pop ups in firefox.

Bramp

Bramp

Member
I am getting pop ups in firefox that download crap to my computer.

I have scanned with:
Malwarebytes (found a couple trogins)
super anti spyware (found a trogin or two)
hijack this
ccleaner
spybot
ad aware (found a few trogins and a worm)
and the microsoft scanner.

problem still persists here is example of problem.
http://oi51.tinypic.com/sonvc2.jpg

Hijack Log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:23:16 PM, on 11/17/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Application Data\mjusbsp\magicJack.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
G:\downloads\~PROTECTION~\hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE

--
End of file - 1747 bytes




Malwarebytes Log:


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5139

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/17/2010 3:14:35 PM
mbam-log-2010-11-17 (15-14-35).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 182154
Time elapsed: 38 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
 
I don't think I've seen a hijackthis log that small before.

However, looks like you may have some hidden infections. Please do the following.

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.


In your next reply please post:
  • The ComboFix log
  • A fresh HiJackThis log
  • An update on how your computer is running
 
John, been 30 minutes since I ran combofix, problem seems to be gone so far. I will update if anything happens. Combofix seems to have done it though, so thanks. :)

Combofix Log:

ComboFix 10-11-17.02 - Owner 11/18/2010 8:18.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.774 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
D:\Autorun.inf

.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-10-18 to 2010-11-18 )))))))))))))))))))))))))))))))
.

2010-11-18 01:37 . 2010-11-18 01:37 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-11-18 01:37 . 2010-11-18 01:37 -------- d-----w- c:\program files\Trend Micro
2010-11-17 22:19 . 2010-09-23 07:46 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-11-17 20:35 . 2010-11-17 20:35 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-11-17 20:21 . 2010-11-17 20:21 -------- d-----w- c:\program files\UltraMon
2010-11-17 20:21 . 2010-11-17 20:21 -------- d-----w- c:\program files\Common Files\Realtime Soft
2010-11-17 20:21 . 2010-11-17 20:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Realtime Soft
2010-11-17 20:20 . 2010-11-17 20:20 -------- dc----w- c:\windows\system32\DRVSTORE
2010-11-17 20:20 . 2010-09-23 07:46 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-11-17 20:20 . 2010-11-17 20:20 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{E961CE1B-C3EA-4882-9F67-F859B555D097}
2010-11-17 20:19 . 2010-11-17 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-11-17 20:19 . 2010-11-17 20:19 -------- d-----w- c:\program files\Lavasoft
2010-11-17 19:32 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-17 19:32 . 2010-11-17 19:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-17 19:32 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-17 18:52 . 2010-11-17 18:53 -------- d-----w- c:\documents and settings\Owner\Application Data\whitesmoketoolbar
2010-11-17 18:06 . 2010-11-17 18:06 -------- d-----w- c:\documents and settings\LocalService\Application Data\WhiteSmokeTranslator
2010-11-17 18:05 . 2010-11-17 18:05 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-11-17 18:05 . 2010-11-17 18:05 -------- d-----w- c:\documents and settings\LocalService\Application Data\whitesmoketoolbar
2010-11-17 18:04 . 2010-11-17 18:59 -------- d-----w- c:\windows\system32\%APPDATA%
2010-11-17 14:31 . 2010-11-17 14:31 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 13:00 . 2010-09-03 21:02 45056 ----a-w- c:\windows\system32\UTSCSI.EXE
2010-09-29 14:24 . 2010-09-29 14:24 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-29 14:24 . 2010-09-29 14:24 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-18 16:23 . 2004-08-26 16:11 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-26 16:11 974848 ------w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-26 16:11 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-26 16:11 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2004-08-26 16:12 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-26 16:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-26 16:11 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51 . 2004-08-26 16:11 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-26 16:12 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-26 16:12 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-08-26 16:12 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-08-26 16:12 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2010-09-03 19:58 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2004-08-26 16:11 617472 ----a-w- c:\windows\system32\comctl32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"UltraMon"="c:\program files\UltraMon\UltraMon.exe" [2007-04-01 299520]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PalTalk.lnk
backup=c:\windows\pss\PalTalk.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2004-01-30 02:13 118784 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2004-01-30 02:13 155648 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 02:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-10-22 16:22 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-10-22 16:22 1622016 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-13 20:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2006-11-21 17:38 35328 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UTSCSI"=2 (0x2)
"YahooAUService"=2 (0x2)
"idsvc"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Paltalk Messenger\\paltalk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\magicJack.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/17/2010 3:20 PM 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/5/2010 6:56 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 6:56 AM 67656]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [9/24/2006 9:22 PM 11776]
R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [9/24/2006 9:23 PM 3584]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 6:56 AM 12872]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/23/2010 2:46 AM 1375992]
.
Contents of the 'Scheduled Tasks' folder

