BleepingComputer.com: google redirections

Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

google redirections google redirects randomly

#1 User is offline   theG4FFA 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 10
  • Joined: 25-April 09

Posted 23 October 2009 - 10:13 PM

i created a topic already and i was told to post in the hjt forums. http://www.bleepingcomputer.com/forums/ind...p;#entry1469870

i managed to successfully run rootkit removal although dds did not work.

here is my rootkit log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/23 17:38
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS2\System32\Drivers\dump_atapi.sys
Address: 0xEC680000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS2\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7DFE000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS2\system32\drivers\rootrepeal.sys
Address: 0xED5BB000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF7732000 Size: 323584 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows2\temp\perflib_perfdata_154.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\JaZoN\Local Settings\Temp\~DF4397.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\JaZoN\Local Settings\Temp\~DF43B0.tmp
Status: Invisible to the Windows API!

Path: c:\documents and settings\jazon\local settings\temp\rootrepstream_9cd85
Status: Allocation size mismatch (API: 1048576, Raw: 0)

Path: c:\documents and settings\all users.windows2\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\lue\downloads\norton$202009$20streaming$20virus$20definitions_1.0_symalllanguages_livetri.zip
Status: Size mismatch (API: 3076, Raw: 3086)

Path: c:\documents and settings\all users.windows2\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\lue\logs\log.lue
Status: Size mismatch (API: 719562, Raw: 693116)

Path: C:\Documents and Settings\Kym\Local Settings\Apps\2.0\2AZ695XC.61A\5D4B7H2T.E6T\manifests\Betfair Advantage Tool.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Kym\Local Settings\Apps\2.0\2AZ695XC.61A\5D4B7H2T.E6T\manifests\Betfair Advantage Tool.exe.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Kym\Local Settings\Apps\2.0\2AZ695XC.61A\5D4B7H2T.E6T\manifests\Betfair Advantage Tool.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Kym\Local Settings\Apps\2.0\2AZ695XC.61A\5D4B7H2T.E6T\manifests\Betfair Advantage Tool.exe.manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x860c3600

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x860e0860

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x863fc730

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x8600ecd0

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x8655a0b0

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS2\system32\Drivers\SYMEVENT.SYS" at address 0xecd91130

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x85fd9e40

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "<unknown>" at address 0x86405cc0

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x863efd60

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x863ec4f8

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS2\system32\Drivers\SYMEVENT.SYS" at address 0xecd913b0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS2\system32\Drivers\SYMEVENT.SYS" at address 0xecd91910

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x864628b8

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x863f2b70

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x860b8a40

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x860d44a8

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x865f8170

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x8644ccc0

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x860b6988

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x86462bd8

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x85ffe6f8

#: 125 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x864041d0

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x86462a48

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x860a87b8

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x864cecd0

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x85ffebd8

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x8644c9a8

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x8641bbf8

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS2\system32\Drivers\SYMEVENT.SYS" at address 0xecd91b60

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x85ff12d0

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x860055a0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x8641dcd0

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x860366f8

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x8604f7f0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x863f2f00

Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x8603b990

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x86004370

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x85fea990

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x8642e480

#: 428 Function Name: NtUserGetRawInputData
Status: Hooked by "<unknown>" at address 0x86680098

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x86052f30

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x866709f0

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x85fb8748

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x866291a8

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x86633118

==EOF==

garmanma pointed out that i had a a rootkit infection "Hooked by "C:\WINDOWS2\system32\Drivers\SYMEVENT.SYS" at address 0xecd91910"

thanks in advance to anyone that can help, i don't mind waiting as its just a bit annoying when i get redirected every now and then.

