Gizmo's Freeware Forum

Thread: Can't keep Mozilla Firefox, why? (https://www.techsupportalert.com/freeware-forum/general-computer-support/9796-cant-keep-mozilla-foxfire-why.html), in General Computer Support (https://www.techsupportalert.com/freeware-forum/general-computer-support/) at Gizmo's Freeware Forum (https://www.techsupportalert.com/freeware-forum/)

placou 1968 12. May 2012 02:32 AM

Can't keep Mozilla Firefox, why?
 
I recently downloaded Mozilla Firefox and used the browser for about two weeks (default set); it worked just fine. I turned on the computer today, and the Mozilla Firefox browser was not there. I had been getting trojan and malware messages in HitmanPro on the setup download, but not until after it was installed. Now I have a new browser with "Ask" as my search engine/homepage; it has never been my homepage, I have had the same homepage since 1997.
http://i.imgur.com/fp0Ec.png?1
http://i.imgur.com/XenR7.png
I have tried to uninstall from Add/Remove Programs, but I keep getting a message that says "you must restart your computer to complete an upgrade of Firefox". I haven't tried to UPGRADE, and turning the computer on and off does nothing to help. Can I somehow force an uninstall? How do you clean up behind it if I do get it uninstalled? I also noticed some shortcuts don't work, and under their properties they have been given different (target/paths?).
XP Home SP3, MSE, MBAM, HitmanPro, updated daily, and now nothing is being picked up as malware/virus/trojan, but where is my browser?

placou 1968 12. May 2012 02:34 AM

I'm sorry about the large images; I thought they were cropped, but I guess not. Sorry again.

MidnightCowboy 12. May 2012 06:53 AM

This looks very much like your browser has been hijacked by another application. If you've been using it as stated for two weeks, then the code responsible would likely not have been in your PC already, but have been picked up from somewhere else.

I would suggest three things:

First, install the WOT (Web Of Trust) browser extension and only open sites with a "green" rating. Better still (my personal opinion only :)) replace Google with the DuckDuckGo search engine and enable WOT icons from the settings panel.

Second, change your DNS settings to use Norton's service. This will also advise you about potentially dangerous sites.

Lastly, install WinPatrol. This is a lightweight HIPS program which will run quite happily alongside other security software and will warn you about Ask and other browser addons should these be included with any other software you might want to install.

The usual practice of only sourcing program downloads from reputable sources also applies, and scanning them via VirusTotal too is worth the extra trouble.

http://www.mywot.com/
https://duckduckgo.com/
http://setup.nortondns.com/
http://www.winpatrol.com/
https://www.virustotal.com/

If you need assistance with any of the above, please ask.

George.J 12. May 2012 07:14 AM

Placou, you have downloaded the software from Soft32.com, and they impose their own download manager for downloading certain software.

Firefox, by default in the Soft32 database, doesn't download through their download manager. So there's a chance that you have manually installed the Soft32 Download Manager on your system.
  1. I advise you to uninstall this download manager using Add/Remove Programs in the Control Panel, or use Revo Uninstaller. Read the edit portion at the bottom.
  2. Then download CCleaner and clean all your temp files by clicking "Run Cleaner".
  3. I also advise you to download Malwarebytes Anti-Malware, update the program and run a quick scan of your system. Post the log file generated in this thread.
  4. Also download HijackThis, accept the licence agreement and click on "Do a system scan and save a log file", and upload the log file generated in this thread.

Warning: Do not attempt to fix any errors or click any other buttons on its interface while using HijackThis.

This is because the download manager recommends that you download & install other programs while you are downloading software from their database. So you might have forgotten to uncheck the option to install the Ask Toolbar in their download manager.

If you are a newbie, I advise you that, when you are downloading & installing programs on your system, please check all the checkboxes, because if you are not doing so, you are inviting crapware to be installed on the system. Also, I recommend that you ignore Soft32 for downloading programs and use alternative sites like Softpedia, SnapFiles, FileHippo, MajorGeeks etc. If you would like to monitor any changes made by software on your system, you can download and install WinPatrol.

Edit: After a thought, I wonder if Soft32 actually installs their download manager on your system. I believe the download manager only appears while you download and install software from their database on your system. But I don't know to what extent the Soft32 Downloader cleans itself up after downloading & installing software. In that case, you may just uninstall the Soft32 Updater if you have installed it on your system; if not, skip step 1.

According to VirusTotal reports, 5/42 antivirus engines swear by their heuristic engine (not through definition files) that the Soft32 Updater is a generic virus.

George.J 12. May 2012 08:29 AM

All right, so I just checked on the Soft32 Download Manager by downloading a program from Soft32.com using their download manager. As far as I can see, the download manager doesn't install on the system but only runs while you download the software (similar to the CNET download manager). Sadly, it doesn't clean up fully after installation. There are traces left behind in the Temp, Temporary Internet Files and Application Data folders. So you may ignore step 1 that I mentioned (of the 4 steps), unless you have the Soft32 Updater installed on the system, in which case you may uninstall that. Then continue to step 2.

George.J 12. May 2012 09:34 AM

Quote:

Originally Posted by MidnightCowboy (Post 72323)
Better still (my personal opinion only :)) replace Google with the DuckDuckGo search engine and enable WOT icons from the settings panel.

And mine :)

Quote:

Originally Posted by MidnightCowboy (Post 72323)
Second, change your DNS settings to use Norton's service. This will also advise you about potentially dangerous sites.

I believe the malware blocking of NortonDNS is better than the free version of OpenDNS, which offers basic malware blocking.

Concerned User 12. May 2012 10:15 AM

That does look nasty. Hoping that you're logging in as a non-admin user in Windows XP.

Hopefully, your problem is resolved. If you're not using Sandboxie, go ahead and give it a try :)

MidnightCowboy 12. May 2012 10:25 AM

Quote:

Originally Posted by George.J (Post 72327)
And mine :)


I believe the malware blocking of NortonDNS is better than the free version of OpenDNS, which offers basic malware blocking.

According to my understanding OpenDNS has NO malware blocking feature in the free version. All you get is protection against known phishing sites unless you upgrade to their commercial plan. I have always disliked the way they market themselves in this area because everyone I speak to who uses OpenDNS (free) believes they do have malware protection.

Attachment 1179

George.J 12. May 2012 12:13 PM

Quote:

Originally Posted by MidnightCowboy (Post 72329)
According to my understanding OpenDNS has NO malware blocking feature in the free version. All you get is protection against known phishing sites unless you upgrade to their commercial plan. I have always disliked the way they market themselves in this area because everyone I speak to who uses OpenDNS (free) believes they do have malware protection.

Attachment 1179

OpenDNS Basic and Deluxe versions do have basic botnet/malware protection, which was responsible for blocking the Conficker worm & Microsoft zero-day exploits. This basic malware protection blocks Internet bots and dangerous websites. Whereas the "Malware site protection" feature (brand new and totally different from basic malware protection) is exclusive to the Enterprise version. It has been promised that this feature may be available for the Deluxe and free versions over time.

MidnightCowboy 12. May 2012 12:43 PM

Quote:

Originally Posted by George.J (Post 72330)
OpenDNS Basic and Deluxe versions do have basic botnet/malware protection, which was responsible for blocking the Conficker worm & Microsoft zero-day exploits. This basic malware protection blocks Internet bots and dangerous websites. Whereas the "Malware site protection" feature (brand new and totally different from basic malware protection) is exclusive to the Enterprise version. It has been promised that this feature may be available for the Deluxe and free versions over time.

Are you able to provide a link to where you saw this information? I've not been able to confirm it, and OpenDNS do not respond to my emails. :)

I'm aware they promote this on their site:

"OpenDNS owns and operates PhishTank, the largest clearinghouse of phishing information on the Internet. OpenDNS incorporates PhishTank into its services to protect you from fraudulent websites that attempt to steal your personal information and money. In addition, OpenDNS provides protection against two of the most pervasive Internet security threats that continue to infect millions of users: Conficker, the largest botnet, and Internet Explorer exploits".

... but this is not malware protection. Sure, they guard against Conficker, but so does every AV worth installing. IE exploit protection is also worth having for the diminishing number of IE users, but it still ain't malware protection, as all of the OpenDNS users I've encountered believe they have.

placou 1968 13. May 2012 04:33 AM

I failed to mention that I had WOT downloaded with Firefox, and it was working just fine, but it's gone also. Like I was told, I'm not going to do anything until I answer your questions and see if you guys can help me after you get the info needed.
Also, MBAM was a download and it's updated daily also; it's not catching anything.
I also recall removing the 2 check marks so "Ask" would not become my homepage when downloading Firefox.

When I downloaded it the first (and only) time it took me to the Soft32 download, and it's the one that worked very well for about two weeks; that's what scares me.

Any help sure would be appreciated, thanks in advance.

It should be noted that I turned my computer off for a couple of days; it was fine then. When I turned it on I found this problem. Thanks for all you guys do.

I am not logging in as admin, just limited access; I learned that lesson the hard way.

Yes, I have and use Sandboxie, I just wasn't sure about downloading in a sandboxed environment. Boxie and I are forever attached.

Google Toolbar (I forgot the method), but I went to Add/Remove Programs and removed Google everything. I did this some time back.

placou 1968 13. May 2012 05:45 AM

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:00:05 PM, on 5/12/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Browser Defender\BDTUpdateService.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HitmanPro\hmpsched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Browser Defender\FGuard.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\Lexmark 3400 Series\ezprint.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KHXPLRQJ\HijackThis[2].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.semo.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: PC Tools Browser Guard - {472734EA-242A-422b-ADF8-83D1E48CC825} - C:\Program Files\Browser Defender\PCTBrowserDefender.dll
R3 - URLSearchHook: Search Results Toolbar - {e5593220-bcaf-4b30-89fe-af988d0eacaa} - C:\Program Files\searchresults\toolbar2X.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Browser Defender\PCTBrowserDefender.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Browser Defender\PCTBrowserDefender.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PCTools FGuard] C:\Program Files\Browser Defender\FGuard.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\RunOnce: [PM_reg] c:\windows\regedit.exe /s c:\sysprep\Nic_pm.reg
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1320621162968
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\Browser Defender\BDTUpdateService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HitmanPro Scheduler (HitmanProScheduler) - SurfRight B.V. - C:\Program Files\HitmanPro\hmpsched.exe
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Sandboxie Service (SbieSvc) - SANDBOXIE L.T.D - C:\Program Files\Sandboxie\SbieSvc.exe

--
End of file - 7338 bytes

George.J 13. May 2012 07:03 AM

Placou, thanks for providing further info. The downloader & updater is only a generic virus detection by certain antiviruses (it can be included in the class of suspicious files). It's not necessary that all antiviruses classify it as malware and hence a detection.

Glad to know you were using all safe practices like WOT, Sandboxie, a limited-access Windows account and an anti-malware scanner. The reason that caused this problem is sadly your sheer carelessness. As I said, there's a high chance that Ask was installed from the Soft32 downloader. Probably after unchecking both the checkboxes you clicked the "Accept" button instead of "Decline". This is how Ask forges itself to make people think that you have to "Accept" this change to install the software on the system.

For example watch this screenshot: http://www.howtodownload.org/wp-cont...layer_pic7.png .

Now for the cleanup, we would like you to perform these steps, for further help. Close all other running programs before you run these tests.
  1. Fix these with HijackThis: mark them, close IE, click "Fix checked"

    R3 - URLSearchHook: Search Results Toolbar - {e5593220-bcaf-4b30-89fe-af988d0eacaa} - C:\Program Files\searchresults\toolbar2X.dll (file missing)

    O4 - HKLM\..\RunOnce: [PM_reg] c:\windows\regedit.exe /s c:\sysprep\Nic_pm.reg
  2. Click START -> RUN -> type in %temp% -> OK -> Edit -> Select all -> File -> Delete

    Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

    Empty the recycle bin

    Reboot and post a new HijackThis log.
  3. Since we have hardly any time to analyze a GMER log, download and run the zip archive of Kaspersky TDSSKiller, run the exe file and note if you have any rootkits on your system.
  4. Uninstall Firefox completely from your system. Use this guide

placou 1968 13. May 2012 04:12 PM

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:09:19 AM, on 5/13/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Browser Defender\BDTUpdateService.exe
C:\Program Files\HitmanPro\hmpsched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Browser Defender\FGuard.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.semo.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Browser Defender\PCTBrowserDefender.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Browser Defender\PCTBrowserDefender.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PCTools FGuard] C:\Program Files\Browser Defender\FGuard.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1320621162968
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\Browser Defender\BDTUpdateService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HitmanPro Scheduler (HitmanProScheduler) - SurfRight B.V. - C:\Program Files\HitmanPro\hmpsched.exe
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Sandboxie Service (SbieSvc) - SANDBOXIE L.T.D - C:\Program Files\Sandboxie\SbieSvc.exe

--
End of file - 6674 bytes

placou 1968 13. May 2012 04:45 PM

The Kaspersky TDSSKiller is on my computer and has been for about a year; it has never found anything before, and in running it today it finds no detected problems in scanning 284 items. I don't know how to get a copy of the report saved to upload, and it won't let me copy/paste... but it shows all OK.

I wasn't able to get MBAM completed before this morning to post with HijackThis; a full scan took about 6 hours... and it found nothing, but it's saved if I need to post it.

I'm still not doing anything to remove anything (other than what you advise); I'm placing my trust in you guys. Thanks again.

George.J 13. May 2012 10:04 PM

Placou, it's not necessary that you run a full scan with MBAM. Only if you find any infections or suspicious objects during a quick scan are you required to perform a full scan, as it may take hours to complete. Good to know that the TDSSKiller tests came out clean. I prefer GMER to TDSSKiller, but in my busy schedule right now it would be hard to find time to analyze the logs.

Seems like Ask has kissed your system goodbye. Did you just say that you tried to remove Google Toolbar? I guess it's not yet gone from your system.

Fix these items:
  • O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
  • O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
  • O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
  • O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
  • O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
  • O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

Are you using Chrome, Google Earth or other Google-related applications? If you do not wish to use the Google Update service (I have disabled it because it stalls my PC sometimes), then you can delete these entries:
  • O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
  • O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
  • O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

You should be clean by now. Did you uninstall Firefox using the guide instructions I posted earlier? If so, you can download and install Firefox from Softpedia.
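
The check made by eye in the post above (comparing the second HijackThis log with the first to confirm that the two entries from the earlier "Fix these with HijackThis" step are gone) is easy to automate. The script below is an added example for this thread; it is not code from HijackThis or from any poster. It parses HijackThis-style log lines, flags the kinds of entries picked out in this thread (a hook whose DLL is marked "(file missing)", a RunOnce that silently merges a .reg file with `regedit /s`, and an HKCU start page that is not the user's known homepage), and diffs two logs to list what a fix removed. The sample logs are a constructed subset of the two logs posted in this thread; the hijacked start-page URL, the allow-list of expected homepages and the flag rules are this example's own assumptions, not HijackThis rules.

```python
"""Triage HijackThis-style log lines and diff two logs.

Added example for this thread; not code from HijackThis or from any poster.
The sample log text is a constructed subset of the logs posted above; the
allow-list, the hijacked URL and the flag rules are this example's assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Every HijackThis entry starts with an R or O section code, e.g. "R3 - ...".
_ENTRY = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")

# Assumption: the user's long-standing homepage, taken from the R0 HKCU line.
EXPECTED_START_PAGES = {"http://www.semo.net/"}


@dataclass(frozen=True)
class Entry:
    code: str   # section code such as R0, R3, O4, O23
    body: str   # everything after "Rn - " / "Onn - "


def parse(log: str) -> list[Entry]:
    """Keep only the Rn/Onn entry lines; header and process list are ignored."""
    entries = []
    for line in log.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            entries.append(Entry(m["code"], m["body"]))
    return entries


def flag(entry: Entry) -> str | None:
    """Return why this entry deserves a look, or None if nothing stands out."""
    body = entry.body
    # A hook/BHO/toolbar whose DLL is gone is an orphaned registration left
    # by a removed or half-removed add-on (the R3 line in this thread).
    if "(file missing)" in body:
        return "registration points at a file that no longer exists"
    # A RunOnce that silently merges a .reg file on next logon can re-apply
    # settings (or a hijack) after a cleanup.
    if entry.code == "O4" and "RunOnce" in body and re.search(
            r"\bregedit(\.exe)?\s+/s\b", body, re.IGNORECASE):
        return "RunOnce silently imports a .reg file at next logon"
    # Per-user IE start page that is not the homepage we expect.
    if entry.code == "R0" and "HKCU" in body and "Start Page" in body:
        url = body.split("=", 1)[-1].strip()
        if url and url not in EXPECTED_START_PAGES:
            return f"user start page changed to {url}"
    return None


def triage(log: str) -> list[tuple[Entry, str]]:
    """All flagged entries in log order, paired with the reason."""
    return [(e, why) for e in parse(log) if (why := flag(e))]


def removed_between(before: str, after: str) -> list[Entry]:
    """Entries in the first log that are absent from the second."""
    still_there = set(parse(after))
    return [e for e in parse(before) if e not in still_there]


# Constructed subset of the first log posted in the thread.
BEFORE_SAMPLE = r"""
Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.semo.net/
R3 - URLSearchHook: PC Tools Browser Guard - {472734EA-242A-422b-ADF8-83D1E48CC825} - C:\Program Files\Browser Defender\PCTBrowserDefender.dll
R3 - URLSearchHook: Search Results Toolbar - {e5593220-bcaf-4b30-89fe-af988d0eacaa} - C:\Program Files\searchresults\toolbar2X.dll (file missing)
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\RunOnce: [PM_reg] c:\windows\regedit.exe /s c:\sysprep\Nic_pm.reg
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"""

# Constructed subset of the second log: the same machine after "Fix checked".
AFTER_SAMPLE = r"""
Logfile of Trend Micro HijackThis v2.0.4
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.semo.net/
R3 - URLSearchHook: PC Tools Browser Guard - {472734EA-242A-422b-ADF8-83D1E48CC825} - C:\Program Files\Browser Defender\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"""

# Constructed line (the URL is made up) showing what a hijacked start page looks like.
HIJACKED_START_LINE = (
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = "
    "http://search.example.invalid/?src=toolbar"
)


if __name__ == "__main__":
    for entry, why in triage(BEFORE_SAMPLE):
        print(f"{entry.code}: {why}\n    {entry.body}")
    print("removed by the fix:")
    for entry in removed_between(BEFORE_SAMPLE, AFTER_SAMPLE):
        print(f"    {entry.code} - {entry.body}")
```

Paste the full saved logs in place of the two samples and run the file; on the logs in this thread the triage lists exactly the R3 "(file missing)" hook and the PM_reg RunOnce, and the diff confirms both are absent from the second log. The rule set is deliberately narrow: a line it does not flag (the PC Tools Browser Guard hook, the Google Toolbar BHOs) is not thereby clean, it just matches none of these three patterns.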

Anupam 14. May 2012 09:11 PM

Quote:

Originally Posted by placou 1968 (Post 72320)
I recently downloaded Mozilla Firefox and used the browser for about two weeks (default set); it worked just fine

What do you mean by default set?

Quote:

Originally Posted by placou 1968 (Post 72320)
I had been getting trojan and malware messages in HitmanPro on the setup download, but not until after it was installed

Did you scan with HitmanPro after you had downloaded the Firefox setup from Soft32, or after you had installed Firefox?

If you had scanned with HitmanPro after downloading the Firefox setup from Soft32, but before installing it, you should not have gone ahead with the installation.

Remember that any amount of security software will not prevent an infection if you are not careful yourself, do not follow safe practices, or ignore alerts from the security software.

Ultimately, the safety of the PC depends on the user who uses the security software.

Quote:

Originally Posted by placou 1968 (Post 72320)
Now I have a new browser with "Ask" as my search engine/homepage; it has never been my homepage, I have had the same homepage since 1997
http://i.imgur.com/fp0Ec.png?1
http://i.imgur.com/XenR7.png

Most probably, Ask has been installed as search engine/homepage because you missed it while installing software on your computer, or you got confused by the options presented during installation, as some of these can be tricky.

You should always be careful while installing software on your computer, and the process should be done slowly, paying attention to each and every screen, because nowadays many programs, even free ones, are bundled with extra software. Often, some of them present confusing screens to lure the user into installing the bundled software.

Was Ask presented to you while installing Firefox via the Soft32 downloader? If not, it must have been installed with some other software that you installed recently.

I would also like to ask why you decided to download Firefox from Soft32. How did you even come across Soft32?

Because I tried searching for the terms "Firefox", "Mozilla Firefox" on Google, and Soft32 does not come up in the results for 2-3 pages. So, how come you downloaded from Soft32?

You should take care as to where you download any software from. First preference should always be given to the home site of the software. That's where you will find the latest version of the software.

Sometimes, the official download of a software from their site will lead to a download site. That's fine. Most of them are reputable download sites. Still, even reputed sites like Download.com have started to offer their own downloader. So, Download.com should be avoided.

If you have to download from another download site, then make sure you download from a reputable one. George.J has mentioned these reputable sites in his post. These were also mentioned in another thread earlier by myself, although without any links.

I am perplexed as to why you decided to download from Soft32.

You say that Firefox is not there. However, in the second screenshot that you posted, a Firefox shortcut is visible on the desktop. Or was that screenshot taken before the problem? Is that the case?

I notice that the Firefox icon appears to have changed and is black, which is not the original Firefox icon. Had you changed that? Or did it get changed somehow without you noticing?

So, what's the case... is the Firefox shortcut icon still on the desktop?

If that black Firefox icon is there, does clicking on it start Firefox?

Quote:

Originally Posted by placou 1968 (Post 72320)
I also noticed some shortcuts don't work, and under their properties they have been given different (target/paths?)

Can you post about some of the shortcuts that do not work? Please post their names, and also post their target paths which appear to have been changed. That can give an idea of the problem.

Had you installed any software in the past few days which might have caused this problem? Or performed a scan with a security program and tried to fix the problems that it found?
That might be the reason behind the shortcuts not working, or Firefox not being there on the system.

Unless a change has been made to the system in some way, it's weird that suddenly one day you start the system and Firefox is not there. Certainly some change has taken place somehow. Try to remember what you did or installed in the past few days.

Were you running Firefox sandboxed all these days?
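
A check that goes with the advice above about downloading from the home site (this is an added example; it is not from Anupam's post, from Mozilla, or from any other poster): hash the file you actually downloaded and compare it with the checksum list the vendor publishes on its own site, for example the SHA512SUMS file Mozilla publishes alongside each Firefox release. A download-site stub wrapped around a real installer has a different hash and simply will not appear in the vendor's list, which is exactly the "Moz Firefox" versus "Firefox Setup 12.0" distinction discussed in this thread. The fixture files, the list contents and the paths in demo() are constructed for the demo, and the checksum list must come from the vendor's own site, never from the page that served the installer.

```python
"""Check a downloaded installer against a vendor-published checksum list.

Added example, not from the thread or from Mozilla. The list format is the
one sha512sum/sha256sum write: "<hexdigest>  <path>" per line. The fixture
installer and its checksum list are constructed inside demo().
"""
import hashlib
import os
import tempfile


def parse_sums(text):
    """Parse '<hexdigest>  <path>' lines into {path: digest}; '#' lines are comments."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, path = line.partition("  ")
        if not sep:
            continue                       # malformed line: skip rather than guess
        path = path.strip()
        if path.startswith("*"):           # sha*sum's binary-mode marker
            path = path[1:]
        sums[path] = digest.lower()
    return sums


def file_digest(path, algo="sha512", chunk=1 << 20):
    """Stream the file through hashlib so a large installer never sits in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify(path, sums, entry, algo="sha512"):
    """Return (ok, expected, actual); an entry missing from the list is a failure."""
    expected = sums.get(entry)
    actual = file_digest(path, algo)
    return (expected is not None and expected == actual, expected, actual)


def demo():
    """Constructed fixture: a stand-in installer, a one-byte-different copy, and a
    sums list in the vendor format. Returns the three verdicts."""
    tmp = tempfile.mkdtemp()
    good = os.path.join(tmp, "Firefox Setup 12.0.exe")
    wrapper = os.path.join(tmp, "Moz Firefox.exe")
    with open(good, "wb") as f:
        f.write(b"MZ" + b"\x00" * 4094)              # not a real installer
    with open(wrapper, "wb") as f:
        f.write(b"MZ" + b"\x00" * 4093 + b"\x01")    # differs by one byte
    sums_text = ("# constructed SHA512SUMS, not Mozilla's\n"
                 f"{file_digest(good)}  win32/en-US/Firefox Setup 12.0.exe\n")
    sums = parse_sums(sums_text)
    entry = "win32/en-US/Firefox Setup 12.0.exe"
    return {
        "genuine": verify(good, sums, entry)[0],            # listed and matching
        "tampered": verify(wrapper, sums, entry)[0],        # listed, hash differs
        "unlisted": verify(wrapper, sums, "win32/en-US/Moz Firefox.exe")[0],
    }


if __name__ == "__main__":
    print(demo())
```

On a real download the sums text is whatever the vendor publishes and the entry is the path the vendor lists for your platform and language; a file that hashes to something not in that list was not produced by the vendor, whatever its icon or file name says.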

Anupam 14. May 2012 09:17 PM

I would also recommend that you take some time to read and understand these articles, and follow the safe practices provided in them. Take your own time to go through them, but do read them once.

It's not necessary to follow all the advice in the articles, but please follow whatever you can.

http://www.techsupportalert.com/safe-surfing.php

http://www.techsupportalert.com/cont...under-hour.htm

http://www.techsupportalert.com/cont...-malicious.htm

http://www.techsupportalert.com/how-...re-your-pc.php

http://www.techsupportalert.com/cont...r-infected.htm

http://www.techsupportalert.com/cont...e-online.htm-0

Don't be overwhelmed by the number of the articles above. But, read them whenever you can.

Browsing while sandboxed will keep you safe for most part.

Be careful of where you download from, what you download, and during the installation process.

George.J 15. May 2012 12:24 AM

Placou, I can also see that you have turned on the Indexing Service on Windows XP. Are you sure you really want to use this feature if you do not normally spend a great deal of time searching for your files or for strings of text within those files? If you don't search very often, I guess it's not a good idea to devote system resources to speeding up a service that you really do not want, because by disabling the Indexing Service you'll save a great deal of processor resources and RAM on Windows XP. But if it doesn't bother you, feel free to keep the service. You may choose to disable the service only if you find your computer is slower and processor usage is erratic at times, and you don't search very often.

Here's a tutorial from Microsoft on the symptoms and how to turn off the Indexing Service:
Windows XP may run slowly and you may see multiple symptoms in Windows Task Manager

placou 1968 15. May 2012 02:52 PM

In response to Anupam: I don't know how I was directed to Soft32. I noted we had discussed that in a different post a week or two ago. I don't recall why, but I had a screenshot that showed Soft32 from back then.
I have not intentionally gone there. I think I typed "Mozilla foxfire browser" into a search engine (it's been a while, I'm not sure) and I was taken to a site that was mostly orange; I think a woman and a dog were on the page, the icon I associate with Mozilla was there, and a download button.
1. I downloaded it; the setup or installation of it was placed on the desktop in the form of an icon of a kid.
2. I began the installation; everything worked fine upon completion. I used it as I thought was proper, no knowingly bad sites, etc.
3. The icon started out as an orange round ball, looking as if it was rolling, indicating fast I suppose. I do know it to be the icon related to that product.
4. The other icons remain the same, but when you right-click Properties I would find, for instance, target/paths that were not correct. It might say c/programs/guest/documents/mozillafoxfire.exe when you were looking at the properties for, say, "imgur" (what I described is an example only, not specific). I knew that was a problem and I came here, not knowing what kind of problem.
5. The different icon appeared after turning on the computer from a 3-day on-purpose shutdown, and I had no Mozilla Firefox browser, just the icon that had changed, and I don't recall where the target and path were pointed, but it wasn't there.
6. I did not try the other icons to see if they worked; I knew they wouldn't at the time and didn't know what that would cause in the computer.
7. Hitman only caught it after installation was complete. I scanned the installation icon and contents with MBAM and MSE, but Hitman was the only one that caught it.
8. SPECULATION ONLY: maybe Hitman uploaded the captures, made a determination and removed the items? It's set to ask before doing, but I don't know if that is a constant; I don't catch much with it.
9. Ask was offered at the time of downloading Firefox.

I DID hit the wrong button after unchecking the Ask toolbar questions that were provided, and right you are, I read it twice, and I'm able to comprehend well, but I did hit the wrong button.

The good news is... after following the instructions of "George" to the letter, and taking my time to do it as correctly as possible, when I finished I called my ISP (and they're a company every living being in the world has heard of). Under remote connection I was told this: "from the screen shots, and the cleanup you have done, you could work here, there's not a trace left that I can find, I notice we use the same tools so that helped also". That's a compliment back to "George", and I thank you very much as well, but I can't take your credit.
In the address bar I typed www.MozillaFirefox.com... it took me to (below)
http://www.mozilla.org/en-US/firefox...rom=getfirefox
That's where I started from; all I did was hit download.

placou 1968 15. May 2012 06:27 PM

http://i.imgur.com/ekraZl.jpg Today, the 15th May, I decided to search my computer for Soft32. I found 3 items, last modified in 2004 (I don't know what that means; the computer isn't that old). Is there more to look for? And how do I remove these?

Anupam 15. May 2012 07:15 PM

Tssoft32 files do not seem to be Soft32 files, so they are best left alone.

As for your previous post... I am seriously lost, because I can't make much out of it, and many things are just plain confusing.

First, I don't think we discussed Soft32 before, apart from this thread... at least I don't remember discussing it elsewhere. If we did, please direct me to that post/thread.

Quote:

Originally Posted by placou 1968 (Post 72378)
1. I downloaded it; the setup or installation of it was placed on the desktop in the form of an icon of a kid.

That's confusing. According to the link that you posted at the end, it seems that you downloaded the setup from the Mozilla Firefox home site... but above you say that the icon was in the form of a kid.

The setup icon of Firefox does not come in the form of a kid.

Whereas the Firefox installer from Soft32, which in turn downloads the actual Firefox setup, does come with the icon of a kid with glasses.

Quote:

Originally Posted by placou 1968 (Post 72378)
9. Ask was offered at the time of downloading Firefox.

Again, if you had downloaded Firefox from its home site at www.mozilla.org... the setup does not contain any third-party or extra bundled software at all. So, Ask could not have been offered at the time of downloading Firefox.

Are you really certain that you downloaded Firefox from the Mozilla site? Because, according to what you describe, and from your screenshots... it seems that you had in fact downloaded the Firefox setup from Soft32.

The Firefox setup downloaded from the Mozilla site is named "Firefox Setup 12.0"... whereas in the screenshot from your first post, Hitman Pro detects Soft32 in the setup named "Moz Firefox"... which again seems to indicate that the setup was downloaded from Soft32.

So, what is the actual case?

Quote:

Originally Posted by placou 1968 (Post 72378)
4. The other icons remain the same, but when you right-click Properties I would find, for instance, target/paths that were not correct. It might say c/programs/guest/documents/mozillafoxfire.exe when you were looking at the properties for, say, "imgur" (what I described is an example only, not specific). I knew that was a problem and I came here, not knowing what kind of problem.

It's not clear what you are trying to say here. You have lost me.

If you want us to be able to help you... you have to be quite clear with what you write, and it should be coherent. Also, you need to answer exactly what we ask.

I will ask again... which of the shortcuts were not correct? Please write their names, with their paths against them.

Generally, programs installed on the computer should be in the C:\Program Files folder.

So, please, post the exact path which you find is incorrect. Please do not post the "for instance" path. We need exact things.

Quote:

Originally Posted by placou 1968 (Post 72378)
5. The different icon appeared after turning on the computer from a 3-day on-purpose shutdown, and I had no Mozilla Firefox browser, just the icon that had changed, and I don't recall where the target and path were pointed, but it wasn't there.

Well, a changed icon does not mean that the software is not there. According to the screenshot, I can see that the shortcut to Mozilla Firefox is there... just the icon has changed.

I ask again: by clicking that shortcut, does Firefox start up? If yes, Firefox is still installed on your system.

And I cannot figure out how the icon could change while the computer was in a shut-down state. And why was it shut down "on purpose" for 3 days? Any particular reason behind it?

You say that your ISP often helps you by providing remote assistance. Could it be that a member of the ISP accessed your computer without your knowledge and changed things around? Just a possibility... I am taking a guess.

Or maybe someone else is able to use your computer via the remote assistance somehow. That could explain the change of the icon.

Quote:

Originally Posted by placou 1968 (Post 72378)
6. I did not try the other icons to see if they worked; I knew they wouldn't at the time and didn't know what that would cause in the computer.

Again, it's not clear what you are trying to say.

You did not try the other icons? You just knew that they wouldn't work? Were you taking a guess? It's a request: please post exact things, and not guesses, because otherwise it would be very difficult for us to help you at all.

Quote:

Originally Posted by placou 1968 (Post 72378)
8. SPECULATION ONLY: maybe Hitman uploaded the captures, made a determination and removed the items? It's set to ask before doing, but I don't know if that is a constant; I don't catch much with it.

I had made that speculation too... but it won't happen unless:

1. Hitman Pro is still in its 30-day mode. If it has been installed beyond 30 days, it can only scan and find malware... it cannot clean it.

2. If it did indeed clean up... it would only mess with Firefox files because it found an infection in them. But if you downloaded from the Mozilla site... or even the Soft32 site, an infection in the installed Firefox files should not be there.

It alerted about the Firefox setup from Soft32, which I guess is the Soft32 downloader that downloaded the actual Firefox setup... but even then, it should not clean the Firefox files after installation, as it detects trouble only with the Soft32 installer.

So, Hitman Pro cannot be considered responsible for the missing Firefox.
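
One way to answer the question about the shortcut targets without opening the Properties dialog of each one by hand (an added example, not code from the thread or from any poster): read the target path straight out of each .lnk file and flag the ones whose target no longer exists, or whose target lives outside C:\Program Files and C:\Windows, the usual homes for installed programs mentioned in the thread. The script parses the shell-link binary format itself rather than calling the Windows Shell, so it also works on a Desktop folder copied off the machine for examination. EXPECTED_DIRS and the sample shortcuts produced by build_lnk() are assumptions made for this demo; the function and variable names are this example's own.

```python
"""Audit .lnk shortcuts by reading the target path straight from the file.

Added example, not from the thread. It follows the MS-SHLLINK layout (header,
optional LinkTargetIDList, LinkInfo with LocalBasePath + CommonPathSuffix),
so it needs no Windows Shell COM objects and can run over a Desktop folder
copied off the machine. EXPECTED_DIRS and the fixtures from build_lnk() are
assumptions made for this demo.
"""
import os
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C
HAS_LINK_TARGET_ID_LIST = 0x01        # LinkFlags bit 0
HAS_LINK_INFO = 0x02                  # LinkFlags bit 1
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01  # LinkInfoFlags bit 0
EXPECTED_DIRS = (r"c:\program files", r"c:\windows")   # where installed software normally lives


def _cstr(buf, off):
    """Null-terminated ANSI string starting at buf[off]."""
    return buf[off:buf.index(b"\x00", off)].decode("cp1252", "replace")


def lnk_target(data):
    """Return the local target path stored in a shortcut, or None if it has none."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]    # IDListSize + the list
    if not flags & HAS_LINK_INFO:
        return None
    (_size, _hdr, info_flags, _vol_off, base_off,
     _net_off, suffix_off) = struct.unpack_from("<7I", data, pos)
    if not info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None                       # network-only link; out of scope here
    return _cstr(data, pos + base_off) + _cstr(data, pos + suffix_off)


def audit_shortcut(data, exists=os.path.exists):
    """Verdict for one shortcut: ok, missing, unusual-location or no-target."""
    target = lnk_target(data)
    if target is None:
        return ("no-target", None)
    if not exists(target):
        return ("missing", target)        # the symptom described in this thread
    if not target.lower().startswith(EXPECTED_DIRS):
        return ("unusual-location", target)
    return ("ok", target)


def audit_directory(directory, exists=os.path.exists):
    """Audit every .lnk in one folder -> [(filename, verdict, target), ...]."""
    out = []
    for name in sorted(os.listdir(directory)):
        if name.lower().endswith(".lnk"):
            with open(os.path.join(directory, name), "rb") as f:
                out.append((name,) + audit_shortcut(f.read(), exists))
    return out


def build_lnk(local_path, with_id_list=False):
    """Construct a minimal spec-shaped .lnk for local_path (demo fixture only)."""
    base = local_path.encode("cp1252") + b"\x00"
    suffix = b"\x00"                                   # empty CommonPathSuffix
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"   # fixed drive, no label
    hdr = 0x1C                                         # LinkInfoHeaderSize, no unicode offsets
    base_off = hdr + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<7I", suffix_off + len(suffix), hdr,
                            VOLUME_ID_AND_LOCAL_BASE_PATH, hdr, base_off, 0,
                            suffix_off) + volume_id + base + suffix
    flags = HAS_LINK_INFO | (HAS_LINK_TARGET_ID_LIST if with_id_list else 0)
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))
    id_list = b""
    if with_id_list:
        item = struct.pack("<H", 3) + b"\x1f"          # one 3-byte ItemID
        id_list = struct.pack("<H", len(item) + 2) + item + b"\x00\x00"   # + TerminalID
    return header + id_list + link_info
```

Point audit_directory() at the Desktop or Start Menu folder (or a copy of it). A verdict of "missing" is the case this thread describes, a shortcut whose target is gone; "unusual-location" catches shortcuts rewritten to point into a profile, Temp or download folder instead of the program's install directory, which is worth a look even when the file is present.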

George.J 15. May 2012 09:04 PM

Quote:

Originally Posted by placou 1968 (Post 72384)
Today, the 15th May, I decided to search my computer for Soft32. I found 3 items, last modified in 2004 (I don't know what that means; the computer isn't that old). Is there more to look for? And how do I remove these?

Placou, do not attempt to delete those files. While the tsssoft.ac_ files in your i386 folder are files copied from the installation disk by the manufacturer, the tsssoft.acm file is an audio compression driver that's important for playing video game sounds (especially for older games; for example, Fallout Free on my PC uses .acm files).

Quote:

Originally Posted by placou 1968 (Post 72378)
1. I downloaded it; the setup or installation of it was placed on the desktop in the form of an icon of a kid.

That's the logo of Soft32.
Quote:

Originally Posted by placou 1968 (Post 72378)
2. I began the installation; everything worked fine upon completion. I used it as I thought was proper, no knowingly bad sites, etc.
3. The icon started out as an orange round ball, looking as if it was rolling, indicating fast I suppose. I do know it to be the icon related to that product.
4. The other icons remain the same, but when you right-click Properties I would find, for instance, target/paths that were not correct. It might say c/programs/guest/documents/mozillafoxfire.exe when you were looking at the properties for, say, "imgur" (what I described is an example only, not specific). I knew that was a problem and I came here, not knowing what kind of problem.

  • All right, so what happened here actually is that, as per '1', you first downloaded a setup file from the Soft32 database. It is not the actual installation file of Firefox. This is actually the Soft32 downloader for downloading the Firefox setup from the Soft32 database. This Soft32 downloader icon has a boy with glasses and was placed on the desktop.
  • Now as per '2' and '3', you were not installing Firefox on your system. In '2' you were actually running the Soft32 downloader to download the "real" Firefox setup. In '3' you got the Firefox installer, which has the stylised fox on fire around the world; this is the "installer" file for installing Firefox, and it was not the Firefox icon after installation. This is why its target path is set to c/programs/guest/documents/mozillafoxfire.exe, which is the default location for software downloaded from Soft32.
  • What you had to do next is "run" this installer to install Firefox onto the system at C:\Program Files. You never actually said that you ran "this" installer so that Firefox got installed into the system. You only checked the shortcut paths and then posted your problem in this thread :)

Quote:

Originally Posted by placou 1968 (Post 72378)
5. The different icon appeared after turning on the computer from a 3-day on-purpose shutdown, and I had no Mozilla Firefox browser, just the icon that had changed, and I don't recall where the target and path were pointed, but it wasn't there.

Errm... actually I can answer this properly without further info, but what I believe is that one of your programs got replaced with the "Mozilla Firefox" title. I can't deduce how it happened. It is this program that appears on your desktop as a shortcut.
Quote:

Originally Posted by placou 1968 (Post 72378)
6. I did not try the other icons to see if they worked; I knew they wouldn't at the time and didn't know what that would cause in the computer.

I thought you just said in your first post that many shortcuts had different paths, and now you're mentioning that you didn't try anything? Um... :confused:
Quote:

Originally Posted by placou 1968 (Post 72378)
7. Hitman only caught it after installation was complete. I scanned the installation icon and contents with MBAM and MSE, but Hitman was the only one that caught it.
8. SPECULATION ONLY: maybe Hitman uploaded the captures, made a determination and removed the items? It's set to ask before doing, but I don't know if that is a constant; I don't catch much with it.

The infection found by Hitman is a heuristic detection and not an actual infection. As I posted in an earlier post with my VirusTotal results for a Soft32 downloader file, 5/42 antiviruses triggered a heuristic detection, which may not necessarily be an actual infection. This is why MBAM or other antiviruses don't trigger an infection for the same setup file.
Quote:

Originally Posted by placou 1968 (Post 72378)
9. Ask was offered at the time of downloading Firefox.

I DID hit the wrong button after unchecking the Ask toolbar questions that were provided, and right you are, I read it twice, and I'm able to comprehend well, but I did hit the wrong button.

So there you are. I hope you would be careful next time :)

Quote:

Originally Posted by placou 1968 (Post 72378)
The good news is... after following the instructions of "George" to the letter, and taking my time to do it as correctly as possible, when I finished I called my ISP (and they're a company every living being in the world has heard of). Under remote connection I was told this: "from the screen shots, and the cleanup you have done, you could work here, there's not a trace left that I can find, I notice we use the same tools so that helped also". That's a compliment back to "George", and I thank you very much as well, but I can't take your credit.
In the address bar I typed http://www.techsupportalert.com/free...efox.com... it took me to (below)
http://www.mozilla.org/en-US/firefox...rom=getfirefox
That's where I started from; all I did was hit download.

You're welcome. I don't think your computer was infected or hacked in the first place; you just got some confusion and also unknowingly installed the Ask toolbar. Luckily that saved me a great deal of time, or otherwise we would have needed ComboFix to go through advanced processes. Glad to see that your PC is clean now. :rolleyes:

placou 1968 16. May 2012 02:50 PM

Referencing back to the previous post in which we discussed Soft32: it's in this forum, thread title "questions about possible antivirus change", post #25. You had seen "softhelp", not "soft32", in the address bar, and advised me it was not trustworthy. I don't know if softhelp and soft32 are related or not, but that's where I posted a capture of several warning/error messages, and captured a trojan, etc.
Again, I have never heard of Soft32; I have no idea how I wound up there. It was not intentional.

Anupam 16. May 2012 05:40 PM

Softhelp and Soft32 are obviously different.

George.J 17. May 2012 06:48 PM

Placou, I guess we'll take our discussion to this thread, instead of fixes being recommended in private. First of all, I would like to advise you on one thing. You should not receive tech repair from 2 different sources, because both parties will be recommending different tools and methods; this might lead to conflicts and you might not obtain the desired results. So either you should let your ISP, ATT, recommend fixes for you and follow them (since you're already paying for it), and then post back the results in the thread, or follow the advice being recommended here.

  • First, all your TDSSKiller log reports should be available in the C: directory. You may upload the logs in a notepad file attached to the thread. It's better than posting them directly in this thread. TDSSKiller doesn't remove any infections unless you specifically let it do so. So there's no chance that the rootkits were removed during the scanning procedure.
  • Secondly, are your wife's wireless PC and yours shared by any means? In that case, if her PC is infected, there's a good chance that the rootkits might have got into your system, if disks are shared with infected content, or even via the remotely connected computer. Because during the first scan that I had asked you to do, no rootkits were found, as you told me, but later TDSSKiller caught 4 of them. At any cost during the disinfection process, do not share your computer (except with your ISP whom you trust; I believe their system is not infected :D).
  • Thirdly, from the screenshots that you've sent me about the hmpsched.exe error, it refers to an error in your Hitman Pro scheduler configuration; you may try re-installing the application. I don't think there's a need to report that error to Microsoft. Appcompat.txt is used for reporting errors to Microsoft and contains the information about the problem. Reading the text file would let users with technical knowledge know what the problem is. It's not really important, but you can upload that file in this thread. You can find the path to it from the 2nd screenshot. Are you sure you're running a legal copy of Windows?
  • Finally, did you actually try to run the Firefox browser and browse, after downloading it from Soft32 and installing it on your system? Because from your reports, I guess it's not yet installed on your system.

George.J 17. May 2012 07:10 PM

And finally, when your ISP has finished diagnosing the PC, we will provide further support and certain scans you may want to run as advised, with attached logs for observation.

placou 1968 20. May 2012 07:56 PM

Copy from Kaspersky
 
[InfectedObject]
Type: Service
Name: ATI Smart
Type: n/a (0x110)
Start: Auto (0x2)
ImagePath: C:\WINDOWS\system32\ati2sgag.exe

[InfectedFile]
Type: Raw image
Src: C:\WINDOWS\system32\ati2sgag.exe
md5: 7970df1f4bef2ee5e3f88b66d470ccda



[InfectedObject]
Type: Service
Name: iaStor
Type: Kernel driver (0x1)
Start: Boot (0x0)
ImagePath: SYSTEM32\DRIVERS\IASTOR.SYS

[InfectedFile]
Type: Raw image
Src: C:\WINDOWS\system32\DRIVERS\IASTOR.SYS
md5: 309c4d86d989fb1fcf64bd30dc81c51b


[InfectedObject]
Type: Service
Name: PrismXL
Type: n/a (0x110)
Start: Auto (0x2)
ImagePath: C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

[InfectedFile]
Type: Raw image
Src: C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
md5: 33d7285f12d934268a34206dfc4ad1b3

[InfectedObject]
Type: Service
Name: tap0901
Type: Kernel driver (0x1)
Start: Demand (0x3)
ImagePath: system32\DRIVERS\tap0901.sys

[InfectedFile]
Type: Raw image
Src: C:\WINDOWS\system32\DRIVERS\tap0901.sys
md5: 1e89de7a4fb7a854ebb241d0aa8996dd
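
The excerpt above is the raw record format, and the thread later turns on which of these items were quarantined and whether the various logs agree. As an added example (not from the thread and not Kaspersky's code), here is a small parser for that [InfectedObject]/[InfectedFile] layout. It keeps both "Type:" values (the object type, then the service type), pairs each object with the file record that follows it, resolves the ImagePath spellings found in the services registry (a bare SYSTEM32\... path, \SystemRoot\..., \??\C:\...) so the hashed file can be checked against the path the service actually registers, and orders the results with boot-start kernel drivers first, because those load before any user-mode security tool and so deserve the first look. SAMPLE_LOG copies two of the records posted above; SYSTEM_ROOT is assumed to be the default XP location and would be read from %SystemRoot% on a live system. The parser says nothing about whether an item is malicious; it only organises what the tool reported.

```python
"""Triage TDSSKiller-style [InfectedObject]/[InfectedFile] records.

Added example, not from the thread or from Kaspersky. Keeps both 'Type:'
values, pairs each object with the file record after it, resolves registry
ImagePath spellings, and lists boot-start kernel drivers first because they
load before any user-mode security tool. SYSTEM_ROOT is an assumption.
"""
import re

SAMPLE_LOG = r"""[InfectedObject]
Type: Service
Name: ATI Smart
Type: n/a (0x110)
Start: Auto (0x2)
ImagePath: C:\WINDOWS\system32\ati2sgag.exe

[InfectedFile]
Type: Raw image
Src: C:\WINDOWS\system32\ati2sgag.exe
md5: 7970df1f4bef2ee5e3f88b66d470ccda

[InfectedObject]
Type: Service
Name: iaStor
Type: Kernel driver (0x1)
Start: Boot (0x0)
ImagePath: SYSTEM32\DRIVERS\IASTOR.SYS

[InfectedFile]
Type: Raw image
Src: C:\WINDOWS\system32\DRIVERS\IASTOR.SYS
md5: 309c4d86d989fb1fcf64bd30dc81c51b
"""   # two records copied from the log posted in the thread

SYSTEM_ROOT = r"C:\WINDOWS"                      # assumed; read %SystemRoot% on a live box
SECTION = re.compile(r"^\[(\w+)\]$")
FIELD = re.compile(r"^(\w+):\s*(.*)$")
HEX_CODE = re.compile(r"\(0x([0-9a-fA-F]+)\)")    # Start: Boot=0, System=1, Auto=2, Demand=3


def parse_sections(text):
    """Yield (section, [(key, value), ...]) in file order; repeated keys are kept."""
    name, fields = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            if name is not None:
                yield name, fields
            name, fields = m.group(1), []
            continue
        m = FIELD.match(line)
        if m and name is not None:
            fields.append((m.group(1), m.group(2).strip()))
    if name is not None:
        yield name, fields


def _first(fields, key, default=""):
    return next((v for k, v in fields if k == key), default)


def build_records(text):
    """Pair every InfectedObject with the InfectedFile that follows it."""
    records, cur = [], None
    for section, fields in parse_sections(text):
        if section == "InfectedObject":
            types = [v for k, v in fields if k == "Type"]   # object type, then service type
            cur = {"object_type": types[0] if types else "",
                   "service_type": types[1] if len(types) > 1 else "",
                   "name": _first(fields, "Name"), "start": _first(fields, "Start"),
                   "image_path": _first(fields, "ImagePath"), "file": None, "md5": None}
            records.append(cur)
        elif section == "InfectedFile" and cur is not None:
            cur["file"] = _first(fields, "Src")
            cur["md5"] = _first(fields, "md5").lower() or None
    return records


def resolve_image_path(p):
    """Expand the ImagePath spellings seen in the services registry to a full path."""
    if p.startswith("\\??\\"):
        return p[4:]
    if p.lower().startswith("\\systemroot\\"):
        return SYSTEM_ROOT + p[len("\\systemroot"):]
    if re.match(r"^[A-Za-z]:\\", p):
        return p
    return SYSTEM_ROOT + "\\" + p.lstrip("\\")    # bare 'system32\...' is SystemRoot-relative


def path_matches(rec):
    """True when the registered ImagePath is the file that was actually hashed."""
    return bool(rec["file"]) and resolve_image_path(rec["image_path"]).lower() == rec["file"].lower()


def start_code(start):
    m = HEX_CODE.search(start)
    return int(m.group(1), 16) if m else 99


def triage_order(records):
    """Kernel drivers before user-mode services, earliest start type first."""
    return sorted(records, key=lambda r: ("Kernel driver" not in r["service_type"],
                                          start_code(r["start"]), r["name"].lower()))


def hash_list(records):
    """Distinct MD5s, for an offline compare against a known-good baseline."""
    return sorted({r["md5"] for r in records if r["md5"]})
```

Feed build_records() the full text of a TDSSKiller log instead of SAMPLE_LOG to get the same triage over every record; hash_list() gives the digests to compare against a clean reference installation, and a record where path_matches() is False means the service's registry entry and the file the scanner hashed do not line up, which is worth checking before anything is quarantined.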

George.J 21. May 2012 01:32 AM

Please post the TDSSKiller log in its entirety. Go to the C: directory and then upload it in full, or copy-paste it here.

placou 1968 21. May 2012 02:22 PM

Have I found it?

http://i.imgur.com/hdSLi.jpg

placou 1968 21. May 2012 03:52 PM

Why can't I upload or copy and paste the log that is needed for review?
The log I found makes reference to 13.05.2012_10.15.32.
These are the numbers I noticed in the date info I posted.
The same numbers are associated with the file in the Kaspersky TDSSKiller quarantine that holds the captured info, but the log of the scan will not let me provide it to you by any method I know.
Copy and paste had too many characters; imgur won't allow it. Now I can copy it, but when I try to paste, that is not an option; just delete is an option.

At the bottom of the log it shows no detections, but you have seen them and the date associated.

I allowed for a time difference and checked the day prior and after, and nothing is shown detected.

The log below is not the one; I was wrong about it.

placou 1968 21. May 2012 04:21 PM

Hope it's the correct one, date and time corresponding with captures
 
1 Attachment(s)
Thanks, I finally hope to have figured out how to get the info to you.
http://www.techsupportalert.com/free...1&d=1337613454

Thanks for your patience; I have learned a lot so far. In checking other logs of May, I find no mention of threats detected, but the posts have been seen by you, so I guess they exist in here somewhere if kasp. rt.kill doesn't remove.

Also, I noted the date 13.05.2012_10.15.32 relates to the captures I listed, and also relates to the items in the Kaspersky quarantine.

George.J 22. May 2012 03:10 AM

As you said, there's no indication of your PC being infected with rootkits in the above scan log. No items are detected and none quarantined. Interestingly, the short log that you posted earlier had certain detections. From where did you attach that incomplete log?

In your C:\ directory, there should be numerous TDSSKiller logs, since you scanned more than once. You may attach the other logs here, after zipping them into one file.

What did you do after Hitman Pro detected threats, as in the image you gave in the first post?

placou 1968 22. May 2012 07:04 AM

Kasp. rootkit upload sent
 
C:\TDSSKiller_Quarantine\13.05.2012_10.15.zip should be the zip I uploaded if I did it right. There should be 4 items in quarantine: tsk0000... tsk0001... tsk0002... tsk0003. If I recall correctly, there are 3 folders in each.

The info you asked about in obtaining the short log: I went to Run, typed C:\TDSSKiller. Many came up; I narrowed down by the date, and cut/copy/pasted the part of the log I thought was important. I was not able to send it all; it was too large. I did not consider a zip folder at the time; I didn't know how then. The rootkit names all had OK by them in the big log. I will try to zip and forward.

Hitman: I was using Mozilla for possibly 2 weeks(?) I THINK before I ran Hitman. When it detected, it was put in quarantine, and I made sure I had it set to stay for 1 month I believe, before removal. I was able to continue use of it. I left, turned my computer on a few days later and it was gone. I came here for help then, as best I can recall. It was not in the time frame for Hitman to remove it (1 month).

I also noted catchme anti-malware logs; I never saw them before, and don't know how or why they're there. Are they of any value to you? I didn't open or mess with anything else.

placou 1968 22. May 2012 08:05 AM

http://www.techsupportalert.com/free...1&d=1337670275

I believe this to be the entire log.

placou 1968 22. May 2012 08:13 AM

Another log I found
 
1 Attachment(s)
This is in addition to... I located it in C:.

George.J 22. May 2012 09:33 AM

All right, Placou, I didn't check your log properly. I didn't know that you sent me 4 logs in one notepad file; I thought it was just one. So the good news is that all infected objects in TDSSKiller have been quarantined. The later logs show no infections.

From your Emsisoft results, there was a spyware toolbar; I believe that was the Ask toolbar. Anyway, it has been deleted and removed from your System Restore folder. Also, we used HijackThis to remove it before. Good.

I would like to ask you again: did you actually run your Mozilla Firefox browser and were you able to browse the web with it, at least once?

Placou, I request that you update the version of Java installed on your computer. Your version is outdated. Make sure you uninstall the old version, after closing all your browsers, and then install the latest one, possibly after a reboot. The download is available here: http://java.com/en/download/index.jsp

Also, if you have your Windows XP disk, insert it and go to Start -> Run -> type cmd -> type sfc /scannow and wait till it finishes.

George.J 22. May 2012 09:53 AM

I also want you to download and run GMER, save the log file and upload it here.

If you haven't enabled the Windows firewall, please enable it, or if you choose to install a new firewall, we have excellent recommendations here: http://www.techsupportalert.com/best-free-firewall.htm. Also turn on "Automatic updates" to keep your Windows updated.

You may also choose to analyse your startup programs using one of these utilities here: http://www.techsupportalert.com/best...up-manager.htm . The fewer programs that initialize on startup, the faster your computer will work.
If you wish, you can download and run Autoruns, save the log as an .arn file and upload it here. This is only optional.

If you have any doubt please ask. :)

placou 1968 22. May 2012 02:48 PM

Yes, I did use the browser; I set it as my default browser. I likely used it 35-40 times in 2 weeks. It worked fine for that time; actually it worked very well.

I will now attempt the other processes.

I have seen GMER on my computer before; I didn't put it here, but I have seen it.

placou 1968 23. May 2012 05:14 AM

GMER
 
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-05-22 23:13:39
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-16 WDC_WD1200BB-00RDA0 rev.20.00K20
Running: 173qzr63[1].exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fxtdypob.sys


---- System - GMER 1.0.15 ----

Code F7C39C9C ZwRequestPort
Code F7C39D3C ZwRequestWaitReplyPort
Code F7C39BFC ZwTraceEvent
Code F7C39C9B NtRequestPort
Code F7C39D3B NtRequestWaitReplyPort
Code F7C39BFB NtTraceEvent

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

