
Redirected to Stop-Spyware.net... Also podmena and feedfarm


  • This topic is locked
3 replies to this topic

#1 ~Gretchen~

  • Members
  • 11 posts

Posted 21 August 2009 - 08:15 AM

OK... I need help! XP Service Pack 3 and Firefox 3.5.2 Browser. This computer is 2 weeks old and I never thought it could happen to me! I've been running AVG virus protection.

I've been infected with something and I believe it's still lurking. First symptoms were me being redirected to a site called stop-spyware.net where it told me I had a bunch of infections and it tried to launch a setup.exe file. I did NOT launch the file but I'm still getting redirect issues every once in a while on my browser. I noticed something called podmena in the bottom left of my browser and also something that said "waiting for feedfarm."

Spybot found Virtumonde.sdn and said it disinfected it but it found it on the next scan as well.... so whatever it is is not really gone. AVG full system scan found nothing.

I will include my DDS.txt and Attach.txt information below. I tried to run Root Repeal but I get a BSOD or my system just freezes up entirely so I haven't gotten through that one yet.

THANKS in advance for your HELP!!!!

DDS.txt info:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

DDS (Ver_09-07-30.01) - NTFSx86
Run by gnobles at 7:36:24.16 on Fri 08/21/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3518.2972 [GMT -5:00]

AV: AVG Anti-Virus Network Edition *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\gnobles\desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 5.0\apdproxy.exe"
StartupFolder: c:\documents and settings\gnobles\start menu\programs\startup\ChkDisk.dll
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~2.lnk - c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: chase.com\chaseonline
Trusted Zone: chase.com\mfasa
Trusted Zone: chase.com\payments
Trusted Zone: chase.com\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: avgrsstarter - avgrsstx.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gnobles\applic~1\mozilla\firefox\profiles\q8o5j493.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-8-6 12552]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-8-20 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-6 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-6 27784]
R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-3-17 65536]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-6 297752]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2008-12-4 226640]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]

=============== Created Last 30 ================

2009-08-20 16:05 15,688 a------- c:\windows\system32\lsdelete.exe
2009-08-20 14:19 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-08-20 14:18 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-20 14:18 <DIR> --d----- c:\program files\Lavasoft
2009-08-20 13:37 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-20 13:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-08-20 09:26 <DIR> --d----- c:\program files\MSECache
2009-08-20 09:12 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-08-17 13:35 <DIR> --d----- C:\Edline
2009-08-17 13:35 <DIR> --d----- c:\windows\system32\appmgmt
2009-08-12 11:21 26,368 ac------ c:\windows\system32\dllcache\usbstor.sys
2009-08-11 22:17 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-11 22:17 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-11 03:11 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-08-10 08:24 <DIR> --d----- c:\windows\RegisteredPackages
2009-08-10 07:47 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-10 07:47 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-10 07:47 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-08-10 07:47 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-10 07:47 <DIR> --d----- C:\26886c4ba670778987b4c03c0dfc1f
2009-08-07 14:53 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-08-07 14:53 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-08-07 14:49 <DIR> --d----- c:\windows\system32\PreInstall
2009-08-07 12:34 345,600 -c------ c:\windows\system32\dllcache\localspl.dll
2009-08-07 11:28 <DIR> --d----- c:\program files\common files\Control Panels
2009-08-07 11:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ALM
2009-08-07 11:17 2,463,976 a------- c:\windows\system32\NPSWF32.dll
2009-08-07 11:17 190,696 a------- c:\windows\system32\NPSWF32_FlashUtil.exe
2009-08-07 11:14 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-08-07 11:13 <DIR> --d----- c:\program files\Bonjour
2009-08-07 11:10 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-08-06 15:33 299,008 a------- c:\windows\system32\TubeFinder.exe
2009-08-06 15:33 119,568 a------- c:\windows\system32\VB6FR.DLL
2009-08-06 15:33 101,888 a------- c:\windows\system32\VB6STKIT.DLL
2009-08-06 15:33 364,544 a------- c:\windows\system32\PropertyGrid.ocx
2009-08-06 15:33 208,500 a------- c:\windows\system32\ReyXpBasics.tlb
2009-08-06 15:33 152,848 a------- c:\windows\system32\COMDLG32.OCX
2009-08-06 15:33 141,312 a------- c:\windows\system32\MSCMCFR.DLL
2009-08-06 15:33 84,512 a------- c:\windows\system32\PICCLP32.OCX
2009-08-06 15:33 32,768 a------- c:\windows\system32\CMDLGFR.DLL
2009-08-06 15:33 24,576 a------- c:\windows\system32\ControlSubX.ocx
2009-08-06 15:33 9,728 a------- c:\windows\system32\PCCLPFR.DLL
2009-08-06 15:33 <DIR> --d----- c:\program files\Free FLV Converter
2009-08-06 15:18 309,520 a------- c:\windows\system32\Mswng300.dll
2009-08-06 15:18 210,944 a------- c:\windows\system32\msvcrt10.dll
2009-08-06 15:18 133,904 a------- c:\windows\system32\Mfcans32.dll
2009-08-06 15:18 18,944 a------- c:\windows\system32\implode.dll
2009-08-06 15:18 <DIR> --d----- c:\windows\Crystal
2009-08-06 15:18 <DIR> --d----- C:\smwin32
2009-08-06 15:18 <DIR> --d----- c:\program files\VideoCapX
2009-08-06 15:09 306,688 a------- c:\windows\IsUninst.exe
2009-08-06 12:53 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-08-06 12:53 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-06 12:53 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-06 12:53 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-08-06 12:53 <DIR> --d----- c:\program files\AVG
2009-08-06 12:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-08-06 12:48 376 a------- c:\windows\ODBC.INI
2009-08-06 12:48 17,920 a------- c:\windows\system32\mdimon.dll
2009-08-06 12:47 <DIR> --d----- c:\program files\common files\L&H
2009-08-06 12:47 <DIR> --d----- c:\program files\Microsoft ActiveSync
2009-08-06 12:47 <DIR> --d----- c:\windows\SHELLNEW
2009-08-06 12:06 <DIR> --d----- C:\02-Desktop
2009-08-06 11:20 <DIR> --d----- c:\docume~1\gnobles\applic~1\Windows Search
2009-08-06 11:19 184 a------- c:\windows\hpbafd.ini
2009-08-06 11:19 <DIR> --d----- c:\docume~1\gnobles\applic~1\Windows Desktop Search
2009-08-06 11:19 <DIR> --d----- C:\01-Docs
2009-08-06 11:19 <DIR> --d----- c:\documents and settings\gnobles\.dvdcss
2009-08-06 11:19 <DIR> --d----- c:\docume~1\gnobles\applic~1\Blackberry Desktop
2009-08-06 11:19 <DIR> --d----- c:\docume~1\gnobles\applic~1\Any Video Converter
2009-08-06 11:19 <DIR> --d----- c:\docume~1\gnobles\applic~1\Any DVD Converter Professional
2009-08-06 11:19 <DIR> --d----- c:\docume~1\gnobles\applic~1\LiveWorship Settings
2009-08-06 11:19 <DIR> --d----- c:\docume~1\gnobles\applic~1\Skunk Studios
2009-08-06 11:19 <DIR> --d----- c:\docume~1\gnobles\applic~1\Research In Motion
2009-08-06 11:19 <DIR> --dsh--- c:\documents and settings\gnobles\IETldCache
2009-08-06 11:19 <DIR> --d----- c:\documents and settings\gnobles
2009-08-06 11:11 221,184 a------- c:\windows\system32\wmpns.dll
2009-08-06 11:09 8,192 a------- c:\windows\REGLOCS.OLD
2009-08-05 04:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll

==================== Find3M ====================

2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-12 12:21 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-07-11 13:10 4,813 a------- c:\windows\system32\drivers\1028_Dell_OPT_740.mrk
2009-07-11 09:24 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-11 09:20 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-07-03 12:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-25 03:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 03:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 03:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 03:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 03:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 03:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-24 06:18 92,928 a------- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 09:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 07:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 07:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 09:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 01:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-03 14:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-25 00:24 350,208 a------- c:\windows\system32\mssph.dll

============= FINISH: 7:36:40.26 ===============



Attach.txt info:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 8/6/2009 11:10:48 AM
System Uptime: 8/21/2009 7:22:43 AM (0 hours ago)

Motherboard: Dell Inc. | | 0YP693
Processor: AMD Athlon™ Dual Core Processor 4850e | Socket M2 | 2505/1000mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 149 GiB total, 81.068 GiB free.
D: is CDROM ()
F: is NetworkDisk (NTFS) - 736 GiB total, 552.568 GiB free.
R: is NetworkDisk (NTFS) - 146 GiB total, 137.094 GiB free.
T: is NetworkDisk (NTFS) - 15 GiB total, 3.528 GiB free.
Z: is NetworkDisk (NTFS) - 736 GiB total, 552.568 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 8/6/2009 11:10:51 AM - System Checkpoint
RP2: 8/6/2009 12:45:41 PM - Installed Microsoft Office Professional Edition 2003
RP3: 8/6/2009 12:53:26 PM - Installed AVG 8.5
RP4: 8/6/2009 12:55:23 PM - Installed Adobe Reader 9.
RP5: 8/6/2009 1:53:22 PM - Update to an unsigned driver
RP6: 8/7/2009 8:13:39 AM - Avg8 Update
RP7: 8/7/2009 8:15:44 AM - Avg8 Update
RP8: 8/7/2009 11:22:01 AM - Printer Driver Adobe PDF Converter Installed
RP9: 8/7/2009 2:49:33 PM - Software Distribution Service 3.0
RP10: 8/10/2009 7:44:11 AM - Software Distribution Service 3.0
RP11: 8/10/2009 8:24:30 AM - Installed Adobe Photoshop Elements 5.0
RP12: 8/10/2009 8:44:24 AM - Printer Driver Microsoft XPS Document Writer Installed
RP13: 8/10/2009 9:13:11 AM - Installed Windows XP WgaNotify.
RP14: 8/10/2009 10:03:07 AM - Software Distribution Service 3.0
RP15: 8/11/2009 10:41:35 AM - System Checkpoint
RP16: 8/12/2009 3:00:12 AM - Software Distribution Service 3.0
RP17: 8/13/2009 3:11:43 AM - System Checkpoint
RP18: 8/13/2009 8:11:22 AM - Avg8 Update
RP19: 8/13/2009 8:11:50 AM - Avg8 Update
RP20: 8/14/2009 10:26:32 AM - System Checkpoint
RP21: 8/15/2009 11:11:46 AM - System Checkpoint
RP22: 8/16/2009 12:11:29 PM - System Checkpoint
RP23: 8/17/2009 1:29:37 PM - Installed GradeQuick Web Plugin.
RP24: 8/17/2009 1:35:28 PM - Removed GradeQuick Web Plugin.
RP25: 8/17/2009 1:35:56 PM - Installed GradeQuick Web Plugin.
RP26: 8/18/2009 3:56:50 PM - System Checkpoint
RP27: 8/19/2009 4:06:11 PM - System Checkpoint
RP28: 8/20/2009 3:00:12 AM - Software Distribution Service 3.0
RP29: 8/20/2009 9:26:27 AM - Installed Compatibility Pack for the 2007 Office system

==== Installed Programs ======================

Acrobat.com
Ad-Aware
Add or Remove Adobe Creative Suite 3 Design Premium
Adobe Acrobat 8 Professional
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Creative Suite 3 Design Premium
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash CS3
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Video Encoder
Adobe Fonts All
Adobe Help Center 2.1
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop Elements 5.0
Adobe Reader 9
Adobe Setup
Adobe SING CS3
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Version Cue CS3 Server
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AHV content for Acrobat and Flash
AVG 8.5
Broadcom ASF Management Applications
Broadcom Management Programs
Choice Guard
Compatibility Pack for the 2007 Office system
Dell ETS Factory Installation
Free FLV Converter V 6.6.2
Google Gmail Notifier
GradeQuick Web Plugin
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB953955)
Hotfix for Windows XP (KB954434)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB958347)
Hotfix for Windows XP (KB959252)
Hotfix for Windows XP (KB961118)
Java™ 6 Update 13
Junk Mail filter update
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Office Professional Edition 2003
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.2)
MSVCRT
MSXML 6.0 Parser (KB927977)
NVIDIA Drivers
Octoshape add-in for Adobe Flash Player
PDF Settings
PowerDVD DX
Roxio Activation Module
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler 3
Roxio Update Manager
School Minder
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Segoe UI
Sonic CinePlayer Decoder Pack
Spybot - Search & Destroy
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows XP (KB898461)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Media Format Runtime
Windows Presentation Foundation
Windows Search 4.0
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

8/20/2009 2:17:15 PM, error: Kerberos [4] - The kerberos client received a KRB_AP_ERR_MODIFIED error from the server GNOBLESDELL$. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (NCS-AD.NORTHLAKECHRISTIAN.ORG), and the client realm. Please contact your system administrator.

==== End Of File ===========================
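
The DDS output above is the raw artifact; what an analyst does next is read the "Pseudo HJT Report" section for persistence entries that do not look like they came from an installer. The script below is an added example, not part of the original post and not code from the DDS tool, that parses those lines and applies the first checks a triager would run: BHO/toolbar/explorer-bar registrations whose DLL is reported as "No File" (orphaned entries), Run values with no name or no command, autostart targets that live under a user profile, bare file names resolved through the search path, and non-shortcut files dropped straight into a Startup folder. The sample input reuses lines from the log above; the `uRun: [updater]` line is constructed so that the user-profile check has something to fire on. The severities are heuristic: whether a flagged entry is actually malicious remains the analyst's call.

```python
import re
from dataclasses import dataclass

# Sample input: lines taken from the "Pseudo HJT Report" section of the DDS log
# above, plus one CONSTRUCTED line (the "updater" Run value) so that the
# user-profile check has something to fire on.
SAMPLE_LOG = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [<NO NAME>]
uRun: [updater] c:\docume~1\gnobles\locals~1\temp\update.exe
StartupFolder: c:\documents and settings\gnobles\start menu\programs\startup\ChkDisk.dll
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
Notify: avgrsstarter - avgrsstx.dll
"""


@dataclass
class Finding:
    severity: str  # "high", "medium", "low" or "info"
    line: str      # the DDS line that triggered the check
    reason: str


RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
COM_RE = re.compile(r"^(?P<kind>BHO|TB|EB): (?:(?P<name>.+?): )?\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$")
STARTUP_RE = re.compile(r"^StartupFolder: (?P<entry>.+?)(?: - (?P<target>.+))?$")
NOTIFY_RE = re.compile(r"^Notify: (?P<name>\S+) - (?P<dll>.+)$")

# Per-user locations where a legitimate installer rarely places an autostart binary.
USER_PROFILE_PREFIXES = ("c:\\documents and settings\\", "c:\\docume~1\\", "c:\\users\\")


def first_token(cmd: str) -> str:
    """Return the program path from a Run value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def target_of(cmd: str) -> str:
    """Path actually worth judging: for a rundll32 host, the DLL it is told to load."""
    path = first_token(cmd)
    if path.lower().endswith("rundll32.exe") and " " in cmd.strip():
        dll_and_entry = cmd.strip().split(None, 1)[1]
        path = dll_and_entry.split(",", 1)[0].strip('"')
    return path.lower()


def triage(text: str) -> list:
    """Apply the persistence-entry heuristics to DDS pseudo-HJT lines."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COM_RE.match(line)
        if m:
            if m["target"].strip().lower() == "no file":
                findings.append(Finding("medium", line,
                    f"{m['kind']} {{{m['clsid']}}} is registered but its DLL is missing "
                    "(orphaned registration; often left behind by a partial removal)"))
            continue
        m = RUN_RE.match(line)
        if m:
            name, cmd = m["name"].strip(), m["cmd"].strip()
            if not cmd or name in ("", "<NO NAME>"):
                findings.append(Finding("low", line,
                    "Run value with no name or no command; installers do not normally write these"))
                continue
            path = target_of(cmd)
            if path.startswith(USER_PROFILE_PREFIXES):
                findings.append(Finding("high", line,
                    "autostart target lives under a user profile (temp/application data), "
                    "a location installers rarely use but droppers often do"))
            elif "\\" not in path:
                findings.append(Finding("low", line,
                    "bare file name resolved through the search path; confirm which binary runs"))
            continue
        m = STARTUP_RE.match(line)
        if m:
            if not m["entry"].strip().lower().endswith(".lnk"):
                findings.append(Finding("high", line,
                    "non-shortcut file placed directly in a Startup folder; installers create "
                    ".lnk shortcuts here, so a loose DLL/EXE deserves a closer look"))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            findings.append(Finding("info", line,
                f"Winlogon Notify package '{m['name']}' loads {m['dll']} into winlogon.exe; verify the vendor"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run against the sample, the two "No File" registrations come out as medium, the empty Run value and the bare `stsystra.exe` as low, the Winlogon Notify entry as info, and two entries as high: the constructed temp-folder `update.exe` and the `ChkDisk.dll` sitting in the user's Startup folder. The ctfmon, Java, NVIDIA and Acrobat lines produce nothing, which is the point of the heuristics: they pass the entries an installer would plausibly write and surface the ones worth a second look.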


#2 ~Gretchen~

  • Topic Starter
  • Members
  • 11 posts

Posted 21 August 2009 - 08:46 AM

I just wanted to report back that so far this morning... my browsing seems normal... no redirects... no podmena or feedfarm references.

So I may be fine now... but I'd appreciate if an expert could double check my logs and make sure I'm clean!!!

THANKS!

#3 sempai

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 01 September 2009 - 04:02 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.  

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening on your machine.  Please perform the following scan:
  • Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.  No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet.  

Information on A/V control HERE

~Semp

You can help me continue the fight against malware by making a donation. Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#4 harrythook

  • Security Colleague
  • 4,152 posts
  • Gender:Male
  • Location:Philadelphia

Posted 12 September 2009 - 05:43 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.
All others please read The Preparation Guide before starting your topic.

Veni Vidi Vici
THE FIGHT AGAINST MALWARE