#2 User is offline   fireman4it 

  • Bleepin' Fireman
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,697
  • Joined: 24-May 08
  • Gender:Male
  • Location:Bement, ILL

Posted 31 October 2009 - 10:44 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

Posted Image
Posted Image

If I have helped you, consider making a donation to help me continue the fight against Malware!
Just click Posted Image

#3 User is offline   theG4FFA 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 10
  • Joined: 25-April 09

Posted 01 November 2009 - 02:21 AM

dds worked this time

dds.txt:


DDS (Ver_09-10-26.01) - NTFSx86
Run by JaZoN at 14:45:47.84 on Sun 01/11/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.61.1033.18.1023.456 [GMT 11:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS2\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS2\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS2\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\WINDOWS2\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS2\system32\ctfmon.exe
C:\WINDOWS2\system32\svchost.exe -k imgsvc
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS2\explorer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\JaZoN\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uWindow Title = Awesomeness Explorer
mWinlogon: Userinit=c:\windows2\system32\userinit.exe
mWinlogon: UIHost=%windir%\Resources\LogonUI\red-milkyway\logonui.exe
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.7.2.11\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.7.2.11\IPSBHO.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.7.2.11\coIEPlg.dll
uRun: [CTFMON.EXE] c:\windows2\system32\ctfmon.exe
uRun: [zHideWin] c:\program files\acehide free\AceHideFree.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [IMJPMIG8.1] "c:\windows2\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows2\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows2\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [WellPhone DirectSync - ScheduleSync] c:\progra~1\wellph~2\SCHEDU~1.EXE
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows2\system32\CTFMON.EXE
uPolicies-explorer: DisallowRun = 0 (0x0)
uPolicies-explorer: NoViewOnDrive = 3 (0x3)
mPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1240912448453
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.7.2.11\CoIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows2\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jazon\applic~1\mozilla\firefox\profiles\ppcklllp.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://www.google.com.au/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&q=
FF - component: c:\documents and settings\all users.windows2\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users.windows2\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows2\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XUL Cache: No Registry Reference - c:\program files\mozilla firefox\extensions\{B2708F34-C688-47BF-9F58-DBF700177E62}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows2\system32\drivers\nis\1007020.00b\SymEFA.sys [2009-9-9 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows2\system32\drivers\nis\1007020.00b\BHDrvx86.sys [2009-9-9 259632]
R1 ccHP;Symantec Hash Provider;c:\windows2\system32\drivers\nis\1007020.00b\cchpx86.sys [2009-9-9 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users.windows2\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20091021.001\IDSXpx86.sys [2009-10-23 329080]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 cpuz132;cpuz132;c:\windows2\system32\drivers\cpuz132_x32.sys [2009-9-9 12672]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.7.2.11\ccSvcHst.exe [2009-9-9 117640]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 1533808]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-10-14 102448]
S3 libusb0;LibUsb-Win32 - Kernel Driver 08/27/2006, 0.1.12.0;c:\windows2\system32\drivers\libusb0.sys [2009-7-9 28672]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]
S3 usb2vcom;DKU-5 Connectivity Adapter Cable;c:\windows2\system32\drivers\usb2vcom.sys [2009-10-21 28704]

