Hello all, can someone please help me, a year and a couple hundred Euro later still have my problem. Internet explorer keeps opening by itself - up to a hundred pages, all to the home page. I have had people look at re-formatted the harddrive several times and nothing. Have tries God knows how many spyware/malware remover, anyi virus etc. Cannot get into other programs once it gets going as IE keeps popping up in front of everything I try to do. Thinking about getting a new Hard Drive for it beacuse at my wots end with it. Thanks, Karg
karg
0
Newbie Poster
Recommended Answers
Jump to PostBefore running ComboFix you should have turned of System Restore
NO! Bad advice! Do not disable System Restore until told to do so by someone who knows what they are doing.
Frankly, running combofix at this stage (and improperly at that) is not called for.
However, in this …
Jump to PostWhat you saw in the combofix files - can you tell if that is the remnants of the virus i mentioned or is it a different one?
I'd like to know that as well - I didn't see anything.
@top10ufo:
I am not sure what you have the poster …
Jump to Post@top10ufo:
I don't mean to demean your knowledge in any way shape or form - If I did, I apologize.This is just not good advice, simply saying:
Try using ComboFix if you haven't already.
When you posted that, I kinda figured you were just here to spam your …
Jump to PostYou could try the hardware Forum here at Daniweb:
http://www.daniweb.com/forums/forum7.html
A lot of smart people - they might have some better ideas than what I can come up with.
Be sure to tell them that we ruled out malware.Cheers :)
PP
Jump to PostThanks a million - so much appreciated
Happy to try to help!
I'll keep my fingers crossed.
PP :)
All 53 Replies
top10ufo
0
Newbie Poster
Try using ComboFix if you haven't already.
karg
0
Newbie Poster
Hi there, here are the Hijackthis and Combifix files
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:36:57, on 29/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\sm56hlpr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 2934 bytes
COMBIFIX
ComboFix 09-08-29.01 - KristinG 29/08/2009 21:58.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.353.1033.18.446.184 [GMT 1:00]
Running from: E:\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-29 )))))))))))))))))))))))))))))))
.
2009-08-29 20:36 . 2009-08-29 20:36 -------- d-----w- c:\program files\Trend Micro
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-23 20:45 . 2009-07-23 20:45 12328 ----a-w- c:\documents and settings\KristinG\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-18 1261336]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-10-04 90112]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-07 53248]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2005-10-31 163840]
"SMSERIAL"="sm56hlpr.exe" - c:\windows\sm56hlpr.exe [2005-07-05 544768]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/18/2008 11:23 AM 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [12/18/2008 11:23 AM 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/18/2008 11:23 AM 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/18/2008 11:23 AM 76040]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ie/
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-29 22:02
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(772)
c:\windows\system32\avgrsstx.dll
- - - - - - - > 'lsass.exe'(836)
c:\windows\system32\avgrsstx.dll
- - - - - - - > 'explorer.exe'(3540)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
Completion time: 2009-08-29 22:04
ComboFix-quarantined-files.txt 2009-08-29 21:04
Pre-Run: 34,991,042,560 bytes free
Post-Run: 34,989,473,792 bytes free
76
Appreciate any assistance - its very hard to even get it to run these as internet explorer keeps opening in the background
top10ufo
0
Newbie Poster
Before running ComboFix you should have turned of System Restore and disabled AVG Antivirus...
