I think I have been infected with Malware


40 replies to this topic

#1 Ziva


Posted 08 October 2009 - 06:36 PM

This is my second posting. My first attempt was in error, and I apologize for posting twice. I hope this time I've done this properly. I am not PC savvy so please keep any responses to simple replies.

Help please, I think I may be infected with Malware. I am having an issue with Firefox-Google-Yahoo search re-direct. When I use search and get the correct link, I keep getting redirected to unknown search engines or sites selling Golf equipment, or shoes, etc. My Webroot Spysweeper program pops up and blocks me from viewing these sites. Plus WOT also blocks the site with a warning that the re-directed site is known for spyware.

The problem started on Oct 3 when I was visiting a site I’ve been to many times before without incident. Suddenly my Adobe Reader 6.0.1 became activated without any prompting from me. Since I am on dial-up the Adobe Reader takes a long time to open, especially in Firefox, and I was able to shut it down before it could reveal to me what it was trying to open. It took a minute or two before it closed down and as it struggled to obey my command, the screen turned a blank white with only the Adobe Reader showing. Then finally it shut down and I immediately disconnected and scanned my PC with Malwarebytes, which I’ve had for some time. Malwarebytes found several Trojan.Agents and Rootkit.TDSS; Malwarebytes quarantined all the bad stuff and since then all my scans have come up clean.

Still the re-direct issue continued. It seems to be a Firefox problem only for I can use Google, or Yahoo or whatever search engine I wish in my MSN browser with no problem.

Yesterday I downloaded and installed SuperAntiSpyware Free Edition. The first scan showed some malware associated with a Firefox add-on extension “coupon printer” that enabled me to print grocery coupons from places like coupon.com. I disabled it and was able to get into one site using Google search in FF and thought I had solved the problem, but when I tried to go to Bleeping Computer’s website I got re-directed again. Even uninstalling the coupon extension from FF as well as from my Add/Remove panel had no effect. After uninstalling the offending software I scanned with SAS again and it came up clean.

I would appreciate someone looking at my log reports to see if I am infected. Thank you for your time and your help. Please Note that I was unable to upload the Root Repeal report so that it could be read in my previous attempt. I am therefore going to Copy and paste it below the DDS report. My apologies if this is an incorrect procedure.


DDS (Ver_09-09-29.01) - NTFSx86
Run by hp at 17:39:41.78 on Thu 10/08/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.303 [GMT -5:00]

AV: avast! antivirus 4.8.1356 [VPS 091008-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Traysoft\PhoneTray\PhoneTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\IncrediMail\bin\ImApp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\logonmgr.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\msncc.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\MSNAccel.exe
C:\Documents and Settings\hp\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
uInternet Settings,ProxyServer = http=127.0.0.1:9022
uInternet Settings,ProxyOverride = ;127.0.0.1;<local>
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: KeyScramblerBHO Class: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - c:\program files\keyscrambler\KeyScramblerIE.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [RecordNow!]
uRun: [IncrediMail] "c:\program files\incredimail\bin\IncMail.exe" /c
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
uRun: [SUPERAntiSpyware] "c:\program files\superantispyware\SUPERAntiSpyware.exe"
mRun: [AGRSMMSG] "c:\windows\AGRSMMSG.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [Cpqset] "c:\program files\hpq\default settings\cpqset.exe"
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\j2re1.4.2_03\bin\jusched.exe"
mRun: [HPHUPD05] c:\program files\hp\{45b6180b-dcab-4093-8ee8-6164457517f0}\hphupd05.exe
mRun: [HPHmon05] "c:\windows\system32\hphmon05.exe"
mRun: [eabconfg.cpl] "c:\program files\hpq\quick launch buttons\EabServr.exe" /Start
mRun: [DXDllRegExe] dxdllreg.exe
mRun: [Apoint] "c:\program files\apoint2k\Apoint.exe"
mRun: [TrueImageMonitor.exe] "c:\program files\acronis\trueimagehome\TrueImageMonitor.exe"
mRun: [AcronisTimounterMonitor] "c:\program files\acronis\trueimagehome\TimounterMonitor.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [NvCplDaemon] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "c:\windows\system32\nwiz.exe" /install
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [PhoneTray] "c:\program files\traysoft\phonetray\PhoneTray.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Update Page Content - c:\program files\msn\msnia\cc\msncc\wa\refreshpage.htm
IE: View All Originals On Page - c:\program files\msn\msnia\cc\msncc\wa\getoriginal.htm
IE: View Original Image - c:\program files\msn\msnia\cc\msncc\wa\getoriginal.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\program files\keyscrambler\KeyScramblerIE.dll
Trusted Zone: hp.com\www
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
TCP: {BE51D4E9-BFCD-4B8F-958B-0BE83463C3CC} = 209.244.0.3 209.244.0.4
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp\applic~1\mozilla\firefox\profiles\dmxnon2a.default\
FF - prefs.js: browser.search.selectedEngine - Amazon.com
FF - component: c:\documents and settings\hp\application data\mozilla\firefox\profiles\dmxnon2a.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-12-7 29808]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-7-31 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-7-31 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-7-31 138680]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-4-21 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-2-5 1205760]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-7-31 254040]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2009-9-4 114672]
R3 PhoneTrayDriver;PhoneTrayDriver;c:\windows\system32\drivers\ptdrv.sys [2007-12-20 30032]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 7408]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-7-31 352920]
S3 WinPhlash;WinPhlash;\??\c:\docume~1\hp\locals~1\temp\rarsfx0\phlashnt.sys --> c:\docume~1\hp\locals~1\temp\rarsfx0\PHLASHNT.SYS [?]

=============== Created Last 30 ================

2009-10-08 00:58 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-10-06 21:32 <DIR> --d----- c:\program files\Secunia
2009-10-06 14:39 <DIR> --d----- c:\docume~1\hp\applic~1\Static IncrediMail Backup
2009-10-06 14:39 <DIR> --d----- c:\program files\Static IncrediMail Backup
2009-10-05 03:09 <DIR> --d----- c:\program files\Trend Micro
2009-09-17 23:39 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-09-17 20:00 153,088 -------- c:\windows\system32\dllcache\triedit.dll
2009-09-11 00:54 <DIR> --d----- c:\documents and settings\hp\Tracing
2009-09-11 00:50 <DIR> --d----- c:\program files\Microsoft
2009-09-11 00:50 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-09-10 18:30 <DIR> --d----- c:\program files\common files\Windows Live

==================== Find3M ====================

2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-08-21 04:46 450,560 a------- c:\windows\system32\dllcache\jscript.dll
2009-08-05 04:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 04:11 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-26 16:44 48,448 a------- c:\windows\system32\sirenacm.dll
2009-07-18 11:20 3,062,272 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-18 11:20 1,506,304 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-07-17 13:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 13:55 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 02:18 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 02:18 233,472 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 02:18 4,960,256 -------- c:\windows\system32\dllcache\wmp.dll
2008-03-24 02:49 848 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 17:41:43.84 ===============

Root Repeal Log Report:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/08 17:44
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF4CA7000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B78000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF4D98000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x867555c0

#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf4cef6b8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf4cef574

#: 047 Function Name: NtCreateProcess
Status: Hooked by "<unknown>" at address 0x86739a18

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "<unknown>" at address 0x867399a0

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x86755890

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0x867150a8

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf4cefa52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf4cef14c

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf4cef64e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf4cef08c

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf4cef0f0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf4cef76e

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "<unknown>" at address 0x86755638

#: 186 Function Name: NtReadVirtualMemory
Status: Hooked by "<unknown>" at address 0x867554d0

#: 192 Function Name: NtRenameKey
Status: Hooked by "<unknown>" at address 0x86739bf8

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf4cef72e

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x86755728

#: 226 Function Name: NtSetInformationKey
Status: Hooked by "<unknown>" at address 0x86739b80

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x86755980

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x867557a0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf4cef8ae

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x86755908

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x867556b0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xf4e6c0b0

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x86755818

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x86755548

Stealth Objects
-------------------
Object: Hidden Module [Name: tdlcmd.dll]
Process: svchost.exe (PID: 780) Address: 0x10000000 Size: 24576

Object: Hidden Module [Name: tdlwsp.dll]
Process: Explorer.EXE (PID: 1232) Address: 0x10000000 Size: 28672

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x8665ee90 Size: 369

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x864a52e0 Size: 3361

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLOSE]
Process: System Address: 0x862ed2b8 Size: 3401

Object: Hidden Code [Driver: Tcpip, IRP_MJ_READ]
Process: System Address: 0x866832a0 Size: 3425

Object: Hidden Code [Driver: Tcpip, IRP_MJ_WRITE]
Process: System Address: 0x8674d850 Size: 262

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x867cad08 Size: 760

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8655f9c0 Size: 1601

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_EA]
Process: System Address: 0x8656b2c0 Size: 2514

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_EA]
Process: System Address: 0x865609f8 Size: 1545

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x865861e8 Size: 742

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86554218 Size: 3560

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8656afa8 Size: 89

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x865c3888 Size: 979

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86692448 Size: 3001

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86638348 Size: 467

Object: Hidden Code [Driver: Tcpip, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8665ad78 Size: 649

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86721ac0 Size: 1344

Object: Hidden Code [Driver: Tcpip, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8667f360 Size: 164

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLEANUP]
Process: System Address: 0x86683b28 Size: 1241

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8667e2d8 Size: 3368

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x86772790 Size: 926

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8667d288 Size: 1298

Object: Hidden Code [Driver: Tcpip, IRP_MJ_POWER]
Process: System Address: 0x8664f370 Size: 3217

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86692fa8 Size: 89

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x86720f80 Size: 129

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x86680388 Size: 705

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_QUOTA]
Process: System Address: 0x866c7600 Size: 334

Object: Hidden Code [Driver: Tcpip, IRP_MJ_PNP]
Process: System Address: 0x867697c8 Size: 1466

Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x8641b650

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x862c2a18

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x862c2b08

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x862c2a90

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x8662ee90

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x8641b740

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x8641b6c8

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x86123b78

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x8662ef08

==EOF==
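The RootRepeal log above is long, and most of its SSDT entries are benign hooks owned by the avast! and SUPERAntiSpyware driver files. As an added example that is not part of this thread, the following Python script parses a constructed excerpt in that log format and separates hooks owned by a named driver file from the entries a helper would actually investigate: hooks whose owner RootRepeal could not attribute, hidden modules injected into running processes, and hidden code on the Tcpip driver's dispatch routines. The regular expressions and the triage rules are my assumptions about the format, not RootRepeal's own.

```python
import re

# Constructed excerpt modelled on the RootRepeal log posted above (not the full log).
SAMPLE_LOG = r"""
SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x867555c0

#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf4cef6b8

Stealth Objects
-------------------
Object: Hidden Module [Name: tdlcmd.dll]
Process: svchost.exe (PID: 780) Address: 0x10000000 Size: 24576

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x8665ee90 Size: 369

Shadow SSDT
-------------------
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x862c2a18

==EOF==
"""

# Assumed line shapes, taken from the log as posted; RootRepeal documents no formal grammar.
HOOK_RE = re.compile(r'^#: (\d+) Function Name: (\S+)$')
STATUS_RE = re.compile(r'^Status: Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)$')
HIDDEN_MODULE_RE = re.compile(r'^Object: Hidden Module \[Name: ([^\]]+)\]$')
HIDDEN_CODE_RE = re.compile(r'^Object: Hidden Code \[Driver: ([^,]+), ([^\]]+)\]$')
PROCESS_RE = re.compile(r'^Process: (.+?) \(PID: (\d+)\)')


def parse_rootrepeal(text):
    """Return one dict per hook or stealth object, tagged with the section it came from."""
    lines = [ln.strip() for ln in text.splitlines()]
    section = None
    pending = None  # a "#: nnn Function Name:" line waiting for its Status line
    entries = []
    for i, line in enumerate(lines):
        # A section header is the line immediately before a dashed underline.
        if i + 1 < len(lines) and lines[i + 1].startswith('-----'):
            section = line
            continue
        m = HOOK_RE.match(line)
        if m:
            pending = {'section': section, 'kind': 'hook',
                       'index': int(m.group(1)), 'function': m.group(2)}
            continue
        m = STATUS_RE.match(line)
        if m and pending:
            pending.update(hooker=m.group(1), address=int(m.group(2), 16))
            entries.append(pending)
            pending = None
            continue
        m = HIDDEN_MODULE_RE.match(line)
        if m:
            entries.append({'section': section, 'kind': 'hidden_module',
                            'name': m.group(1), 'process': None})
            continue
        m = HIDDEN_CODE_RE.match(line)
        if m:
            entries.append({'section': section, 'kind': 'hidden_code',
                            'driver': m.group(1), 'irp': m.group(2)})
            continue
        m = PROCESS_RE.match(line)
        if m and entries and entries[-1]['kind'] == 'hidden_module':
            entries[-1]['process'] = f"{m.group(1)} (PID {m.group(2)})"
    return entries


def triage(entries):
    """Keep only the entries a rootkit leaves behind; hooks owned by a named driver file are skipped."""
    findings = []
    for e in entries:
        if e['kind'] == 'hook':
            # Security products hook from a driver file RootRepeal can name; an
            # unattributed hook at a kernel pool address has no visible owner.
            if e['hooker'] == '<unknown>':
                findings.append(f"{e['section']}: {e['function']} hooked by "
                                f"unattributed code at {e['address']:#x}")
        elif e['kind'] == 'hidden_module':
            findings.append(f"hidden module {e['name']} injected into {e['process']}")
        elif e['kind'] == 'hidden_code':
            findings.append(f"hidden code on {e['driver']} {e['irp']} dispatch")
    return findings


if __name__ == '__main__':
    for finding in triage(parse_rootrepeal(SAMPLE_LOG)):
        print(finding)
```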


#2 Buckeye_Sam


Posted 09 October 2009 - 04:09 PM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.




We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    %systemroot%\system32\eventlog.dll
    %systemroot%\system32\scecli.dll
    %systemroot%\netlogon.dll
    %systemroot%\system32\cngaudit.dll
    %systemroot%\system32\sceclt.dll
    %systemroot%\ntelogon.dll
    %systemroot%\system32\logevent.dll

  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.


#3 Ziva


Posted 09 October 2009 - 06:04 PM

Hello Sam,

Thank you for your time and help. I didn't need to download Malwarebytes since I've had it installed for nearly a year now. I updated MBAM with no problem, though it was slow due to being on dial-up. I ran the scan, which came up clean.

Then I did the OTL scan. That one produced two files OTL and Extras so I am posting both results. The OTL scan went smoothly without any glitches.

Overall my PC seems to be working normally. No slower than usual. My Avast Home Free updates with no problem and my Webroot spysweeper updates as well. The only issue is this re-direct business with Firefox. I tried other steps to fix the problem such as deleting Firefox's cookies from my user profile. But that didn't work either.

Hope these logs make sense to you. I cannot make sense of them other than Malwarebytes showing I have 0 infections.

Ziva

OTL logfile created on: 10/9/2009 5:49:01 PM - Run 1
OTL by OldTimer - Version 3.0.18.4 Folder = C:\Documents and Settings\hp\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.98 Mb Total Physical Memory | 523.20 Mb Available Physical Memory | 51.14% Memory free
2.40 Gb Paging File | 1.85 Gb Available in Paging File | 76.85% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.88 Gb Total Space | 45.27 Gb Free Space | 81.01% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-4105E587B6
Current User Name: hp
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/07/23 18:13:36 | 01,205,760 | ---- | M] (Webroot Software, Inc. ) -- C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
PRC - [2007/06/13 05:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2009/09/15 05:49:40 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/09/15 05:56:43 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2006/10/16 21:13:28 | 00,230,944 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
PRC - [2005/02/23 23:26:00 | 00,127,042 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe
PRC - [2002/09/20 17:50:10 | 00,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
PRC - [2009/04/21 18:26:52 | 04,048,240 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
PRC - [2009/09/15 05:56:28 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2005/03/04 17:01:56 | 00,088,209 | ---- | M] (Agere Systems) -- C:\WINDOWS\AGRSMMSG.exe
PRC - [2003/08/04 19:28:18 | 00,049,152 | ---- | M] (Hewlett-Packard) -- C:\Program Files\HP\HP Software Update\HPWuSchd.exe
PRC - [2004/05/12 15:18:56 | 00,241,664 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
PRC - [2006/10/16 21:13:32 | 00,087,584 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
PRC - [2004/08/25 07:01:41 | 00,032,881 | ---- | M] () -- C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
PRC - [2003/05/22 21:55:38 | 00,483,328 | ---- | M] (Hewlett-Packard) -- C:\WINDOWS\System32\hphmon05.exe
PRC - [2004/07/30 10:33:44 | 00,286,720 | ---- | M] (Hewlett-Packard ) -- C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
PRC - [2003/10/07 22:40:00 | 00,159,744 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint2K\Apoint.exe
PRC - [2006/10/16 21:12:20 | 01,164,912 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
PRC - [2006/10/16 21:17:16 | 01,941,784 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
PRC - [2009/09/15 05:56:48 | 00,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2008/05/01 23:15:46 | 00,015,872 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerAssistant.exe
PRC - [2009/06/04 22:09:38 | 00,852,480 | ---- | M] () -- C:\Program Files\Traysoft\PhoneTray\PhoneTray.exe
PRC - [2009/05/13 15:40:08 | 06,345,840 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
PRC - [2003/10/07 22:40:00 | 00,045,056 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint2K\Apntex.exe
PRC - [2009/09/15 11:42:42 | 01,998,576 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2009/09/07 17:37:08 | 00,189,896 | ---- | M] (IncrediMail, Ltd.) -- C:\Program Files\IncrediMail\bin\ImApp.exe
PRC - [2009/07/26 16:44:34 | 03,883,856 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe
PRC - [2008/05/03 02:55:14 | 00,202,752 | ---- | M] (Microsoft Corporation.) -- C:\Program Files\MSN\MSNIA\CC\MSNCC\logonmgr.exe
PRC - [2008/05/03 02:55:14 | 00,186,368 | ---- | M] (Microsoft Corporation) -- C:\Program Files\MSN\MSNIA\CC\MSNCC\msncc.exe
PRC - [2009/04/21 18:26:50 | 00,165,232 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\WebrootSecurity\SSU.EXE
PRC - [2009/02/06 17:07:48 | 00,027,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Contacts\wlcomm.exe
PRC - [2009/09/12 00:46:45 | 00,908,280 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/10/09 17:20:42 | 00,520,704 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\hp\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2006/10/16 21:13:28 | 00,230,944 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc [Auto | Running])
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2009/09/15 05:49:40 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv [Auto | Running])
SRV - [2009/09/15 05:56:43 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus [Auto | Running])
SRV - [2009/09/15 05:56:28 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner [On_Demand | Running])
SRV - [2009/09/15 05:54:13 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner [On_Demand | Stopped])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2004/08/04 03:00:00 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2004/07/27 17:25:24 | 00,098,304 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HPQ\SHARED\HPQWMI.exe -- (hpqwmi [On_Demand | Stopped])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2005/02/23 23:26:00 | 00,127,042 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe -- (NVSvc [Auto | Running])
SRV - [2006/11/02 22:40:12 | 00,174,656 | ---- | M] () -- C:\WINDOWS\System32\PSIService.exe -- (ProtexisLicensing [Disabled | Stopped])
SRV - [2002/09/20 17:50:10 | 00,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default) [Auto | Running])
SRV - [2009/04/21 18:26:52 | 04,048,240 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe -- (WebrootSpySweeperService [Auto | Running])
SRV - [2009/07/23 18:13:36 | 01,205,760 | ---- | M] (Webroot Software, Inc. ) -- C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe -- (WRConsumerService [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2009/09/15 05:53:24 | 00,027,408 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4 [System | Running])
DRV - [2004/02/01 18:22:00 | 00,100,384 | ---- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\System32\drivers\aeaudio.sys -- (aeaudio [On_Demand | Running])
DRV - [2004/08/25 08:09:22 | 00,043,672 | ---- | M] (Oak Technology Inc.) -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K [System | Running])
DRV - [2005/03/04 17:02:20 | 01,066,278 | ---- | M] (Agere Systems) -- C:\WINDOWS\System32\DRIVERS\AGRSM.sys -- (AgereSoftModem [On_Demand | Running])
DRV - [2001/08/17 10:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde [Boot | Running])
DRV - [2004/05/08 12:21:44 | 00,035,840 | ---- | M] (Advanced Micro Devices) -- C:\WINDOWS\System32\DRIVERS\AmdK8.sys -- (AmdK8 [System | Running])
DRV - [2003/10/07 22:40:00 | 00,094,601 | ---- | M] (Alps Electric Co., Ltd.) -- C:\WINDOWS\System32\DRIVERS\Apfiltr.sys -- (ApfiltrService [On_Demand | Running])
DRV - [2009/09/15 05:55:19 | 00,020,560 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\DRIVERS\aswFsBlk.sys -- (aswFsBlk [Auto | Running])
DRV - [2009/09/15 05:56:14 | 00,094,160 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2 [Auto | Running])
DRV - [2009/09/15 05:54:21 | 00,023,152 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr [On_Demand | Running])
DRV - [2009/09/15 05:55:30 | 00,114,768 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP [System | Running])
DRV - [2009/09/15 05:54:30 | 00,052,368 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi [System | Running])
DRV - [2008/02/27 15:49:00 | 00,003,840 | ---- | M] () -- C:\WINDOWS\System32\Drivers\BANTExt.sys -- (BANTExt [System | Running])
DRV - [2004/08/04 13:05:20 | 00,341,760 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\System32\DRIVERS\bcmwl5.sys -- (BCM43XX [On_Demand | Stopped])
DRV - [2003/08/08 19:00:00 | 00,008,448 | ---- | M] (Texas Instruments Inc.) -- C:\WINDOWS\system32\DRIVERS\tiumflt.sys -- (DevUpper [Boot | Running])
DRV - [2004/04/14 10:36:50 | 00,007,432 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\System32\drivers\EABFiltr.sys -- (eabfiltr [System | Running])
DRV - [2003/06/06 14:46:16 | 00,005,220 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\System32\drivers\eabusb.sys -- (eabusb [On_Demand | Stopped])
DRV - [2003/05/14 14:19:52 | 00,051,056 | ---- | M] (HP) -- C:\WINDOWS\System32\DRIVERS\HPZid412.sys -- (HPZid412 [On_Demand | Stopped])
DRV - [2003/05/14 14:19:54 | 00,016,496 | ---- | M] (HP) -- C:\WINDOWS\System32\DRIVERS\HPZipr12.sys -- (HPZipr12 [On_Demand | Stopped])
DRV - [2003/05/14 14:17:54 | 00,021,488 | ---- | M] (HP) -- C:\WINDOWS\System32\DRIVERS\HPZius12.sys -- (HPZius12 [On_Demand | Stopped])
DRV - [2009/07/30 15:10:06 | 00,114,672 | ---- | M] (QFX Software Corporation) -- C:\WINDOWS\System32\drivers\keyscrambler.sys -- (KeyScrambler [On_Demand | Running])
DRV - [2005/02/23 23:26:00 | 03,444,128 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Running])
DRV - [2003/12/02 09:27:00 | 00,021,120 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\DRIVERS\nv_agp.sys -- (nv_agp [Boot | Running])
DRV - [2007/12/20 10:40:48 | 00,030,032 | ---- | M] (Traysoft Inc.) -- C:\WINDOWS\System32\Drivers\ptdrv.sys -- (PhoneTrayDriver [On_Demand | Running])
DRV - [2004/08/04 03:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2003/07/30 04:02:00 | 00,017,168 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DRIVERS\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2004/08/04 01:31:34 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) -- C:\WINDOWS\System32\DRIVERS\RTL8139.SYS -- (rtl8139 [On_Demand | Running])
DRV - [2009/09/15 11:42:46 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV [System | Running])
DRV - [2009/09/15 11:42:48 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Running])
DRV - [2009/09/15 11:42:44 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys -- (SASKUTIL [System | Running])
DRV - [2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2001/08/17 02:10:28 | 00,035,913 | ---- | M] (SMC) -- C:\WINDOWS\System32\DRIVERS\smcirda.sys -- (SMCIRDA [On_Demand | Stopped])
DRV - [2004/01/13 18:40:28 | 00,612,032 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\System32\drivers\smwdm.sys -- (smwdm [On_Demand | Running])
DRV - [2008/06/30 14:38:38 | 00,114,048 | ---- | M] (Acronis) -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman [Boot | Running])
DRV - [2009/04/21 18:27:02 | 00,029,808 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\WINDOWS\system32\DRIVERS\ssfs0bbc.sys -- (ssfs0bbc [Boot | Running])
DRV - [2009/04/21 18:27:04 | 00,023,152 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\WINDOWS\system32\DRIVERS\sshrmd.sys -- (sshrmd [Boot | Running])
DRV - [2009/04/21 18:27:04 | 00,176,752 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\WINDOWS\system32\DRIVERS\ssidrv.sys -- (ssidrv [Boot | Running])
DRV - [2008/01/04 22:34:36 | 00,023,920 | ---- | M] (Webroot Software Inc (www.webroot.com)) -- C:\WINDOWS\System32\Drivers\sskbfd.sys -- (SSKBFD [On_Demand | Stopped])
DRV - [2008/06/30 14:38:45 | 00,039,264 | ---- | M] (Acronis) -- C:\WINDOWS\System32\DRIVERS\tifsfilt.sys -- (tifsfilter [Auto | Running])
DRV - [2008/06/30 14:38:44 | 00,395,744 | ---- | M] (Acronis) -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter [Boot | Running])
DRV - [2003/02/18 19:00:00 | 00,042,092 | ---- | M] (Texas Instruments Inc.) -- C:\WINDOWS\System32\drivers\tiumfwl.sys -- (tiumfwl [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3860327061-1000508138-3552989476-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-3860327061-1000508138-3552989476-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-3860327061-1000508138-3552989476-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-3860327061-1000508138-3552989476-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-3860327061-1000508138-3552989476-1007\S-1-5-21-3860327061-1000508138-3552989476-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3860327061-1000508138-3552989476-1007\S-1-5-21-3860327061-1000508138-3552989476-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = ;127.0.0.1;<local>
IE - HKU\S-1-5-21-3860327061-1000508138-3552989476-1007\S-1-5-21-3860327061-1000508138-3552989476-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Amazon.com"
FF - prefs.js..browser.search.update: false
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.1
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.6.5
FF - prefs.js..extensions.enabledItems: {3d7eb24f-2740-49df-8937-200b1cc08f8a}:1.5.11.2
FF - prefs.js..extensions.enabledItems: keyscrambler@qfx.software.corporation:2.5.0.0
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:0.0.0
FF - prefs.js..extensions.enabledItems: redirectcleaner@example.net:1.1.0
FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20090918
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.3


FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/02 01:47:25 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/10/08 16:57:30 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/10/08 16:57:30 | 00,000,000 | ---D | M]

[2008/08/27 18:49:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\hp\Application Data\mozilla\Extensions
[2008/08/27 18:49:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\hp\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/10/09 14:52:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\hp\Application Data\mozilla\Firefox\Profiles\dmxnon2a.default\extensions
[2009/07/01 00:40:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\hp\Application Data\mozilla\Firefox\Profiles\dmxnon2a.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2009/09/23 14:11:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\hp\Application Data\mozilla\Firefox\Profiles\dmxnon2a.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2009/08/12 17:33:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\hp\Application Data\mozilla\Firefox\Profiles\dmxnon2a.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/05/01 23:21:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\hp\Application Data\mozilla\Firefox\Profiles\dmxnon2a.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2009/09/04 13:31:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\hp\Application Data\mozilla\Firefox\Profiles\dmxnon2a.default\extensions\keyscrambler@qfx.software.corporation
[2009/10/07 20:49:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\hp\Application Data\mozilla\Firefox\Profiles\dmxnon2a.default\extensions\redirectcleaner@example.net
[2008/03/28 01:32:12 | 00,001,406 | ---- | M] () -- C:\Documents and Settings\hp\Application Data\Mozilla\FireFox\Profiles\dmxnon2a.default\searchplugins\siteadvisor.gif
[2008/03/28 01:32:12 | 00,000,276 | ---- | M] () -- C:\Documents and Settings\hp\Application Data\Mozilla\FireFox\Profiles\dmxnon2a.default\searchplugins\siteadvisor.src
[2008/03/13 04:22:34 | 00,002,386 | ---- | M] () -- C:\Documents and Settings\hp\Application Data\Mozilla\FireFox\Profiles\dmxnon2a.default\searchplugins\siteadvisor.xml
[2009/10/06 17:22:04 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/09/12 00:46:45 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/09/12 00:46:44 | 00,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/09/12 00:46:44 | 00,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2008/03/20 20:21:26 | 01,446,440 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\npLegitCheckPlugin.dll
[2009/09/12 00:46:48 | 00,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2003/05/15 02:01:48 | 00,133,376 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2004/08/25 08:10:39 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2004/08/25 08:10:39 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2009/07/13 18:41:09 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/07/13 18:41:09 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/07/13 18:41:09 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/07/13 18:41:09 | 00,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/07/13 18:41:09 | 00,002,371 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/07/13 18:41:09 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/07/13 18:41:09 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (KeyScramblerBHO Class) - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll (QFX Software Corporation)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-3860327061-1000508138-3552989476-1007\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis)
O4 - HKLM..\Run: [AGRSMMSG] C:\WINDOWS\AGRSMMSG.exe (Agere Systems)
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe ()
O4 - HKLM..\Run: [DXDllRegExe] File not found
O4 - HKLM..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe (Hewlett-Packard )
O4 - HKLM..\Run: [HP Component Manager] C:\Program Files\HP\hpcoretech\hpcmpmgr.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd.exe (Hewlett-Packard)
O4 - HKLM..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe (Hewlett-Packard)
O4 - HKLM..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe File not found
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\system32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [PhoneTray] C:\Program Files\Traysoft\PhoneTray\PhoneTray.exe ()
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
O4 - HKLM..\Run: [SpySweeper] C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe (Webroot Software, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe ()
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O4 - HKLM..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe ()
O4 - HKU\S-1-5-21-3860327061-1000508138-3552989476-1007..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe (IncrediMail, Ltd.)
O4 - HKU\S-1-5-21-3860327061-1000508138-3552989476-1007..\Run: [RecordNow!] File not found
O4 - HKU\S-1-5-21-3860327061-1000508138-3552989476-1007..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3860327061-1000508138-3552989476-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3860327061-1000508138-3552989476-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE File not found
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O9 - Extra 'Tools' menuitem : &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll (QFX Software Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-3860327061-1000508138-3552989476-1007\..Trusted Domains: //@mail.mar@ ([]msn in Local intranet)
O15 - HKU\S-1-5-21-3860327061-1000508138-3552989476-1007\..Trusted Domains: //@signup.mar@ ([]msn in My Computer)
O15 - HKU\S-1-5-21-3860327061-1000508138-3552989476-1007\..Trusted Domains: hp.com ([www] https in Trusted sites)
O15 - HKU\S-1-5-21-3860327061-1000508138-3552989476-1007\..Trusted Domains: 3 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} http://downloads.ewido.net/ewidoOnlineScan.cab (ewidoOnlineScan Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.4.2_03)
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O30 - LSA: Authentication Packages - (m32\relog_ap.d) - File not found
O30 - LSA: Security Packages - (|) - File not found
O30 - LSA: Security Packages - (----) - File not found
O30 - LSA: Security Packages - (|) - File not found
O30 - LSA: Security Packages - (m]) - File not found
O30 - LSA: Security Packages - ((microsoft) - File not found
O30 - LSA: Security Packages - (corpora) - File not found
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{ae9d6f36-7df2-11dd-8b9c-000fb04cb6ee}\Shell - "" = AutoRun
O33 - MountPoints2\{ae9d6f36-7df2-11dd-8b9c-000fb04cb6ee}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{ae9d6f36-7df2-11dd-8b9c-000fb04cb6ee}\Shell\AutoRun\command - "" = E:\StarterOfficeGuardian.exe -- File not found
O33 - MountPoints2\{b30432c8-ec89-11dc-8975-000fb04cb6ee}\Shell\Auto\command - "" = Windows.scr
O33 - MountPoints2\{b30432c8-ec89-11dc-8975-000fb04cb6ee}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

NetSvcs: 6to4 - Service key not found. File not found
NetSvcs: Ias - Service key not found. File not found
NetSvcs: Iprip - Service key not found. File not found
NetSvcs: Irmon - Service key not found. File not found
NetSvcs: NWCWorkstation - Service key not found. File not found
NetSvcs: Nwsapagent - Service key not found. File not found
NetSvcs: Wmi - Service key not found. File not found
NetSvcs: WmdmPmSp - Service key not found. File not found
NetSvcs: helpsvc - C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)

========== Files/Folders - Created Within 30 Days ==========

[2009/10/06 14:39:47 | 00,000,000 | ---D | C] -- C:\Documents and Settings\hp\Application Data\Static IncrediMail Backup
[2009/09/10 18:30:26 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Windows Live
[2009/10/08 00:58:55 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2009/09/11 00:50:50 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft
[2009/10/06 21:32:31 | 00,000,000 | ---D | C] -- C:\Program Files\Secunia
[2009/10/06 14:39:29 | 00,000,000 | ---D | C] -- C:\Program Files\Static IncrediMail Backup
[2009/10/05 03:09:02 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/09/11 00:50:28 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live SkyDrive
[2009/10/09 17:20:42 | 00,520,704 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\hp\Desktop\OTL.exe
[2009/09/17 20:00:54 | 00,153,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\triedit.dll

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[1 C:\WINDOWS\*.tmp files]
[2009/10/09 17:20:42 | 00,520,704 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\hp\Desktop\OTL.exe
[2009/10/09 17:18:42 | 00,014,848 | ---- | M] () -- C:\Documents and Settings\hp\My Documents\DO.wps
[2009/10/09 14:23:26 | 00,023,773 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/10/09 14:23:05 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/10/09 14:22:57 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/10/09 14:22:53 | 10,727,46496 | -HS- | M] () -- C:\hiberfil.sys
[2009/10/08 01:00:47 | 00,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/10/07 18:24:54 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/10/06 19:42:59 | 00,000,220 | ---- | M] () -- C:\Documents and Settings\hp\My Documents\BleepingPC Account.rtf
[2009/10/05 03:09:02 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\hp\Desktop\HijackThis.lnk
[2009/10/05 01:51:42 | 00,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/09/23 20:36:56 | 00,296,448 | ---- | M] () -- C:\WINDOWS\Xenofex.ini
[2009/09/20 21:00:31 | 00,001,548 | ---- | M] () -- C:\Documents and Settings\hp\Desktop\CCleaner.lnk
[2009/09/18 00:26:55 | 00,001,646 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\IncrediMail.lnk
[2009/09/15 05:59:36 | 01,279,968 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2009/09/15 05:56:21 | 00,093,424 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2009/09/15 05:56:14 | 00,094,160 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2009/09/15 05:55:30 | 00,114,768 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2009/09/15 05:55:19 | 00,020,560 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2009/09/15 05:54:30 | 00,052,368 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2009/09/15 05:54:21 | 00,023,152 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2009/09/15 05:53:24 | 00,027,408 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2009/09/15 05:53:01 | 00,097,480 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\AvastSS.scr
[2009/09/11 12:37:59 | 00,219,248 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/09/11 00:53:39 | 00,049,448 | ---- | M] () -- C:\Documents and Settings\hp\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/09/10 14:54:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/09/10 14:53:50 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

========== Files - No Company Name ==========
[2009/10/09 17:18:42 | 00,014,848 | ---- | C] () -- C:\Documents and Settings\hp\My Documents\DO.wps
[2009/10/08 01:00:47 | 00,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/10/06 19:42:59 | 00,000,220 | ---- | C] () -- C:\Documents and Settings\hp\My Documents\BleepingPC Account.rtf
[2009/10/05 03:09:02 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\hp\Desktop\HijackThis.lnk
[2009/10/05 01:51:23 | 00,380,928 | ---- | C] () -- C:\WINDOWS\System32\actskin4.ocx
[2009/04/21 18:26:56 | 00,031,088 | ---- | C] () -- C:\WINDOWS\System32\wrLZMA.dll
[2008/12/09 21:34:25 | 00,000,011 | ---- | C] () -- C:\WINDOWS\3DShadow.INI
[2008/09/17 18:00:22 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/09/16 17:11:38 | 00,296,448 | ---- | C] () -- C:\WINDOWS\Xenofex.ini
[2008/09/02 14:34:06 | 00,000,089 | ---- | C] () -- C:\WINDOWS\ULead32.ini
[2008/09/02 14:31:58 | 00,000,016 | ---- | C] () -- C:\WINDOWS\Wininit.ini
[2008/09/02 14:31:52 | 00,035,328 | ---- | C] () -- C:\WINDOWS\INETWH32.DLL
[2008/09/02 14:31:52 | 00,009,136 | ---- | C] () -- C:\WINDOWS\INETWH16.DLL
[2008/06/05 22:16:21 | 00,000,675 | ---- | C] () -- C:\WINDOWS\nvrph.ini
[2008/06/05 17:20:36 | 00,000,595 | ---- | C] () -- C:\WINDOWS\nvrbm.ini
[2008/05/28 18:28:06 | 00,000,489 | ---- | C] () -- C:\WINDOWS\fmachine.ini
[2008/04/20 01:19:03 | 00,028,510 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2008/03/13 00:48:49 | 00,000,848 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2008/03/11 17:26:27 | 00,000,125 | ---- | C] () -- C:\Documents and Settings\hp\Local Settings\Application Data\fusioncache.dat
[2008/03/11 04:37:23 | 00,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
[2008/03/10 14:17:25 | 00,049,448 | ---- | C] () -- C:\Documents and Settings\hp\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2008/03/07 16:24:21 | 00,004,608 | ---- | C] () -- C:\Documents and Settings\hp\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/03/07 16:00:32 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\hp\Application Data\desktop.ini
[2008/03/07 16:00:31 | 05,369,550 | -H-- | C] () -- C:\Documents and Settings\hp\Local Settings\Application Data\IconCache.db
[2004/08/25 08:58:57 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/08/25 08:00:44 | 00,001,508 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2004/08/25 07:54:53 | 00,000,894 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2004/08/25 07:01:06 | 00,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll
[2004/08/07 08:16:44 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/08/07 08:10:08 | 00,000,883 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/07 07:58:22 | 00,000,604 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/07 00:47:16 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2004/08/07 00:46:50 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2004/03/08 19:40:12 | 00,210,944 | ---- | C] () -- C:\WINDOWS\System32\Msvcrt10.dll
[2004/03/08 19:40:12 | 00,057,344 | ---- | C] () -- C:\WINDOWS\System32\icmfilter.dll
[2004/01/09 06:22:32 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2003/09/26 16:24:46 | 00,565,248 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[2003/02/19 19:00:00 | 00,225,280 | ---- | C] () -- C:\WINDOWS\System32\tifmicon.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F7862839
< End of report >

Edited by Buckeye_Sam, 09 October 2009 - 06:25 PM.
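An OTL file listing like the one above is rarely read line by line; a responder first narrows it to the files touched inside the incident window and under system locations, and separately lists entries carrying unusual attribute combinations. The Python below is an added triage helper, not part of OTL and not code from this thread: it parses OTL's `[date | size | attributes | M/C] (company) -- path` records, then filters them to entries changed under C:\WINDOWS on or after an assumed incident start date (2009-10-03 is an assumed parameter here; set it to your own case) and lists entries flagged both hidden and system. The sample copies a few records from the report above so the parser runs on the real layout. Everything it returns is a list of things to look at, not a verdict on any file.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import datetime

# A few records copied from the OTL report in this thread (not a complete report).
SAMPLE_OTL = r"""
[2009/10/05 03:09:02 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\hp\Desktop\HijackThis.lnk
[2009/10/05 01:51:42 | 00,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/09/15 05:55:30 | 00,114,768 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2009/10/08 01:00:47 | 00,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/10/05 01:51:23 | 00,380,928 | ---- | C] () -- C:\WINDOWS\System32\actskin4.ocx
[2008/03/13 00:48:49 | 00,000,848 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2008/03/07 16:00:32 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\hp\Application Data\desktop.ini
"""

# [timestamp | size | attribute flags | M=modified/C=created] (company) -- path
RECORD_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attr>[-A-Z]{4}) \| (?P<flag>[MC])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)


@dataclass
class FileRecord:
    timestamp: datetime   # modification time for M records, creation time for C records
    size: int             # bytes, commas removed
    attributes: str       # four-character field, e.g. "-HS-" = hidden + system
    kind: str             # "M" or "C"
    company: str          # empty when OTL found no company name in the file
    path: str


def parse_record(line: str) -> FileRecord | None:
    """Parse one OTL file record; return None for headers, blanks and other lines."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    return FileRecord(
        timestamp=datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
        size=int(m.group("size").replace(",", "")),
        attributes=m.group("attr"),
        kind=m.group("flag"),
        company=m.group("company"),
        path=m.group("path"),
    )


def parse_report(text: str) -> list[FileRecord]:
    return [rec for rec in map(parse_record, text.splitlines()) if rec is not None]


def changed_under(records: list[FileRecord], since: datetime,
                  roots: tuple[str, ...] = ("C:\\WINDOWS",)) -> list[FileRecord]:
    """Records touched on or after `since` whose path lies under one of `roots`."""
    roots_lower = tuple(r.lower() for r in roots)
    return [r for r in records
            if r.timestamp >= since and r.path.lower().startswith(roots_lower)]


def hidden_system(records: list[FileRecord]) -> list[FileRecord]:
    """Records carrying both the hidden (H) and system (S) attributes."""
    return [r for r in records if "H" in r.attributes and "S" in r.attributes]


def basename(rec: FileRecord) -> str:
    return rec.path.rsplit("\\", 1)[-1]


if __name__ == "__main__":
    records = parse_report(SAMPLE_OTL)
    incident_start = datetime(2009, 10, 3)   # assumed incident window start
    print("Changed under C:\\WINDOWS since", incident_start.date())
    for r in changed_under(records, incident_start):
        print(f"  {r.kind} {r.timestamp} {r.size:>9} {r.company or '(no company)':<16} {r.path}")
    print("Hidden + system:")
    for r in hidden_system(records):
        print(f"  {r.attributes} {r.path}")
```

The `since` cut-off is deliberately a parameter rather than "last 30 days": OTL itself already limits the listing to a window, and what matters for triage is the date the symptoms began.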


#4 Buckeye_Sam

Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 09 October 2009 - 06:29 PM

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.


====================


Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 Ziva

Ziva
  • Topic Starter
  • Members
  • 101 posts

Posted 09 October 2009 - 08:41 PM

Back again, Sam. I removed the old Java files, and downloaded the latest version. I hope I d/l the correct one. I was given a choice between Windows and Windows 64. My PC has an AMD Athlon 64, but I have no clue what that is or if it's the same thing as Windows 64. I chose the Windows version.

Took over 40 minutes to d/l but was easy to install. I had disconnected after the d/l was complete, but as soon as I double-clicked on the Java exe file my sign-in window popped up, so I reconnected. As far as I can tell, which isn't much, it installed correctly.

I then downloaded the GooredFix, and disconnected. But when I double-clicked on GooredFix it did not work like you indicated. A message came up saying that Firefox was still running and I needed to shut it down. Since I had disconnected I assume it was shut down, so I clicked the button that said Force scan. There was no space to type in the number 1. It just scanned and the file I'm attaching came up.

Thank you again for your help and your time,

Ziva


#6 Buckeye_Sam

Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 09 October 2009 - 09:59 PM

Do you only experience the redirects with Firefox?
What version of Firefox are you using?

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.


#7 Ziva

Ziva
  • Topic Starter
  • Members
  • 101 posts

Posted 09 October 2009 - 11:24 PM

I have the latest version of Firefox. I can get to sites using the location bar in FF, I can view my Gmail account, and my Yahoo mail account. But if I use any search engines while in FF, I get re-directed to other sites. For instance if I type in www.bettycrocker.com I can get to the site. But if I do a search for Betty Crocker I get sent to an unknown shoe store website. I never catch the name because Webroot Spysweeper and WOT block the site, warning me that it is not safe. If I use Google or Gmail in my MSN browser I have no problems. It's very strange.

Here's the Gmer Log

GMER 1.0.15.15125 - http://www.gmer.net
Rootkit scan 2009-10-09 23:06:52
Windows 5.1.2600 Service Pack 2
Running: download.exe; Driver: C:\DOCUME~1\hp\LOCALS~1\Temp\agxiyaod.sys


---- System - GMER 1.0.15 ----

SSDT 86741B70 ZwAllocateVirtualMemory
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF4D4F6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF4D4F574]
SSDT 8671D188 ZwCreateProcess
SSDT 86741020 ZwCreateProcessEx
SSDT 86741E40 ZwCreateThread
SSDT 867200A8 ZwDeleteKey
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF4D4FA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF4D4F14C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF4D4F64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF4D4F08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF4D4F0F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF4D4F76E]
SSDT 86741BE8 ZwQueueApcThread
SSDT 86741A80 ZwReadVirtualMemory
SSDT 8671D368 ZwRenameKey
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF4D4F72E]
SSDT 86741CD8 ZwSetContextThread
SSDT 8671D2F0 ZwSetInformationKey
SSDT 86741F30 ZwSetInformationProcess
SSDT 86741D50 ZwSetInformationThread
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF4D4F8AE]
SSDT 86741EB8 ZwSuspendProcess
SSDT 86741C60 ZwSuspendThread
SSDT 86741FA8 ZwTerminateProcess
SSDT 86741DC8 ZwTerminateThread
SSDT 86741AF8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 25FC 805014EC 4 Bytes CALL D8D6890C
.text ntkrnlpa.exe!ZwCallbackReturn + 2721 80501611 7 Bytes [1E, 74, 86, 60, 1C, 74, 86]
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF7434380]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\MSN\MSNCoreFiles\msn.exe[2000] WININET.dll!InternetGoOnlineW 771F33C1 5 Bytes JMP 2013A45A C:\Program Files\MSN\MSNCoreFiles\msnmetal.dll (msnmetal/Microsoft Corporation)
.text C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe[2492] kernel32.dll!CreateThread + 1A 7C810661 4 Bytes CALL 00450771 C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe (Spy Sweeper Client Executable/Webroot Software, Inc.)
.text C:\WINDOWS\explorer.exe[3068] SHELL32.dll!SHFileOperationW 7CA6FDEE 5 Bytes JMP 00B91102 C:\Program Files\Unlocker\UnlockerHook.dll
.text C:\Program Files\Webroot\WebrootSecurity\SSU.EXE[3100] ntdll.dll!KiUserExceptionDispatcher + 9 7C90E485 5 Bytes JMP 00017DB0 C:\Program Files\Webroot\WebrootSecurity\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\WebrootSecurity\SSU.EXE[3100] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00016000 C:\Program Files\Webroot\WebrootSecurity\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\WebrootSecurity\SSU.EXE[3100] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 000169B0 C:\Program Files\Webroot\WebrootSecurity\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\WebrootSecurity\SSU.EXE[3100] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00016000 C:\Program Files\Webroot\WebrootSecurity\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\WebrootSecurity\SSU.EXE[3100] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00016960 C:\Program Files\Webroot\WebrootSecurity\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\WebrootSecurity\SSU.EXE[3100] kernel32.dll!VirtualFree 7C809AF4 5 Bytes JMP 00016990 C:\Program Files\Webroot\WebrootSecurity\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] 867418A8
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 867419A0
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] 867419A0
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] 867418A8
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] 867418A8
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] 867419A0
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] 867419A0
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] 867418A8
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] 867419A0
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] 867418A8
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] 867419A0
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] 867419A0
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] 867418A8

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[616] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00390002
IAT C:\WINDOWS\system32\services.exe[616] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00390000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \Driver\Tcpip \Device\Ip 86666080
Device \Driver\Tcpip \Device\Ip 865D0A58
Device \Driver\Tcpip \Device\Ip 864D27C0
Device \Driver\Tcpip \Device\Ip 863CE0B8
Device \Driver\Tcpip \Device\Ip 8672C780

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)

Device \Driver\Tcpip \Device\Tcp 86666080
Device \Driver\Tcpip \Device\Tcp 865D0A58
Device \Driver\Tcpip \Device\Tcp 864D27C0
Device \Driver\Tcpip \Device\Tcp 863CE0B8
Device \Driver\Tcpip \Device\Tcp 8672C780

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

Device \Driver\atapi \Device\Ide\IdePort0 [F74279F2] atapi.sys[unknown section]
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F74279F2] atapi.sys[unknown section]
Device \Driver\atapi \Device\Ide\IdePort1 [F74279F2] atapi.sys[unknown section]
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F74279F2] atapi.sys[unknown section]
Device \Driver\Tcpip \Device\Udp 86666080
Device \Driver\Tcpip \Device\Udp 865D0A58
Device \Driver\Tcpip \Device\Udp 864D27C0
Device \Driver\Tcpip \Device\Udp 863CE0B8
Device \Driver\Tcpip \Device\Udp 8672C780

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\RawIp 86666080
Device \Driver\Tcpip \Device\RawIp 865D0A58
Device \Driver\Tcpip \Device\RawIp 864D27C0
Device \Driver\Tcpip \Device\RawIp 863CE0B8
Device \Driver\Tcpip \Device\RawIp 8672C780

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\IPMULTICAST 86666080
Device \Driver\Tcpip \Device\IPMULTICAST 865D0A58
Device \Driver\Tcpip \Device\IPMULTICAST 864D27C0
Device \Driver\Tcpip \Device\IPMULTICAST 863CE0B8
Device \Driver\Tcpip \Device\IPMULTICAST 8672C780

AttachedDevice \FileSystem\Fastfat \Fat ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- EOF - GMER 1.0.15 ----


Thanks again.
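A GMER report mixes several kinds of finding, and a reader new to it has to know which lines deserve a second look. The Python below is an added example, not GMER's own tooling and not code from this thread: it walks a report section by section and flags (a) SSDT entries that point at a bare address GMER could not attribute to a loaded driver image, (b) inline CALL/JMP patches of kernel code in the "Kernel code sections" block, (c) a driver whose entry point is reported inside its ".rsrc" section, which is not where a normally built PE driver keeps its entry point, and (d) device dispatch routines resolved to an "unknown section" of the named driver. The sample report is constructed in the shape of the log above and trimmed. Every flag means "review this", not "malicious": security products legitimately hook the SSDT and attach filter devices, as the avast! entries the tool attributes by module show, so attributed hooks are left alone and the analyst compares the flagged lines against what is installed.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in the shape of a GMER 1.0.15 rootkit report (trimmed, not a real capture).
SAMPLE_GMER = r"""
---- System - GMER 1.0.15 ----

SSDT 86741B70 ZwAllocateVirtualMemory
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF4D4F6B8]
SSDT 8671D188 ZwCreateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 25FC 805014EC 4 Bytes CALL D8D6890C
.text ntkrnlpa.exe!ZwCallbackReturn + 2721 80501611 7 Bytes [1E, 74, 86, 60, 1C, 74, 86]
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF7434380]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\explorer.exe[3068] SHELL32.dll!SHFileOperationW 7CA6FDEE 5 Bytes JMP 00B91102 C:\Program Files\Unlocker\UnlockerHook.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
Device \Driver\atapi \Device\Ide\IdePort0 [F74279F2] atapi.sys[unknown section]
Device \Driver\atapi \Device\Ide\IdePort1 [F74279F2] atapi.sys[unknown section]
Device \Driver\Tcpip \Device\Ip 86666080

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER ")
# "SSDT <8 hex digits> <NtFunction>" with no module path: hook target not attributed to an image.
SSDT_BARE_RE = re.compile(r"^SSDT\s+[0-9A-Fa-f]{8}\s+(?P<func>\w+)\s*$")
# Driver image whose entry point GMER located inside its resource section.
RSRC_ENTRY_RE = re.compile(r'^\.rsrc\s+(?P<path>.+?)\s+entry point in "\.rsrc" section')
# Inline CALL/JMP written into kernel code (only evaluated inside "Kernel code sections").
KERNEL_PATCH_RE = re.compile(r"^\.text\s+\S+!(?P<sym>\S+).*\b(?:CALL|JMP)\s+[0-9A-Fa-f]+")
# Dispatch routine that resolves to no known PE section of the named driver.
UNKNOWN_SECTION_RE = re.compile(r"(?P<drv>\S+)\[unknown section\]")


@dataclass
class Finding:
    kind: str      # one of the four rule names below
    subject: str   # function, driver path or driver file the rule matched on
    line: str      # the report line, kept verbatim for the analyst


def triage(report: str) -> list[Finding]:
    """Return the report lines worth a second look, in report order."""
    findings: list[Finding] = []
    section = None
    for raw in report.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        if not line:
            continue
        if section == "System":
            m = SSDT_BARE_RE.match(line)
            if m:
                findings.append(Finding("ssdt_unattributed", m.group("func"), line))
        elif section == "Kernel code sections":
            m = RSRC_ENTRY_RE.match(line)
            if m:
                findings.append(Finding("entry_point_in_rsrc", m.group("path"), line))
                continue
            m = KERNEL_PATCH_RE.match(line)
            if m:
                findings.append(Finding("kernel_code_patch", m.group("sym"), line))
        elif section == "Devices":
            m = UNKNOWN_SECTION_RE.search(line)
            if m:
                findings.append(Finding("dispatch_unknown_section", m.group("drv"), line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = triage(SAMPLE_GMER)
    for f in found:
        print(f"{f.kind:26} {f.subject}")
    print(summarize(found))
```

The rules are gated on the section header on purpose: a JMP into a third-party DLL under "User code sections" is ordinary application hooking and would drown the kernel-level findings if the patterns were applied to every line.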

#8 Buckeye_Sam

Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 10 October 2009 - 07:55 AM

Please open Firefox and type this into your address bar.

about:plugins

Copy and paste all the text that appears.

#9 Ziva

Ziva
  • Topic Starter
  • Members
  • 101 posts

Posted 10 October 2009 - 01:31 PM

Here's the Plugin list

Installed plugins
Find more information about browser plugins at mozilla.org.
Help for installing plugins is available from plugindoc.mozdev.org.
Java Deployment Toolkit 6.0.160.1

File name: npdeploytk.dll
NPRuntime Script Plug-in Library for Java™ Deploy

MIME Type Description Suffixes Enabled
application/npruntime-scriptable-plugin;DeploymentToolkit Yes
Mozilla Default Plug-in

File name: npnul32.dll
Default Plug-in

MIME Type Description Suffixes Enabled
* Mozilla Default Plug-in * No
Windows Genuine Advantage

File name: npLegitCheckPlugin.dll
1.7.0069.2

MIME Type Description Suffixes Enabled
application/WGA-plugin npLegitCheckPlugin * Yes
QuickTime Plug-in 6.5.1

File name: npqtplugin.dll
The QuickTime Plugin allows you to view a wide variety of multimedia content in Web pages. For more information, visit the QuickTime Web site.

MIME Type Description Suffixes Enabled
video/quicktime QuickTime Movie mov,qt Yes
video/3gpp2 3GPP2 media file 3g2,3gp2 Yes
audio/3gpp2 3GPP2 media file 3g2,3gp2 Yes
video/sd-video SD video file sdv Yes
application/x-mpeg AMC media file amc Yes
image/x-macpaint MacPaint image file pntg,pnt,mac Yes
image/pict PICT image file pict,pic,pct Yes
QuickTime Plug-in 6.5.1

File name: npqtplugin2.dll
The QuickTime Plugin allows you to view a wide variety of multimedia content in Web pages. For more information, visit the QuickTime Web site.

MIME Type Description Suffixes Enabled
image/x-pict PICT image file pict,pic,pct Yes
image/x-quicktime QuickTime Image File qtif,qti Yes
Adobe Acrobat

File name: nppdf32.dll
Adobe Acrobat Plug-In Version 6.00 for Netscape

MIME Type Description Suffixes Enabled
application/pdf Acrobat Portable Document Format pdf Yes
application/vnd.fdf Acrobat Forms Data Format fdf Yes
application/vnd.adobe.xfdf XML Version of Acrobat Forms Data Format xfdf Yes
application/vnd.adobe.xdp+xml Acrobat XML Data Package xdp Yes
application/vnd.adobe.xfd+xml Adobe FormFlow99 Data File xfd Yes
Shockwave Flash

File name: NPSWF32.dll
Shockwave Flash 10.0 r32

MIME Type Description Suffixes Enabled
application/x-shockwave-flash Adobe Flash movie swf Yes
application/futuresplash FutureSplash movie spl Yes
Windows Presentation Foundation

File name: NPWPF.dll
Windows Presentation Foundation (WPF) plug-in for Mozilla browsers

MIME Type Description Suffixes Enabled
application/x-ms-xbap XAML Browser Application xbap Yes
application/xaml+xml XAML Document xaml Yes
Windows Media Player Plug-in Dynamic Link Library

File name: npdsplay.dll
Npdsplay dll

MIME Type Description Suffixes Enabled
application/asx Media Files * Yes
video/x-ms-asf-plugin Media Files * Yes
application/x-mplayer2 Media Files * Yes
video/x-ms-asf Media Files asf,asx,* Yes
video/x-ms-wm Media Files wm,* Yes
audio/x-ms-wma Media Files wma,* Yes
audio/x-ms-wax Media Files wax,* Yes
video/x-ms-wmv Media Files wmv,* Yes
video/x-ms-wvx Media Files wvx,* Yes
Microsoft® DRM

File name: npdrmv2.dll
DRM Netscape Network Object

MIME Type Description Suffixes Enabled
application/x-drm-v2 Network Interface Plugin nip Yes
Microsoft® DRM

File name: npwmsdrm.dll
DRM Store Netscape Plugin

MIME Type Description Suffixes Enabled
application/x-drm Network Interface Plugin nip Yes

#10 Buckeye_Sam

Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 10 October 2009 - 04:26 PM

That all looks ok. Can you post the log from Spysweeper so I can see what it's detecting?

#11 Ziva

Ziva
  • Topic Starter
  • Members
  • 101 posts

Posted 10 October 2009 - 05:22 PM

Thank you again for all your help.

Webroot's Spysweeper does not create log files. After a sweep it just shows a summary. I did the sweep and it came up clean. I made a screenshot so you can see it.

P.S.

Don't know if this is helpful or not, but I just made another screenshot of the history list in FF search. The one with the red circle is what I keep seeing when I get re-directed to other websites. I also noticed on top that it shows Google listed as WCRI - Search Google. That seems suspicious to me.

Ziva

Edited by Ziva, 10 October 2009 - 05:47 PM.


#12 Buckeye_Sam

Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 11 October 2009 - 08:12 AM

To view the session log:
1. In the Icon panel, click Options.
2. Click the Sweep tab.
3. Click the View Session Log link at the bottom of the panel.
A Session Log panel opens and shows all activity related to Webroot software operations. By default, the Webroot software shows the last 20 log sessions, but you can modify that amount by changing the value at the top right of the panel.
If you want to save log activity to a file, click Save to File and enter a log name.

Please post this information.

#13 Ziva

Ziva
  • Topic Starter
  • Members
  • 101 posts

Posted 11 October 2009 - 03:09 PM

Hi Sam,

Shows you how observant I am. I've had Webroot's SpySweeper for over 3 years and never noticed.

Here's the log from SpySweeper.


#14 Ziva

Ziva
  • Topic Starter
  • Members
  • 101 posts

Posted 11 October 2009 - 09:11 PM

Hi Sam,

I just tried using Internet Explorer, in which I have Google as the home page. I have the same click hijack-redirect problem as I do with any search engine in Firefox. Only my MSN browser is not affected by this pest. I have IE 6. Sure wish I knew what the culprit was/is.

Thanks again for all your help and your time,

Ziva

#15 Buckeye_Sam

Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 12 October 2009 - 06:49 AM

Please disable Spysweeper and then try a search.

* Open Spy Sweeper and click on Options > Program Options and uncheck "load at windows startup".
* On the left click "shields" and then uncheck everything there.
* Uncheck "home page shield".
* Uncheck "automatically restore default without notification".
* Exit the program.


Let me know what happens.
