help! IE error message & trojan

aliEnRIK

ok doki

Please run an online scan by Kaspersky (Needs to be run using internet explorer)
http://www.kaspersky.com/virusscanner

choccyface

how do i get back into internet explorer? every time i open something its with firefox. thanks

aliEnRIK

goto START and programs and internet explorer

choccyface

thanks!! just loading kaspersky now.

choccyface

ive run kaspersky on critical areas and my computer - got the same thing on them both:
Thursday, April 9, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, April 08, 2009 23:38:58
Records in database: 2023536

Scan settings Scan using the following database extended Scan archives yes Scan mail databases yes
Scan area Critical Areas C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Elaine Ellison\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS
Scan statistics Files scanned 63207 Threat name 1 Infected objects 1 Suspicious objects 0 Duration of the scan 01:45:14
File name Threat name Threats count C:\WINDOWS\Motive\btbb\UninstallHelper.exeInfected: not-a-virus:RiskTool.Win32.PsKill.11011

choccyface

how do I get my hotmail toolbar to appear on firefox? ie, so it shows me when ive got mail?
thanks

Reluctant_spender

Not sure about a specific hotmail toolbar but have a look at this add on which checks several web based e-mail accounts

https://addons.mozilla.org/en-US/firefox/addon/4490

aliEnRIK

Open notepad and copy/paste the text in RED below

File::
C:\WINDOWS\Motive\btbb\UninstallHelper.exe

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.

choccyface

ComboFix 09-04-04.01 - Elaine Ellison 2009-04-09 19:56:00.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1263.656 [GMT 1:00]
Running from: c:\documents and settings\Elaine Ellison\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Elaine Ellison\Desktop\cfscript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\Motive\btbb\UninstallHelper.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Motive\btbb\UninstallHelper.exe

.
((((((((((((((((((((((((( Files Created from 2009-03-09 to 2009-04-09 )))))))))))))))))))))))))))))))
.

2009-04-09 19:54 . 2009-04-09 19:55 <DIR> d

---

C:\32788R22FWJFW
2009-04-09 19:54 . 2006-03-03 00:42 73,728 --a

---

C:\pv.exe
2009-04-09 09:59 . 2009-04-09 09:59 <DIR> d

---

c:\program files\Common Files\Adobe AIR
2009-04-09 09:41 . 2009-04-09 12:41 <DIR> d

---

c:\documents and settings\All Users\Application Data\NOS
2009-04-08 23:21 . 2009-04-09 12:41 <DIR> d--hs---- C:\RECYCLER(2)
2009-04-08 23:02 . 2009-04-09 12:41 <DIR> d

---

c:\documents and settings\Elaine Ellison\Tracing
2009-04-08 22:10 . 2009-04-08 22:10 <DIR> d

---

c:\program files\Microsoft Sync Framework
2009-04-08 22:10 . 2009-04-08 22:10 <DIR> d

---

c:\documents and settings\LocalService\IETldCache
2009-04-08 22:07 . 2009-04-08 22:07 <DIR> d

---

c:\program files\Microsoft
2009-04-08 21:59 . 2009-04-08 21:59 <DIR> d

---

c:\program files\Common Files\Windows Live
2009-04-08 08:24 . 2009-01-09 20:19 1,089,593

---

c--- c:\windows\system32\dllcache\ntprint.cat
2009-04-07 22:16 . 2009-04-06 15:32 38,496 --a

---

c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-07 22:16 . 2009-04-06 15:32 15,504 --a

---

c:\windows\system32\drivers\mbam.sys
2009-04-07 21:26 . 2009-04-07 21:26 <DIR> d

---

c:\windows\SxsCaPendDel
2009-04-07 21:26 . 2009-04-07 21:26 <DIR> d

---

C:\97ea6ab5fb461e1c08d7b1b7de09d7af
2009-04-07 20:49 . 2009-04-07 20:49 <DIR> d

---

c:\program files\Tall Emu
2009-04-07 20:49 . 2009-04-07 21:19 <DIR> d

---

c:\documents and settings\Elaine Ellison\Application Data\OnlineArmor
2009-04-07 20:48 . 2009-04-07 21:33 <DIR> d

---

c:\program files\a-squared Free
2009-04-07 19:33 . 2009-04-07 22:16 <DIR> d

---

c:\program files\Malwarebytes' Anti-Malware
2009-04-07 10:15 . 2009-04-07 21:25 <DIR> d

---

C:\1fb3f700cad73c801726d59b5f3cd81f
2009-04-07 10:14 . 2009-04-07 10:19 <DIR> d

---

C:\7152ffd9a40cc24ece4c
2009-04-04 22:11 . 2009-04-04 22:11 <DIR> d--hs---- c:\documents and settings\NetworkService\IETldCache
2009-03-26 22:17 . 2009-03-26 22:17 <DIR> d--hs---- c:\documents and settings\Elaine Ellison\IECompatCache
2009-03-26 14:42 . 2009-03-26 14:42 <DIR> d--hs---- c:\documents and settings\Elaine Ellison\PrivacIE
2009-03-26 14:34 . 2009-03-26 14:34 <DIR> d--hs---- c:\documents and settings\Elaine Ellison\IETldCache
2009-03-26 14:30 . 2009-03-26 14:30 <DIR> d