Hi there, here are the Hijackthis and Combifix files
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:36:57, on 29/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: NormalRunning processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\sm56hlpr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe--
End of file - 2934 bytes
COMBIFIXComboFix 09-08-29.01 - KristinG 29/08/2009 21:58.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.353.1033.18.446.184 [GMT 1:00]
Running from: E:\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore pointWARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-29 )))))))))))))))))))))))))))))))
.2009-08-29 20:36 . 2009-08-29 20:36 -------- d-----w- c:\program files\Trend Micro
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-23 20:45 . 2009-07-23 20:45 12328 ----a-w- c:\documents and settings\KristinG\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-18 1261336]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-10-04 90112]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-07 53248]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2005-10-31 163840]
"SMSERIAL"="sm56hlpr.exe" - c:\windows\sm56hlpr.exe [2005-07-05 544768][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\avgrsstx.dll[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/18/2008 11:23 AM 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [12/18/2008 11:23 AM 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/18/2008 11:23 AM 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/18/2008 11:23 AM 76040]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ie/
.**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-29 22:02
Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(772)
c:\windows\system32\avgrsstx.dll- - - - - - - > 'lsass.exe'(836)
c:\windows\system32\avgrsstx.dll- - - - - - - > 'explorer.exe'(3540)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
Completion time: 2009-08-29 22:04
ComboFix-quarantined-files.txt 2009-08-29 21:04Pre-Run: 34,991,042,560 bytes free
Post-Run: 34,989,473,792 bytes free76
Appreciate any assistance - its very hard to even get it to run these as internet explorer keeps opening in the background
PhilliePhan
171
Central Scrutinizer
Team Colleague
Before running ComboFix you should have turned of System Restore
NO! Bad advice! Do not disable System Restore until told to do so by someone who knows what they are doing.
Frankly, running combofix at this stage (and improperly at that) is not called for.
However, in this case I doubt it matters.
It doesn't look like malware to me - Perhaps even a keyboard issue causing IE to open? After all, it is not opening to ads, but to home page.
Have you tried different Keyboard?
Also, try installing Firefox and seeing if the problem continues.
Cheers :)
PP
EDIT: Try banging on Ctrl + N ( the IE shortcut to open new window) to make sure they are not sticking......
karg
commented:
Solved - Excellent Advisor - much appreciated
+1
top10ufo
0
Newbie Poster
With over 14 years of experience in desktop support, I believe I DO know what I am doing. Unless you feel you have more experience than I do, please keep your advise to yourself.
The problem IS malware (you would know this by looking at the ComboFix log if you knew what you were talking about!) and just installing Firefox is not a problem solver if Windows security updates are not applied and up to date.
NO! Bad advice! Do not disable System Restore until told to do so by someone who knows what they are doing.
Frankly, running combofix at this stage (and improperly at that) is not called for.
However, in this case I doubt it matters.
It doesn't look like malware to me - Perhaps even a keyboard issue causing IE to open? After all, it is not opening to ads, but to home page.
Have you tried different Keyboard?Also, try installing Firefox and seeing if the problem continues.
Cheers :)
PP
karg
0
Newbie Poster
thanks a million for getting back to me, really hard to get into this between all the pages flying up - can't believe i got this much to run! So many people have looked at it now I've given up hope! Do the logs say anthing interesting?
top10ufo
0
Newbie Poster
thanks a million for getting back to me, really hard to get into this between all the pages flying up - can't believe i got this much to run! So many people have looked at it now I've given up hope! Do the logs say anthing interesting?
Also try to simply reset IE to default to remove any bogus add-ons, etc.:
Tools --> Internet Options --> Advanced tab --> click "Reset" at the bottom
karg
0
Newbie Poster
Thanks so much for response, I think at this stage everything and anything has been run through it. There was a virus on it last year. here are some names TEL.XLS.EXE-229E3E7.pf TEL.XLS-3522AB20.pf Malware name WIN32:VB-BBA [Trj]. This is when it all started about july 2008 - in the middle of my thesis. I was thinking along the same lines that it must be hardware as - like you say its only bringing me to my homepage. When I uninstall IE and FF it does the same with windows explorer. One guy I brought it to disconnected the wireless internet buttin, thought that had something to do it. I've reinstalled the OS several times and one guy put his stuff onto it instead oof using my disc - but still the same thing...
Actually its calmed down for the moment as I am now back on firefox - but this happened before and it could go mad again any second. Up tp 80 or more pages fly up at a time.
Really do appreciate all the advise
karg
0
Newbie Poster
So it is Malware - what can I do - I am a bit of an ejit when it comes too this stuff and so many people have fiddled with it, its a mess. Can you please help ...
PhilliePhan
171
Central Scrutinizer
Team Colleague
Unless you feel you have more experience than I do, please keep your advise to yourself.
Then don't give bad advice regarding System Restore and ComboFix.
BTW:
ComboFix 09-08-29.01 - KristinG 29/08/2009 21:58.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.353.1033.18.446.184 [GMT 1:00]
Running from: E:\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
The problem IS malware (you would know this by looking at the ComboFix log if you knew what you were talking about!)