=============== Created Last 30 ================

2009-10-30 06:43:48 0 d-----w- c:\program files\AutoHotkey
2009-10-30 06:36:54 5343 ----a-w- c:\documents and settings\jazon\.recently-used.xbel
2009-10-30 05:52:30 0 d-----w- c:\program files\Ferruh Mavituna
2009-10-30 05:00:59 44403 ----a-w- c:\documents and settings\jazon\logo.miff
2009-10-30 04:59:24 0 d-----w- c:\program files\ImageMagick-6.5.7-Q16
2009-10-27 08:17:56 0 d-----w- c:\docume~1\jazon\applic~1\PPTminimizer
2009-10-26 08:11:39 17664 -c--a-w- c:\windows2\system32\dllcache\sermouse.sys
2009-10-26 08:11:39 17664 ----a-w- c:\windows2\system32\drivers\sermouse.sys
2009-10-26 07:45:36 0 d-----w- c:\docume~1\jazon\applic~1\orpui
2009-10-25 06:31:02 90112 ----a-w- c:\windows2\system32\SaikeFrc.dll
2009-10-25 06:31:02 6016 ----a-w- c:\windows2\system32\drivers\xPADFL02.sys
2009-10-25 06:31:01 37088 ----a-w- c:\windows2\unins002.dat
2009-10-25 06:31:01 1063706 ----a-w- c:\windows2\unins002.exe
2009-10-23 06:40:04 69 ----a-w- c:\windows2\NeroDigital.ini
2009-10-21 20:57:05 0 d-----w- c:\docume~1\jazon\applic~1\SmartCom
2009-10-21 20:56:10 90112 ----a-w- c:\windows2\system32\STAPI.dll
2009-10-21 20:56:10 180224 ----a-w- c:\windows2\system32\WinObex.dll
2009-10-21 20:56:10 135168 ----a-w- c:\windows2\system32\XCSyncML.exe
2009-10-21 20:55:59 0 d-----w- c:\program files\WELLPHone1
2009-10-21 20:55:08 0 d-----w- c:\windows2\Compnts
2009-10-21 20:55:04 0 d-----w- c:\windows2\Multimedia
2009-10-21 20:55:02 0 d-----w- c:\windows2\Codecs
2009-10-21 20:55:00 69632 ----a-w- c:\windows2\SCBTExcl.dll
2009-10-21 20:54:59 0 d-----w- c:\windows2\Skins
2009-10-21 20:54:57 0 d-----w- c:\windows2\Profiles
2009-10-21 20:54:51 123392 ----a-w- c:\windows2\system32\dzip32.dll
2009-10-21 20:54:49 638976 ----a-w- c:\windows2\RTEDiag.exe
2009-10-21 20:54:49 4608 ----a-w- c:\windows2\SH3_RTERapi.dll
2009-10-21 20:54:49 4608 ----a-w- c:\windows2\MIPS_RTERapi.dll
2009-10-21 20:54:49 4608 ----a-w- c:\windows2\ARM_RTERapi.dll
2009-10-21 20:54:49 4032 ----a-w- c:\windows2\MDMInst.exe
2009-10-21 20:54:49 331776 ----a-w- c:\windows2\GPRSDep.exe
2009-10-21 20:45:25 0 d-----w- c:\docume~1\jazon\applic~1\RTE
2009-10-21 09:31:48 28704 ----a-r- c:\windows2\system32\drivers\usb2vcom.sys
2009-10-21 09:21:38 0 d-----w- c:\program files\Silabs
2009-10-21 09:20:42 0 d-----w- c:\windows2\system32\Silabs
2009-10-21 09:20:38 0 d-----w- C:\SiLabs
2009-10-20 20:47:22 258352 ----a-w- c:\windows2\system32\unicows.dll
2009-10-20 20:47:16 24576 ----a-w- c:\windows2\system32\msxml3a.dll
2009-10-20 20:46:40 89088 ----a-w- c:\windows2\system32\atl71.dll
2009-10-20 20:46:28 9630 ----a-w- c:\windows2\RTE000.inf
2009-10-20 20:46:28 726955 ----a-w- c:\windows2\RTEGPRS.chm
2009-10-20 20:46:28 2252800 ----a-w- c:\windows2\RTEGPRS.exe
2009-10-20 20:39:31 5532 ----a-w- c:\windows2\system32\stdole.tlb
2009-10-20 20:06:57 0 d-----w- C:\WINDOWS22
2009-10-20 10:40:03 39036 ----a-w- c:\windows2\system32\drivers\lgusbmodem.sys
2009-10-20 10:40:03 38144 ----a-w- c:\windows2\system32\drivers\lgusbdiag.sys
2009-10-20 10:40:03 21344 ----a-w- c:\windows2\system32\drivers\lgusbbus.sys
2009-10-20 10:33:53 0 d-----w- c:\program files\LG Electronics
2009-10-20 09:53:32 4212 ----a-w- c:\windows2\Wininit.ini
2009-10-20 09:53:32 17620 ----a-w- c:\windows2\system32\drivers\SagemMSC.sys
2009-10-20 09:53:32 163840 ----a-w- c:\windows2\system32\SagRegClean_MSC.exe
2009-10-20 09:53:19 22159 ----a-w- c:\windows2\system\SagCom.vxd
2009-10-20 09:53:19 0 d-----w- c:\windows2\system\iosubsys
2009-10-19 05:44:22 0 d-----w- c:\documents and settings\jazon\DoctorWeb
2009-10-17 00:51:03 0 d-----w- c:\docume~1\alluse~1.win\applic~1\SUPERAntiSpyware.com
2009-10-17 00:50:45 0 d-----w- c:\program files\SUPERAntiSpyware
2009-10-17 00:50:45 0 d-----w- c:\docume~1\jazon\applic~1\SUPERAntiSpyware.com
2009-10-17 00:50:04 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-10-14 01:21:23 42752 ------w- c:\windows2\system32\drivers\ser2pl.sys
2009-10-14 01:14:36 0 d-----w- c:\program files\SagemMSC
2009-10-13 12:18:35 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Nero
2009-10-05 08:33:35 0 d-----w- c:\docume~1\jazon\applic~1\Malwarebytes
2009-10-05 08:33:21 38224 ----a-w- c:\windows2\system32\drivers\mbamswissarmy.sys
2009-10-05 08:33:10 19160 ----a-w- c:\windows2\system32\drivers\mbam.sys
2009-10-05 08:33:10 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-10-03 01:38:52 0 d-----w- c:\documents and settings\jazon\dwhelper

