Google page pop-up

January 23rd, 2020

Hi,
I am using Firefox, and nowadays a Google pop-up suddenly comes up very frequently; even the Firefox pop-up blocker doesn't stop it.
What do I do?
Please help.

Answer #1
Maybe it's your Internet security software; check everything there and configure your firewall correctly. If you don't have any Internet security/antivirus software, I would recommend installing one.
Answer #2
I scanned with Spy Sweeper and I still get the pop-up.
Moreover, now I am getting a tab opening which connects to 82.98.235.113.
Please help; it's very irritating. Sometimes it redirects to some site which asks for free spyware removal and then displays bad images.
I don't know where I got infected with this thing; I never surf anything wrong. Please help.
Answer #3
Probably just some smitfraud variant.
Please download the current version of HijackThis from here.
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement; press Accept and HijackThis will run.
  • Select "Do a system scan and save a log file". This will open a Notepad file of everything HijackThis found; copy and paste it back here.

Answer #4

here it is :
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:20:21 PM, on 10/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
d:\Program Files\DU Meter\DUMeterSvc.exe
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
D:\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\~ Disallowed ~.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Airtel\NetXpert\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?rs=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [~ Disallowed ~] "C:\WINDOWS\system32\~ Disallowed ~.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [d4a5e57d] "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\oejvtkex.dll",b
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [DU Meter] "D:\Program Files\DU Meter\DUMeter.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1202301437109
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1214559199531
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://gameadvisor.futuremark.com/global/msc3121.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{584F38C7-7216-44B8-9C82-FE011AF9DB90}: NameServer = 202.56.215.54,202.56.215.55
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: qfcwic.dll
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - d:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (nxpclient) (sprtsvc_nxpclient) - SupportSoft, Inc. - C:\Program Files\Airtel\NetXpert\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

End of file – 8573 bytes
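The entries that give this log away (an O4 Run value with a hex tag for a name that launches rundll32 on a randomly named DLL, an O20 AppInit_DLLs hook, an orphaned O23 service under Temp) can be pulled out mechanically. The following is an added example for this thread, not code from the original posts or from HijackThis: it runs offline on a constructed subset of the log above, and its heuristics (the DLL-name and Run-value-name patterns, the Temp and "(file missing)" checks) are this example's own assumptions, tuned to what Virtumonde looked like here.

```python
"""Triage a HijackThis (HJT) log for the persistence points seen in this thread.

Added example for this thread; it is not part of HijackThis or of the original
posts. SAMPLE_LOG is a constructed subset of the O4/O20/O23 lines from the log
posted above. The heuristics are this example's own: a Run entry that launches
rundll32 with a DLL, a lowercase 6-10 letter DLL name, an 8-hex-digit Run value
name, any AppInit_DLLs value, and a service whose binary is missing or sits
under Temp. They will flag some legitimate software, so treat the output as a
review list, not a verdict.
"""
import re

# Constructed sample copied from the posted HijackThis log; HijackThis itself
# writes a plain "-" separator, which the forum rendered as an en-dash.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [d4a5e57d] "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\oejvtkex.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O20 - AppInit_DLLs: qfcwic.dll
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
"""

# "O4 - body"; also accepts the en-dash a copy-paste from the forum carries.
ENTRY_RE = re.compile(r'^(?P<section>[A-Z]\d{1,2}) [-\u2013] (?P<body>.+)$')
# rundll32 followed by the DLL it is told to load (straight or curly quotes).
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?["\u201c\u201d\s]+(?P<dll>[^"\u201c\u201d,]+\.dll)', re.I)
O4_NAME_RE = re.compile(r'^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\]')
RANDOM_DLL_RE = re.compile(r'(?:^|\\)[a-z]{6,10}\.dll$', re.I)   # e.g. oejvtkex.dll
HEX8_RE = re.compile(r'[0-9a-f]{8}', re.I)                        # e.g. d4a5e57d


def _reasons(section, body):
    """Heuristic reasons to look at one entry; an empty list means 'not flagged'."""
    reasons = []
    if section == 'O20' and body.startswith('AppInit_DLLs:'):
        dlls = body.split(':', 1)[1].strip()
        if dlls:
            reasons.append(f'AppInit_DLLs loads {dlls} into every process that maps user32.dll')
    elif section == 'O4':
        m = RUNDLL_RE.search(body)
        if m:
            reasons.append(f'Run entry launches rundll32 to load {m.group("dll")}')
            if RANDOM_DLL_RE.search(m.group('dll')):
                reasons.append('DLL name looks randomly generated')
        n = O4_NAME_RE.match(body)
        if n and HEX8_RE.fullmatch(n.group('name')):
            reasons.append('Run value name is an 8-hex-digit tag, not a product name')
    elif section == 'O23':
        if body.endswith('(file missing)'):
            reasons.append('service points at a binary that no longer exists (orphaned entry)')
        if re.search(r'\\Temp\\', body, re.I):
            reasons.append('service binary lives under a Temp directory')
    return reasons


def triage_hjt(log_text):
    """Return one dict per (entry, reason) pair, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group('section'), m.group('body')
        for reason in _reasons(section, body):
            findings.append({'section': section, 'entry': body, 'reason': reason})
    return findings


def format_report(findings):
    """Group the reasons under each flagged entry for reading."""
    out, last = [], None
    for f in findings:
        if f['entry'] != last:
            out.append(f"{f['section']} - {f['entry']}")
            last = f['entry']
        out.append(f"    -> {f['reason']}")
    return '\n'.join(out)


if __name__ == '__main__':
    print(format_report(triage_hjt(SAMPLE_LOG)))
```

On the sample, the Nero, ctfmon and Norton entries pass untouched while the rundll32 Run value collects three reasons, the AppInit_DLLs line one, and the SessionLauncher service two. The DLL-name heuristic will also hit short legitimate names (msvcrt.dll, for instance), which is why each hit is reported with its reason rather than acted on.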
Answer #5
Virtumonde again. This will fix it.
1. Download ComboFix from here:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
2. Double-click ComboFix.exe and follow the prompts to install the Recovery Console.
3. It may want to reboot after removing the files.
4. When finished, it will produce a log for you. Post that log in your next reply.
Note:
Do not click in ComboFix's window while it is running. That may cause it to stall.
Answer #6
One thing I would also mention:
Spy Sweeper also detected Virtumonde and I deleted it. It said you may need to restart, but I haven't; I am doing a Norton scan also.
I would restart and see if the problem persists; then I would go with what you said.
Also, you detected the spyware very quickly. Very clever, and thanks for your help. I'll reply again in some minutes.
Answer #7
I doubt Spy Sweeper or Norton can kill it. Both will probably detect one or two .dll files. Virtumonde makes copies of itself; kill one and it regenerates. Unless we kill it all at once, it will return.
Answer #8
When I restarted my PC a screen came up and said Spy Sweeper was deleting some DLL file,
but I still get the Google page pop-up and a Spy Sweeper warning:
"Spy Sweeper blocked access to a potentially threatening website", and access to 24.244.171.110.
What do I do? Even after detection and deletion by Spy Sweeper, same problem.
Answer #9
OK, I am trying your method now. I hope it works.
Answer #10
Here is the log file from ComboFix:
ComboFix 08-10-26.01 – Administrator 2008-10-27 20:54:37.1 – NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.685 [GMT 5.5:30]
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Documents\My Music\Desktop_.ini
C:\Documents and Settings\All Users\Documents\My Music\My Playlists\Desktop_.ini
C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Desktop_.ini
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0028B802\Desktop_.ini
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\Desktop_.ini
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\57AC27\Desktop_.ini
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\Desktop_.ini
C:\Documents and Settings\All Users\Documents\My Pictures\Desktop_.ini
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Desktop_.ini
C:\Documents and Settings\All Users\Documents\My Videos\Desktop_.ini
C:\WINDOWS\Downloaded Program Files\ODCTOOLS
C:\WINDOWS\Downloaded Program Files\ODCTOOLS\~t20.tmp
C:\WINDOWS\system32\oejvtkex.dll
C:\WINDOWS\system32\pMdaWnOG.dll
C:\WINDOWS\system32\qfcwic.dll
C:\WINDOWS\system32\vihcjmmy.dll
C:\WINDOWS\system32\xektvjeo.ini
C:\WINDOWS\system32\yATKEwxy.dll
C:\WINDOWS\system32\yxwEKTAy.ini
C:\WINDOWS\system32\yxwEKTAy.ini2
.
((((((((((((((((((((((((( Files Created from 2008-09-27 to 2008-10-27 )))))))))))))))))))))))))))))))
.
2008-10-27 18:46 . 2008-10-27 18:46 <DIR> d-------- C:\Program Files\Webroot
2008-10-27 18:46 . 2008-10-27 18:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-10-27 18:46 . 2008-10-27 18:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2008-10-27 18:46 . 2008-10-12 13:18 1,553,272 --a------ C:\WINDOWS\WRSetup.dll
2008-10-27 18:46 . 2008-10-27 18:46 164 --a------ C:\install.dat
2008-10-25 18:38 . 2008-10-25 19:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-24 19:20 . 2008-10-24 19:20 <DIR> d-------- C:\Program Files\Symantec
2008-10-24 19:20 . 2008-10-24 19:20 124,464 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-10-24 19:20 . 2008-10-24 19:20 60,808 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-10-24 19:20 . 2008-10-24 19:20 35,888 -ra------ C:\WINDOWS\system32\drivers\SymIM.sys
2008-10-24 19:20 . 2008-10-24 19:20 10,635 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-10-24 19:20 . 2008-10-24 19:20 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-10-24 19:19 . 2008-10-24 19:19 <DIR> d-------- C:\WINDOWS\system32\drivers\NAV
2008-10-24 19:19 . 2008-10-24 19:19 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-10-24 19:19 . 2008-10-24 19:19 <DIR> d-------- C:\Program Files\NortonInstaller
2008-10-24 19:19 . 2008-10-24 19:19 <DIR> d-------- C:\Program Files\Norton AntiVirus
2008-10-21 19:03 . 2008-10-21 19:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PCSettings
2008-10-21 18:42 . 2008-10-24 18:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-10-21 09:46 . 2008-10-21 09:46 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2008-10-02 04:15 . 2008-10-02 04:15 170,608 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-10-02 04:15 . 2008-10-02 04:15 29,808 --a------ C:\WINDOWS\system32\drivers\ssfs0bbc.sys
2008-10-02 04:15 . 2008-10-02 04:15 23,152 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-09-29 19:52 . 2008-09-29 19:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sereniti
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-27 14:52 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-26 07:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-10-26 05:25 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-10-24 13:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Norton
2008-10-21 13:40 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Symantec
2008-09-27 10:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-21 06:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Corporation
2008-09-19 06:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2008-09-16 07:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\NortonInstaller
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2008-10-12 13:11 238968 --a------ C:\Program Files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_9.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-03-07 15360]
"DU Meter"="D:\Program Files\DU Meter\DUMeter.exe" [2008-02-06 2582288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 8.0"="D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"~ Disallowed ~"="C:\WINDOWS\system32\~ Disallowed ~.exe" [2005-06-21 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 126976]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-06-29 113664]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=qfcwic.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2008-02-18 16:29 2221352 D:\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nxpclient]
--a------ 2007-11-26 16:22 202016 C:\Program Files\Airtel\NetXpert\bin\sprtcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-06-15 12:36 229376 D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2007-10-24 02:48 443968 C:\Program Files\Picasa2\PicasaMediaDetector.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R0 ssfs0bbc;ssfs0bbc;C:\WINDOWS\system32\DRIVERS\ssfs0bbc.sys [2008-10-02 29808]
R0 SymEFA;Symantec Extended File Attributes;C:\WINDOWS\system32\drivers\NAV\1000000.07D\SYMEFA.SYS [2008-10-24 309296]
R1 BHDrvx86;Symantec Heuristics Driver;C:\WINDOWS\system32\drivers\NAV\1000000.07D\BHDrvx86.sys [2008-10-24 254512]
R1 ccHP;Symantec Hash Provider;C:\WINDOWS\system32\drivers\NAV\1000000.07D\ccHPx86.sys [2008-10-24 362544]
R1 IDSxpx86;IDSxpx86;C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081023.001\IDSxpx86.sys [2008-10-24 274808]
R2 DUMeterSvc;DU Meter Service;d:\Program Files\DU Meter\DUMeterSvc.exe [2007-10-15 1382672]
R2 Norton AntiVirus;Norton AntiVirus;C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe /s Norton AntiVirus /m C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll [ ]
R2 sprtsvc_nxpclient;SupportSoft Sprocket Service (nxpclient);C:\Program Files\Airtel\NetXpert\bin\sprtsvc.exe [2007-11-26 202800]
R2 WRConsumerService;Webroot Client Service;C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe [2008-10-12 1066360]
S2 RoxLiveShare10;LiveShare P2P Server 10;C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [ ]
S2 SessionLauncher;SessionLauncher;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [ ]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{caffe8ad-935e-11dc-a5c7-000f3d906368}]
\Shell\AutoRun\command – F:\LaunchU3.exe -a
.
– – – – ORPHANS REMOVED – – – –
BHO-{eea6544d-3764-45e4-80e4-a2cb0a6c1880} – C:\WINDOWS\system32\qfcwic.dll
BHO-{F1CF3472-1269-4304-B42F-390AF9ABAB52} – C:\WINDOWS\system32\yATKEwxy.dll
HKLM-Run-d4a5e57d – C:\WINDOWS\system32\oejvtkex.dll
ShellExecuteHooks-{99C158B9-FA74-4E49-971E-708F37B235D7} – (no file)
.
——- Supplementary Scan ——-
.
FireFox -: Profile – C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rorjpvt2.default\
FireFox -: prefs.js – STARTUP.HOMEPAGE – about:blank
FF -: plugin – C:\Program Files\Mozilla Firefox\plugins\npOGAPlugin.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista – rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-27 21:16:05
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes … scanning hidden autostart entries …
scanning hidden files … scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DUMeterSvc]
"ImagePath"="d:\Program Files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
———————— Other Running Processes ————————
.
D:\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-10-27 21:29:11 – machine was rebooted
ComboFix-quarantined-files.txt 2008-10-27 15:58:55
Pre-Run: 8,730,546,176 bytes free
Post-Run: 10,644,787,200 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT=”Microsoft Windows Recovery Console” /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS=”Microsoft Windows XP Professional” /fastdetect /NoExecute=OptIn
Answer #11
Is everything OK now? Is the virus treated perfectly?
Answer #12
Not yet; there is one leftover in the registry.
Now open a new Notepad file.
Input this into the Notepad file:

Driver::
SessionLauncher
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000

Save this as CFScript.txt; save it to your desktop also.
Then drag and drop CFScript.txt onto ComboFix as seen below:
Image
This will open ComboFix.exe again; agree to its terms and allow it to run. It may want to reboot after it is done. Post the resulting log back here.
====
Also, your Java is out of date.
Updating Java:

  • Download the latest version of Java Runtime Environment (JRE) 6 update 10 from here:
    http://java.sun.com/javase/downloads/index.jsp

  • Select the first option where it says "Java Runtime Environment (JRE) 6 update 10".
  • Click the “Download” button to the right.
  • In the Window that opens, select your platform and language, check the “agree” box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running – especially your web browser.
  • Go to Start > Control Panel double-click on Add or Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    – Examples of older versions in Add or Remove Programs:
    – Java 2 Runtime Environment, SE v1.4.2
    – J2SE Runtime Environment 5.0
    – J2SE Runtime Environment 5.0 Update 2

  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe that you downloaded to install the newest version.
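The CFScript above maps one-to-one onto lines in the "Reg Loading Points" section of the first ComboFix log: the AppInit_DLLs value and the three Security Center flags Virtumonde set so that XP would stop warning about antivirus and updates. As an added example for this thread (not code from the original posts, from ComboFix, or part of the CFScript format), the following parses that REGEDIT4-style section and emits the matching Registry:: block, using the same .reg convention the script above uses ("name"=- deletes a value). It is assumed here that only the listed flags should be forced back to zero; the Driver:: section is not generated, and the disabled Windows Firewall is reported rather than changed because this machine runs a third-party firewall. The sample input is constructed from the posted log.

```python
"""Map the ComboFix "Reg Loading Points" section to a CFScript Registry:: block.

Added example for this thread; it is not part of ComboFix or of the original
posts. It parses the REGEDIT4-style excerpt ComboFix prints, flags the settings
Virtumonde changed here (AppInit_DLLs and the Security Center notification and
override flags) and emits the Registry:: lines that reset them, in the same
.reg syntax the CFScript above uses ("name"=- deletes a value). A disabled
Windows Firewall is only reported, not changed: this machine ran ZoneAlarm, and
the built-in firewall may have been turned off on purpose.
"""
import re
from collections import OrderedDict

# Constructed sample: the relevant keys from the first ComboFix log above,
# with straight quotes (the parser also accepts the curly quotes the forum shows).
SAMPLE_REG_POINTS = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=qfcwic.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECURITY_CENTER = r'hkey_local_machine\software\microsoft\security center'
WINDOWS_NT = r'hkey_local_machine\software\microsoft\windows nt\currentversion\windows'
# Security Center flags that, when non-zero, hide the "no antivirus / no
# updates / no firewall" warnings from the user; all should be zero.
RESET_TO_ZERO = {'antivirusdisablenotify', 'updatesdisablenotify',
                 'firewalldisablenotify', 'antivirusoverride', 'firewalloverride'}

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^["\u201c](?P<name>[^"\u201d]+)["\u201d]\s*=\s*(?P<data>.*)$')


def parse_reg_points(text):
    """Return OrderedDict: key path -> OrderedDict of value name -> raw data."""
    keys = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group('key')
            keys.setdefault(current, OrderedDict())
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group('name')] = m.group('data').strip()
    return keys


def _is_nonzero(data):
    """True for dword:00000001-style data or ComboFix's '1 (0x1)' rendering."""
    m = re.match(r'dword:([0-9a-fA-F]{8})$', data)
    if m:
        return int(m.group(1), 16) != 0
    m = re.match(r'(\d+)', data)
    return bool(m) and int(m.group(1)) != 0


def _lookup(values, wanted):
    """Case-insensitive value lookup; registry value names are not case-sensitive."""
    for name, data in values.items():
        if name.lower() == wanted.lower():
            return name, data
    return None, None


def build_cfscript(points):
    """Return (findings, cfscript_text) for the parsed Reg Loading Points."""
    findings = []
    fixes = OrderedDict()
    for key, values in points.items():
        k = key.lower()
        if k == SECURITY_CENTER:
            for name, data in values.items():
                if name.lower() in RESET_TO_ZERO and _is_nonzero(data):
                    findings.append(f'{name}={data}: Security Center warning suppressed')
                    fixes.setdefault(key, []).append(f'"{name}"=dword:00000000')
        elif k == WINDOWS_NT:
            name, data = _lookup(values, 'AppInit_DLLs')
            if data:
                findings.append(f'AppInit_DLLs={data}: injected into every process that loads user32.dll')
                fixes.setdefault(key, []).append(f'"{name}"=-')
        elif k.endswith(r'firewallpolicy\standardprofile'):
            _, data = _lookup(values, 'EnableFirewall')
            if data is not None and not _is_nonzero(data):
                findings.append('EnableFirewall=0: Windows Firewall off; confirm a third-party firewall runs before re-enabling')
    lines = []
    if fixes:
        lines.append('Registry::')
        for key, entries in fixes.items():
            lines.append(f'[{key}]')
            lines.extend(entries)
    return findings, '\n'.join(lines)


if __name__ == '__main__':
    found, script = build_cfscript(parse_reg_points(SAMPLE_REG_POINTS))
    for f in found:
        print('-', f)
    print()
    print(script)
```

Run on the sample, the generated Registry:: block is the same seven lines the helper typed by hand above, and the per-product DisableMonitoring keys are left alone: those are written by the installed Symantec and Zone Labs products themselves, not by the malware.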

Answer #13
Here is the new log file:
ComboFix 08-10-27.03 – Administrator 2008-10-28 10:29:34.2 – NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.660 [GMT 5.5:30]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
——-\Legacy_SESSIONLAUNCHER
——-\Service_SessionLauncher
((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-28 )))))))))))))))))))))))))))))))
.
2008-10-27 18:46 . 2008-10-27 18:46 164 --a------ C:\install.dat
2008-10-25 18:38 . 2008-10-25 19:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-24 19:20 . 2008-10-24 19:20 <DIR> d-------- C:\Program Files\Symantec
2008-10-24 19:20 . 2008-10-24 19:20 124,464 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-10-24 19:20 . 2008-10-24 19:20 60,808 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-10-24 19:20 . 2008-10-24 19:20 35,888 -ra------ C:\WINDOWS\system32\drivers\SymIM.sys
2008-10-24 19:20 . 2008-10-24 19:20 10,635 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-10-24 19:20 . 2008-10-24 19:20 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-10-24 19:19 . 2008-10-24 19:19 <DIR> d-------- C:\WINDOWS\system32\drivers\NAV
2008-10-24 19:19 . 2008-10-24 19:19 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-10-24 19:19 . 2008-10-24 19:19 <DIR> d-------- C:\Program Files\NortonInstaller
2008-10-24 19:19 . 2008-10-24 19:19 <DIR> d-------- C:\Program Files\Norton AntiVirus
2008-10-21 19:03 . 2008-10-21 19:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PCSettings
2008-10-21 18:42 . 2008-10-24 18:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-10-21 09:46 . 2008-10-21 09:46 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2008-09-29 19:52 . 2008-09-29 19:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sereniti
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-27 16:04 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-26 07:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-10-26 05:25 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-10-24 13:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Norton
2008-10-21 13:40 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Symantec
2008-09-27 10:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-21 06:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Corporation
2008-09-19 06:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2008-09-16 07:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\NortonInstaller
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-03-07 15360]
"DU Meter"="d:\Program Files\DU Meter\DUMeter.exe" [2008-02-06 2582288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 8.0"="D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"~ Disallowed ~"="C:\WINDOWS\system32\~ Disallowed ~.exe" [2005-06-21 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 126976]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2008-02-18 16:29 2221352 D:\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nxpclient]
--a------ 2007-11-26 16:22 202016 C:\Program Files\Airtel\NetXpert\bin\sprtcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-06-15 12:36 229376 D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2007-10-24 02:48 443968 C:\Program Files\Picasa2\PicasaMediaDetector.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R0 SymEFA;Symantec Extended File Attributes;C:\WINDOWS\system32\drivers\NAV\1000000.07D\SYMEFA.SYS [2008-10-24 309296]
R1 BHDrvx86;Symantec Heuristics Driver;C:\WINDOWS\system32\drivers\NAV\1000000.07D\BHDrvx86.sys [2008-10-24 254512]
R1 ccHP;Symantec Hash Provider;C:\WINDOWS\system32\drivers\NAV\1000000.07D\ccHPx86.sys [2008-10-24 362544]
R1 IDSxpx86;IDSxpx86;C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081023.001\IDSxpx86.sys [2008-10-24 274808]
R2 DUMeterSvc;DU Meter Service;d:\Program Files\DU Meter\DUMeterSvc.exe [2007-10-15 1382672]
R2 Norton AntiVirus;Norton AntiVirus;C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe /s Norton AntiVirus /m C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll [ ]
R2 sprtsvc_nxpclient;SupportSoft Sprocket Service (nxpclient);C:\Program Files\Airtel\NetXpert\bin\sprtsvc.exe [2007-11-26 202800]
S2 RoxLiveShare10;LiveShare P2P Server 10;C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [ ]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{caffe8ad-935e-11dc-a5c7-000f3d906368}]
\Shell\AutoRun\command – F:\LaunchU3.exe -a
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista – rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-28 10:36:21
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes … scanning hidden autostart entries …
scanning hidden files … **************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DUMeterSvc]
"ImagePath"="d:\Program Files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
———————— Other Running Processes ————————
.
D:\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
.
**************************************************************************
.
Completion time: 2008-10-28 10:50:09 – machine was rebooted
ComboFix-quarantined-files.txt 2008-10-28 05:19:00
ComboFix2.txt 2008-10-27 15:59:14
Pre-Run: 10,572,718,080 bytes free
Post-Run: 10,604,138,496 bytes free
Answer #14
Is everything fine now, or is something still to be deleted?
Answer #15
Spyware/malware. Try Spybot Search and Destroy.
Answer #16
THANK YOU for your help. My problem is solved.

 