Show me.
and just installing Firefox is not a problem solver if Windows security updates are not applied and up to date.
Didn't say it was a "solution." Just a part of the diagnostic process - to see if problem still occurs, and if it doesn't, at least the poster will have a working browser with which to carry out further steps.
Did you read the first post before immediately having the poster run ComboFix improperly?
I have had people look at re-formatted the harddrive several times and nothing. Have tries God knows how many spyware/malware remover, anyi virus etc.
Not a lot of malware survives multiple re-formats . . . LOL!
karg
0
Newbie Poster
It's behaving itself at the moment (for the last 10 minutes - first time Ive been able to do anything in a year! Is this any help - I ran an Avast cleaner and it was unable to look at these files C:\window\system32\catroot2\edb:log and same main name with \tmp.edb and temp\zlt00d58.tmp. Probably did wrong but tried to delete and said it was in use by another program or user.
NO! Bad advice! Do not disable System Restore until told to do so by someone who knows what they are doing.
Frankly, running combofix at this stage (and improperly at that) is not called for.
However, in this case I doubt it matters.
It doesn't look like malware to me - Perhaps even a keyboard issue causing IE to open? After all, it is not opening to ads, but to home page.
Have you tried different Keyboard?Also, try installing Firefox and seeing if the problem continues.
Cheers :)
PPEDIT: Try banging on Ctrl + N ( the IE shortcut to open new window) to make sure they are not sticking......
top10ufo
0
Newbie Poster
Most malware will just copy itself back into the registry and the file location from system restore (the system volume folder) when deleted. Therefore, not disabling System Restore beforehand makes about as much sense as pissing in the wind. Antivrus manufacturers such as Symantec will tell you this a well.
Then don't give bad advice regarding System Restore and ComboFix.
BTW:
ComboFix 09-08-29.01 - KristinG 29/08/2009 21:58.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.353.1033.18.446.184 [GMT 1:00]
Running from: E:\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
Show me.Didn't say it was a "solution." Just a part of the diagnostic process - to see if problem still occurs, and if it doesn't, at least the poster will have a working browser with which to carry out further steps.
Did you read the first post before immediately having the poster run ComboFix improperly?Not a lot of malware survives multiple re-formats . . . LOL!
PhilliePhan
171
Central Scrutinizer
Team Colleague
It's behaving itself at the moment (for the last 10 minutes - first time Ive been able to do anything in a year! Is this any help - I ran an Avast cleaner and it was unable to look at these files C:\window\system32\catroot2\edb:log and same main name with \tmp.edb and temp\zlt00d58.tmp. Probably did wrong but tried to delete and said it was in use by another program or user.
No worries there - Don't try to delete those.
Honestly, I do not think this is malware. Unless it is something you reinstalled after re-formatting.
I do not see anything in the logs you provided - will wait for top10ufo to show me what I missed, if indeed that is the case.
--Did you say that the problem happens with Both browsers?
--Did you try the keyboard shortcut I mentioned - see if sticking?
Gotta run - I imagine one of the other regular posters will weigh in soon.
Best Luck :)
PP
PhilliePhan
171
Central Scrutinizer
Team Colleague
Most malware will just copy itself back into the registry and the file location from system restore (the system volume folder) when deleted. Therefore, not disabling System Restore beforehand makes about as much sense as pissing in the wind. Antivrus manufacturers such as Symantec will tell you this a well.
Gawd that is wrong in multiple ways - plus not applicable here after multiple formats.....
Google this: An infected restore point is better than none at all.
We flush System Restore AFTER cleaning a machine.
The problem IS malware (you would know this by looking at the ComboFix log if you knew what you were talking about!)
Still waiting for you to show me the malware in the Combofix log. Either that or an apology would be nice.
Cheers :)
top10ufo
0
Newbie Poster
You obviously have no idea what you are talking about and are a typical "Google Tech" meaning you can fix it because you were able to find it on Google.
I am the level of tech that POSTS the solutions for people like you to make yourselves appear knowledgeable by fixing a problem from a solution you found rather than finding the solution using your own knowledge.
I am not going to continue this dick measuring contest with you...
