View Full Version : SLIzone page hijacking Firefox on boot up



linzi
15-12-2010, 10:37 AM
As soon as I boot up my Firefox opens showing the following page.
http://www.slizone.com/page/home.html
I have never ever visited this site... until now. I don't want to keep visiting it every morning.
I have deleted a prog, which must have installed itself, in Add/remove programmes, I have checked the registry for any references to SLIzone, I have run Spybot and AdAware. Now what?

I prefer a blank page for my browser startup, as I don't have to wait for it to load.

SP8's
15-12-2010, 10:45 AM
Suggest you post a Hijack This log and ask Speedy nicely if he can have a look at it for you.

http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html

GameJunkie
15-12-2010, 10:46 AM
Start Firefox in safe mode and see if it opens that page.

Pancake
15-12-2010, 10:49 AM
This will fix it. You will have to download it using a thumb drive on another computer and then run it on yours.

Please download Malwarebytes' Anti-Malware from one of these places:

Majorgeeks (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Besttechie (http://www.besttechie.net/tools/mbam-setup.exe)


Double-click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. Do so.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report in your next reply.

linzi
15-12-2010, 11:25 AM
Here is the entire report as requested,
pleased to have the items mentioned deleted
BUT
the problem still exists, and happened again on reboot.
-----------------------------------------------------------
Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5314

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

15/12/2010 11:16:55 a.m.
mbam-log-2010-12-15 (11-16-55).txt

Scan type: Quick scan
Objects scanned: 145654
Time elapsed: 7 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 3
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\Pamc\application data\registrysmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
c:\documents and settings\Pamc\application data\registrysmart\Log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
c:\documents and settings\Pamc\application data\registrysmart\registry backups (Rogue.RegistrySmart) -> Quarantined and deleted successfully.

Files Infected:
c:\downloads\dispwd.dll (PUP.PSWTool.Asterisk) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\asteriskie.exe (PUP.PSWTool.Asterisk) -> Quarantined and deleted successfully.
c:\WINDOWS\casino1.ini (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\Pamc\application data\registrysmart\Errors.stg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
c:\documents and settings\Pamc\application data\registrysmart\Results.stg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
c:\documents and settings\Pamc\application data\registrysmart\registry backups\2007-06-03_22-20-28.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.

Pancake
15-12-2010, 11:31 AM
Looks as if it's fixed... you should be fine now.

linzi
15-12-2010, 11:39 AM
SP8's, where do I post the HijackThis log please? I have created it.

linzi
15-12-2010, 11:47 AM
Pancake

BUT................. but, but, but, but.................

It isn't fixed. I rebooted and exactly the same thing happened.

gary67
15-12-2010, 12:06 PM
Turn off System Restore and run Pancake's stuff again, as it will be hiding in the restore. Once you have done that you can turn System Restore back on.

linzi
15-12-2010, 03:06 PM
I turned off System Restore and ran a full in-depth scan a la Pancake and still nothing.

Rebooted, and Firefox still starting on auto and hijack page still coming up.

Full scan as follows
Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5314

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

15/12/2010 2:33:57 p.m.
mbam-log-2010-12-15 (14-33-57).txt

Scan type: Full scan (C:\|E:\|G:\|)
Objects scanned: 357689
Time elapsed: 1 hour(s), 34 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Pancake
15-12-2010, 03:18 PM
Ok. Try this....

Download Combofix and place it on your desktop from Bleepingcomputer (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Geekstogo (http://subs.geekstogo.com/ComboFix.exe)

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Combofix may be slow to start and appear to be doing nothing before it starts scanning. Just leave it, it will start.

You can get help on disabling your protection programs here: http://www.bleepingcomputer.com/forums/topic114351.html

Please include the C:\ComboFix.txt in your next reply for further review.

Caution.....
Never use this program to remove files. Only use it with help from an experienced user. Wrongful use can damage your computer. This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a qualified helper.

linzi
15-12-2010, 03:58 PM
TY for your help btw, much appreciated.

Ok, THIS time when Combofix rebooted it was IE that auto-started [??? default browser changed??]

Combofix gave the following report

ComboFix 10-12-14.01 - Pamc 15/12/2010 15:32:48.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.424 [GMT 13:00]
Running from: c:\documents and settings\Pamc\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Thumbs.db
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\desktop
c:\windows\desktop\Oamaru Convention\Oz 06.exe
c:\windows\system32\paqbonus.exe
c:\windows\system32\vnrqscnt.ini
c:\windows\system32\vwasbcvh.ini
c:\windows\system32\winping.exe

.
((((((((((((((((((((((((( Files Created from 2010-11-15 to 2010-12-15 )))))))))))))))))))))))))))))))
.

2010-12-14 22:07 . 2010-12-14 22:07 -------- d-----w- c:\documents and settings\Pamc\Application Data\Malwarebytes
2010-12-14 22:07 . 2010-11-29 04:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-14 22:07 . 2010-12-14 22:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-12-14 22:07 . 2010-12-14 22:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-14 22:07 . 2010-11-29 04:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-13 22:47 . 2010-12-13 22:47 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{FC88D84C-9AAA-4DCA-B544-2F808B2C6FE6}
2010-12-13 20:24 . 2010-12-13 20:24 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{F03307B7-E779-4F5E-A32E-9A73D8D6E0F2}
2010-12-13 02:58 . 2010-12-13 02:58 1409 ----a-w- c:\windows\QTFont.for
2010-12-12 22:09 . 2010-12-03 09:05 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-12-12 21:55 . 2010-12-03 09:05 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-12-12 21:55 . 2010-12-12 21:55 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-12-12 21:52 . 2010-12-12 21:52 -------- d-----w- c:\documents and settings\Pamc\Local Settings\Application Data\Sunbelt Software
2010-12-12 21:52 . 2010-12-12 21:52 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2010-12-12 21:51 . 2010-12-12 21:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-12-12 21:51 . 2010-12-12 21:52 -------- d-----w- c:\program files\Ad-Aware
2010-12-01 23:22 . 2010-12-01 23:22 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{13795121-80CF-4D45-9175-8FD79D18EF7E}
2010-11-21 22:23 . 2010-11-21 22:26 -------- d-----w- c:\documents and settings\Pamc\Application Data\KompoZer
2010-11-21 22:23 . 2010-11-21 22:23 -------- d-----w- C:\Komposer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-30 23:28 . 2009-08-30 23:28 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-08-30 23:28 . 2009-08-30 23:28 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-08-30 23:28 . 2009-08-30 23:28 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2006-02-10 2048000]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"nwiz"="nwiz.exe" [2006-09-22 1519616]
"NvMediaCenter"="NvMCTray.dll" [2006-09-22 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-09-22 7618560]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 277296]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2009-11-30 557056]
"JMB36X Configure"="c:\windows\system32\JMRaidTool.exe" [2006-07-12 352256]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2006-07-12 1397760]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 61952]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-09-22 38840]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ScanSoft OmniPage 16-reminder"="c:\program files\ScanSoft\OmniPage16\Ereg\Ereg.exe" [2007-07-19 328992]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"avast5"="c:\progra~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"Quick-Drop"="c:\program files\DVD MovieFactory 7\Corel DVD MovieFactory 7\Quick-Drop.exe" [2008-06-02 389264]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-08 155648]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-22 640440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-13 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-02-28 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-03 435096]

c:\documents and settings\Pamc\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
EPSON Background Monitor.lnk - c:\program files\EPSON\ESM2\STMS.exe [1999-6-7 233984]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Eudora\EuShlExt.dll" [2002-09-30 86016]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Pamc^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPIO]
2005-04-14 06:22 704000 ----a-w- c:\program files\USB_HD\GPIOManager\GPIOManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
2006-10-13 04:04 707376 ----a-w- c:\windows\vVX3000.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Genuine"=rundll32.exe "c:\windows\system32\hvcbsawv.dll",realset

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\CuteFTP\\cutftp32.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Pamc\\My Documents\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\FotoFusionV4_mine\\collage.exe"=
"c:\\Program Files\\Deep Paint 3D\\Deep3D.exe"=
"c:\\WINDOWS\\system32\\ntvdm.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Yahoo\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59:TCP"= 59:TCP:DCC

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [13/12/2010 10:55 a.m. 64288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/04/2008 8:58 a.m. 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/04/2008 8:58 a.m. 17744]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Ad-Aware\AAWService.exe [3/12/2010 10:05 p.m. 1389400]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [3/01/2008 1:04 p.m. 2560]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3/11/2006 8:19 p.m. 13592]
.
Contents of the 'Scheduled Tasks' folder

2010-12-13 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Ad-Aware\Ad-AwareAdmin.exe [2010-12-03 09:05]

2010-12-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 00:34]

2010-12-15 c:\windows\Tasks\SyncBackSE Backup Photos.job
- c:\program files\SyncBackSE\SyncBackSE.exe [2007-11-15 02:54]

2010-12-15 c:\windows\Tasks\SyncBackSE Pics.job
- c:\program files\SyncBackSE\SyncBackSE.exe [2007-11-15 02:54]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
mWindow Title =
uInternet Settings,ProxyOverride = *.local 127.0.0.1
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
FF - ProfilePath - c:\documents and settings\Pamc\Application Data\Mozilla\Firefox\Profiles\ldwkknq5.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: keyword.URL -
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: TinEye Reverse Image Search: tineye@ideeinc.com - %profile%\extensions\tineye@ideeinc.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -

BHO-{474597C5-AB09-49d6-A4D5-2E8D7341384E} - c:\progra~1\IMESHA~1\MediaBar\Datamngr\IEBHO.dll
HKCU-Run-PowerBar - (no file)
HKLM-Run-DivXUpdate - c:\program files\DivX\DivX Update\DivXUpdate.exe
Notify-dimsntfy - (no file)
Notify-WgaLogon - (no file)
MSConfigStartUp-DATAMNGR - c:\progra~1\IMESHA~1\MediaBar\Datamngr\DATAMN~1.EXE
MSConfigStartUp-ICQ - c:\program files\ICQ7.2\ICQ.exe
AddRemove-iMesh MediaBar - c:\program files\iMesh Applications\MediaBar\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-15 15:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PowerBar = ????????????l?@?l?@?D??????w???????????????wl?@?l? @????? ???????????g??w???w???????w???wx??????????w??????? ? ??????????????|x???0??????????????????w??????????? ?????<???,???P???????l?@?l?@????????w????t?@?????l?@?8?@ ?l?@?3??s????????????????????8?@?_??s8?@?8?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-527237240-1060284298-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D533C0C2-8944-1FD5-6911-F5AE644EB8B6}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abnhfpdbdphnbpfijehpjjhgkbikcfmaom"=hex:61,61,00,00
"bbnhfpdbdphnbpfijekpagecdndmjkneaafa"=hex:61,61,00,00

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0A23C812-28A4-A3EF-EC599404379BDED8}\{EDDB7AE9-60BA-FC8B-2A36AEA66116E16E}\{30AFDBAC-89B1-0DCB-309A1919CB2D0BED}*]
"VBOGEGOY1DKTBDELSVQBDYRDXB1"=hex:01,00,01,00,00,00,00,00,d4,b3,d7,da,ae,5a,86,
f1,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{580924E7-4534-80EF-AD4675C17646FF10}\{0EFB2AA0-1A3E-507D-F9B34D5CF29081CD}\{BBABFA65-B0A6-C96D-B621BCAFF6A8D6D6}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,0c,79,41,
bb,23,20,82,6c,2c,7f,35,7b,4c,7d,69,0f,7e,58,2a,12,49,f3,57,a4,40,25,e6,b4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6D5E2939-A5DB-D6BD-9F41807AA850BA06}\{A2236650-A135-615F-2FB3B5C141AE354B}\{89F48E34-795A-D0CC-A11D96A744FB88CA}*]
"VBOGEGOY1DKTBDELSVQBDYRDXB1"=hex:01,00,01,00,00,00,00,00,d4,b3,d7,da,ae,5a,86,
f1,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7089373C-39A3-A5D7-72E0F9B1B1BA828D}\{72DE6895-E215-C85D-4F9099F65ABBB5F8}\{8DFB3C3E-A988-D036-8A13836ED250FFE4}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,0c,79,41,
bb,23,20,82,6c,2c,7f,35,7b,4c,7d,69,0f,7e,58,2a,12,49,f3,57,a4,40,25,e6,b4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9D7D745F-2DA2-E26E-67E2A61C92B5C873}\{869A1319-CB5B-72EF-32E86935B8210920}\{0F637A1B-C125-DB37-203685E7DE12B741}*]
"VBOGEGOY1DKTBDELSVQBDYRDXB1"=hex:01,00,01,00,00,00,00,00,d4,b3,d7,da,ae,5a,86,
f1,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C9E2B393-56C9-49A0-E9536816E76F722D}\{C3EAC204-1FBE-55E0-B9FAECEF4AC48E44}\{36C3AF1D-C1DF-E2E1-C86849C42C7FDBDC}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,0c,79,41,
bb,23,20,82,6c,2c,7f,35,7b,4c,7d,69,0f,7e,58,2a,12,49,f3,57,a4,40,25,e6,b4,\

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Swearware\backup\winsock2]
@DACL=(02 0000)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3040)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Avast5\AvastSvc.exe
c:\program files\EPSON\ESM2\eEBSVC.exe
c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Ad-Aware\AAWTray.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-12-15 15:51:52 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-15 02:51

Pre-Run: 17,135,808,512 bytes free
Post-Run: 17,056,813,056 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 6F14D9B494B3B791A7E4443A071315B2

Pancake
15-12-2010, 06:24 PM
That is ok. I don't see any malware there now... how are things working? You will need to reset to whatever browser you were using.

linzi
15-12-2010, 10:52 PM
Thank you very much for scanning my various log files, Pancake,
Much appreciated.

Sadly I now have Firefox back as my default browser, and after IE was doing the auto-startup thing to that SLI page, NOW it has reverted back to Firefox when I reset the default, so no, the problem has not been solved, and if you can't see anything malicious in the logs I am at a total loss.

I am even more surprised when I see that it might appear that that SLI page is a technical centre of some kind? The only connection with NVidia I have is that my video drivers are as follows:
NVIDIA GeForce 7300 GT [Display adapter]
HSD HU196D [Monitor] (19.1"vis, s/n 612GA0JCA8875, March 2006)

seems I have to live with this PAIN every time I boot up then?
siiiiiiiiiiggggggggggggghhhhhhhhhhhh :waughh:

Agent_24
16-12-2010, 12:44 AM
I doubt this is caused by malware since SLI Zone is a legitimate site run by nVidia.

I also see you have an nVidia graphics card. It's probably gotten stuck in your startup somehow after a driver update or something. (usually this kind of thing is designed to run once and then delete itself after the next reboot)

I would download Autoruns (http://technet.microsoft.com/en-us/sysinternals/bb963902) and check that a link to that site is not in a startup section somewhere... if it is, delete it.
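
The startup search Agent_24 describes, written out as a script: the ComboFix log above shows both IE and Firefox start pages set to about:blank, and the page followed whichever browser was the default, so the thing to look for is an autostart entry that opens the URL rather than a home-page setting. This is an added example, not Autoruns itself and not anything posted in the thread; it assumes PowerShell 2.0 or later run in the affected user's session, and the keyword 'slizone' is simply the site name from the thread.

```powershell
# Added example (not from the thread): sweep the autostart locations Autoruns
# lists and flag any entry that opens a URL or mentions a keyword.
# Assumptions: PowerShell 2.0+, run as the affected user; 'slizone' is the
# site named in the thread and can be replaced with -Keyword.
param(
    [string]$Keyword = 'slizone'
)

# Run/RunOnce keys for the current user and the machine. The Winlogon
# Shell/Userinit values are another classic launcher spot, left out here.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
# Properties PowerShell adds to every Get-ItemProperty result; not real values.
$providerMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

$findings = @()

# 1. Run / RunOnce values
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($p in $item.PSObject.Properties) {
        if ($providerMeta -contains $p.Name) { continue }
        $findings += New-Object PSObject -Property @{
            Source = $key; Name = $p.Name; Command = [string]$p.Value
        }
    }
}

# 2. Startup folders (per-user and All Users): resolve .lnk targets and read
#    the URL= line of .url files, since a plain Internet shortcut here is
#    enough to open the default browser on every logon.
$wsh = New-Object -ComObject WScript.Shell
$startupDirs = @(
    $wsh.SpecialFolders.Item('Startup'),
    $wsh.SpecialFolders.Item('AllUsersStartup')
)
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($f in Get-ChildItem -Path $dir -Force | Where-Object { -not $_.PSIsContainer }) {
        $target = $f.FullName
        switch ($f.Extension.ToLower()) {
            '.lnk' {
                $sc = $wsh.CreateShortcut($f.FullName)
                $target = ($sc.TargetPath + ' ' + $sc.Arguments).Trim()
            }
            '.url' {
                $urlLine = Get-Content $f.FullName | Where-Object { $_ -match '^URL=' }
                if ($urlLine) { $target = ([string]$urlLine) -replace '^URL=', '' }
            }
        }
        $findings += New-Object PSObject -Property @{
            Source = $dir; Name = $f.Name; Command = $target
        }
    }
}

# 3. Scheduled tasks via schtasks (present on XP); verbose CSV has 'Task To Run'.
$taskCsv = schtasks /query /fo CSV /v 2>$null
if ($taskCsv) {
    foreach ($t in ($taskCsv | ConvertFrom-Csv)) {
        if ($t.TaskName -eq 'TaskName') { continue }   # repeated header rows on XP
        $findings += New-Object PSObject -Property @{
            Source = 'Scheduled task'; Name = $t.TaskName; Command = [string]$t.'Task To Run'
        }
    }
}

# Report anything that opens a URL directly or mentions the keyword anywhere.
$hits = $findings | Where-Object {
    $_.Command -match 'https?://' -or $_.Command -match [regex]::Escape($Keyword)
}
"Autostart entries examined: $($findings.Count)"
if ($hits) {
    "Entries that open a URL or mention '$Keyword' (candidates to disable):"
    $hits | Format-Table Source, Name, Command -AutoSize -Wrap
} else {
    "No Run key, Startup folder or scheduled task references a URL or '$Keyword'."
}
```

Anything it lists is a candidate to disable, not proof; compare the Command column against the Reg Loading Points and Scheduled Tasks sections of the ComboFix log before removing it.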

linzi
16-12-2010, 09:01 AM
Well I don't know how you all did it, but you did...

:clap :clap :clap :clap

This morning on boot up............. LO and Behold NOTHING :)

Well done and a peaceful Christmas to you all

Pam

Pancake
16-12-2010, 10:13 AM
Ok. Glad it's all working again.

linzi
18-12-2010, 10:23 AM
It's BACK

:badpc:

Pancake
18-12-2010, 10:53 AM
As far as I can find out SLIzone belongs to Nvidia so it looks like some configuration that needs fixing. Try asking at ... NVIDIA SLI Zone - http://www.slizone.com

linzi
09-02-2011, 09:16 AM
Nothing has changed. Still have Firefox opening automatically with the SLIzone page.
No reply from www.SLIzone.com
Am I stuck with this FOREVER?

8ftmetalhaed
09-02-2011, 10:10 AM
Try uninstalling your graphics drivers and seeing if that helps.
Then reinstall them of course.

zqwerty
09-02-2011, 10:22 AM
In Firefox, Tools/Options/General/When Firefox Starts - Show My Home Page/Set Home Page to Google or some-such/Ok out

8ftmetalhaed
09-02-2011, 10:52 AM
I thought this too when I read it, but I think his problem is that it's automatically starting his browser and opening the SLIzone page, rather than opening it as his homepage.

Then again, you never know hah.

zqwerty
09-02-2011, 11:02 AM
N.B. linzi probably girl not boy.

Agent_24
09-02-2011, 11:06 AM
Quite possibly one of the nVidia things you installed added a startup of a program which loads the slizone website.

Normally it would delete itself or something after the first run, but I guess for some reason it didn't.

I think you need to find whatever this program is and disable that.

Gobe1
09-02-2011, 11:08 AM
I have had a trojan I think was the same name, Vundo; I couldn't get rid of it, I had to format.

gary67
09-02-2011, 11:42 AM
Try this in Firefox:

Tools - Options - Advanced - Network - Settings

Make sure "No proxy" is selected.

linzi
11-02-2011, 11:32 AM
Thank you folks. I am unsure re uninstalling graphics drivers so have not done that

MY home page is set to be blank as I can't be bothered waiting for stuff I don't need.

There is nothing at all in my startup list that would appear connected to this.

linzi = girl

No proxy is already selected.

I have made EVERY effort to "find this programme" believe me.

What has Vundo got to do with this problem? I have had it a long while ago and removed it.

Ok so it's not killing my computer, but it sure as heck is very annoying.

Agent_24
11-02-2011, 11:41 AM
There is nothing at all in my startup list that would appear connected to this.

Did you have a look with Autoruns as I suggested before?