2010-11-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-09-23 20:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\q9xhae8y.default\
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-18 08:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,cf,4f,ab,5e,f6,54,4a,bd,72,a6,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,cf,4f,ab,5e,f6,54,4a,bd,72,a6,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-11-18 08:26:19
ComboFix-quarantined-files.txt 2010-11-18 13:26

Pre-Run: 33,998,786,560 bytes free
Post-Run: 34,236,235,776 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 32850033B0D8360E37715D9963CD8E42


Hijackthis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:55:52 AM, on 11/18/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Paltalk Messenger\paltalk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Owner\Application Data\mjusbsp\magicJack.exe
C:\Program Files\OEC\Trader 3.5\Trader.exe
G:\downloads\~PROTECTION~\hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE

--
End of file - 2194 bytes
 
Looks like you had a keylogger and bootkit infection. Did by chance you install the keylogger yourself?

Other than that, the logs look good.
 
I dunno how I would have installed them myself I haven't installed anything in a long time. Maybe a inadvertently installed, but I don't know how that would be the case because, All I know is svchost.exe in task manager was suddenly eating a zillion computer cycles for about 20 mins, and that is when the problem started 2 days ago.

Been using the computer non stop since your recommended scans, and zero problems.

Thanks for your assistance John.. :good:

johnb35 said:
Looks like you had a keylogger and bootkit infection. Did by chance you install the keylogger yourself?

Other than that, the logs look good.
Click to expand...
 
Also just as a suggestion, install Ad-Block-Plus for Firefox. It blocks a lot of popups and sidebar ads that could install crap on your system.
 
UPDATE: Problem came back, I was not even using the computer. I walked away for 10 minutes when I came back svchost.exe was using up all the computer cycles again, just like last time. Firefox was open with yahoo front page on, and a chat program called Paltalk.com. So it probably came through one of these two portals. I ran combofix again and I believe it found the same bugs.

voyagerfan99; I will install Ad-Block-Plus for firefox as a preventive measure. btw captain Janeway is cool :good: LOL

I will also see if I can add a banner blocker for paltalk (it has banner ads that these bugs could be coming through. Ive had them blocked before, but I have recently reinstalled windows and never reapplied them. Not like I cant use this chat program either. I communicate with work recipients with it.

here is the new chat logs again.

Combofix

ComboFix 10-11-21.01 - Owner 11/21/2010 17:51:57.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.773 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-10-21 to 2010-11-21 )))))))))))))))))))))))))))))))
.

