monday morning.... help!

OK... can't get the floppy drive to work either so I HAVE TYPED LOGFILE HERE - PLEASE dont be mad at me for not typing the whole thing - did not type processes that I recognized, like logmein, quickbooks etc and the entries that end in .... looked pretty harmless - Cannot get pc on line and cannot use any drives (usb floppy etc)

sorry - there may be some typos... what a pita....

logfile of trend micro hijack this v2.0.2
scan saved at 4:44:01 pm, on 7/26/09
platform: windows xp sp2 (winnt 5.01.2600)
msie: internet explorer v7.00(7.00.6000.16850)
boot mode: normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\System32\services.exe
C:\WINDOWS\System32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Analog Devices\SoundMax\SMAgent.exe

R0 - HKCU\Software\microsoft\Internet Explorer\main, start page=http://www.makerent.com
R1 - HKLM\software\microsoft\internet explorer\main, default_page_url=http://go.microsoft.com/fwlink/?linkid=69157
R1 - HKLM\software\microsoft\internet explorer\main, default_page_url=http://go.microsoft.com/fwlink/?linkid=54896
R1 - HKLM\software\microsoft\internet explorer\main, default_page_url=http://go.microsoft.com/fwlink/?linkid=54896
R0 - HKLM\software\microsoft\internet explorer\main, default_page_url=http://go.microsoft.com/fwlink/?linkid=69157
R1 - HKLM\software\microsoft\windows\currentversion\internet settings.proxyoverride =*.local
R3 - urlsearchhook: wisdom-soft toolbar...
O2 - BHO: Adobe pdf readerlink helper...
O2 - BHO - skype addon (mastermind)...
O2 - BHO: realplayer dowload and record...
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {...} - C:\Program Files\Java...
O2 - BHO:Google Toolbar Notifier...
O4 - HKLM\..\Run: [logmein gui]...
O4 - HKLM\..\Run: [avg8_tray]...
O4 - HKLM\..\Run: [quicktime task]...
O4 - HKLM\..\Run: [tkbellexe]...
O4 - HKLM\..\Run: [airlink101 wlan monitor]...
O4 - HKLM\..\Run: [aniwzcs2servig.exe]...
O4 - HKLM\..\Run: [spysweeper]...
O4 - HKLM\..\Run: [ctfmon.exe]...
O4 - HKLM\..\Run: [h/pc connection agent] ... activesync...
O8 - extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - extra button (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - c:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - extra button (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - extra button (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - c:\windows\network diagnostic\xpnetdiag.exe
O20 - AppInit_DLLs: C:\PROGRA~1\GOOGLE\GOOGLE~1\GOEC62~1.DLL
O20 - Init_DLLs: C:\PROGRA~1\GOOGLE\GOOGLE~1\GOEC62~1.DLL


Last edited by skhpa101 on Mon Jul 27, 2009 3:15 pm; edited 7 times in total (Reason for editing : typing in more logfile entries)


bump?

Post by skhpa101 on Mon Jul 27, 2009 1:46 pm

can anyone help me with this? I'm in deep yogurt and gotta find some help somewhere today. if the partial logfile is a problem, plz let me know. i'm willing to do a donation.......... do i need to do that first ? I work from home and can't wait much longer. will have to pack up this bad boy and take it somewhere....


Re: bump I read "read this" and have IESiteBlocker.NavFilte

Post by Belahzur on Mon Jul 27, 2009 3:54 pm

Hello.
Please post a full log, do not edit the lines, otherwise I can't help.





typed in the logfile

Post by skhpa101 on Mon Jul 27, 2009 5:49 pm

omg... i had to TYPE the entire logfile to post it here since can't get pc online...
tried to be accurate and proof read ... what a pita....

Logfile of Trend Micro HiJackThis v2.0.2
Scan saved at 12:08:57 pm, on 7/27/09
Platform: Windows XP SP2 (winnt 5.01.2600)
MSIE: Internet Explorer v7.00(7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\System32\services.exe
C:\WINDOWS\System32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\main, start page=http://www.makerent.com
R1 - HKLM\Software\microsoft\Internet Explorer\main, default_page_url=http://go.microsoft.com/fwlink/?linkid=69157
R1 - HKLM\Software\microsoft\Internet Explorer\main, default_page_url=http://go.microsoft.com/fwlink/?linkid=54896
R1 - HKLM\Software\microsoft\Internet Explorer\main, default_page_url=http://go.microsoft.com/fwlink/?linkid=54896
R0 - HKLM\Software\microsoft\Internet Explorer\main, default_page_url=http://go.microsoft.com/fwlink/?linkid=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - urlsearchhook: wisdom-soft toolbar - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbwis1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Common Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Wisdom-soft Toolbar - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbWis1.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462c-B6EB-D4DAF1D92D43} - C:\Program Files\java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O3 - Toolbar: Wisdom-soft Toolbar - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbWis1.dll
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSysTray.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] "C:\PROGRA~1\AVG\AVG8\avgtray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TKBellExe] "C:\Program Files\Common Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKLM\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKLM\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer ActiveX Control) - [You must be registered and logged in to see this link.]
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c9ac1514b39476) (gupdate1c9ac1514b39476) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB18 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. ([You must be registered and logged in to see this link.] - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe

--
End of file - 8820 bytes


Last edited by skhpa101 on Mon Jul 27, 2009 5:52 pm; edited 1 time in total (Reason for editing : add subject)


Re: bump I read "read this" and have IESiteBlocker.NavFilte

Post by Belahzur on Mon Jul 27, 2009 9:09 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:
    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (AVG8)
  • Double click on ComboFix.exe.
  • Follow the prompts.
  • NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Re: bump I read "read this" and have IESiteBlocker.NavFilte

Post by skhpa101 on Mon Jul 27, 2009 9:22 pm

nevermind...


Last edited by skhpa101 on Mon Jul 27, 2009 10:24 pm; edited 1 time in total


Re: bump I read "read this" and have IESiteBlocker.NavFilte

Post by Belahzur on Mon Jul 27, 2009 9:35 pm

Skip that bit.



?? skip what ??

Post by skhpa101 on Mon Jul 27, 2009 10:47 pm

the hard part is going to be TYPING ANOTHER LOG FILE into this post ! any tips on how i might at least get the floppy or usb drives back so I can copy logfiles ?

skip the recovery console download ? I just found a site and downloaded the .iso file and am burning it to a cd....


Re: bump I read "read this" and have IESiteBlocker.NavFilte

Post by Origin on Tue Jul 28, 2009 5:05 pm

Hello, have you tried the keyboard shortcuts:

Ctrl+A - to copy all text

Ctrl+C - to copy all the text

and

Ctrl+V - To paste the text

?


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Posts: 2685
Joined: 2009-05-05
Gender: Male
OS: Windows Xp Sp3

Re: bump I read "read this" and have IESiteBlocker.NavFilte

Post by skhpa101 on Tue Jul 28, 2009 7:35 pm

yes. that's not the problem. i can copy and paste no problem. but, none of the drives work ie usb, floppy etc.are not responding, so i can't copy the text to anything to post the log. and the browsers have been hijacked so can't get online that way. bottom line is that the pc is completely offline and data transfer is impossible - cd drive is working and i am loading programs from there, but it's not a cd burner so can't copy back from the pc


I have HackTool: App/ForceLib-A *AND* Virus: Mal/Behav-023

Post by skhpa101 on Wed Jul 29, 2009 9:19 am

ok. have the sick pc online so can post logfiles - and i found the names of what i have

HackTool: App/ForceLib-A
Virus: Mal/Behav-023

Updated Spysweeper and just ran and quarantined them. Do I need to run hijack this again and post log ?


Last edited by skhpa101 on Wed Jul 29, 2009 2:21 pm; edited 2 times in total (Reason for editing : new info about virus)


Re: bump I read "read this" and have IESiteBlocker.NavFilte

Post by skhpa101 on Wed Jul 29, 2009 3:50 pm

Ok - haven't heard from the forum - so will post the hijack this log and the combo fix logs

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:33:10 AM, on 7/29/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Wisdom-soft ScreenHunter 5 Free\ScreenHunter.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Wisdom-soft Toolbar - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbWis1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Wisdom-soft Toolbar - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbWis1.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Ask.com Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Wisdom-soft Toolbar - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbWis1.dll
O3 - Toolbar: Ask.com Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [ANIWZCS2Service] "C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - [You must be registered and logged in to see this link.]
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. ([You must be registered and logged in to see this link.] - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe

--
End of file - 7800 bytes

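The HijackThis logs in this thread are read by hand, and the one question actually answered so far (is the WormRadar.com IESiteBlocker.NavFilter BHO malicious?) turned on recognising a CLSID and a DLL path. As an added example that is not part of the original thread and not HijackThis's own logic, the Python below parses HJT-style R/O lines and applies a few first-pass rules a helper would apply before anything else: entries HJT marks "(file missing)", O20 AppInit_DLLs / Winlogon Notify loaders, IE extensions (O2/O3/R3) whose CLSID is not on a vetted allowlist, and O15 Trusted Zone additions. The sample log is constructed from lines posted in this thread; the allowlist holds only the AVG 8 BHO that Belahzur confirmed harmless, and the rule set and the names `parse_entries`/`triage` are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:33:10 AM, on 7/29/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Wisdom-soft Toolbar - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbWis1.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Ask.com Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
"""

# Every HJT finding line is "<section> - <body>", e.g. "O2 - BHO: name - {CLSID} - path".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Allowlist built only from what this thread establishes (assumption: nothing else is pre-vetted).
KNOWN_GOOD_CLSIDS = {
    "{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}": "AVG8 IESiteBlocker.NavFilter (avgssie.dll), confirmed benign in thread",
}


@dataclass
class Entry:
    section: str          # R0/R1/R3/O2/O3/O15/O18/O20/O23 ...
    body: str             # everything after "<section> - "
    clsid: Optional[str]  # upper-cased {GUID} if the line carries one
    path: Optional[str]   # file the entry points at, if recoverable
    file_missing: bool    # HJT appends "(file missing)" to orphaned entries


def parse_entries(log_text: str) -> List[Entry]:
    """Return the R/O finding lines of an HJT log; header and process list are skipped."""
    entries: List[Entry] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        cm = CLSID_RE.search(body)
        clsid = cm.group(0).upper() if cm else None
        if " - " in body:                  # "name - {CLSID} - path" form
            path = body.rsplit(" - ", 1)[1]
        elif ": " in body:                 # "AppInit_DLLs: path" form
            path = body.split(": ", 1)[1]
        else:
            path = None
        missing = "(file missing)" in body
        if path is not None:
            path = path.replace("(file missing)", "").strip()
        entries.append(Entry(m.group("section"), body, clsid, path, missing))
    return entries


@dataclass
class Finding:
    entry: Entry
    reason: str


def triage(log_text: str) -> List[Finding]:
    """First-pass rules (my assumptions, not HJT's): the entries a helper looks at first."""
    findings: List[Finding] = []
    for e in parse_entries(log_text):
        if e.clsid in KNOWN_GOOD_CLSIDS:
            continue  # vetted, e.g. the AVG BHO asked about in this thread
        if e.file_missing:
            findings.append(Finding(e, "orphaned entry: registry points at a file that is not on disk"))
        elif e.section == "O20":
            findings.append(Finding(e, "AppInit_DLLs / Winlogon Notify DLLs load into many processes; verify the DLL"))
        elif e.section in ("O2", "O3", "R3") and e.clsid is not None:
            findings.append(Finding(e, "IE extension not on the allowlist; verify vendor and on-disk file"))
        elif e.section == "O15":
            findings.append(Finding(e, "Trusted Zone site runs with relaxed IE security settings"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry.section:<4} {f.reason}\n     {f.entry.body}")
```

Run against the sample, the AVG BHO is skipped because its CLSID is allowlisted, while the Wisdom-soft search hook, the Ask.com BHO, the orphaned qbwc protocol handler and both O20 loaders are listed for review; the O23 service and the ProxyOverride line produce nothing, which is the point of a rule-driven first pass: it narrows a 100-line log to the handful of lines worth a helper's time.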

Re: bump I read "read this" and have IESiteBlocker.NavFilte

Post by skhpa101 on Wed Jul 29, 2009 4:21 pm

ok, disabled avg and spysweeper and tried to run combo-fix - which I downloaded from the link in your response - it's popping up a caution window that says

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

ComboFix.exe may be downloaded from any of the above sites. If you have downloaded from some other site, there's a likely chance that it may be tainted. For peace of mind, I suggest that you delete the current copy and get a fresh one.


Re: bump I read "read this" and have IESiteBlocker.NavFilte

Post by Belahzur on Wed Jul 29, 2009 4:22 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.



Re: bump I read "read this" and have IESiteBlocker.NavFilte

Post by skhpa101 on Wed Jul 29, 2009 4:26 pm

i went ahead and downloaded a fresh copy of combo fix (adding the hyphen) at download... and ran it.... it is installing windows recovery console now... should i stop this or let it run ?

Recovery Console is done installing. Should I click "yes" to continue the ComboFix scan?


bump

Post by skhpa101 on Wed Jul 29, 2009 4:48 pm

Stopped the ComboFix scan after it completed the Windows Recovery Console install.

Ran DDS:

DDS (Ver_09-06-26.01) - NTFSx86
Run by sperry at 12:46:36.15 on Wed 07/29/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1007.469 [GMT -4]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}

============== Running Processes ===============

C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Wisdom-soft ScreenHunter 5 Free\ScreenHunter.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\sperry\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Wisdom-soft Toolbar: {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - c:\program files\wisdom-soft\tbWis1.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Wisdom-soft Toolbar: {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - c:\program files\wisdom-soft\tbWis1.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Wisdom-soft Toolbar: {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - c:\program files\wisdom-soft\tbWis1.dll
TB: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [ANIWZCS2Service] "c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe"
mRun: [SpySweeper] "c:\program files\webroot\spy sweeper\SpySweeperUI.exe" /startintray
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: cafepress.com\www
Trusted Zone: pens.com\www
Trusted Zone: rivhsa.org\www
DPF: {4E330863-6A11-11D0-BFD8-006097237877} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - [You must be registered and logged in to see this link.]
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sperry\applic~1\mozilla\firefox\profiles\qwt7blsh.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\sperry\application data\mozilla\firefox\profiles\qwt7blsh.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\sperry\application data\mozilla\firefox\profiles\qwt7blsh.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\google\google earth plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npaudio.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npavi32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npbeatnk.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npnul32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\nppl3260.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-2-25 29808]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-30 327688]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-30 27784]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-6-30 298776]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-8-3 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-1-10 47640]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2009-4-21 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\spy sweeper\WRConsumerService.exe [2009-3-31 1205760]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2007-11-15 572416]
S4 gupdate1c9ac1514b39476;Google Update Service (gupdate1c9ac1514b39476);c:\program files\google\update\GoogleUpdate.exe [2009-3-23 133104]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 QuickBooksDB18;QuickBooksDB18;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb18 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB18 [?]

=============== Created Last 30 ================

2009-07-29 12:24 a-dshr-- C:\cmdcons
2009-07-29 12:23 219,648 a------- c:\windows\PEV.exe
2009-07-29 12:23 161,792 a------- c:\windows\SWREG.exe
2009-07-29 12:23 98,816 a------- c:\windows\sed.exe
2009-07-29 12:23 --ds---- C:\Combo-Fix
2009-07-29 12:00 388,608 a------- c:\windows\system32\CF21789.exe
2009-07-29 11:59 388,608 a------- c:\windows\system32\CF21743.exe
2009-07-29 11:59 388,608 a------- c:\windows\system32\CF20620.exe
2009-07-28 16:56 --d----- c:\program files\Ask.com
2009-07-27 19:54 3,251 a------- c:\windows\system32\wbem\Outlook_01ca0f1583f79090.mof
2009-07-25 12:13 --d----- c:\docume~1\sperry\applic~1\Malwarebytes
2009-07-25 12:12 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-25 12:12 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-25 12:12 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-25 12:12 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-25 12:00 --d----- c:\program files\Trend Micro
2009-07-25 09:49 --d----- c:\windows\pss
2009-07-21 08:23 1,409 a------- c:\windows\QTFont.for
2009-07-21 08:23 54,156 a---h--- c:\windows\QTFont.qfn
2009-07-18 19:51 6 a------- c:\windows\WS_FTP.EXT
2009-07-18 19:51 0 a------- c:\windows\WS_FTP.CNV
2009-07-16 13:22 --d----- c:\program files\MSECache
2009-07-15 10:50 --d----- C:\WhitePapers
2009-07-15 09:40 3,284 a------- c:\windows\system32\ANIWZCS{747A1008-4F7C-4BA4-A98D-E2E982C1ED8D}
2009-07-15 09:33 7 a------- c:\windows\system32\ANIWZCSUSERNAME
2009-07-15 09:31 7 a------- c:\windows\system32\ANIWZCSUSERNAME{747A1008-4F7C-4BA4-A98D-E2E982C1ED8D}
2009-07-15 09:30 262,144 a------- c:\windows\system32\wnicapi.dll
2009-07-15 09:30 245,760 a------- c:\windows\system32\WlanApp.dll
2009-07-15 09:30 217,088 a------- c:\windows\system32\aIPH.dll
2009-07-15 09:30 1,327,189 a------- c:\windows\system32\odSupp_M.dll
2009-07-15 09:30 692,224 a------- c:\windows\system32\ANIWZCS2.dll
2009-07-15 09:30 49,152 a------- c:\windows\system32\JJAKEn.dll
2009-07-15 09:30 49,152 a------- c:\windows\system32\AQCKGen.dll
2009-07-15 09:30 45,115 a------- c:\windows\system32\ANICtl.dll
2009-07-15 09:29 48,128 a------- c:\windows\system32\ANIO64.sys
2009-07-15 09:29 36,864 a------- c:\windows\system32\ANIOApi.dll
2009-07-15 09:29 28,195 a------- c:\windows\system32\ANIO.sys
2009-07-15 09:29 16,997 a------- c:\windows\system32\ANIO.VXD
2009-07-15 09:29 11,904 a------- c:\windows\system32\anio4.sys
2009-07-15 09:29 --d----- c:\program files\ANI
2009-07-15 09:29 --d----- c:\program files\Airlink101

==================== Find3M ====================

2009-06-29 12:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 12:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 12:12 17,408 -------- c:\windows\system32\corpol.dll
2009-06-16 10:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-12 08:09 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-03 15:27 1,290,752 a------- c:\windows\system32\quartz.dll
2009-05-13 15:39 1,563,008 a------- c:\windows\WRSetup.dll
2009-05-10 08:56 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-07 11:44 344,064 a------- c:\windows\system32\localspl.dll
2009-05-01 14:30 3,366,912 a------- c:\windows\system32\GPhotos.scr
2009-02-21 20:56 60,744 a------- c:\documents and settings\sperry\g2mdlhlpx.exe

============= FINISH: 12:46:55.62 ===============


Last edited by skhpa101 on Wed Jul 29, 2009 5:42 pm; edited 1 time in total

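The helpers in this thread read the "Pseudo HJT Report" section of a DDS log by eye, looking for the same CLSID registered at several hook points (the Wisdom-soft and Ask.com toolbars above each appear as URLSearchHook, BHO and TB) and for changed Firefox search preferences. The following Python script is an added example, not code from the thread or from DDS, that does that triage mechanically: it parses the BHO/TB/URLSearchHooks, Run and prefs.js lines, groups CLSIDs by the hook points that register them, and flags modules under a watched vendor directory, a watched default search engine, and any keyword.URL override. The sample lines are copied from the log above, except the keyword.URL value, which is a constructed placeholder because the thread redacts the real link; the watchlist passed to triage() is an assumption for the demonstration.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log.

Added example, not code from the thread or from DDS. The sample lines are
copied from the log above, except the keyword.URL value, which is a
constructed placeholder (the thread redacts the real link); the vendor
watchlist passed to triage() is an assumption for the demonstration.
"""
import re
from collections import defaultdict

SAMPLE_LINES = [
    r"uURLSearchHooks: Wisdom-soft Toolbar: {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - c:\program files\wisdom-soft\tbWis1.dll",
    r"BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll",
    r"BHO: Wisdom-soft Toolbar: {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - c:\program files\wisdom-soft\tbWis1.dll",
    r"BHO: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll",
    r"TB: Wisdom-soft Toolbar: {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - c:\program files\wisdom-soft\tbWis1.dll",
    r"TB: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll",
    r'mRun: [SpySweeper] "c:\program files\webroot\spy sweeper\SpySweeperUI.exe" /startintray',
    r"FF - prefs.js: browser.search.selectedEngine - Ask.com",
    # Constructed placeholder value: the real URL is redacted in the thread.
    r"FF - prefs.js: keyword.URL - http://placeholder.invalid/search?q=",
]

# COM hook points (BHO, toolbar, URL search hook, explorer bar): name, CLSID, module path.
COM_RE = re.compile(
    r"^(?P<kind>uURLSearchHooks|BHO|TB|EB): (?P<name>.*?): "
    r"(?P<clsid>\{[0-9a-fA-F-]+\}) - (?P<path>.+)$"
)
# Per-user (uRun) and per-machine (mRun) Run-key entries.
RUN_RE = re.compile(r"^(?P<kind>[um]Run): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Firefox preference lines.
PREF_RE = re.compile(r"^FF - prefs\.js: (?P<pref>\S+) - (?P<value>.+)$")


def parse_hjt_lines(lines):
    """Parse known line shapes into dicts; lines of other shapes are skipped."""
    entries = []
    for raw in lines:
        line = raw.strip()
        m = COM_RE.match(line)
        if m:
            entries.append({"kind": m["kind"], "name": m["name"],
                            "clsid": m["clsid"].lower(), "path": m["path"].lower()})
            continue
        m = RUN_RE.match(line)
        if m:
            entries.append({"kind": m["kind"], "name": m["name"],
                            "clsid": None, "path": m["cmd"].lower()})
            continue
        m = PREF_RE.match(line)
        if m:
            entries.append({"kind": "FFpref", "name": m["pref"],
                            "clsid": None, "path": m["value"]})
    return entries


def group_by_clsid(entries):
    """Map each CLSID to the set of hook points that register it."""
    groups = defaultdict(set)
    for e in entries:
        if e["clsid"]:
            groups[e["clsid"]].add(e["kind"])
    return dict(groups)


def flag_entries(entries, watch_dirs, watch_engines):
    """Flag modules under a watched vendor directory, a Firefox default search
    engine on the watchlist, and any keyword.URL override (it redirects
    address-bar searches, so a non-default value always deserves a look)."""
    engines = {w.lower() for w in watch_engines}
    hits = []
    for e in entries:
        if e["kind"] == "FFpref":
            if e["name"] == "keyword.URL":
                hits.append(e)
            elif e["name"] == "browser.search.selectedEngine" and e["path"].lower() in engines:
                hits.append(e)
        elif any("\\{}\\".format(d.lower()) in e["path"] for d in watch_dirs):
            hits.append(e)
    return hits


def triage(lines, watch_dirs=("ask.com",), watch_engines=("Ask.com",)):
    """Run the three steps and return the results in one dict."""
    entries = parse_hjt_lines(lines)
    return {
        "entries": entries,
        "by_clsid": group_by_clsid(entries),
        "hits": flag_entries(entries, watch_dirs, watch_engines),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LINES)
    for clsid, kinds in report["by_clsid"].items():
        print(clsid, "registered as", ", ".join(sorted(kinds)))
    for h in report["hits"]:
        print("FLAG", h["kind"], h["name"], "->", h["path"])
```

Run against the full DDS log, the by_clsid map shows at a glance which modules hook the browser in more than one place, and the hits list is the short list a helper would look at first; the watchlist is where you put whatever vendor directories and search engines your own triage treats as unwanted.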

feeling vulnerable and forgotten.... snif snif

Post by skhpa101 on Wed Jul 29, 2009 5:27 pm

Have Spy Sweeper and AVG turned off... wondering if I can turn them back on?
Have been sitting here since 6 am (it's now 2 pm) hoping for some attention... really need some help.


Re: bump I read "read this" and have IESiteBlocker.NavFilte

Post by Belahzur on Wed Jul 29, 2009 6:11 pm

Hello.
See if ComboFix will run anyhow. I don't see any traces of a file infector on the system.



combo fix log - part 1

Post by skhpa101 on Wed Jul 29, 2009 6:43 pm

ComboFix ran but gave an exception processing message C00000013 - Parameters 75b6bf9c4 75b6bf9c4 75b6bf9c4. Then it had the option of Try Again, Cancel or Continue, so I hit Continue.

Here's the ComboFix log:

ComboFix 09-07-29.01 - sperry 07/29/2009 14:15.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1007.327 [GMT -4:00]
Running from: c:\downloads\FromCDBurn\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
.

((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-29 )))))))))))))))))))))))))))))))
.

2009-07-28 21:01 . 2009-07-29 17:49 -------- d-----w- c:\documents and settings\sperry\Local Settings\Application Data\AskToolbar
2009-07-28 20:56 . 2009-07-28 20:56 -------- d-----w- c:\program files\Ask.com
2009-07-25 16:13 . 2009-07-25 16:13 -------- d-----w- c:\documents and settings\sperry\Application Data\Malwarebytes
2009-07-25 16:12 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-25 16:12 . 2009-07-25 16:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-25 16:12 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-25 16:12 . 2009-07-25 16:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-25 16:00 . 2009-07-25 16:00 -------- d-----w- c:\program files\Trend Micro
2009-07-18 07:59 . 2009-07-18 07:59 -------- d-----w- c:\documents and settings\sperry\Local Settings\Application Data\Temp
2009-07-16 17:22 . 2009-07-16 17:22 -------- d-----w- c:\program files\MSECache
2009-07-15 14:50 . 2009-07-15 14:50 -------- d-----w- C:\WhitePapers
2009-07-15 13:30 . 2007-12-11 19:36 245760 ----a-w- c:\windows\system32\WlanApp.dll
2009-07-15 13:30 . 2007-11-21 22:36 217088 ----a-w- c:\windows\system32\aIPH.dll
2009-07-15 13:30 . 2007-10-08 23:13 262144 ----a-w- c:\windows\system32\wnicapi.dll
2009-07-15 13:30 . 2008-01-02 14:24 692224 ----a-w- c:\windows\system32\ANIWZCS2.dll
2009-07-15 13:30 . 2006-09-26 17:49 45115 ----a-w- c:\windows\system32\ANICtl.dll
2009-07-15 13:30 . 2005-10-27 12:55 49152 ----a-w- c:\windows\system32\JJAKEn.dll
2009-07-15 13:30 . 2005-10-19 22:19 49152 ----a-w- c:\windows\system32\AQCKGen.dll
2009-07-15 13:30 . 2005-10-19 22:19 1327189 ----a-w- c:\windows\system32\odSupp_M.dll
2009-07-15 13:29 . 2009-07-15 13:30 -------- d-----w- c:\program files\ANI
2009-07-15 13:29 . 2007-11-21 22:46 36864 ----a-w- c:\windows\system32\ANIOApi.dll
2009-07-15 13:29 . 2007-05-12 20:39 48128 ----a-w- c:\windows\system32\ANIO64.sys
2009-07-15 13:29 . 2007-05-12 20:39 28195 ----a-w- c:\windows\system32\ANIO.sys
2009-07-15 13:29 . 2007-05-12 20:39 11904 ----a-w- c:\windows\system32\anio4.sys
2009-07-15 13:29 . 2009-07-15 13:29 -------- d-----w- c:\program files\Airlink101

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-29 16:11 . 2008-01-11 00:21 -------- d-----w- c:\program files\LogMeIn
2009-07-29 15:28 . 2009-03-16 19:58 0 ----a-w- c:\documents and settings\sperry\Local Settings\Application Data\prvlcl.dat
2009-07-29 02:39 . 2009-03-24 00:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-26 02:18 . 2008-06-30 04:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg8
2009-07-24 21:32 . 2009-04-30 13:19 -------- d-----w- c:\program files\TuneUp Utilities 2009
2009-07-20 15:18 . 2008-05-09 01:51 -------- d-----w- c:\documents and settings\sperry\Application Data\Skype
2009-07-20 12:56 . 2008-05-09 01:52 -------- d-----w- c:\documents and settings\sperry\Application Data\skypePM
2009-07-19 17:54 . 2008-01-10 22:29 56632 ----a-w- c:\documents and settings\sperry\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-15 13:30 . 2008-01-11 00:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-29 16:12 . 2006-02-28 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2006-02-28 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-06-24 17:51 . 2008-02-05 18:27 -------- d-----w- c:\program files\Google
2009-06-17 12:58 . 2008-06-30 04:30 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-16 14:55 . 2006-02-28 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2006-02-28 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 00:18 . 2009-06-15 00:18 390664 ----a-w- c:\documents and settings\sperry\Application Data\Real\RealPlayer\Update\realplayer11gold.exe
2009-06-12 12:09 . 2008-06-30 04:30 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-05 12:43 . 2008-01-22 16:15 -------- d-----w- c:\program files\Wisdom-soft
2009-06-03 19:27 . 2006-02-28 12:00 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-05-13 19:39 . 2008-01-23 22:29 1563008 ----a-w- c:\windows\WRSetup.dll
2009-05-10 12:56 . 2008-06-30 04:30 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-07 15:44 . 2006-02-28 12:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w- c:\windows\system32\GPhotos.scr
2009-03-10 11:55 . 2008-09-06 02:43 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2008-02-05 18:28 . 2008-02-05 18:28 135680 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{6dfc55bb-bfff-485a-9709-90c3fdf6db58}"= "c:\program files\Wisdom-soft\tbWis1.dll" [2009-07-19 2215960]

[HKEY_CLASSES_ROOT\clsid\{6dfc55bb-bfff-485a-9709-90c3fdf6db58}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6dfc55bb-bfff-485a-9709-90c3fdf6db58}]
2009-07-19 12:50 2215960 ----a-w- c:\program files\Wisdom-soft\tbWis1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-02-09 19:06 764296 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6dfc55bb-bfff-485a-9709-90c3fdf6db58}"= "c:\program files\Wisdom-soft\tbWis1.dll" [2009-07-19 2215960]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-09 764296]

[HKEY_CLASSES_ROOT\clsid\{6dfc55bb-bfff-485a-9709-90c3fdf6db58}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{6DFC55BB-BFFF-485A-9709-90C3FDF6DB58}"= "c:\program files\Wisdom-soft\tbWis1.dll" [2009-07-19 2215960]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-09 764296]

[HKEY_CLASSES_ROOT\clsid\{6dfc55bb-bfff-485a-9709-90c3fdf6db58}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-05-13 6345840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-10 12:56 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-18 13:09 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"QuickBooksDB18"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"QBFCService"=3 (0x3)
"QBCFMonitorService"=2 (0x2)
"ose"=3 (0x3)
"iPod Service"=3 (0x3)
"gusvc"=2 (0x2)
"gupdate1c9ac1514b39476"=2 (0x2)
"GoogleDesktopManager"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background


Re: bump I read "read this" and have IESiteBlocker.NavFilte

Post by skhpa101 on Wed Jul 29, 2009 6:43 pm

ComboFix log, part 2:


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"
"igfxpers"=c:\windows\system32\igfxpers.exe
"igfxtray"=c:\windows\system32\igfxtray.exe
"igfxhkcmd"=c:\windows\system32\hkcmd.exe
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1583:TCP"= 1583:TCP:Pervasive DBEngine
"3351:TCP"= 3351:TCP:Pervasive DBEngine
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2/25/2009 3:24 PM 29808]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/30/2008 12:30 AM 327688]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/30/2008 12:30 AM 298776]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/3/2007 4:09 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [1/10/2008 8:22 PM 47640]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [3/31/2009 6:07 PM 1205760]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [11/15/2007 9:18 PM 572416]
S4 gupdate1c9ac1514b39476;Google Update Service (gupdate1c9ac1514b39476);c:\program files\Google\Update\GoogleUpdate.exe [3/23/2009 8:11 PM 133104]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 QuickBooksDB18;QuickBooksDB18;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 [?]
.
Contents of the 'Scheduled Tasks' folder

2009-07-29 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-23 00:09]

2009-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-24 00:11]

2009-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-24 00:11]

2009-07-29 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-02-09 19:06]

2009-07-29 c:\windows\Tasks\wrSpySweeper_LFB6A6F7EA8BE4D23B7D7563A71CA2D0F.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-01-23 19:40]

2009-07-29 c:\windows\Tasks\wrSpySweeper_LFB6A6F7EA8BE4D23B7D7563A71CA2D0F.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-01-23 19:40]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: cafepress.com\www
Trusted Zone: pens.com\www
Trusted Zone: rivhsa.org\www
FF - ProfilePath - c:\documents and settings\sperry\Application Data\Mozilla\Firefox\Profiles\qwt7blsh.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\sperry\Application Data\Mozilla\Firefox\Profiles\qwt7blsh.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\sperry\Application Data\Mozilla\Firefox\Profiles\qwt7blsh.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Google\Google Earth Plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-29 14:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1172)
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(3720)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Webroot\Spy Sweeper\SSU.exe
.
**************************************************************************
.
Completion time: 2009-07-29 14:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-29 18:34

Pre-Run: 39,768,895,488 bytes free
Post-Run: 40,595,517,440 bytes free

240 --- E O F --- 2009-07-29 16:10


Re: bump I read "read this" and have IESiteBlocker.NavFilte

Post by Origin on Wed Jul 29, 2009 6:56 pm

Now open a new notepad file.
Input this into the notepad file:

Folder::
c:\documents and settings\sperry\Local Settings\Application Data\AskToolbar
c:\program files\Ask.com

Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
"c:\program files\Ask.com\GenericAskToolbar.dll"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

DDS::
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.



bump

Post by skhpa101 on Wed Jul 29, 2009 11:17 pm

Sorry, bumped again because I think I'm so many pages down you can't see me. Here's the latest:


ComboFix 09-07-29.03 - sperry 07/29/2009 19:03.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1007.568 [GMT -4]
Running from: c:\downloads\FromCDBurn\Combo-Fix.exe
Command switches used :: c:\documents and settings\sperry\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\sperry\Local Settings\Application Data\AskToolbar
c:\documents and settings\sperry\Local Settings\Application Data\AskToolbar\cache.dat
c:\documents and settings\sperry\Local Settings\Application Data\AskToolbar\config.xml
c:\program files\Ask.com
c:\program files\Ask.com\config.xml
c:\program files\Ask.com\GenericAskToolbar.dll
c:\program files\Ask.com\mupcfg.xml
c:\program files\Ask.com\UpdateTask.exe

.
((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-29 )))))))))))))))))))))))))))))))
.

2009-07-25 16:13 . 2009-07-25 16:13 -------- d-----w- c:\documents and settings\sperry\Application Data\Malwarebytes
2009-07-25 16:12 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-25 16:12 . 2009-07-25 16:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-25 16:12 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-25 16:12 . 2009-07-25 16:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-25 16:00 . 2009-07-25 16:00 -------- d-----w- c:\program files\Trend Micro
2009-07-18 07:59 . 2009-07-18 07:59 -------- d-----w- c:\documents and settings\sperry\Local Settings\Application Data\Temp
2009-07-16 17:22 . 2009-07-16 17:22 -------- d-----w- c:\program files\MSECache
2009-07-15 14:50 . 2009-07-15 14:50 -------- d-----w- C:\WhitePapers
2009-07-15 13:30 . 2007-12-11 19:36 245760 ----a-w- c:\windows\system32\WlanApp.dll
2009-07-15 13:30 . 2007-11-21 22:36 217088 ----a-w- c:\windows\system32\aIPH.dll
2009-07-15 13:30 . 2007-10-08 23:13 262144 ----a-w- c:\windows\system32\wnicapi.dll
2009-07-15 13:30 . 2008-01-02 14:24 692224 ----a-w- c:\windows\system32\ANIWZCS2.dll
2009-07-15 13:30 . 2006-09-26 17:49 45115 ----a-w- c:\windows\system32\ANICtl.dll
2009-07-15 13:30 . 2005-10-27 12:55 49152 ----a-w- c:\windows\system32\JJAKEn.dll
2009-07-15 13:30 . 2005-10-19 22:19 49152 ----a-w- c:\windows\system32\AQCKGen.dll
2009-07-15 13:30 . 2005-10-19 22:19 1327189 ----a-w- c:\windows\system32\odSupp_M.dll
2009-07-15 13:29 . 2009-07-15 13:30 -------- d-----w- c:\program files\ANI
2009-07-15 13:29 . 2007-11-21 22:46 36864 ----a-w- c:\windows\system32\ANIOApi.dll
2009-07-15 13:29 . 2007-05-12 20:39 48128 ----a-w- c:\windows\system32\ANIO64.sys
2009-07-15 13:29 . 2007-05-12 20:39 28195 ----a-w- c:\windows\system32\ANIO.sys
2009-07-15 13:29 . 2007-05-12 20:39 11904 ----a-w- c:\windows\system32\anio4.sys
2009-07-15 13:29 . 2009-07-15 13:29 -------- d-----w- c:\program files\Airlink101

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-29 16:11 . 2008-01-11 00:21 -------- d-----w- c:\program files\LogMeIn
2009-07-29 15:28 . 2009-03-16 19:58 0 ----a-w- c:\documents and settings\sperry\Local Settings\Application Data\prvlcl.dat
2009-07-29 02:39 . 2009-03-24 00:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-26 02:18 . 2008-06-30 04:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg8
2009-07-24 21:32 . 2009-04-30 13:19 -------- d-----w- c:\program files\TuneUp Utilities 2009
2009-07-20 15:18 . 2008-05-09 01:51 -------- d-----w- c:\documents and settings\sperry\Application Data\Skype
2009-07-20 12:56 . 2008-05-09 01:52 -------- d-----w- c:\documents and settings\sperry\Application Data\skypePM
2009-07-19 17:54 . 2008-01-10 22:29 56632 ----a-w- c:\documents and settings\sperry\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-15 13:30 . 2008-01-11 00:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-29 16:12 . 2006-02-28 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2006-02-28 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-06-24 17:51 . 2008-02-05 18:27 -------- d-----w- c:\program files\Google
2009-06-17 12:58 . 2008-06-30 04:30 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-16 14:55 . 2006-02-28 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2006-02-28 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 00:18 . 2009-06-15 00:18 390664 ----a-w- c:\documents and settings\sperry\Application Data\Real\RealPlayer\Update\realplayer11gold.exe
2009-06-12 12:09 . 2008-06-30 04:30 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-05 12:43 . 2008-01-22 16:15 -------- d-----w- c:\program files\Wisdom-soft
2009-06-03 19:27 . 2006-02-28 12:00 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-05-13 19:39 . 2008-01-23 22:29 1563008 ----a-w- c:\windows\WRSetup.dll
2009-05-10 12:56 . 2008-06-30 04:30 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-07 15:44 . 2006-02-28 12:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w- c:\windows\system32\GPhotos.scr
2009-03-10 11:55 . 2008-09-06 02:43 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2008-02-05 18:28 . 2008-02-05 18:28 135680 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{6dfc55bb-bfff-485a-9709-90c3fdf6db58}"= "c:\program files\Wisdom-soft\tbWis1.dll" [2009-07-19 2215960]

[HKEY_CLASSES_ROOT\clsid\{6dfc55bb-bfff-485a-9709-90c3fdf6db58}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6dfc55bb-bfff-485a-9709-90c3fdf6db58}]
2009-07-19 12:50 2215960 ----a-w- c:\program files\Wisdom-soft\tbWis1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6dfc55bb-bfff-485a-9709-90c3fdf6db58}"= "c:\program files\Wisdom-soft\tbWis1.dll" [2009-07-19 2215960]

[HKEY_CLASSES_ROOT\clsid\{6dfc55bb-bfff-485a-9709-90c3fdf6db58}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{6DFC55BB-BFFF-485A-9709-90C3FDF6DB58}"= "c:\program files\Wisdom-soft\tbWis1.dll" [2009-07-19 2215960]

[HKEY_CLASSES_ROOT\clsid\{6dfc55bb-bfff-485a-9709-90c3fdf6db58}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-05-13 6345840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-10 12:56 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-18 13:09 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"QuickBooksDB18"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"QBFCService"=3 (0x3)
"QBCFMonitorService"=2 (0x2)
"ose"=3 (0x3)
"iPod Service"=3 (0x3)
"gusvc"=2 (0x2)
"gupdate1c9ac1514b39476"=2 (0x2)
"GoogleDesktopManager"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"
"igfxpers"=c:\windows\system32\igfxpers.exe
"igfxtray"=c:\windows\system32\igfxtray.exe
"igfxhkcmd"=c:\windows\system32\hkcmd.exe
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1583:TCP"= 1583:TCP:Pervasive DBEngine
"3351:TCP"= 3351:TCP:Pervasive DBEngine
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2/25/2009 3:24 PM 29808]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/30/2008 12:30 AM 327688]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/30/2008 12:30 AM 298776]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/3/2007 4:09 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [1/10/2008 8:22 PM 47640]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [3/31/2009 6:07 PM 1205760]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [11/15/2007 9:18 PM 572416]
S4 gupdate1c9ac1514b39476;Google Update Service (gupdate1c9ac1514b39476);c:\program files\Google\Update\GoogleUpdate.exe [3/23/2009 8:11 PM 133104]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 QuickBooksDB18;QuickBooksDB18;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 [?]
.
Contents of the 'Scheduled Tasks' folder

2009-07-29 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-23 00:09]

2009-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-24 00:11]

2009-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-24 00:11]
.
- - - - ORPHANS REMOVED - - - -

BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: cafepress.com\www
Trusted Zone: pens.com\www
Trusted Zone: rivhsa.org\www
FF - ProfilePath - c:\documents and settings\sperry\Application Data\Mozilla\Firefox\Profiles\qwt7blsh.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\sperry\Application Data\Mozilla\Firefox\Profiles\qwt7blsh.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\sperry\Application Data\Mozilla\Firefox\Profiles\qwt7blsh.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Google\Google Earth Plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-29 19:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\sperry\LOCALS~1\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1172)
c:\windows\system32\LMIinit.dll
.
Completion time: 2009-07-29 19:10
ComboFix-quarantined-files.txt 2009-07-29 23:10
ComboFix2.txt 2009-07-29 18:34

Pre-Run: 40,604,241,920 bytes free
Post-Run: 40,641,503,232 bytes free

216 --- E O F --- 2009-07-29 16:10


Last edited by skhpa101 on Thu Jul 30, 2009 12:04 am; edited 1 time in total (Reason for editing : bump new combo fix log)


Re: bump I read "read this" and have IESiteBlocker.NavFilte

Post by Belahzur on Thu Jul 30, 2009 7:00 pm

Hello.
Two more things need removing.

Now open a new notepad file.
Input this into the notepad file:

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\drivers\\svchost.exe"=-

Firefox::
FF - ProfilePath - c:\documents and settings\sperry\Application Data\Mozilla\Firefox\Profiles\qwt7blsh.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


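The entry Belahzur singles out is the last one in the firewall AuthorizedApplications list. The genuine svchost.exe lives in %windir%\system32, never in system32\drivers, so a copy at that path that has been granted a firewall exception is worth removing whatever it turns out to contain. Below is an added Python example, not code from this thread, from ComboFix or from the forum, that pulls that list out of a ComboFix log, flags well-known system binaries sitting outside system32, and emits the Registry:: stanza in the form the helper uses (a value name followed by =- deletes that value). The sample block is constructed from the log lines above; the list of system32-only binaries is my own assumption, not something the thread states. ComboFix only honours a section header spelled exactly Registry:: with two colons, so after running such a script check the next log to confirm the value is actually gone; in this thread the svchost.exe entry is still listed in the 30 July log.

```python
# Added example: parse the firewall AuthorizedApplications block of a ComboFix
# log, flag system binaries living outside %windir%\system32, and build the
# CFScript stanza that removes them. Not part of ComboFix or of this thread.

# Constructed sample: a cut-down copy of the block as ComboFix prints it
# (paths taken from the log above; the last entry is the one the helper flagged).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"%windir%\\system32\\drivers\\svchost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1583:TCP"= 1583:TCP:Pervasive DBEngine
"""

FIREWALL_KEY = (r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy"
                r"\standardprofile\AuthorizedApplications\List]")

# Assumption: these binaries only ever run from %windir%\system32 on XP.
# A copy under drivers\, a user profile or Temp is a classic masquerade.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe",
                 "csrss.exe", "winlogon.exe"}

EXPECTED_DIR = "c:\\windows\\system32"


def parse_authorized_apps(log_text):
    """Return the value names listed under the AuthorizedApplications key."""
    apps = []
    in_block = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # a new key header starts or ends the block we care about
            in_block = (line == FIREWALL_KEY)
            continue
        if in_block and line.startswith('"'):
            # the value name is the quoted text before the first '"='
            apps.append(line[1:line.index('"=')])
    return apps


def normalize(path):
    """Collapse REG-style doubled backslashes, expand %windir%, lowercase."""
    p = path.replace("\\\\", "\\").lower()
    return p.replace("%windir%", "c:\\windows")


def suspicious_entries(apps):
    """Entries whose basename is a system32-only binary but whose directory is not system32."""
    hits = []
    for name in apps:
        directory, _, base = normalize(name).rpartition("\\")
        if base in SYSTEM32_ONLY and directory != EXPECTED_DIR:
            hits.append(name)
    return hits


def cfscript_for(entries):
    """Build the Registry:: stanza ComboFix expects; '=-' deletes the named value."""
    lines = ["Registry::", FIREWALL_KEY]
    lines += ['"%s"=-' % e for e in entries]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    flagged = suspicious_entries(parse_authorized_apps(SAMPLE_LOG))
    print("suspicious firewall exceptions:", flagged)
    print(cfscript_for(flagged))
```

The value name is reproduced exactly as ComboFix printed it, doubled backslashes included, because that is the form the registry value name actually has and the form the CFScript must quote.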

Re: bump I read "read this" and have IESiteBlocker.NavFilte

Post by skhpa101 on Thu Jul 30, 2009 9:17 pm

ComboFix 09-07-29.04 - sperry 07/30/2009 17:09.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1007.550 [GMT -4:00]
Running from: c:\downloads\FromCDBurn\Combo-Fix.exe
Command switches used :: c:\documents and settings\sperry\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
.

((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-30 )))))))))))))))))))))))))))))))
.

2009-07-25 16:13 . 2009-07-25 16:13 -------- d-----w- c:\documents and settings\sperry\Application Data\Malwarebytes
2009-07-25 16:12 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-25 16:12 . 2009-07-25 16:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-25 16:12 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-25 16:12 . 2009-07-25 16:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-25 16:00 . 2009-07-25 16:00 -------- d-----w- c:\program files\Trend Micro
2009-07-18 07:59 . 2009-07-18 07:59 -------- d-----w- c:\documents and settings\sperry\Local Settings\Application Data\Temp
2009-07-16 17:22 . 2009-07-16 17:22 -------- d-----w- c:\program files\MSECache
2009-07-15 14:50 . 2009-07-15 14:50 -------- d-----w- C:\WhitePapers
2009-07-15 13:30 . 2007-12-11 19:36 245760 ----a-w- c:\windows\system32\WlanApp.dll
2009-07-15 13:30 . 2007-11-21 22:36 217088 ----a-w- c:\windows\system32\aIPH.dll
2009-07-15 13:30 . 2007-10-08 23:13 262144 ----a-w- c:\windows\system32\wnicapi.dll
2009-07-15 13:30 . 2008-01-02 14:24 692224 ----a-w- c:\windows\system32\ANIWZCS2.dll
2009-07-15 13:30 . 2006-09-26 17:49 45115 ----a-w- c:\windows\system32\ANICtl.dll
2009-07-15 13:30 . 2005-10-27 12:55 49152 ----a-w- c:\windows\system32\JJAKEn.dll
2009-07-15 13:30 . 2005-10-19 22:19 49152 ----a-w- c:\windows\system32\AQCKGen.dll
2009-07-15 13:30 . 2005-10-19 22:19 1327189 ----a-w- c:\windows\system32\odSupp_M.dll
2009-07-15 13:29 . 2009-07-15 13:30 -------- d-----w- c:\program files\ANI
2009-07-15 13:29 . 2007-11-21 22:46 36864 ----a-w- c:\windows\system32\ANIOApi.dll
2009-07-15 13:29 . 2007-05-12 20:39 48128 ----a-w- c:\windows\system32\ANIO64.sys
2009-07-15 13:29 . 2007-05-12 20:39 28195 ----a-w- c:\windows\system32\ANIO.sys
2009-07-15 13:29 . 2007-05-12 20:39 11904 ----a-w- c:\windows\system32\anio4.sys
2009-07-15 13:29 . 2009-07-15 13:29 -------- d-----w- c:\program files\Airlink101

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-30 15:28 . 2009-03-16 19:58 0 ----a-w- c:\documents and settings\sperry\Local Settings\Application Data\prvlcl.dat
2009-07-30 06:39 . 2008-01-11 00:21 -------- d-----w- c:\program files\LogMeIn
2009-07-30 03:40 . 2009-03-24 00:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-26 02:18 . 2008-06-30 04:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg8
2009-07-24 21:32 . 2009-04-30 13:19 -------- d-----w- c:\program files\TuneUp Utilities 2009
2009-07-20 15:18 . 2008-05-09 01:51 -------- d-----w- c:\documents and settings\sperry\Application Data\Skype
2009-07-20 12:56 . 2008-05-09 01:52 -------- d-----w- c:\documents and settings\sperry\Application Data\skypePM
2009-07-19 17:54 . 2008-01-10 22:29 56632 ----a-w- c:\documents and settings\sperry\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-15 13:30 . 2008-01-11 00:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-29 16:12 . 2006-02-28 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2006-02-28 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-06-24 17:51 . 2008-02-05 18:27 -------- d-----w- c:\program files\Google
2009-06-17 12:58 . 2008-06-30 04:30 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-16 14:55 . 2006-02-28 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2006-02-28 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 00:18 . 2009-06-15 00:18 390664 ----a-w- c:\documents and settings\sperry\Application Data\Real\RealPlayer\Update\realplayer11gold.exe
2009-06-12 12:09 . 2008-06-30 04:30 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-05 12:43 . 2008-01-22 16:15 -------- d-----w- c:\program files\Wisdom-soft
2009-06-03 19:27 . 2006-02-28 12:00 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-05-13 19:39 . 2008-01-23 22:29 1563008 ----a-w- c:\windows\WRSetup.dll
2009-05-10 12:56 . 2008-06-30 04:30 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-07 15:44 . 2006-02-28 12:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-03-10 11:55 . 2008-09-06 02:43 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2008-02-05 18:28 . 2008-02-05 18:28 135680 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{6dfc55bb-bfff-485a-9709-90c3fdf6db58}"= "c:\program files\Wisdom-soft\tbWis1.dll" [2009-07-19 2215960]

[HKEY_CLASSES_ROOT\clsid\{6dfc55bb-bfff-485a-9709-90c3fdf6db58}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6dfc55bb-bfff-485a-9709-90c3fdf6db58}]
2009-07-19 12:50 2215960 ----a-w- c:\program files\Wisdom-soft\tbWis1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6dfc55bb-bfff-485a-9709-90c3fdf6db58}"= "c:\program files\Wisdom-soft\tbWis1.dll" [2009-07-19 2215960]

[HKEY_CLASSES_ROOT\clsid\{6dfc55bb-bfff-485a-9709-90c3fdf6db58}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{6DFC55BB-BFFF-485A-9709-90C3FDF6DB58}"= "c:\program files\Wisdom-soft\tbWis1.dll" [2009-07-19 2215960]

[HKEY_CLASSES_ROOT\clsid\{6dfc55bb-bfff-485a-9709-90c3fdf6db58}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-05-13 6345840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-10 12:56 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-18 13:09 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"QuickBooksDB18"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"QBFCService"=3 (0x3)
"QBCFMonitorService"=2 (0x2)
"ose"=3 (0x3)
"iPod Service"=3 (0x3)
"gusvc"=2 (0x2)
"gupdate1c9ac1514b39476"=2 (0x2)
"GoogleDesktopManager"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"
"igfxpers"=c:\windows\system32\igfxpers.exe
"igfxtray"=c:\windows\system32\igfxtray.exe
"igfxhkcmd"=c:\windows\system32\hkcmd.exe
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1583:TCP"= 1583:TCP:Pervasive DBEngine
"3351:TCP"= 3351:TCP:Pervasive DBEngine
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2/25/2009 3:24 PM 29808]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/30/2008 12:30 AM 327688]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/30/2008 12:30 AM 298776]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/3/2007 4:09 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [1/10/2008 8:22 PM 47640]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [3/31/2009 6:07 PM 1205760]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [11/15/2007 9:18 PM 572416]
S4 gupdate1c9ac1514b39476;Google Update Service (gupdate1c9ac1514b39476);c:\program files\Google\Update\GoogleUpdate.exe [3/23/2009 8:11 PM 133104]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 QuickBooksDB18;QuickBooksDB18;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 [?]
.
Contents of the 'Scheduled Tasks' folder

2009-07-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-23 00:09]

2009-07-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-24 00:11]

2009-07-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-24 00:11]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: cafepress.com\www
Trusted Zone: pens.com\www
Trusted Zone: rivhsa.org\www
FF - ProfilePath - c:\documents and settings\sperry\Application Data\Mozilla\Firefox\Profiles\qwt7blsh.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\sperry\Application Data\Mozilla\Firefox\Profiles\qwt7blsh.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\sperry\Application Data\Mozilla\Firefox\Profiles\qwt7blsh.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Google\Google Earth Plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-30 17:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1172)
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(676)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-07-30 17:15
ComboFix-quarantined-files.txt 2009-07-30 21:15
ComboFix2.txt 2009-07-29 23:10
ComboFix3.txt 2009-07-29 18:34

Pre-Run: 40,652,718,080 bytes free
Post-Run: 40,619,130,880 bytes free

206 --- E O F --- 2009-07-29 16:10


Re: bump I read "read this" and have IESiteBlocker.NavFilte

Post by Origin on Fri Jul 31, 2009 1:37 am

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double-click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]


Re: bump I read "read this" and have IESiteBlocker.NavFilte

Post by skhpa101 on Fri Jul 31, 2009 6:46 am

Malwarebytes' Anti-Malware 1.39
Database version: 2534
Windows 5.1.2600 Service Pack 2

7/31/2009 2:45:51 AM
mbam-log-2009-07-31 (02-45-51).txt

Scan type: Quick Scan
Objects scanned: 100804
Time elapsed: 6 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: bump I read "read this" and have IESiteBlocker.NavFilte

Post by Belahzur on Fri Jul 31, 2009 8:28 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

This will also reset your restore points.

How is the machine running now?



Everything looks good

Post by skhpa101 on Sat Aug 01, 2009 2:40 am

Uninstalled combo fix and things look good. Thank you so much for your help.


Re: bump I read "read this" and have IESiteBlocker.NavFilte

Post by Origin on Sat Aug 01, 2009 2:52 am

Glad we could help.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.

