Unknown Infection


  • Please log in to reply
1 reply to this topic

#1 dead_comik


Posted 05 January 2009 - 09:54 PM

Hello. I have tried a few things to remove my malware infection myself but have been unsuccessful. I have used Spybot, Ad-Aware, Security Task Manager, and several other programs. I simply cannot figure out what exactly I have. My browser is hijacked and redirected when I try to access some web pages, approximately 1 out of 3 pages I attempt to go to. Where I am redirected is usually one of a few different pages: viva-porn is one, the other is Google with terms put into it and searched for me. Here are my logs. If I need to attach my HijackThis log or anything else, let me know. Thanks for any help.

DDS (Version 1.1.0) - NTFSx86
Run by owner at 21:44:56.03 on Mon 01/05/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.258 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\IEEE 802.11g Wireless LAN Utility\WLANUTL.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

STS: {C5BF49A2-94F3-42BD-F434-3604812C897D} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\9o3l9l1u.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - component: c:\program files\mozilla firefox\components\iamfamous.dll
FF - HiddenExtension: XUL Cache: {08B7751F-BF7F-484E-8182-2414795B2323} - c:\documents and settings\owner\local settings\application data\{08B7751F-BF7F-484E-8182-2414795B2323}

============= SERVICES / DRIVERS ===============

R3 NB762_XP;NB 802.11g XG762 1211B Driver;c:\windows\system32\drivers\WlanUZXP.SYS [2008-11-10 437760]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 ZDCNDIS5;ZDCNDIS5 NDIS Protocol Driver;c:\windows\system32\ZDCndis5.sys [2008-11-10 18944]

=============== Created Last 30 ================

2009-01-05 16:18 79 a------- c:\windows\wininit.ini
2009-01-05 15:44 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-05 15:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-29 13:01 <DIR> --d----- c:\program files\CCleaner
2008-12-27 21:20 <DIR> --d----- c:\docume~1\owner\applic~1\Avant Profiles
2008-12-27 21:20 <DIR> --d----- c:\program files\Avant Browser
2008-12-27 18:33 <DIR> --d----- c:\program files\Lavasoft
2008-12-27 18:33 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-27 18:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SecTaskMan
2008-12-27 18:14 <DIR> --d----- c:\program files\Security Task Manager
2008-12-20 20:31 <DIR> --d----- c:\program files\common files\HP
2008-12-20 20:30 <DIR> --d----- c:\program files\common files\Hewlett-Packard
2008-12-20 20:27 118,272 a------- c:\windows\system32\hpz3l5jy.dll
2008-12-20 20:27 271,704 a----r-- c:\windows\system32\hpzids01.dll
2008-12-20 20:26 970,752 a----r-- c:\windows\system32\hpwtiop3.dll
2008-12-20 20:26 729,088 a----r-- c:\windows\system32\hpwwiax3.dll
2008-12-20 20:26 364,544 a----r-- c:\windows\system32\hppldcoi.dll
2008-12-20 20:26 309,760 a----r-- c:\windows\system32\difxapi.dll
2008-12-20 20:26 294,912 a----r-- c:\windows\system32\hpovst11.dll
2008-12-20 20:26 6,784 ac------ c:\windows\system32\dllcache\serscan.sys
2008-12-20 20:26 6,784 a------- c:\windows\system32\drivers\serscan.sys
2008-12-20 20:24 1,373,528 a----r-- c:\windows\hpzshl01.exe
2008-12-20 20:24 1,140,056 a----r-- c:\windows\hpzmsi01.exe
2008-12-20 20:24 12,717 a----r-- c:\windows\hpwscr14.dat
2008-12-20 20:24 <DIR> --d----- c:\windows\braveheart
2008-12-20 20:23 <DIR> --d----- c:\program files\HP
2008-12-20 20:23 15,104 ac------ c:\windows\system32\dllcache\usbscan.sys
2008-12-20 20:23 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2008-12-20 20:23 32,128 ac------ c:\windows\system32\dllcache\usbccgp.sys
2008-12-20 20:23 32,128 a------- c:\windows\system32\drivers\usbccgp.sys
2008-12-20 20:23 25,856 ac------ c:\windows\system32\dllcache\usbprint.sys
2008-12-20 20:23 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2008-12-20 20:19 1,108 a----r-- c:\windows\hpwmdl14.dat
2008-12-20 20:19 179,625 a------- c:\windows\hpwins14.dat
2008-12-15 22:56 441 a------- C:\Shortcut to Sarah's Documents.lnk
2008-12-15 20:35 59,904 a------- c:\windows\system32\drivers\TDSSmqlt.sys
2008-12-15 20:35 93,420 a------- c:\windows\system32\drivers\c669c589.sys
2008-12-15 20:33 <DIR> --d----- c:\program files\WMR11
2008-12-15 20:27 59,904 a------- c:\windows\system32\drivers\TDSSmhct.sys
2008-12-15 20:26 93,420 a------- c:\windows\system32\drivers\5b5097e6.sys
2008-12-15 20:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CrucialSoft Ltd
2008-12-15 19:29 237,568 a------- c:\windows\system32\rmc_rtspdl.dll
2008-12-15 19:29 156,672 a------- c:\windows\system32\rmc_fixasf.exe
2008-12-15 19:28 323,584 a------- c:\windows\system32\AUDIOGENIE2.DLL
2008-12-15 19:28 <DIR> --d----- c:\windows\Replay Media Catcher
2008-12-15 19:27 <DIR> --d----- c:\program files\Replay Media Catcher
2008-12-15 18:05 <DIR> --d----- C:\flvrecorder

==================== Find3M ====================

2008-11-30 01:46 65,536 a------- c:\windows\ICE_JNIRegistry.dll
2008-11-18 20:09 410,976 a------- c:\windows\system32\deploytk.dll
2008-11-10 15:35 21,640 a------- c:\windows\system32\emptyregdb.dat
2008-11-10 10:42 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-28 17:36 823,296 a------- c:\windows\system32\divx_xx0c.dll
2008-10-28 17:36 823,296 a------- c:\windows\system32\divx_xx07.dll
2008-10-28 17:35 815,104 a------- c:\windows\system32\divx_xx0a.dll
2008-10-28 17:35 802,816 a------- c:\windows\system32\divx_xx11.dll
2008-10-28 17:35 684,032 a------- c:\windows\system32\DivX.dll

============= FINISH: 21:45:15.45 ===============
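As an added example, not part of this thread and not code from DDS or BleepingComputer: a small Python triage script that parses the "Created Last 30" and FIREFOX lines of a DDS log in the layout shown above and flags the entries a helper would look at first. It applies three heuristics to files under the drivers directory (a name beginning with TDSS, which is the naming the TDSS/TDL rootkit family used for its drivers; a name that is eight random hex digits; two differently named drivers with the identical byte size dropped minutes apart) and separately lists any Firefox HiddenExtension lines. The sample input is copied from the log above and embedded so the script runs offline; the heuristics and the function names are assumptions for illustration, and they produce leads for triage, not a verdict.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample input: lines copied from the DDS log in the post above
# ("Created Last 30" and FIREFOX sections), embedded so the script runs offline.
SAMPLE_DDS = r"""
2008-12-20 20:26 6,784 a------- c:\windows\system32\drivers\serscan.sys
2008-12-20 20:23 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2008-12-15 20:35 59,904 a------- c:\windows\system32\drivers\TDSSmqlt.sys
2008-12-15 20:35 93,420 a------- c:\windows\system32\drivers\c669c589.sys
2008-12-15 20:33 <DIR> --d----- c:\program files\WMR11
2008-12-15 20:27 59,904 a------- c:\windows\system32\drivers\TDSSmhct.sys
2008-12-15 20:26 93,420 a------- c:\windows\system32\drivers\5b5097e6.sys
FF - component: c:\program files\mozilla firefox\components\iamfamous.dll
FF - HiddenExtension: XUL Cache: {08B7751F-BF7F-484E-8182-2414795B2323} - c:\documents and settings\owner\local settings\application data\{08B7751F-BF7F-484E-8182-2414795B2323}
"""

# One DDS file entry: date, time, byte size (or <DIR>), attribute flags, path.
FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>\S+) (?P<path>.+)$"
)
# "FF - HiddenExtension: <name>: {GUID} - <path>"
HIDDEN_EXT_LINE = re.compile(
    r"^FF - HiddenExtension: (?P<name>.+?): (?P<id>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$"
)
# A file stem of exactly eight lowercase hex digits, e.g. c669c589.sys:
# typical of dropper-generated names, rare for legitimate vendors.
RANDOM_HEX_STEM = re.compile(r"^[0-9a-f]{8}$")
DRIVERS_DIR = PureWindowsPath(r"c:\windows\system32\drivers")


def parse_file_entries(text):
    """Return a list of dicts for every file (not directory) entry in a DDS dump."""
    entries = []
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if not m or m.group("size") == "<DIR>":
            continue
        entries.append({
            "when": f"{m.group('date')} {m.group('time')}",
            "size": int(m.group("size").replace(",", "")),
            "path": PureWindowsPath(m.group("path")),
        })
    return entries


def flag_suspicious_drivers(entries):
    """Apply the three driver heuristics; return {filename: [reasons]}."""
    # PureWindowsPath compares case-insensitively, so mixed-case paths still match.
    drivers = [e for e in entries
               if e["path"].parent == DRIVERS_DIR and e["path"].suffix.lower() == ".sys"]
    findings = defaultdict(list)

    by_size = defaultdict(list)
    for e in drivers:
        name = e["path"].name
        if name.lower().startswith("tdss"):
            findings[name].append("TDSS-prefixed driver name (TDSS/TDL rootkit family naming)")
        if RANDOM_HEX_STEM.match(e["path"].stem):
            findings[name].append("eight-hex-digit driver name, no vendor-style naming")
        by_size[e["size"]].append(name)

    # Two distinct drivers with the identical byte size in one drop window
    # suggest the same payload written twice under different names.
    for size, names in by_size.items():
        if len(set(names)) > 1:
            for name in names:
                others = sorted(set(names) - {name})
                findings[name].append(f"same size ({size:,} bytes) as {', '.join(others)}")
    return dict(findings)


def find_hidden_extensions(text):
    """List Firefox HiddenExtension entries as dicts with name, id and path."""
    found = []
    for line in text.splitlines():
        m = HIDDEN_EXT_LINE.match(line.strip())
        if m:
            found.append({"name": m.group("name"), "id": m.group("id"), "path": m.group("path")})
    return found


if __name__ == "__main__":
    for name, reasons in flag_suspicious_drivers(parse_file_entries(SAMPLE_DDS)).items():
        print(name)
        for r in reasons:
            print("   -", r)
    for ext in find_hidden_extensions(SAMPLE_DDS):
        print("hidden extension", ext["id"], "->", ext["path"])
```

Run against the sample, the script flags the two TDSS* drivers and the two hex-named drivers (each also paired with its same-size twin) and leaves serscan.sys and usbscan.sys alone; the size-pairing rule is the one that would still fire if a later variant dropped the prefix and used plain random names.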

#2 Thunder


Posted 06 January 2009 - 10:49 AM

Hello Dead Comic and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please download ComboFix from one of the locations below, and save it to your Desktop.

Link
Link
Link

Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...