==================== Find3M ====================

2009-10-25 02:55:30 94000 -c--a-w- c:\docume~1\jazon\applic~1\GDIPFONTCACHEV1.DAT
2009-09-28 21:23:24 691545 ----a-w- c:\windows2\unins001.exe
2009-09-28 09:11:07 1734 ----a-w- c:\windows2\unins000.dat
2009-09-28 09:10:58 691545 ----a-w- c:\windows2\unins000.exe
2009-09-25 21:58:40 178 ----a-w- c:\documents and settings\jazon\file_name.reg
2009-09-11 14:18:39 136192 ----a-w- c:\windows2\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows2\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows2\system32\wininet.dll
2009-08-26 21:50:02 667136 ----a-w- c:\windows2\system32\OGACheckControl.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows2\system32\strmdll.dll
2009-08-20 06:11:02 60808 ----a-w- c:\windows2\system32\S32EVNT1.DLL
2009-08-20 04:09:06 1193832 ----a-w- c:\windows2\system32\FM20.DLL
2009-08-09 02:34:43 249856 -c----w- c:\windows2\Setup1.exe
2009-08-09 02:34:41 73216 -c--a-w- c:\windows2\ST6UNST.EXE
2009-08-06 08:23:46 274288 ----a-w- c:\windows2\system32\mucltui.dll
2009-08-06 08:23:46 215920 ----a-w- c:\windows2\system32\muweb.dll
2009-08-05 09:01:48 204800 -c--a-w- c:\windows2\system32\mswebdvd.dll
2009-08-04 15:13:08 2145280 ----a-w- c:\windows2\system32\ntoskrnl.exe
2009-08-04 14:20:09 2023936 ----a-w- c:\windows2\system32\ntkrnlpa.exe

============= FINISH: 14:46:31.65 ===============

the original problem is still present

Attached File(s)


#4 User is offline   elise025 

  • Bleepin' Blonde
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Study Hall Admin
  • Posts: 36,058
  • Joined: 05-October 07
  • Gender:Female
  • Location:Romania

Posted 01 November 2009 - 03:03 AM

Hello theG4FFA,

And :( to the Bleeping Computer Malware Removal Forum, My name is Elise. I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
Please be patient and I'd be grateful if you would note the following:
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.