Gawd that is wrong in multiple ways - plus not applicable here after multiple formats.....
Google this: An infected restore point is better than none at all.
We flush System Restore AFTER cleaning a machine.
Still waiting for you to show me the malware in the Combofix log. Either that or an apology would be nice.
Cheers :)
karg
0
Newbie Poster
Hi folks turned off the firewall - can't get AGV to turn off here's latest combofix. Thanks again, k
ComboFix 09-08-29.01 - KristinG 29/08/2009 23:35.2.1 - NTFSx86
Running from: F:\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-29 )))))))))))))))))))))))))))))))
.
2009-08-29 22:33 . 2008-12-18 10:23 641304 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-08-29 22:33 . 2008-12-18 10:23 1082624 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-08-29 22:33 . 2008-12-18 10:23 583960 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-08-29 22:33 . 2008-12-18 10:23 443672 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgiproxy.exe
2009-08-29 20:36 . 2009-08-29 20:36 -------- d-----w- c:\program files\Trend Micro
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-29 22:33 . 2008-12-18 10:23 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-23 20:45 . 2009-07-23 20:45 12328 ----a-w- c:\documents and settings\KristinG\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((( SnapShot@2009-08-29_21.02.28 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-18 1261336]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-10-04 90112]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-07 53248]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2005-10-31 163840]
"SMSERIAL"="sm56hlpr.exe" - c:\windows\sm56hlpr.exe [2005-07-05 544768]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2008-12-18 10:23 10520 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/18/2008 11:23 AM 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [12/18/2008 11:23 AM 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/18/2008 11:23 AM 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/18/2008 11:23 AM 76040]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - BITS
.
.
------- Supplementary Scan -------
.
TCP: {52616A7E-F60E-4D84-901E-36053023D890} = 62.40.32.33 62.40.32.34
FF - ProfilePath - c:\documents and settings\KristinG\Application Data\Mozilla\Firefox\Profiles\9qmgfj7c.default\
FF - prefs.js: browser.startup.homepage - www.google.ie
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-29 23:39
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(772)
c:\windows\system32\avgrsstx.dll
- - - - - - - > 'lsass.exe'(836)
c:\windows\system32\avgrsstx.dll
- - - - - - - > 'explorer.exe'(2852)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
Completion time: 2009-08-29 23:42
ComboFix-quarantined-files.txt 2009-08-29 22:42
ComboFix2.txt 2009-08-29 21:04
Pre-Run: 34,877,386,752 bytes free
Post-Run: 34,832,748,544 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
142
top10ufo
0
Newbie Poster
Definitely don't turn off your firewall. Just the AVG on access scanner. The on access scanner needs to be disabled or it can disallow ComboFix from doing it's job.
Have you tried booting in Safe Mode w/ networking support to see if the problem exists in Safe Mode as well (to rule out hardware device drivers)?
Hi folks turned off the firewall - can't get AGV to turn off here's latest combofix. Thanks again, k
ComboFix 09-08-29.01 - KristinG 29/08/2009 23:35.2.1 - NTFSx86
Running from: F:\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-29 )))))))))))))))))))))))))))))))
.2009-08-29 22:33 . 2008-12-18 10:23 641304 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-08-29 22:33 . 2008-12-18 10:23 1082624 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-08-29 22:33 . 2008-12-18 10:23 583960 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-08-29 22:33 . 2008-12-18 10:23 443672 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgiproxy.exe
2009-08-29 20:36 . 2009-08-29 20:36 -------- d-----w- c:\program files\Trend Micro.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-29 22:33 . 2008-12-18 10:23 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-23 20:45 . 2009-07-23 20:45 12328 ----a-w- c:\documents and settings\KristinG\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.((((((((((((((((((((((((((((( SnapShot@2009-08-29_21.02.28 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-18 1261336]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-10-04 90112]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-07 53248]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2005-10-31 163840]
"SMSERIAL"="sm56hlpr.exe" - c:\windows\sm56hlpr.exe [2005-07-05 544768][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2008-12-18 10:23 10520 ----a-w- c:\windows\system32\avgrsstx.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\avgrsstx.dll[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/18/2008 11:23 AM 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [12/18/2008 11:23 AM 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/18/2008 11:23 AM 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/18/2008 11:23 AM 76040]--- Other Services/Drivers In Memory ---
*NewlyCreated* - BITS
.