2010-11-21 22:01 . 2010-11-21 22:01 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-11-18 01:37 . 2010-11-18 01:37 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-11-18 01:37 . 2010-11-18 01:37 -------- d-----w- c:\program files\Trend Micro
2010-11-17 22:19 . 2010-09-23 07:46 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-11-17 20:35 . 2010-11-17 20:35 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-11-17 20:21 . 2010-11-17 20:21 -------- d-----w- c:\program files\UltraMon
2010-11-17 20:21 . 2010-11-17 20:21 -------- d-----w- c:\program files\Common Files\Realtime Soft
2010-11-17 20:21 . 2010-11-17 20:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Realtime Soft
2010-11-17 20:20 . 2010-11-17 20:20 -------- dc----w- c:\windows\system32\DRVSTORE
2010-11-17 20:20 . 2010-09-23 07:46 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-11-17 20:20 . 2010-11-17 20:20 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{E961CE1B-C3EA-4882-9F67-F859B555D097}
2010-11-17 20:19 . 2010-11-17 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-11-17 20:19 . 2010-11-17 20:19 -------- d-----w- c:\program files\Lavasoft
2010-11-17 19:32 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-17 19:32 . 2010-11-17 19:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-17 19:32 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-17 18:52 . 2010-11-17 18:53 -------- d-----w- c:\documents and settings\Owner\Application Data\whitesmoketoolbar
2010-11-17 18:06 . 2010-11-17 18:06 -------- d-----w- c:\documents and settings\LocalService\Application Data\WhiteSmokeTranslator
2010-11-17 18:05 . 2010-11-17 18:05 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-11-17 18:05 . 2010-11-17 18:05 -------- d-----w- c:\documents and settings\LocalService\Application Data\whitesmoketoolbar
2010-11-17 18:04 . 2010-11-17 18:59 -------- d-----w- c:\windows\system32\%APPDATA%
2010-11-17 14:31 . 2010-11-17 14:31 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 13:00 . 2010-09-03 21:02 45056 ----a-w- c:\windows\system32\UTSCSI.EXE
2010-09-29 14:24 . 2010-09-29 14:24 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-29 14:24 . 2010-09-29 14:24 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-18 16:23 . 2004-08-26 16:11 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-26 16:11 974848 ------w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-26 16:11 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-26 16:11 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2004-08-26 16:12 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-26 16:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-26 16:11 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51 . 2004-08-26 16:11 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-26 16:12 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-26 16:12 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-08-26 16:12 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-08-26 16:12 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2010-09-03 19:58 5120 ----a-w- c:\windows\system32\xpsp4res.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-11-18_13.24.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-21 22:51 . 2010-11-21 22:51 16384 c:\windows\Temp\Perflib_Perfdata_204.dat
+ 2004-08-26 18:10 . 2010-11-21 21:51 2248192 c:\windows\Installer\1324b.msi
- 2004-08-26 18:10 . 2010-11-17 19:03 2248192 c:\windows\Installer\1324b.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Owner\Application Data\mjusbsp\cdloader2.exe" [2010-10-08 50592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"UltraMon"="c:\program files\UltraMon\UltraMon.exe" [2007-04-01 299520]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PalTalk.lnk
backup=c:\windows\pss\PalTalk.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2004-01-30 02:13 118784 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2004-01-30 02:13 155648 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 02:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-10-22 16:22 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-10-22 16:22 1622016 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-13 20:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2006-11-21 17:38 35328 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UTSCSI"=2 (0x2)
"YahooAUService"=2 (0x2)
"idsvc"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Paltalk Messenger\\paltalk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\magicJack.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/17/2010 3:20 PM 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/5/2010 6:56 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 6:56 AM 67656]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [9/24/2006 9:22 PM 11776]
R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [9/24/2006 9:23 PM 3584]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 6:56 AM 12872]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/23/2010 2:46 AM 1375992]
.
Contents of the 'Scheduled Tasks' folder

2010-11-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-09-23 20:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\q9xhae8y.default\
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-21 17:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,cf,4f,ab,5e,f6,54,4a,bd,72,a6,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,cf,4f,ab,5e,f6,54,4a,bd,72,a6,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-11-21 17:59:16
ComboFix-quarantined-files.txt 2010-11-21 22:59
ComboFix2.txt 2010-11-18 13:26

Pre-Run: 34,972,798,976 bytes free
Post-Run: 35,025,641,472 bytes free

- - End Of File - - 0E771BFCDA454351859C591B73C02256


hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:09:51 PM, on 11/21/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Application Data\mjusbsp\magicJack.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Paltalk Messenger\paltalk.exe
G:\downloads\~PROTECTION~\hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE

--
End of file - 2274 bytes
 
You must log in or register to reply here.
Back
Top