P2P WARNING
-------------------
Going over your logs I noticed that you have BitTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall BitTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


Just FYI, symevent.sys is a perfectly legit Symantec driver, which indeed hooks things up to keep an eye on possible changes. Its by no means a rootkit :(

I think I know the reason for your redirections, please follow the steps below.

Please read and follow all these instructions very carefully.
  • Please download GooredFix and save it to your Desktop.
  • Double-click GooredFix.exe to run it.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

Please start MBAM, update it, and run a full scan. Post the results in your next reply.

In your next reply, please include the following:
  • Goored.txt
  • MBAM log
  • A new DDS log
regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton
Posted Image Follow BleepingComputer on: Facebook | Twitter | Google+

#5 User is offline   theG4FFA 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 10
  • Joined: 25-April 09

Posted 01 November 2009 - 03:30 PM

firstly... i havn't used bittorrent since the beginning of the year as i dislike torrents so i'll install it sometime soon.

GooredFix by jpshortstuff (24.09.09.1)
Log created at 19:07 on 01/11/2009 (JaZoN)
Firefox version 3.5.3 (en-GB)

========== GooredScan ==========

Deleting "C:\Program Files\Mozilla Firefox\extensions\{B2708F34-C688-47BF-9F58-DBF700177E62}" -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [04:57 10/12/2008]
{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [05:54 13/10/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS2\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [22:08 30/04/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [21:14 05/05/2009]

-=E.O.F=-

mbam:

Malwarebytes' Anti-Malware 1.41
Database version: 3075
Windows 5.1.2600 Service Pack 3

1/11/2009 10:06:22 PM
mbam-log-2009-11-01 (22-06-22).txt

Scan type: Full Scan (C:\|)
Objects scanned: 145107
Time elapsed: 2 hour(s), 55 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

dds log:


DDS (Ver_09-10-26.01) - NTFSx86
Run by JaZoN at 7:24:54.39 on Mon 02/11/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.61.1033.18.1023.387 [GMT 11:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS2\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS2\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS2\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\WINDOWS2\Explorer.EXE
C:\WINDOWS2\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS2\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS2\system32\ctfmon.exe
C:\Program Files\AceHide Free\AceHideFree.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS2\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS2\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\JaZoN\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uWindow Title = Awesomeness Explorer
mWinlogon: Userinit=c:\windows2\system32\userinit.exe
mWinlogon: UIHost=%windir%\Resources\LogonUI\red-milkyway\logonui.exe
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.7.2.11\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.7.2.11\IPSBHO.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.7.2.11\coIEPlg.dll
uRun: [CTFMON.EXE] c:\windows2\system32\ctfmon.exe
uRun: [zHideWin] c:\program files\acehide free\AceHideFree.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [IMJPMIG8.1] "c:\windows2\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows2\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows2\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [WellPhone DirectSync - ScheduleSync] c:\progra~1\wellph~2\SCHEDU~1.EXE
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows2\system32\CTFMON.EXE
uPolicies-explorer: DisallowRun = 0 (0x0)
uPolicies-explorer: NoViewOnDrive = 3 (0x3)
mPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1240912448453
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.7.2.11\CoIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows2\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jazon\applic~1\mozilla\firefox\profiles\ppcklllp.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://www.google.com.au/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&q=
FF - component: c:\documents and settings\all users.windows2\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users.windows2\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows2\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows2\system32\drivers\nis\1007020.00b\SymEFA.sys [2009-9-9 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows2\system32\drivers\nis\1007020.00b\BHDrvx86.sys [2009-9-9 259632]
R1 ccHP;Symantec Hash Provider;c:\windows2\system32\drivers\nis\1007020.00b\cchpx86.sys [2009-9-9 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users.windows2\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20091021.001\IDSXpx86.sys [2009-10-23 329080]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 cpuz132;cpuz132;c:\windows2\system32\drivers\cpuz132_x32.sys [2009-9-9 12672]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.7.2.11\ccSvcHst.exe [2009-9-9 117640]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 1533808]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-10-14 102448]
S3 libusb0;LibUsb-Win32 - Kernel Driver 08/27/2006, 0.1.12.0;c:\windows2\system32\drivers\libusb0.sys [2009-7-9 28672]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]
S3 usb2vcom;DKU-5 Connectivity Adapter Cable;c:\windows2\system32\drivers\usb2vcom.sys [2009-10-21 28704]