.
------- Supplementary Scan -------
.
TCP: {52616A7E-F60E-4D84-901E-36053023D890} = 62.40.32.33 62.40.32.34
FF - ProfilePath - c:\documents and settings\KristinG\Application Data\Mozilla\Firefox\Profiles\9qmgfj7c.default\
FF - prefs.js: browser.startup.homepage - www.google.ie---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-29 23:39
Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(772)
c:\windows\system32\avgrsstx.dll- - - - - - - > 'lsass.exe'(836)
c:\windows\system32\avgrsstx.dll- - - - - - - > 'explorer.exe'(2852)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
Completion time: 2009-08-29 23:42
ComboFix-quarantined-files.txt 2009-08-29 22:42
ComboFix2.txt 2009-08-29 21:04Pre-Run: 34,877,386,752 bytes free
Post-Run: 34,832,748,544 bytes freeWindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect142
karg
0
Newbie Poster
I've tried safe mode and the same thing happens... I'll have to figure out how to get this flippin AVG off - or uninstall it or something.
funny thing is, it hasn't happened for over an hour now. The only things I did were to get the avast cleaner - found nothing, download forefox again, tried to delete the files that it wouldnt let me delte, can't understand it and am sure the problem is still there... this happened before with some guy i brought it too, it behaved itself for a few hours and then started again.
What you saw in the combofix files - can you tell if that is the remnants of the virus i mentioned or is it a different one?
Definitely don't turn off your firewall. Just the AVG on access scanner. The on access scanner needs to be disabled or it can disallow ComboFix from doing it's job.
Have you tried booting in Safe Mode w/ networking support to see if the problem exists in Safe Mode as well (to rule out hardware device drivers)?
PhilliePhan
171
Central Scrutinizer
Team Colleague
You obviously have no idea what you are talking about and are a typical "Google Tech" meaning you can fix it because you were able to find it on Google.
Wrong again - I'm sensing a theme.
When to Disable System Restore (as well as not forcing Safe Mode) has been discussed ad nauseum in all of the reputable security forums and frankly I have no interest in re-hashing it with you when so many examples already exist.
And yes, I used to tell people to disable system restore just as you do before I was taught that an infected point is better than none at all - if the cleaning process doesn't go well, you then have a "fall-back position" from which to try again.
Why do you think ComboFix and other repair tools set a restore point before running?
I am still waiting for you to show me that malware in the ComboFix log that I missed - What? Oh, you can't?
I thought not.
Cheers :)
karg
0
Newbie Poster
I must be totally thick tonight - could not find a way to get AVG off, diabled all the usual ways but when i ran combo said still on so i though ok i'll uninstall it but it won't... says the following:
Error action failed for registry key
HKLM\SOFTWARE\MICROSOFT\WINDOWSNT/CurrentVersion\Windows: creating regitry key...
Error 0x80070005
Totally lost at this stage...never been unable to uninstall an antivirus before...
top10ufo
0
Newbie Poster
When Combofix makes a restore point it is just making backups of the registry hives, this is not the same as what System Restore backs up.
Either way, an infected restore point is about as useful as no restore point.
From the log I noticed onex.dll (which deals with wireless) is attached to the explorer process and also ieframe.dll which I have seen malware attach itself to and cause similar weird issues.
I would suggest checking the system files to make sure they have not been compromised using the system file checker from a command prompt:
sfc /scannow
Wrong again - I'm sensing a theme.
When to Disable System Restore (as well as not forcing Safe Mode) has been discussed ad nauseum in all of the reputable security forums and frankly I have no interest in re-hashing it with you when so many examples already exist.
And yes, I used to tell people to disable system restore just as you do before I was taught that an infected point is better than none at all - if the cleaning process doesn't go well, you then have a "fall-back position" from which to try again.
Why do you think ComboFix and other repair tools set a restore point before running?I am still waiting for you to show me that malware in the ComboFix log that I missed - What? Oh, you can't?
I thought not.Cheers :)
top10ufo
0
Newbie Poster
Make sure you are logged in using an account that has administrator level access.
