Firefox / Google Search Hijack


This topic is locked
14 replies to this topic

#1 GeoGeo (Members, 12 posts)

Posted 09 April 2009 - 09:01 AM

Hi,

I have a persistent infection on my laptop that has resisted all attempts to remove it so far. The symptom is that when I search with Google or the like, results come up as expected; however, clicking on these results I end up at completely different sites to the URLs provided by the search. This is annoying, however I wonder if this is only the tip of the iceberg?

Any help is greatly appreciated. Pasted below is my DDS log (Attach.txt is attached) as per posting instructions.

Cheers,
Geoff

DDS (Ver_09-03-16.01) - NTFSx86
Run by Geoff-C at 9:49:45.87 on 2009-04-09
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.421 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090408-0] *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Documents and Settings\Geoff-C\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: {C6338754-2E4E-43A7-A11E-087A7FA96837} = 206.248.154.170 206.248.154.22
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} -
Handler: intu-qt2008 - {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - c:\program files\quicktax 2008\ic2008pp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\geoff-c\applic~1\mozilla\firefox\profiles\90avcerb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.ca/

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-4-2 28544]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-4-7 114768]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-4-7 353672]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-4-7 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-4-7 138680]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-4-7 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-4-7 352920]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\documents and settings\geoff-c\my documents\vcdrom.sys --> c:\documents and settings\geoff-c\my documents\VCdRom.sys [?]
S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [2007-3-25 91830]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-2-27 44928]
S4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

=============== Created Last 30 ================

2009-04-07 14:28 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-04-07 14:28 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-04-07 14:28 <DIR> --d----- c:\program files\Zone Labs
2009-04-07 14:27 350,192 a------- c:\windows\system32\vsconfig.xml
2009-04-03 07:44 <DIR> --d----- c:\program files\EsetOnlineScanner
2009-04-02 20:38 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-04-02 20:37 <DIR> --d----- c:\program files\Panda Security
2009-03-31 21:00 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-31 21:00 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-31 21:00 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-31 13:26 <DIR> a-dshr-- C:\cmdcons
2009-03-31 13:24 161,792 a------- c:\windows\SWREG.exe
2009-03-31 13:24 98,816 a------- c:\windows\sed.exe
2009-03-30 19:01 153 a------- c:\windows\wininit.ini
2009-03-26 12:14 54,156 a---h--- c:\windows\QTFont.qfn
2009-03-26 12:14 1,409 a------- c:\windows\QTFont.for
2009-03-22 09:29 230,424 a------- C:\img2-002.raw
2009-03-22 08:45 230,424 a------- C:\img2-001.raw
2009-03-22 08:42 111,632 a------- c:\windows\VX1000.dll
2009-03-22 08:42 15,498 a------- c:\windows\VX1000.ini
2009-03-22 08:42 13,023 a------- c:\windows\VX1000.src
2009-03-22 08:42 1,964,432 a------- c:\windows\system32\drivers\VX1000.sys
2009-03-22 08:42 721,936 a------- c:\windows\vVX1000.exe
2009-03-22 08:42 566,288 a------- c:\windows\system32\LcProxy.ax
2009-03-22 08:42 218,128 a------- c:\windows\vVX1000.dll
2009-03-22 08:42 189,456 a------- c:\windows\system32\cVX1000.dll
2009-03-22 08:42 185,360 a------- c:\windows\system32\LCCoin20.dll
2009-03-22 08:31 <DIR> --d----- C:\5f5e3dda0f5b14c7ab5a848863026596
2009-03-22 08:21 <DIR> --d----- c:\windows\system32\XPSViewer
2009-03-22 08:19 14,048 -------- c:\windows\system32\spmsg2.dll
2009-03-22 08:15 3,727,720 a------- c:\windows\system32\d3dx9_35.dll
2009-03-21 10:36 104 a------- C:\My Network Places.lnk
2009-03-13 13:01 <DIR> --d----- c:\program files\common files\DivX Shared

==================== Find3M ====================

2009-04-08 13:49 138,376 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-04-08 13:49 202,448 a------- c:\windows\system32\PnkBstrB.exe
2009-04-07 14:28 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-07 21:51 66,872 a------- c:\windows\system32\PnkBstrA.exe
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-08 09:16 177,914 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-01-26 21:34 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-01-26 21:34 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-01-26 21:34 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-01-26 21:34 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-01-26 21:34 684,032 a------- c:\windows\system32\DivX.dll
2009-01-16 22:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2009-01-14 03:14 3,455,488 a------- c:\windows\system32\dllcache\ati2mtag.sys
2009-01-14 01:46 11,591,680 a------- c:\windows\system32\atioglxx.dll
2009-01-14 00:53 286,720 a------- c:\windows\system32\atiok3x2.dll
2009-01-14 00:49 425,984 a------- c:\windows\system32\ATIDEMGX.dll
2009-01-14 00:47 323,584 a------- c:\windows\system32\ati2dvag.dll
2009-01-14 00:36 196,608 a------- c:\windows\system32\atipdlxx.dll
2009-01-14 00:36 151,552 a------- c:\windows\system32\Oemdspif.dll
2009-01-14 00:36 26,112 a------- c:\windows\system32\Ati2mdxx.exe
2009-01-14 00:35 43,520 a------- c:\windows\system32\ati2edxx.dll
2009-01-14 00:35 155,648 a------- c:\windows\system32\ati2evxx.dll
2009-01-14 00:34 598,016 a------- c:\windows\system32\ati2evxx.exe
2009-01-14 00:32 53,248 a------- c:\windows\system32\ATIDDC.DLL
2009-01-14 00:22 4,009,152 a------- c:\windows\system32\ati3duag.dll
2009-01-14 00:05 2,500,224 a------- c:\windows\system32\ativvaxx.dll
2009-01-14 00:05 3,107,788 a------- c:\windows\system32\ativvaxx.dat
2009-01-14 00:05 3,107,788 a------- c:\windows\system32\ativva5x.dat
2009-01-14 00:05 887,724 a------- c:\windows\system32\ativva6x.dat
2009-01-13 23:50 48,640 a------- c:\windows\system32\amdpcom32.dll
2009-01-13 23:45 401,408 a------- c:\windows\system32\atikvmag.dll
2009-01-13 23:44 110,592 a------- c:\windows\system32\atiadlxx.dll
2009-01-13 23:44 17,408 a------- c:\windows\system32\atitvo32.dll
2009-01-13 23:37 307,200 a------- c:\windows\system32\atiiiexx.dll
2009-01-13 23:37 577,536 a------- c:\windows\system32\ati2cqag.dll
2009-01-13 22:36 45,056 a------- c:\windows\system32\amdcalrt.dll
2009-01-13 22:36 45,056 a------- c:\windows\system32\amdcalcl.dll
2009-01-13 22:34 3,227,648 a------- c:\windows\system32\Amdcaldd.dll
2009-01-13 22:05 593,920 -------- c:\windows\system32\ati2sgag.exe
2008-09-21 11:09 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092120080922\index.dat

============= FINISH: 9:50:32.18 ===============
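The DDS "Pseudo HJT Report" above is what a helper reads by eye: BHO/TB/EB registrations and their backing files, Run keys, DPF (ActiveX download) entries, and the network interface's DNS servers on the TCP: line. The script below is an added example, not part of the original post and not DDS code, that parses lines in that format and applies the checks a triager applies first: registered CLSIDs whose target is "No File" (orphaned leftovers, as with the two such entries in the log above; on their own they are not evidence of infection), autorun entries whose binary lives under a user-writable path, DPF downloads from hosts outside an allow-list, and the configured resolvers listed for out-of-band comparison with the ISP's published ones, since a search-result redirect that survives AV scans is one symptom DNS tampering produces. The sample input is constructed: most lines are copied from the log above, while the "[updater]" Run entry and the third DPF line are invented to show what a hit looks like. The host allow-list and the user-writable path fragments are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in the DDS "Pseudo HJT Report" format. Most lines are
# copied from the log posted above (defanged hxxp:// kept as DDS writes it);
# the "[updater]" Run entry and the third DPF line are invented to show hits.
SAMPLE = r"""
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [updater] c:\documents and settings\geoff-c\local settings\temp\svchost.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {DEADBEEF-0000-0000-0000-000000000000} - hxxp://cdn.example-ads.test/tool.cab
TCP: {C6338754-2E4E-43A7-A11E-087A7FA96837} = 206.248.154.170 206.248.154.22
"""

# Assumptions: DPF hosts from the log above that belong to known software
# vendors, and path fragments that mean "user-writable" on Windows XP.
KNOWN_DPF_HOSTS = {"java.sun.com", "download.microsoft.com",
                   "fpdownload.macromedia.com", "www.eset.eu"}
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\",
                 "\\application data\\", "\\local settings\\")

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
LINE_RE = re.compile(r"^(?P<kind>[A-Za-z]+): (?P<rest>.*)$")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\] (?P<target>.*)$")        # mRun / uRun
TCP_RE = re.compile(rf"^(?P<clsid>{CLSID}) = (?P<target>.*)$")       # interface DNS servers
CLSID_RE = re.compile(rf"^(?:(?P<name>.+?): )?(?P<clsid>{CLSID}) - (?P<target>.*)$")  # BHO/TB/EB/DPF


@dataclass
class Entry:
    kind: str    # BHO, TB, EB, mRun, uRun, DPF, TCP, ...
    name: str    # display name, or "" when DDS printed none
    clsid: str   # {GUID}, or "" for Run entries
    target: str  # backing file, URL, "No File", or DNS server list


def parse_hjt(text):
    """Parse DDS pseudo-HJT lines; lines in an unrecognised shape are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, rest = m["kind"], m["rest"]
        for rx in (RUN_RE, TCP_RE, CLSID_RE):
            sub = rx.match(rest)
            if sub:
                d = sub.groupdict()
                entries.append(Entry(kind, d.get("name") or "", d.get("clsid") or "", d["target"]))
                break
    return entries


def triage(entries):
    """Return (category, kind, identifier, detail) tuples for entries worth a look."""
    findings = []
    for e in entries:
        if e.target == "No File":
            # Orphaned registration: the CLSID is still registered but its DLL is gone.
            findings.append(("orphan", e.kind, e.clsid, "registered CLSID with no backing file"))
        elif e.kind in ("mRun", "uRun"):
            if any(seg in e.target.lower() for seg in USER_WRITABLE):
                findings.append(("autorun-userdir", e.kind, e.name, e.target))
        elif e.kind == "DPF":
            host = re.match(r"hxxps?://([^/]+)", e.target)
            if not host or host.group(1).lower() not in KNOWN_DPF_HOSTS:
                findings.append(("dpf-unknown-host", e.kind, e.clsid, e.target))
        elif e.kind == "TCP":
            # Not a verdict: the resolvers are listed so they can be compared with the
            # ISP's published ones, because redirects are one symptom of DNS tampering.
            findings.append(("dns-servers", e.kind, e.clsid, e.target))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE)):
        print("%-16s %-5s %s -> %s" % f)
```

Run against the sample it reports the two orphaned CLSIDs, the invented Run entry under the user's temp directory, the invented DPF host, and the two DNS servers. Against the full log above only the two orphans and the resolvers would come out, which matches the helper's "not seeing much in your log".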



#2 Jat90 (Members, 1,515 posts, United Kingdom)

Posted 09 April 2009 - 10:22 AM

Hello, GeoGeo

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

If you do not make a reply in 5 days, we will have to close your topic.


You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the reply button in the lower right-hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.


I'm not seeing much in your log. Let's check for rootkits before we proceed with a fix.

Gmer

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#3 GeoGeo (Topic Starter, Members, 12 posts)

Posted 09 April 2009 - 01:15 PM

Hello Jat, thank you for your very fast reply and your help.

Below is the GMER log as requested.

Many thanks,

GeoGeo

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-09 14:10:25
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xEDC2D6B8]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xEDD72FC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xEDD6FC80]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xEDC2D574]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xEDD73580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xEDD87900]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xEDD87B10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xEDD8BB10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xEDD73670]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xEDD70210]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xEDD8A9F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xEDC2DA52]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xEDD87280]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xEDD8AF10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xEDD8AF90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xEDD70070]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xEDC2D64E]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xEDD89180]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xEDD88F40]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xEDC2D76E]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xEDD8B6F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xEDD8B150]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xEDD72BE0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xEDC2D72E]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xEDD73190]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xEDD70440]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xEDC2D8AE]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xEDD88200]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xEDD88080]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 241C 80501C54 12 Bytes [80, 35, D7, ED, 00, 79, D8, ...] {XOR BYTE [0x7900edd7], 0xd8; IN EAX, DX; ADC [EBX-0x28], BH; IN EAX, DX}
? srescan.sys The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [EDD77B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [EDD77930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [EDD78260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [EDD75E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [EDD75E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [EDD77B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [EDD77930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [EDD78260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [EDD77B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [EDD75E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [EDD78260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [EDD77930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [EDD78260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [EDD77930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [EDD77B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [EDD75E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [EDD77B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [EDD77930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [EDD78260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [EDD77B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [EDD75E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [EDD78260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [EDD77930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[780] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00390002
IAT C:\WINDOWS\system32\services.exe[780] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00390000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\0016cedff850
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016cedff850
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0016cedff850

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\config\default.LOG (size mismatch) 8192/1024 bytes
File C:\Documents and Settings\Geoff-C\My Documents\Work\ISIS\2007\Offshore Projects\LA\Fugro Commander\ISIS Info provided Prior to Mob\C07-326_London_Array_Geotechnical_Support_2007\C07-326 London Array Geotechnical Support 2007\Fugro-Seacore Information\Mobilisation\Mobilisation Den Helder.xls 23040 bytes

---- EOF - GMER 1.0.15 ----

Edited by GeoGeo, 09 April 2009 - 01:15 PM.
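The helper's reading of the GMER output that follows ("found no rootkits") rests on every SSDT hook in the "---- System ----" section above belonging to a named, recognised security driver: aswSP.SYS from avast! and vsdatant.sys from ZoneAlarm (Check Point). The script below is an added example, not part of the original post and not GMER code, that makes that judgement mechanical: it parses GMER SSDT lines, groups hooks by the module that installed them, treats hooks from an allow-listed vendor as expected, and flags modules that GMER could not name (a bare address instead of a driver path) or that carry no version information, with an extra note when such a module hooks a syscall commonly used to hide files, registry keys or processes. The first four sample lines are copied from the log above; the last two are constructed to show what a hit looks like. The vendor allow-list and the stealth-syscall list are assumptions, and the IAT, device and file sections of the GMER log are not parsed.

```python
import re
from collections import defaultdict

# One GMER SSDT line: "SSDT <module> (<description>/<vendor>) <syscall> [0x<addr>]".
# The parenthesised part and the address are absent when GMER cannot name the
# module or read its version info, so both are optional here.
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)"
    r"(?:\s+\((?P<desc>[^)]*)\))?"
    r"\s+(?P<func>(?:Zw|Nt)\w+)"
    r"(?:\s+\[(?P<addr>0x[0-9A-Fa-f]+)\])?\s*$"
)

# Assumption: vendors of the security products installed on this machine
# (both appear in the DDS and GMER logs above) are allowed to hook the SSDT.
TRUSTED_VENDORS = {"ALWIL Software", "Check Point Software Technologies LTD"}

# Assumption: syscalls a rootkit typically hooks to hide files, keys or processes.
STEALTH_FUNCS = {"ZwQueryDirectoryFile", "ZwEnumerateKey", "ZwEnumerateValueKey",
                 "ZwQuerySystemInformation", "ZwOpenProcess", "ZwQueryValueKey"}

# Constructed sample: four lines copied from the GMER log above, then two
# invented lines (an unnamed driver and a bare address) to show hits.
SAMPLE = r"""
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xEDC2D6B8]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xEDD72FC0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xEDC2D64E]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xEDD89180]
SSDT \SystemRoot\System32\drivers\unknown.sys ZwQueryDirectoryFile [0xF7A0B120]
SSDT 8A3B4C5D ZwEnumerateKey
"""


def parse_ssdt(text):
    """Return one dict per SSDT line (module, desc, func, addr); other lines are skipped."""
    hooks = []
    for line in text.splitlines():
        m = SSDT_RE.match(line.strip())
        if m:
            hooks.append(m.groupdict())
    return hooks


def vendor_of(desc):
    """GMER prints '(file description/company name)'; return the company part."""
    return desc.rsplit("/", 1)[-1].strip() if desc else ""


def triage_ssdt(hooks):
    """Group hooks by module and return (module, vendor, hooked syscalls, verdict)."""
    by_module = defaultdict(list)
    for h in hooks:
        by_module[h["module"]].append(h)
    report = []
    for module, hs in by_module.items():
        vendor = vendor_of(hs[0]["desc"])
        funcs = sorted(h["func"] for h in hs)
        if vendor in TRUSTED_VENDORS:
            verdict = "expected"
        elif not module.startswith("\\"):
            # GMER printed an address, not a path: the hook points into memory
            # that belongs to no loaded module it could identify.
            verdict = "suspicious: hook points into unnamed memory"
        elif not vendor:
            verdict = "suspicious: no version info for hooking driver"
        else:
            verdict = f"review: unlisted vendor {vendor!r}"
        if verdict != "expected" and STEALTH_FUNCS & set(funcs):
            verdict += " (hooks a stealth-relevant syscall)"
        report.append((module, vendor, funcs, verdict))
    return report


if __name__ == "__main__":
    for module, vendor, funcs, verdict in triage_ssdt(parse_ssdt(SAMPLE)):
        print(f"{module}\n  vendor: {vendor or '-'}\n  hooks: {', '.join(funcs)}\n  {verdict}")
```

Against the full log above every SSDT line resolves to one of the two trusted vendors, so the report is all "expected"; the two constructed lines show the shape of output that would have warranted a second look before concluding the scan was clean.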


#4 Jat90 (Members, 1,515 posts, United Kingdom)

Posted 09 April 2009 - 01:21 PM

Hello,

GMER found no rootkit(s).

Still not seeing much in your logs. Let's try this:

MalwareBytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

ESET Online Scan

Please go to Eset website to perform an online scan. Please use Internet Explorer as it uses ActiveX.
  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Uncheck (untick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt. Please post this log in your next reply.


In your next reply, please post:
  • MBAM log
  • ESET log
  • DDS log

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#5 GeoGeo

GeoGeo
  • Topic Starter

  • Members
  • 12 posts

Posted 09 April 2009 - 02:45 PM

Posted below are the three requested logs. All seem to be clean although the symptoms still persist.

Many thanks again,

GeoGeo


MBAM Log:

Malwarebytes' Anti-Malware 1.36
Database version: 1959
Windows 5.1.2600 Service Pack 3

2009-04-09 14:35:34
mbam-log-2009-04-09 (14-35-34).txt

Scan type: Quick Scan
Objects scanned: 75805
Time elapsed: 3 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ESET Log:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3997 (20090409)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=b61ef6290d81934cb5506fe145a8694e
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2009-04-09 07:31:44
# local_time=2009-04-09 03:31:44 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=321774
# found=0
# scan_time=2867


New DDS Log:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Geoff-C at 15:39:19.82 on 2009-04-09
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.178 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090409-0] *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Geoff-C\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: {C6338754-2E4E-43A7-A11E-087A7FA96837} = 206.248.154.22 206.248.154.170
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} -
Handler: intu-qt2008 - {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - c:\program files\quicktax 2008\ic2008pp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\geoff-c\applic~1\mozilla\firefox\profiles\90avcerb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.ca/

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-4-2 28544]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-4-7 114768]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-4-7 353672]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-4-7 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-4-7 138680]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\documents and settings\geoff-c\my documents\vcdrom.sys --> c:\documents and settings\geoff-c\my documents\VCdRom.sys [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-4-7 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-4-7 352920]
S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [2007-3-25 91830]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-2-27 44928]
S4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

=============== Created Last 30 ================

2009-04-07 14:28 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-04-07 14:28 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-04-07 14:28 <DIR> --d----- c:\program files\Zone Labs
2009-04-07 14:27 350,192 a------- c:\windows\system32\vsconfig.xml
2009-04-03 07:44 <DIR> --d----- c:\program files\EsetOnlineScanner
2009-04-02 20:38 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-04-02 20:37 <DIR> --d----- c:\program files\Panda Security
2009-03-31 21:00 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-31 21:00 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-31 21:00 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-31 13:26 <DIR> a-dshr-- C:\cmdcons
2009-03-31 13:24 161,792 a------- c:\windows\SWREG.exe
2009-03-31 13:24 98,816 a------- c:\windows\sed.exe
2009-03-30 19:01 153 a------- c:\windows\wininit.ini
2009-03-26 12:14 54,156 a---h--- c:\windows\QTFont.qfn
2009-03-26 12:14 1,409 a------- c:\windows\QTFont.for
2009-03-22 09:29 230,424 a------- C:\img2-002.raw
2009-03-22 08:45 230,424 a------- C:\img2-001.raw
2009-03-22 08:42 111,632 a------- c:\windows\VX1000.dll
2009-03-22 08:42 15,498 a------- c:\windows\VX1000.ini
2009-03-22 08:42 13,023 a------- c:\windows\VX1000.src
2009-03-22 08:42 1,964,432 a------- c:\windows\system32\drivers\VX1000.sys
2009-03-22 08:42 721,936 a------- c:\windows\vVX1000.exe
2009-03-22 08:42 566,288 a------- c:\windows\system32\LcProxy.ax
2009-03-22 08:42 218,128 a------- c:\windows\vVX1000.dll
2009-03-22 08:42 189,456 a------- c:\windows\system32\cVX1000.dll
2009-03-22 08:42 185,360 a------- c:\windows\system32\LCCoin20.dll
2009-03-22 08:31 <DIR> --d----- C:\5f5e3dda0f5b14c7ab5a848863026596
2009-03-22 08:21 <DIR> --d----- c:\windows\system32\XPSViewer
2009-03-22 08:19 14,048 -------- c:\windows\system32\spmsg2.dll
2009-03-22 08:15 3,727,720 a------- c:\windows\system32\d3dx9_35.dll
2009-03-21 10:36 104 a------- C:\My Network Places.lnk
2009-03-13 13:01 <DIR> --d----- c:\program files\common files\DivX Shared

==================== Find3M ====================

2009-04-08 13:49 138,376 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-04-08 13:49 202,448 a------- c:\windows\system32\PnkBstrB.exe
2009-04-07 14:28 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-07 21:51 66,872 a------- c:\windows\system32\PnkBstrA.exe
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-08 09:16 177,914 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-01-26 21:34 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-01-26 21:34 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-01-26 21:34 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-01-26 21:34 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-01-26 21:34 684,032 a------- c:\windows\system32\DivX.dll
2009-01-16 22:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2009-01-14 03:14 3,455,488 a------- c:\windows\system32\dllcache\ati2mtag.sys
2009-01-14 01:46 11,591,680 a------- c:\windows\system32\atioglxx.dll
2009-01-14 00:53 286,720 a------- c:\windows\system32\atiok3x2.dll
2009-01-14 00:49 425,984 a------- c:\windows\system32\ATIDEMGX.dll
2009-01-14 00:47 323,584 a------- c:\windows\system32\ati2dvag.dll
2009-01-14 00:36 196,608 a------- c:\windows\system32\atipdlxx.dll
2009-01-14 00:36 151,552 a------- c:\windows\system32\Oemdspif.dll
2009-01-14 00:36 26,112 a------- c:\windows\system32\Ati2mdxx.exe
2009-01-14 00:35 43,520 a------- c:\windows\system32\ati2edxx.dll
2009-01-14 00:35 155,648 a------- c:\windows\system32\ati2evxx.dll
2009-01-14 00:34 598,016 a------- c:\windows\system32\ati2evxx.exe
2009-01-14 00:32 53,248 a------- c:\windows\system32\ATIDDC.DLL
2009-01-14 00:22 4,009,152 a------- c:\windows\system32\ati3duag.dll
2009-01-14 00:05 2,500,224 a------- c:\windows\system32\ativvaxx.dll
2009-01-14 00:05 3,107,788 a------- c:\windows\system32\ativvaxx.dat
2009-01-14 00:05 3,107,788 a------- c:\windows\system32\ativva5x.dat
2009-01-14 00:05 887,724 a------- c:\windows\system32\ativva6x.dat
2009-01-13 23:50 48,640 a------- c:\windows\system32\amdpcom32.dll
2009-01-13 23:45 401,408 a------- c:\windows\system32\atikvmag.dll
2009-01-13 23:44 110,592 a------- c:\windows\system32\atiadlxx.dll
2009-01-13 23:44 17,408 a------- c:\windows\system32\atitvo32.dll
2009-01-13 23:37 307,200 a------- c:\windows\system32\atiiiexx.dll
2009-01-13 23:37 577,536 a------- c:\windows\system32\ati2cqag.dll
2009-01-13 22:36 45,056 a------- c:\windows\system32\amdcalrt.dll
2009-01-13 22:36 45,056 a------- c:\windows\system32\amdcalcl.dll
2009-01-13 22:34 3,227,648 a------- c:\windows\system32\Amdcaldd.dll
2009-01-13 22:05 593,920 -------- c:\windows\system32\ati2sgag.exe
2008-09-21 11:09 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092120080922\index.dat

============= FINISH: 15:39:52.85 ===============

#6 Jat90

Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 10 April 2009 - 01:10 AM

Hello,

These scans confirm that there is nothing malicious on your PC. What symptoms are you having?
- Jat90 -


#7 GeoGeo

GeoGeo
  • Topic Starter

  • Members
  • 12 posts

Posted 10 April 2009 - 06:29 AM

When I search with Google and click on one of the search results, rather than going to the URL identified by the search, I'm taken to a different site instead, such as elle.com, www.shopica.com, www.google.com/undefined, www.couponmountain.com. The frequency with which this occurs has dropped to around 50% right now (just started laptop) but we'll see how it goes through the day.

Cheers,

GeoGeo

Edited by GeoGeo, 10 April 2009 - 07:12 AM.


#8 Jat90

Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 10 April 2009 - 08:08 AM

Hello,

I'll research into it for you :thumbup2:
- Jat90 -


#9 GeoGeo

GeoGeo
  • Topic Starter

  • Members
  • 12 posts

Posted 10 April 2009 - 08:30 AM

Thanks Jat :thumbup2:

#10 Jat90

Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 10 April 2009 - 08:31 AM

There's a relatively new type of infection which is a cause of Google redirects; it's called Goored. Let's see if that's what you have.

Goored Fix - Scan

Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.
- Jat90 -


#11 GeoGeo

GeoGeo
  • Topic Starter

  • Members
  • 12 posts

Posted 10 April 2009 - 08:58 AM

I think you're on to a winner, Jat. Below is the log as requested.

Cheers,
GeoGeo

GooredFix v1.92 by jpshortstuff
Log created at 09:57 on 10/04/2009 running Option #1 (Geoff-C)
Firefox version 3.0.8 (en-US)

=====Suspect Goored Entries=====

C:\Program Files\Mozilla Firefox\extensions\{7EBB8F95-9B04-4FCE-9A40-073C37165D5A}

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

#12 Jat90

Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 10 April 2009 - 09:29 AM

Hello,

Hope this works :thumbup2:

Goored Fix

Please double-click Goored.exe on your Desktop to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).
- Jat90 -


#13 GeoGeo

GeoGeo
  • Topic Starter

  • Members
  • 12 posts

Posted 10 April 2009 - 09:45 AM

Jat, so far so good: Goored removed the extension and Firefox seems to be working normally again.

Below is the fix log for Goored. I noticed that the deleted files are now in a directory on my desktop; should I also delete these?

It was a slippy little bugger but you got it!

Many thanks,

GeoGeo

GooredFix v1.92 by jpshortstuff
Log created at 10:30 on 10/04/2009 running Option #2 (Geoff-C)
Firefox version 3.0.8 (en-US)

=====Goored Deletions=====
C:\Program Files\Mozilla Firefox\extensions\{7EBB8F95-9B04-4FCE-9A40-073C37165D5A}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"
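The two GooredFix logs in this thread (the Option #1 scan in post #11 and the Option #2 fix above) point at the same thing: an extension folder under the program-files Firefox extensions directory that no value under the Mozilla registry keys refers to. The following Python is an added example, not GooredFix's own code and not something posted in the thread. It parses both log formats (the log text is copied from the two posts) and applies a folder-versus-registry check that is my own heuristic for triaging such entries; the section names, the "Done." convention and the `(key, value name)` registry layout are taken from the logs as shown, and the GUID-shape test is an assumption about what such a drop-in extension folder typically looks like.

```python
"""Triage helper for GooredFix-style logs (added example, not GooredFix's code).

The log texts are copied from the thread; the parser and the
folder-vs-registry check are my own heuristic, not the tool's logic.
"""
import re

# Registry dump shared by both logs in the thread (copied from the posts).
REGISTRY_DUMP = r"""=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"
"""

# Option #1 output (post #11) and Option #2 output (post #13), copied from the thread.
SCAN_LOG = r"""GooredFix v1.92 by jpshortstuff
Log created at 09:57 on 10/04/2009 running Option #1 (Geoff-C)
Firefox version 3.0.8 (en-US)

=====Suspect Goored Entries=====

C:\Program Files\Mozilla Firefox\extensions\{7EBB8F95-9B04-4FCE-9A40-073C37165D5A}

""" + REGISTRY_DUMP

FIX_LOG = r"""GooredFix v1.92 by jpshortstuff
Log created at 10:30 on 10/04/2009 running Option #2 (Geoff-C)
Firefox version 3.0.8 (en-US)

=====Goored Deletions=====
C:\Program Files\Mozilla Firefox\extensions\{7EBB8F95-9B04-4FCE-9A40-073C37165D5A}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

""" + REGISTRY_DUMP

SECTION_RE = re.compile(r"^=====(.+?)=====$")
OPTION_RE = re.compile(r"running Option #(\d+)")
VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')
# Folder names shaped like a COM-style GUID, e.g. {7EBB8F95-...} (assumption: typical drop-in name).
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$")


def parse_goored_log(text):
    """Split a GooredFix log into the option number, suspect folders, deleted
    folders, and the dumped registry values keyed by (key path, value name)."""
    result = {"option": None, "suspects": [], "deleted": [], "registry": {}}
    section = None
    reg_key = None
    current = None  # folder being processed in the Deletions section
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = OPTION_RE.search(line)
        if m and result["option"] is None:
            result["option"] = int(m.group(1))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "Suspect Goored Entries":
            result["suspects"].append(line)
        elif section == "Goored Deletions":
            if line.startswith("->"):
                # Count a folder as gone only when the delete step itself reports Done.
                if line.startswith("->Deleting folder") and line.endswith("Done.") and current:
                    result["deleted"].append(current)
            else:
                current = line
        elif section == "Dumping Registry Values":
            if line.startswith("[") and line.endswith("]"):
                reg_key = line[1:-1]
            else:
                m = VALUE_RE.match(line)
                if m and reg_key:
                    result["registry"][(reg_key, m.group(1))] = m.group(2)
    return result


def classify_extension_folder(path, registry):
    """Heuristic: a folder in the Firefox extensions directory that no Mozilla
    registry value points at deserves a look; a GUID-named one doubly so, since
    a silently dropped-in extension is how this redirector hid. A GUID name
    alone is not proof of malice: legitimate extensions use GUID ids too."""
    norm = path.rstrip("\\").lower()
    registered = {v.rstrip("\\").lower() for v in registry.values()}
    if norm in registered:
        return "registered"
    name = norm.rsplit("\\", 1)[-1]
    if GUID_RE.match(name):
        return "unregistered-guid"
    return "unregistered"


if __name__ == "__main__":
    for label, log in (("scan", SCAN_LOG), ("fix", FIX_LOG)):
        parsed = parse_goored_log(log)
        print(label, "Option #%s" % parsed["option"])
        for p in parsed["suspects"]:
            print("  suspect:", p, "->", classify_extension_folder(p, parsed["registry"]))
        for p in parsed["deleted"]:
            print("  deleted:", p)
```

Running it prints the scan's one suspect as `unregistered-guid` and the fix log's one deleted folder, which is the same path. Note that the check only compares against the registry values the tool dumped; per-profile extensions (under the profile folder) are registered elsewhere and would also show as "unregistered" here, so treat the result as a review queue, not a verdict.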

#14 Jat90

Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 10 April 2009 - 09:50 AM

Hello,

Excellent, glad we got that sorted. Running this command will remove Goored completely from your computer, and if there are no more issues, I am happy to say you're clean :)

Click Start, then Run (or windows key + R)
In the box, paste the following command:

"%userprofile%\Desktop\GooredFix.exe" /uninstall

Click "Yes" to any prompts, and you're done.

Congratulations, you are now clean! :thumbup2:

We should tidy up our mess though.

Uninstall Gmer

Go to Start --> Run and copy/paste C:\WINDOWS\gmer_uninstall.cmd into the run window, click Okay. When that process completes, please reboot your computer.

Other Deletions

Locate where you saved DDS.exe, right click the file and select Delete.



Take a read of this excellent tutorial:

Simple and easy ways to keep your computer safe and secure on the Internet


Disable and Enable System Restore.

You should disable and re-enable system restore to make sure there are no infected files found in a restore point. You should now create a new restore point, since your system is clean.

You can find instructions on how to disable and re-enable system restore here:

Windows XP System Restore Guide

Visit Microsoft's Windows Update Site Frequently
  • It is important that you visit http://www.windowsupdate.com regularly.
  • This will ensure your computer has always the latest security updates available installed on your computer.
  • If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
System still slow?

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

Use a Firewall

Some good free firewalls are:
Make sure you only use one firewall though. A tutorial on understanding and using firewalls may be found here.

Next, I would recommend the download and installation of some (I would say two is enough) of the following programs:

Spybot© - Search and Destroy
  • This will provide real-time spyware & hijacker protection on your computer alongside your virus protection.
  • You should also scan your computer with the program on a regular basis, just as you would with anti-virus software.
SUPERAntiSpyware
  • You should also scan your computer with the program on a regular basis, just as you would with anti-virus software, in conjunction with Spybot.
  • Each antispyware product has different detection rates for different infections; using different products therefore increases your chances of finding and killing most malware.
MalwareBytes' Anti-Malware
  • Malwarebytes' Anti-Malware can detect and remove malware that even the most well known anti-virus and anti-malware applications fail to detect.
  • Ability to perform full scans for all drives.
  • The "Quick Scan" option lets the user scan the computer quickly checking for the most damaging threats and completing in usually under 10 minutes.
Javacools© SpywareBlaster
  • SpywareBlaster will add a large list of programs and sites to your Internet Explorer and Firefox settings that will protect you from running and downloading known malicious programs.
Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.

Glad I could Help :step4:
- Jat90 -


#15 Jat90

Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 11 April 2009 - 08:09 AM

Since the problem appears to be resolved, this topic is now Closed. Glad I could help.
If you need this topic reopened, please send me a message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic.
- Jat90 -