=============== Created Last 30 ================

2009-10-30 06:43:48 0 d-----w- c:\program files\AutoHotkey
2009-10-30 06:36:54 5343 ----a-w- c:\documents and settings\jazon\.recently-used.xbel
2009-10-30 05:52:30 0 d-----w- c:\program files\Ferruh Mavituna
2009-10-30 05:00:59 44403 ----a-w- c:\documents and settings\jazon\logo.miff
2009-10-30 04:59:24 0 d-----w- c:\program files\ImageMagick-6.5.7-Q16
2009-10-27 08:17:56 0 d-----w- c:\docume~1\jazon\applic~1\PPTminimizer
2009-10-26 08:11:39 17664 -c--a-w- c:\windows2\system32\dllcache\sermouse.sys
2009-10-26 08:11:39 17664 ----a-w- c:\windows2\system32\drivers\sermouse.sys
2009-10-26 07:45:36 0 d-----w- c:\docume~1\jazon\applic~1\orpui
2009-10-25 06:31:02 90112 ----a-w- c:\windows2\system32\SaikeFrc.dll
2009-10-25 06:31:02 6016 ----a-w- c:\windows2\system32\drivers\xPADFL02.sys
2009-10-25 06:31:01 37088 ----a-w- c:\windows2\unins002.dat
2009-10-25 06:31:01 1063706 ----a-w- c:\windows2\unins002.exe
2009-10-23 06:40:04 69 ----a-w- c:\windows2\NeroDigital.ini
2009-10-21 20:57:05 0 d-----w- c:\docume~1\jazon\applic~1\SmartCom
2009-10-21 20:56:10 90112 ----a-w- c:\windows2\system32\STAPI.dll
2009-10-21 20:56:10 180224 ----a-w- c:\windows2\system32\WinObex.dll
2009-10-21 20:56:10 135168 ----a-w- c:\windows2\system32\XCSyncML.exe
2009-10-21 20:55:59 0 d-----w- c:\program files\WELLPHone1
2009-10-21 20:55:08 0 d-----w- c:\windows2\Compnts
2009-10-21 20:55:04 0 d-----w- c:\windows2\Multimedia
2009-10-21 20:55:02 0 d-----w- c:\windows2\Codecs
2009-10-21 20:55:00 69632 ----a-w- c:\windows2\SCBTExcl.dll
2009-10-21 20:54:59 0 d-----w- c:\windows2\Skins
2009-10-21 20:54:57 0 d-----w- c:\windows2\Profiles
2009-10-21 20:54:51 123392 ----a-w- c:\windows2\system32\dzip32.dll
2009-10-21 20:54:49 638976 ----a-w- c:\windows2\RTEDiag.exe
2009-10-21 20:54:49 4608 ----a-w- c:\windows2\SH3_RTERapi.dll
2009-10-21 20:54:49 4608 ----a-w- c:\windows2\MIPS_RTERapi.dll
2009-10-21 20:54:49 4608 ----a-w- c:\windows2\ARM_RTERapi.dll
2009-10-21 20:54:49 4032 ----a-w- c:\windows2\MDMInst.exe
2009-10-21 20:54:49 331776 ----a-w- c:\windows2\GPRSDep.exe
2009-10-21 20:45:25 0 d-----w- c:\docume~1\jazon\applic~1\RTE
2009-10-21 09:31:48 28704 ----a-r- c:\windows2\system32\drivers\usb2vcom.sys
2009-10-21 09:21:38 0 d-----w- c:\program files\Silabs
2009-10-21 09:20:42 0 d-----w- c:\windows2\system32\Silabs
2009-10-21 09:20:38 0 d-----w- C:\SiLabs
2009-10-20 20:47:22 258352 ----a-w- c:\windows2\system32\unicows.dll
2009-10-20 20:47:16 24576 ----a-w- c:\windows2\system32\msxml3a.dll
2009-10-20 20:46:40 89088 ----a-w- c:\windows2\system32\atl71.dll
2009-10-20 20:46:28 9630 ----a-w- c:\windows2\RTE000.inf
2009-10-20 20:46:28 726955 ----a-w- c:\windows2\RTEGPRS.chm
2009-10-20 20:46:28 2252800 ----a-w- c:\windows2\RTEGPRS.exe
2009-10-20 20:39:31 5532 ----a-w- c:\windows2\system32\stdole.tlb
2009-10-20 20:06:57 0 d-----w- C:\WINDOWS22
2009-10-20 10:40:03 39036 ----a-w- c:\windows2\system32\drivers\lgusbmodem.sys
2009-10-20 10:40:03 38144 ----a-w- c:\windows2\system32\drivers\lgusbdiag.sys
2009-10-20 10:40:03 21344 ----a-w- c:\windows2\system32\drivers\lgusbbus.sys
2009-10-20 10:33:53 0 d-----w- c:\program files\LG Electronics
2009-10-20 09:53:32 4212 ----a-w- c:\windows2\Wininit.ini
2009-10-20 09:53:32 17620 ----a-w- c:\windows2\system32\drivers\SagemMSC.sys
2009-10-20 09:53:32 163840 ----a-w- c:\windows2\system32\SagRegClean_MSC.exe
2009-10-20 09:53:19 22159 ----a-w- c:\windows2\system\SagCom.vxd
2009-10-20 09:53:19 0 d-----w- c:\windows2\system\iosubsys
2009-10-19 05:44:22 0 d-----w- c:\documents and settings\jazon\DoctorWeb
2009-10-17 00:51:03 0 d-----w- c:\docume~1\alluse~1.win\applic~1\SUPERAntiSpyware.com
2009-10-17 00:50:45 0 d-----w- c:\program files\SUPERAntiSpyware
2009-10-17 00:50:45 0 d-----w- c:\docume~1\jazon\applic~1\SUPERAntiSpyware.com
2009-10-17 00:50:04 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-10-14 01:21:23 42752 ------w- c:\windows2\system32\drivers\ser2pl.sys
2009-10-14 01:14:36 0 d-----w- c:\program files\SagemMSC
2009-10-13 12:18:35 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Nero
2009-10-05 08:33:35 0 d-----w- c:\docume~1\jazon\applic~1\Malwarebytes
2009-10-05 08:33:21 38224 ----a-w- c:\windows2\system32\drivers\mbamswissarmy.sys
2009-10-05 08:33:10 19160 ----a-w- c:\windows2\system32\drivers\mbam.sys
2009-10-05 08:33:10 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-10-03 01:38:52 0 d-----w- c:\documents and settings\jazon\dwhelper

