Asfwhide .. [SOLVED]

[Jamie67]

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

- - - - ORPHANS REMOVED - - - -

 

BHO-{0F0B5025-2AF8-4709-A5B0-C6B3F1A96851} - (no file)

BHO-{97000D46-A412-4797-B2C2-0F806439A16D} - (no file)

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-04 16:19

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_USERS\S-1-5-21-637820123-104335020-2904324196-1003\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'explorer.exe'(4036)

c:\windows\system32\WININET.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-03-04 16:21:10

ComboFix-quarantined-files.txt 2010-03-05 00:21

 

Pre-Run: 135,155,494,912 bytes free

Post-Run: 135,112,269,824 bytes free

 

- - End Of File - - D2B948F59E55A232518065C8A2276307

[evilfantasy]

Do you know what this is?

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifdeFUN]

iifdeFUN.dll

[Jamie67]

no .. I have never seen it before ..

[Jamie67]

Evilfantasy .. I want to thank you for you're help .. But I have to log off now .. Grand-kids are here .. will check back in later for further instructions if you feel need done .. thanks again ..

[evilfantasy]

Evilfantasy .. I want to thank you for you're help .. But I have to log off now .. Grand-kids are here .. will check back in later for further instructions if you feel need done .. thanks again ..

 

Your welcome. I'll be around when you get a chance to continue.

 

 

Download OTM by OldTimer to your desktop.

 

Note: If you are using Vista or Windows 7, right-click on OTM.exe and choose Run As Administrator.

 

* Save it to your Desktop.

* Double-click OTM.exe to run it.

* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

 

:Processes
explorer.exe

:services

:reg
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifdeFUN]

:files
c:\windows\Tasks\ParetoLogic Registration3.job
c:\windows\Tasks\ParetoLogic Update Version3.job
c:\program files\Common Files\ParetoLogic
c:\program files\Viewpoint

:Commands
[resethosts]
[purity]
[createrestorepoint]
[emptytemp]
[emptyflash]
[start explorer]
[Reboot]

* Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.

* Click the red Moveit! button.

* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

 

* Close OTM

 

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

 

----------

 

:idea: How is the computer running now? :idea:

 

.

[Jamie67]

All processes killed

========== PROCESSES ==========

No active process named explorer.exe was found!

========== SERVICES/DRIVERS ==========

========== REGISTRY ==========

Registry key HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifdeFUN\ deleted successfully.

========== FILES ==========

c:\windows\Tasks\ParetoLogic Registration3.job moved successfully.

c:\windows\Tasks\ParetoLogic Update Version3.job moved successfully.

c:\program files\Common Files\ParetoLogic\UUS3\Images folder moved successfully.

c:\program files\Common Files\ParetoLogic\UUS3 folder moved successfully.

c:\program files\Common Files\ParetoLogic folder moved successfully.

c:\program files\Viewpoint\Viewpoint Experience Technology\NewComponents folder moved successfully.

c:\program files\Viewpoint\Viewpoint Experience Technology\DownloadedComponents folder moved successfully.

c:\program files\Viewpoint\Viewpoint Experience Technology\Components folder moved successfully.

c:\program files\Viewpoint\Viewpoint Experience Technology folder moved successfully.

c:\program files\Viewpoint folder moved successfully.

========== COMMANDS ==========

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.

HOSTS file reset successfully

Restore point Set: OTM Restore Point (64424509440)

 

[EMPTYTEMP]

 

User: Administrator

 

User: Administrator.YOUR-5BFDF7BC50

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

 

User: All Users

->Flash cache emptied: 36 bytes

 

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32902 bytes

->Flash cache emptied: 41044 bytes

 

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 49286 bytes

 

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32902 bytes

 

User: Owner

->Temp folder emptied: 673356 bytes

->Temporary Internet Files folder emptied: 46860 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 62773755 bytes

->Google Chrome cache emptied: 11225626 bytes

->Flash cache emptied: 1270 bytes

 

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33257 bytes

RecycleBin emptied: 367 bytes

 

Total Files Cleaned = 71.00 mb

 

 

OTM by OldTimer - Version 3.1.10.0 log created on 03042010_191151

 

Files moved on Reboot...

 

Registry entries deleted on Reboot...

[Jamie67]

Things are running great .. seems a lot faster and starts up much better ..

[evilfantasy]

If there are no more malware issues we can finish up now.

 

 

Let's clear out the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if launched accidentally. These steps will also help secure the work you have done.

 

* Click START then RUN

* Now type Combofix /Uninstall in the runbox

* Make sure there's a space between Combofix and /Uninstall

* Then hit Enter.

 

The above procedure will:

* Delete: ComboFix and its associated files and folders.

* Reset the clock settings.

* Hide file extensions, if required.

* Hide System/Hidden files, if required.

* Set a new, clean Restore Point.

 

----------

 

1. Double click OTM to launch it.

Vista and Windows 7 users right click and choose Run As Administrator

2. Click on the CleanUp! button.

3. OTM will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.

4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

5. When finished exit out of OTM.

 

----------

 

Use the Secunia Software Inspector to check for out of date software.

 

* Click Start Scanner

* Check the box next to Enable thorough system inspection.

* Click Start

* Allow the scan to finish and scroll down to see if any updates are needed.

* Update anything listed.

 

----------

 

Go to Microsoft Windows Update and get all critical updates.

 

----------

 

If you are using or have installed IE6 you are using an outdated and soon to be unsupported version of Internet Explorer and I strongly suggest you update to the latest version directly from Microsoft Internet Explorer 8: Home page.

 

----------

 

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

 

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.

* Using SpywareBlaster to protect your computer from Spyware and Malware

* If you don't know what ActiveX controls are, see here

 

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy.

* Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

 

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

 

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

[Jamie67]

Will go threw the list you have left and complete all .. Thanks for you're help on this .. I know its hard to keep patients with some one new .. take care .. Jamie ..

[enoskype]

Great job evilfantasy.:-D

 

Jamie67, nice to know that your problems are solved.:smile:

 

 

Thank you and cheers.

[evilfantasy]

Thanks enoskype and your welcome Jamie67.

 

:-D

[Melvin_Deal]

Wow... even bits and pieces of Norton!!:-o Very informative, thanks Evilfantasy!! Way beyond me... I will study and learn!

 

A tremendous help on this forum.

 

-Mel

[evilfantasy]

Thanks Mel.

 

Setting at a computer and removing malware is easy for some people.

 

Setting at a computer and telling someone else to remove malware should be done cautiously!