I must be totally thick tonight - could not find a way to get AVG off, diabled all the usual ways but when i ran combo said still on so i though ok i'll uninstall it but it won't... says the following:
Error action failed for registry key
HKLM\SOFTWARE\MICROSOFT\WINDOWSNT/CurrentVersion\Windows: creating regitry key...
Error 0x80070005Totally lost at this stage...never been unable to uninstall an antivirus before...
PhilliePhan
171
Central Scrutinizer
Team Colleague
What you saw in the combofix files - can you tell if that is the remnants of the virus i mentioned or is it a different one?
I'd like to know that as well - I didn't see anything.
@top10ufo:
I am not sure what you have the poster doing now or why you are doing it, so I will be happy to stay out of your way.
Unfortunately, some companies and advisors advocate disabling system restore *before* attempting a cleanup. This is dangerous advice. First, things can and do go wrong when attempting to remove malware. Second, the Restore Points may not be infected anyway. Third, any malware that may be in a Restore Point is harmless unless and until System Restore is used to restore a system to an earlier state, and that won't happen without direct user intervention.
Since you disdain Googling for knowledge, try this:
http://msmvps.com/blogs/spywaresucks/archive/2005/09/17/66724.aspx
Cheers :)
crunchie
990
Most Valuable Poster
Team Colleague
Featured Poster
The problem IS malware (you would know this by looking at the ComboFix log if you knew what you were talking about!)
The combofix log is clean so I would advise you to stop casting aspersions on a valued member when you obviously have no idea what you are talking about.
If you do not know what you are doing, I will kindly ask you to keep out of the hijackthis forum and leave the logs to people who do know what they are doing.
crunchie
990
Most Valuable Poster
Team Colleague
Featured Poster
Before running ComboFix you should have turned of System Restore and disabled AVG Antivirus...
When giving advice to run Combofix, one should give instructions on how to do it.
Do not advise on it's use here please, as you apparently do not know how to use it.
crunchie
990
Most Valuable Poster
Team Colleague
Featured Poster
So it is Malware - what can I do - I am a bit of an ejit when it comes too this stuff and so many people have fiddled with it, its a mess. Can you please help ...
It may be, but the logs are not showing it. I would go with PhilliePhan's advice here rather than someone who has blown in.
crunchie
990
Most Valuable Poster
Team Colleague
Featured Poster
To the OP. When running Combofix it MUST be run from the desktop, so you may want to move it there.
top10ufo
0
Newbie Poster
I'm new to this forum and therefore I'm treated as if I'm new to the IT field? I came across this forum by accident and saw the thread and figured I would offer some assistance to someone in need.
Typical attitude for the senior jerks on a forum. Bash newbies and treat them as if they are idiots and know nothing and you are king. I'll leave it to all you part time tech wanna be's to handle. It seems to make you feel superior, so have at it...
The combofix log is clean so I would advise you to stop casting aspersions on a valued member when you obviously have no idea what you are talking about.
If you do not know what you are doing, I will kindly ask you to keep out of the hijackthis forum and leave the logs to people who do know what they are doing.
necrolin
94
Posting Whiz in Training
I have a problem with this post. When I started reading the post I saw something to the effect of IE opening itself up hundreds of times. This does sound like a virus. However, the poster mentions multiple formats. This is a problem.
A format deletes everything on the machine including viruses. If you had the machine formatted then when you booted it up it was clean. This means that either:
a) You're installing the virus after it's been formatted. It's possible. I had a client of mine who had a Windows "driver" which he downloaded from somewhere on the net for his hardware. It was a trojan that installed loads of poop onto his computer. So, to me if this is a virus then you need to take a really hard look at the software that you're using. Where are you getting the virus from? If it's survived multiple formats then YOU are putting it back on your computer. Even if you fix it there's a good chance it will come right back.
b) I haven't gone through the logs, but a few people have mentioned that your logs look clean. Reformatting would have cleaned up the viruses..... so what's left? Does your keyboard have a little button for launching a web browser? Someone else suggested that it could be a keyboard problem. If it's the keyboard then no amount of formatting will help you and/or virus hunting will kill you.
Just a few thoughts.
Be a part of the DaniWeb community
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.