==================== Find3M ====================

2009-10-25 02:55:30 94000 -c--a-w- c:\docume~1\jazon\applic~1\GDIPFONTCACHEV1.DAT
2009-09-28 21:23:24 691545 ----a-w- c:\windows2\unins001.exe
2009-09-28 09:11:07 1734 ----a-w- c:\windows2\unins000.dat
2009-09-28 09:10:58 691545 ----a-w- c:\windows2\unins000.exe
2009-09-25 21:58:40 178 ----a-w- c:\documents and settings\jazon\file_name.reg
2009-09-11 14:18:39 136192 ----a-w- c:\windows2\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows2\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows2\system32\wininet.dll
2009-08-26 21:50:02 667136 ----a-w- c:\windows2\system32\OGACheckControl.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows2\system32\strmdll.dll
2009-08-20 06:11:02 60808 ----a-w- c:\windows2\system32\S32EVNT1.DLL
2009-08-20 04:09:06 1193832 ----a-w- c:\windows2\system32\FM20.DLL
2009-08-09 02:34:43 249856 -c----w- c:\windows2\Setup1.exe
2009-08-09 02:34:41 73216 -c--a-w- c:\windows2\ST6UNST.EXE
2009-08-06 08:23:46 274288 ----a-w- c:\windows2\system32\mucltui.dll
2009-08-06 08:23:46 215920 ----a-w- c:\windows2\system32\muweb.dll
2009-08-05 09:01:48 204800 -c--a-w- c:\windows2\system32\mswebdvd.dll
2009-08-04 15:13:08 2145280 ----a-w- c:\windows2\system32\ntoskrnl.exe
2009-08-04 14:20:09 2023936 ----a-w- c:\windows2\system32\ntkrnlpa.exe