---

c:\windows\ie8updates
2009-03-26 14:25 . 2009-03-26 14:27 <DIR> d--h-c--- c:\windows\ie8
2009-03-26 14:23 . 2009-02-28 05:55 105,984

---

c--- c:\windows\system32\dllcache\iecompat.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-09 11:48

---

d

---

w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-09 11:41

---

d

---

w c:\program files\Windows Live Toolbar
2009-04-09 11:41

---

d

---

w c:\program files\Common Files\Adobe
2009-04-08 21:10

---

d

---

w c:\program files\Windows Live
2009-04-04 20:46

---

d

---

w c:\program files\Java
2009-03-26 13:42

---

d

---

w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-03-23 11:50

---

d

---

w c:\program files\Windows Live Safety Center
2009-03-09 04:19 410,984 -c--a-w c:\windows\system32\deploytk.dll
2009-03-08 04:34 914,944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 04:33 420,352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 04:33 18,944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 04:32 72,704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 04:31 48,128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 04:31 34,816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 04:22 156,160 ----a-w c:\windows\system32\msls31.dll
2009-03-03 19:08 266,240 ----a-w c:\windows\system32\CSHelper.exe
2009-03-03 19:08 225,280 ----a-w c:\windows\system32\CSInstru.DLL
2009-02-26 21:49

---

d

---

w c:\program files\Microsoft Silverlight
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-01 20:53 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2007-01-03 12:23 278,528 -c--a-w c:\program files\Common Files\FDEUnInstaller.exe
2005-08-08 23:00 0 -c--a-w c:\documents and settings\Elaine Ellison\Application Data\wklnhst.dat
2008-08-06 12:19 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080620080807\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-08_14.13.17.84 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-04-07 09:46:08 180,240 -c--a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-04-09 11:44:50 180,240 -c--a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-02-03 02:15:28 3,771,296 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2009-02-03 02:15:30 240,544 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2009-04-08 13:31:10 84,661 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
- 2009-04-07 20:34:51 213,732 -c--a-w c:\windows\system32\Restore\rstrlog.dat
+ 2009-04-09 11:43:39 1,017,628 -c--a-w c:\windows\system32\Restore\rstrlog.dat
+ 2009-04-09 18:48:46 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_134.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 401491]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-10-02 1124352]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 7\PCSync2.exe" [2008-06-17 1249280]
"EPSON Stylus DX8400 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICEE.EXE" [2007-04-12 182272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-30 185896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-01 1601304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 c:\windows\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-01 21:53 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.CSCD"= camcodec.dll
"MSACM.CEGSM"= mobilev.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
backup=c:\windows\pss\AOL 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Snapfish PictureMover.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Snapfish PictureMover.lnk
backup=c:\windows\pss\Snapfish PictureMover.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Elaine Ellison^Start Menu^Programs^Startup^OpenOffice.org 1.1.4.lnk]
path=c:\documents and settings\Elaine Ellison\Start Menu\Programs\Startup\OpenOffice.org 1.1.4.lnk
backup=c:\windows\pss\OpenOffice.org 1.1.4.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a--c--- 2004-03-19 11:33 118784 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a--c--- 2004-03-19 11:37 155648 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a

---

2007-06-29 06:24 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a--c--- 2004-05-07 10:49 536576 c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a--c--- 2004-05-07 10:49 98304 c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

choccyface

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-02-01 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-02-01 107272]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-01 298264]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-03-03 266240]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [2004-11-08 191092]
R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [2004-11-08 6100]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-04-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 13:42]

2009-04-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.

---

Supplementary Scan

---

.
uStart Page = hxxp://uk.yahoo.com/?fr=fp-yie8
uSearchMigratedDefaultURL = hxxp://search.orange.co.uk/all?brand=ouk&tab=web&p=_adr&q={searchTerms}
uInternet Settings,ProxyOverride = 127.0.0.1
IE: &AOL Toolbar search
IE: &MSN Search
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
Trusted Zone: hotmail.com
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\https://www.update
Trusted Zone: msn.com\uk
Trusted Zone: windowsupdate.com\download
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Elaine Ellison\Application Data\Mozilla\Firefox\Profiles\6nvefm57.default\
FF - prefs.js: browser.startup.homepage - https://www.yahoo.com
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-09 19:58:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.

---

LOCKED REGISTRY KEYS

---

[HKEY_USERS\S-1-5-21-2178658854-705953815-2266963916-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-04-09 20:00:53
ComboFix-quarantined-files.txt 2009-04-09 19:00:45
ComboFix2.txt 2009-04-08 19:27:29
ComboFix3.txt 2009-04-08 13:15:16

Pre-Run: 19,221,340,160 bytes free
Post-Run: 19,370,074,112 bytes free

233 --- E O F --- 2009-04-08 08:23:48