
Copy Book, Non-working Antispyware, And Me.


This topic is locked
1 reply to this topic

#1 Ultymoo

  • Members
  • 8 posts

Posted 20 March 2009 - 11:50 PM

EDIT: This problem has been resolved, please feel free to close this topic.





Huzzah, a forum for fixing these nasty little infections that pop up and like to destroy my way of life every other year.

So, here's the backstory as to what's happened to me. I downloaded a program from a site which claimed to be an eBook, and was an EXE of all things. I normally know to stay away from those, but being a desperate college student writing papers, I can be desperate at times.

Now, I usually have a contingency plan for things like this, AKA copying the program to my flash drive after a virus sweep, and taking it over to an old junker computer I keep around specifically for purposes of testing for viruses in programs. However, this time my flash drive ended up with an autorun.inf file on it after installing said program, which turned out to be bull as was expected.

So, popping the drive back into my other computer, Avast pops up a warning, and I have it delete said file. However, upon going to my C:\ drive (or any other for that matter) I ended up being told that <Insert inanely long recycle bin entry here> was inaccessible. Joy. I right clicked and went to Explore to examine the contents of the drive, and what do I find but an autorun.inf file?

I got all of 'em cleared off my partitions and USB devices, and they don't seem (key word there) to be reinstalling themselves onto any partitions/drives.

After all that, I tried getting on Firefox to check the Avast entry, and it was refusing to open any pages. I checked PeerGuardian 2, which was throwing up malware exploit blocks, about two to three a second. At some point it trickled down and I was able to access Google and look up the info I needed.

I decided to try Spybot S&D, but it wouldn't open for some reason. Then I tried MBAM, same result. Whatever this is seems to be blocking any attempt to open antispyware or antimalware programs. In addition, when searching for the problem destination IPs PG2 was giving me (85.255.112.98:53 and 85.255.112.231:53) I came across this forum and realized that Firefox was hanging a bit before actually opening pages. Lo and behold, every so often it comes up with a load of redirects to about 5 sites before deciding to stop on one.

After renaming Malwarebytes' Anti-Malware utility, I got it running and removed a trojan by the name of gaopdxcounter that was hanging out in C:\WINDOWS\system32\ earlier. In addition, I found my DNS servers had been messed with, so I set them manually in my network settings, to those of OpenDNS.

Now, the browser hijacks only seem to happen when I hit any site from google. Firefox will hang for about three seconds before either sending me where I wanted to go or trying to send me to a spam/porn/popup site.

I'm not having any problems with computer speed at the moment, and am currently booted into Safe Mode with Networking on WinXP Pro with SP2 installed.

DDS (Ver_09-03-16.01) - NTFSx86 NETWORK
Run by Ultimo at 23:38:30.03 on Fri 03/20/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2325 [GMT -5:00]

AV: avast! antivirus 4.8.1335 [VPS 090320-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
D:\Program Files\Trillian\trillian.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
J:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.cisco.com/web/learning/netacad/index.html
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - d:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - d:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PeerGuardian] d:\program files\peerguardian2\pg2.exe
uRun: [uTorrent] "d:\program files\utorrent\uTorrent.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [SpybotSD TeaTimer] d:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "d:\program files\java\jre6\bin\jusched.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [nwiz] nwiz.exe /install
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
mRun: [avast!] d:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [USBFW] c:\program files\net studio\usb firewall\USB FireWall.exe
mRunOnce: [Malwarebytes' Anti-Malware] d:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - d:\program files\belkin\f5d8053\Belkinwcui.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: fackvista
Trusted Zone: fackvistac:
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.2.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1216367191093
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1216530029031
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
TCP: {EF847799-E352-4D52-A442-83020B41E408} = 208.67.222.222,208.67.220.220
Notify: psfus - c:\windows\system32\psqlpwd.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli psqlpwd

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ultimo\applic~1\mozilla\firefox\profiles\ifx189xy.default\
FF - prefs.js: browser.startup.homepage - hxxp://ms.xdreamer.net/
FF - plugin: c:\program files\google\google updater\2.4.1441.4352\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: d:\program files\adobe\reader 9.0\reader\browser\nppdf32.dll
FF - plugin: d:\program files\divx\divx player\npDivxPlayerPlugin.dll
FF - plugin: d:\program files\divx\divx web player\npdivx32.dll
FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll
FF - plugin: d:\program files\java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: d:\program files\java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: d:\program files\netscape6\nppl3260.dll
FF - plugin: d:\program files\netscape6\nprjplug.dll
FF - plugin: d:\program files\netscape6\nprpjplug.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin2.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin3.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin4.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin5.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin6.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin7.dll

============= SERVICES / DRIVERS ===============

R0 sojubus;sojubus;c:\windows\system32\drivers\sojubus.sys [2003-10-5 123520]
R0 sojuscsi;sojuscsi;c:\windows\system32\drivers\sojuscsi.sys [2003-9-28 5504]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2007-3-13 476416]
S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-3-16 114768]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-16 20560]
S2 avast! Antivirus;avast! Antivirus;d:\program files\alwil software\avast4\ashServ.exe [2009-3-16 138680]
S2 gupdate1c95e34a0f34427;Google Update Service (gupdate1c95e34a0f34427);c:\program files\google\update\GoogleUpdate.exe [2008-12-14 133104]
S3 avast! Web Scanner;avast! Web Scanner;d:\program files\alwil software\avast4\ashWebSv.exe [2009-3-16 352920]
S3 OEM02Afx;Provides a software interface to control audio effects of OEM002 camera.;c:\windows\system32\drivers\OEM02Afx.sys [2007-6-7 141376]
S3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2007-10-10 235648]
S3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2007-3-5 7424]

=============== Created Last 30 ================

2009-03-20 22:36 <DIR> --d----- c:\docume~1\ultimo\applic~1\Malwarebytes
2009-03-20 22:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SecTaskMan
2009-03-20 21:03 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-20 21:03 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-20 21:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-20 20:36 <DIR> --d----- c:\program files\Net Studio
2009-03-16 19:10 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-02-25 15:43 1,908 a------- c:\windows\diagwrn.xml
2009-02-25 15:43 1,908 a------- c:\windows\diagerr.xml

==================== Find3M ====================

2009-01-01 02:56 36,816 a------- c:\windows\DIIUnin.dat
2009-01-01 02:39 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2009-01-01 02:35 94,208 a------- c:\windows\DIIUnin.exe
2009-01-01 02:35 2,829 a------- c:\windows\DIIUnin.pif
2008-12-30 12:55 410,984 a------- c:\windows\system32\deploytk.dll
2008-09-28 13:05 24 a------- c:\documents and settings\ultimo\jagex_runescape_preferences.dat
2008-08-22 14:43 65,536 a------- c:\documents and settings\ultimo\backupRamSTV.bin

============= FINISH: 23:39:01.70 ===============

Edited by Ultymoo, 21 March 2009 - 11:22 PM.
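Two offline checks for the symptoms described in the post above, added here as an example; this is not code from the original thread, from BleepingComputer, or from any tool the post names. The first parses an autorun.inf and lists what Explorer would launch for each trigger, which is how a dropped file on the drive root ends up running on double-click or from the right-click Explore verb. The second parses `ipconfig /all` output and flags any DNS server other than the ones you set by hand, so a resolver change like the one the post found is caught without trusting the browser. The autorun.inf text, the SID-like RECYCLER folder name, and the ipconfig output are constructed samples (the Windows XP layout is assumed); the expected resolvers are the OpenDNS addresses the post says were configured manually.

```python
"""Offline triage for the two symptoms in the post: an autorun.inf dropped
on every drive, and DNS servers silently changed.  All sample inputs are
constructed for this example; nothing here is taken from the DDS log."""

import re

# Resolvers the user set by hand (OpenDNS, matching the TCP: line of the log).
EXPECTED_DNS = {"208.67.222.222", "208.67.220.220"}

# Constructed autorun.inf.  The RECYCLER path with a SID-like folder name is
# an assumption about the "long recycle bin entry" the post mentions.
SAMPLE_AUTORUN = """\
[autorun]
open=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\update.exe
shell\\open\\Command=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\update.exe
shell\\explore\\Command=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\update.exe
shell=open
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# Constructed `ipconfig /all` output in the Windows XP layout.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.2.5
        DNS Servers . . . . . . . . . . . : 85.255.112.98
                                            85.255.112.231

Ethernet adapter Local Area Connection:

        Media State . . . . . . . . . . . : Media disconnected
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_autorun(text):
    """Return the [autorun] section as {lowercased key: value}.  Hand-rolled
    instead of configparser: these files mix case, put backslashes in keys
    and often carry NUL bytes or junk lines that must be skipped."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.replace("\x00", "").strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_launches(text):
    """Map each trigger Explorer honours to the command it would run.
    open/shellexecute fire on insertion or double-click; shell\\<verb>\\command
    replaces the right-click verbs, so choosing Explore can run the payload."""
    launches = {}
    for key, value in parse_autorun(text).items():
        if key in ("open", "shellexecute"):
            launches[key] = value
        verb = re.fullmatch(r"shell\\([^\\]+)\\command", key)
        if verb:
            launches["verb:" + verb.group(1)] = value
    return launches


def dns_servers(ipconfig_text):
    """Parse `ipconfig /all` into {adapter: [dns server, ...]}.  Additional
    servers appear on indented continuation lines holding only an address."""
    adapters, current, in_dns = {}, None, False
    for line in ipconfig_text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1].strip()   # adapter heading
            adapters[current] = []
            in_dns = False
            continue
        stripped = line.strip()
        if current is None:
            continue
        if stripped.lower().startswith("dns servers"):
            in_dns = True
            value = stripped.split(":", 1)[1].strip()
            if value:
                adapters[current].append(value)
        elif in_dns and IPV4.fullmatch(stripped):
            adapters[current].append(stripped)
        else:
            in_dns = False
    return adapters


def unexpected_dns(ipconfig_text, expected=EXPECTED_DNS):
    """Return {adapter: [server, ...]} for resolvers outside the expected set;
    an empty dict means every adapter uses only the resolvers you chose."""
    flagged = {}
    for adapter, servers in dns_servers(ipconfig_text).items():
        bad = [s for s in servers if s not in expected]
        if bad:
            flagged[adapter] = bad
    return flagged


if __name__ == "__main__":
    for trigger, cmd in autorun_launches(SAMPLE_AUTORUN).items():
        print(f"autorun.inf {trigger:<13} -> {cmd}")
    for adapter, servers in unexpected_dns(SAMPLE_IPCONFIG).items():
        print(f"{adapter}: unexpected DNS servers {', '.join(servers)}")
```

Run with no arguments to see the constructed samples; on a live machine, feed `autorun_launches` the autorun.inf from the drive root (open it from a non-Windows box or with a plain text editor, never by double-clicking the drive) and feed `unexpected_dns` the saved output of `ipconfig /all`. The check only proves the adapter settings match what you chose; it says nothing about the router's own resolver, so confirm that separately.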



#2 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 28 March 2009 - 09:33 AM

EDIT: This problem has been resolved, please feel free to close this topic.

Closed.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.