============= FINISH: 7:25:36.14 ===============

Attached File(s)


#6 User is offline   elise025 

  • Bleepin' Blonde
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Study Hall Admin
  • Posts: 36,058
  • Joined: 05-October 07
  • Gender:Female
  • Location:Romania

Posted 02 November 2009 - 03:57 AM

Things look good here. I have just a question? Did you recently do a repair installation of windows XP? Or do you know why your windows folder is c:\windows2?

Can you please tell me how everything runs now? Any redirects left?

ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.

  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton
Posted Image Follow BleepingComputer on: Facebook | Twitter | Google+

#7 User is offline   theG4FFA 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 10
  • Joined: 25-April 09

Posted 03 November 2009 - 04:06 PM

with my windows2 folder, i had a bad infection that eventually ended with windows xp professional unbootable. since i had lost the disk i used a windows xp home edition cd to re-install windows. i had a post here: http://www.bleepingcomputer.com/forums/topic222329.html but by the time i got a response i had already screwed things up.

i havn't had the redirections so far so it seems ok now.

here is the eset log

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde4.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn1.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\JaZoN\DoctorWeb\Quarantine\findbasic121.exe Win32/Adware.OneStep.A application cleaned by deleting - quarantined
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9I7SHYZ\warning[1].gif Win32/TrojanDownloader.FakeAlert.ACR trojan cleaned by deleting - quarantined

#8 User is offline   elise025 

  • Bleepin' Blonde
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Study Hall Admin
  • Posts: 36,058
  • Joined: 05-October 07
  • Gender:Female
  • Location:Romania

Posted 03 November 2009 - 04:31 PM

Hello theG4FFA,

ESET found nothing important, so that means you are good to go :)

ALL CLEAN
--------------
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:
  • Delete the tools used during the disinfection:
    • Delete DDS, RootRepeal and GooredFix
Hiding Hidden Files
Please set your system to hide all hidden files.
  • Click Start, open My Computer, select the Tools menu and click Folder Options.
  • Select the View Tab. Under the Hidden files and folders heading, uncheck Show hidden files and folders.
  • Check: Hide file extensions for known file types
  • Check the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
Purging System Restore Points
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Please read these advices, in order to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on thehosts file, and what it can do for you,please consult the Tutorial on the Hosts file

  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.
Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.
regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton
Posted Image Follow BleepingComputer on: Facebook | Twitter | Google+

#9 User is offline   theG4FFA 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 10
  • Joined: 25-April 09

Posted 04 November 2009 - 12:35 AM

thanks for your help :( this is my first infection this year and i'm happy it was only a small one :(

#10 User is offline   elise025 

  • Bleepin' Blonde
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Study Hall Admin
  • Posts: 36,058
  • Joined: 05-October 07
  • Gender:Female
  • Location:Romania

Posted 04 November 2009 - 01:50 AM

Glad I could be of help :(

Since this issue seems to be resolved, this topic will now be closed.

If you are the original topic starter and you need this topic re-opened, please send me a PM.

Everyone else, please start a new topic.
regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton
Posted Image Follow BleepingComputer on: Facebook | Twitter | Google+

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users