Google/Browser Hijack Redirect - Please Help


  • This topic is locked
25 replies to this topic

#1 Westee

  • Members
  • 13 posts

Posted 09 November 2009 - 06:22 PM

I recently was infected with some rogue anti-virus scare/spyware program. It was creating pop-ups and all sorts of fake warnings, threats, etc. on my PC. I ran MalwareBytes and AVG scans, which detected a few issues. It removed them, then I restarted my PC and ran CCleaner. This was yesterday.

Everything seemed ok until this evening when I noticed that the searches in Google were getting hijacked and redirected to other webpages. My PC is also constantly sounding like it is processing something but does not show any major processes running in the Task Manager.

I am not sure what to do, so I came here after reading some about some similar issues here on the forum. Please Advise! :( <--- me right now, lol.

Here is my DDS.txt report as requested:
-----------------------------------------------------


DDS (Ver_09-10-26.01) - NTFSx86
Run by Administrator at 17:03:54.45 on Mon 11/09/2009
Internet Explorer: 8.0.6001.18828 BrowserJavaVersion: 1.6.0_07
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3070.1798 [GMT -6:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\system32\lxbmcoms.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Users\Administrator\AppData\Local\Temp\c.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\VBTUCopy\VBTUCopy.exe
C:\Program Files\Lexmark 4200 Series\LXBMmon.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\NCSoft\Launcher\NCLauncher.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\TypeItIn\TypeItIn.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Opera\opera.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Administrator\Documents\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uStart Page = hxxp://www.alienware.com/mothership
uDefault_Page_URL = hxxp://www.alienware.com/mothership
mStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: N/A: {0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Ask Search Assistant BHO: {0579b4b1-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Ask Toolbar BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Ask Toolbar: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [PlayNC Launcher]
uRun: [NCsoft Launcher] c:\program files\ncsoft\launcher\NCLauncher.exe /Minimized
uRun: [TurboNet] c:\users\administrator\appdata\local\temp\c.exe
mRun: [<NO NAME>]
mRun: [VBTUCopy] c:\program files\vbtucopy\VBTUCopy.exe /a /f
mRun: [lxbmmon.exe] "c:\program files\lexmark 4200 series\lxbmmon.exe"
mRun: [Lexmark 4200 Series Fax Server] "c:\program files\lexmark 4200 series\fm3032.exe" /s
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [HDAudDeck] c:\program files\via\viaudioi\vdeck\VDeck.exe -r
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\users\admini~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\typeitin.lnk - c:\program files\typeitin\TypeItIn.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Search
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jr1916~1.0_0\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: badarticle.com\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {97770E5B-2028-48AC-B4DA-1F991376D2B6} - hxxp://download.copysafe.net/plugins5/installers/Copysafe.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: WB - c:\program files\alienguise\fastload.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\admini~1\appdata\roaming\mozilla\firefox\profiles\8kr72t2h.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://www.dogpile.com/rescuefctb/ws/redir?_iceUrl=true&qsrc=freecause&user_id=12684181&tool_id=58485&qkw=
FF - component: c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\8kr72t2h.default\extensions\{2e768a0b-9ee3-4e60-babc-9ff4bc4aacfb}\components\Engine.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-26 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-26 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-26 297752]
R2 lxbm_device;lxbm_device;c:\windows\system32\lxbmcoms.exe -service --> c:\windows\system32\lxbmcoms.exe -service [?]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2009-3-26 1007104]
S3 athena;athena;c:\windows\system32\drivers\athena.sys [2007-5-25 110336]
S3 DNIMp50;DNIMp50 NDIS Protocol Driver;c:\windows\system32\drivers\DNIMP50.sys [2008-12-29 21504]
S3 DNISp50;DNISp50 NDIS Protocol Driver;c:\windows\system32\drivers\DNISP50.sys [2008-12-29 20480]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111v.sys [2009-2-7 870400]
S4 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2008-5-28 192512]
S4 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program files\micro innovations\wireless keyboard & mouse driver\KMWDSrv.exe [2007-4-5 208896]
S4 Viewpoint Service;Viewpoint Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-5-25 30152]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-11-09 22:44:12 0 d-sh--w- c:\windows\system32\%APPDATA%
2009-11-09 22:41:21 0 d-s---w- C:\ComboFix
2009-11-09 22:07:33 77312 ----a-w- c:\windows\MBR.exe
2009-11-09 22:07:33 267264 ----a-w- c:\windows\PEV.exe
2009-11-09 22:07:32 98816 ----a-w- c:\windows\sed.exe
2009-11-09 22:07:32 161792 ----a-w- c:\windows\SWREG.exe
2009-11-09 19:33:04 169984 ----a-w- c:\windows\msa.exe
2009-11-09 03:48:32 0 d-----w- c:\program files\World of Warcraft
2009-11-09 03:30:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-09 03:30:48 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-09 03:30:48 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-09 01:04:37 27648 ----a-w- c:\windows\system32\bjoj.pko
2009-11-08 15:17:14 0 d-----w- c:\programdata\Blizzard Entertainment
2009-11-07 22:36:03 0 d-----w- c:\programdata\Blizzard
2009-11-04 16:29:23 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2009-11-03 11:20:09 0 d-----w- c:\users\administrator\dwhelper
2009-11-02 17:28:56 11776 ----a-w- c:\windows\system32\TypeItIn28.dll
2009-11-02 17:28:55 0 d-----w- c:\program files\TypeItIn
2009-10-27 05:25:38 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-27 05:25:15 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-27 05:24:58 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-27 05:24:58 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-21 20:04:08 2742 ----a-w- c:\windows\system32\FilterData.dat
2009-10-21 05:01:03 0 d-----w- c:\program files\NCSoft
2009-10-18 20:47:01 0 d-----w- c:\program files\InnerSpace
2009-10-15 03:53:29 0 d-----w- c:\program files\Ventrilo
2009-10-15 03:53:21 262 ----a-w- c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini

==================== Find3M ====================

2009-11-09 18:12:36 2140 ----a-w- c:\windows\bthservsdp.dat
2009-10-01 15:29:14 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-24 03:17:50 51200 ----a-w- c:\windows\inf\infpub.dat
2009-09-24 03:17:50 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-09-24 03:17:50 143360 ----a-w- c:\windows\inf\infstor.dat
2009-09-23 14:47:59 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-09-23 14:32:41 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2009-09-23 05:18:12 319456 ----a-w- c:\windows\DIFxAPI.dll
2009-09-14 09:29:50 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-10 16:48:01 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 11:41:59 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 00:27:49 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 05:22:28 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42:29 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-26 21:35:34 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-14 15:53:34 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49:20 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49:18 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49:18 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49:15 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49:14 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49:14 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49:13 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48:02 105984 ----a-w- c:\windows\system32\netiohlp.dll
2008-10-07 21:09:03 174 --sha-w- c:\program files\desktop.ini
2007-09-05 16:01:02 490 ----a-w- c:\program files\rsm.dpu
2007-09-05 16:01:02 1752 ----a-w- c:\program files\rsm.html
2007-09-05 15:51:37 459 ----a-w- c:\program files\popup.dpu
2007-09-05 15:51:37 1752 ----a-w- c:\program files\popup.html
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 17:05:05.93 ===============
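A triage pass over the "Pseudo HJT Report" section of the DDS logs in this thread, added here as an example; it is not code from the original posts, from the DDS tool or from BleepingComputer. It runs over a few constructed sample lines modelled on entries in the two logs above (the Run key pointing into Temp, the Trusted Zone addition, the AppInit_DLLs value, the Firefox keyword.URL redirect, EnableLUA = 0, an orphaned BHO) and flags the ones a helper would ask about. The severity labels and the list of expected search hosts are assumptions for illustration, not part of DDS.

```python
import re
from typing import List, Tuple

# Constructed sample input: a handful of "Pseudo HJT Report" lines modelled on
# the two DDS logs posted in this thread. DDS writes http:// as hxxp:// so the
# URLs in a log are not clickable; the parser accepts both spellings.
SAMPLE_LOG = r"""
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [TurboNet] c:\users\administrator\appdata\local\temp\c.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mPolicies-system: EnableLUA = 0 (0x0)
Trusted Zone: badarticle.com\www
AppInit_DLLs: wbsys.dll
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://www.dogpile.com/rescuefctb/ws/redir?_iceUrl=true&qsrc=freecause&user_id=12684181&tool_id=58485&qkw=
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
"""

# (severity, rule name, offending log line)
Finding = Tuple[str, str, str]

RUN_LINE = re.compile(r"^[um]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
TEMP_PATH = re.compile(r"\\temp\\", re.IGNORECASE)
APPDATA_PATH = re.compile(r"\\appdata\\", re.IGNORECASE)

# Hosts a keyword.URL entry may legitimately point at. Assumption for this
# example: the user's chosen engine is one of these; anything else is a hijack
# candidate (in the thread, Google searches were being redirected).
EXPECTED_SEARCH_HOSTS = {"www.google.com", "www.yahoo.com", "www.bing.com"}


def host_of(url: str) -> str:
    """Return the lower-cased host of an http(s):// or de-fanged hxxp(s):// URL."""
    m = re.match(r"(?:http|hxxp)s?://([^/\s]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def triage(report: str) -> List[Finding]:
    """Scan pseudo-HJT lines and return the entries a helper would ask about."""
    findings: List[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_LINE.match(line)
        if m:
            cmd = m.group("cmd")
            # A Run key whose target lives in Temp is the classic dropper
            # persistence pattern; AppData is less clear-cut, so rank it lower.
            if TEMP_PATH.search(cmd):
                findings.append(("HIGH", "autorun from Temp directory", line))
            elif APPDATA_PATH.search(cmd):
                findings.append(("MEDIUM", "autorun from AppData", line))
            continue
        if line.startswith("Trusted Zone:"):
            # Sites in IE's Trusted Zone run with relaxed security settings.
            findings.append(("MEDIUM", "IE Trusted Zone entry", line))
        elif line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
            # A non-empty AppInit_DLLs value is loaded into every process that
            # links user32.dll, which is why hijackers and rootkits favour it.
            findings.append(("HIGH", "AppInit_DLLs set", line))
        elif re.search(r"\bEnableLUA\s*=\s*0\b", line):
            findings.append(("MEDIUM", "UAC disabled (EnableLUA = 0)", line))
        elif "keyword.URL" in line:
            # keyword.URL is where Firefox sends address-bar searches; a host
            # outside the expected set means search traffic is being redirected.
            url = line.rsplit(" - ", 1)[-1]
            if host_of(url) not in EXPECTED_SEARCH_HOSTS:
                findings.append(("HIGH", "Firefox keyword.URL redirected", line))
        elif line.startswith(("BHO:", "TB:")) and line.endswith("- No File"):
            # Registration left behind after its DLL was deleted: harmless, but
            # worth cleaning up and a hint that removal was incomplete.
            findings.append(("LOW", "orphaned BHO/toolbar registration", line))
    return findings


if __name__ == "__main__":
    for severity, rule, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {rule}: {line}")
```

Run against the sample it reports six findings, three of them HIGH; pointing `triage()` at a real DDS.txt is a matter of reading the file and passing its contents. The rules are deliberately narrow and only raise questions; every flagged line still needs a human to confirm it, which is exactly what the helpers in this thread do by hand.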



#2 Westee
  • Topic Starter

  • Members
  • 13 posts

Posted 10 November 2009 - 08:24 AM

Well, all the software got reinstalled somehow lol, spent about 6 hours messing with it, and got rid of it 3-4 times. But upon reboot it kept coming back again and again. It would cause a blue screen of death every time I tried to run MalwareBytes this time, so I finally got it to run using a random name for the .exe file and running it from safe mode.

The software/spyware causing the problem is: Antivirus System Pro.

I decided to just run a system restore point from a few days ago. So far everything seems fine. I will let you know how it goes.

Thanks.

#3 Westee
  • Topic Starter

  • Members
  • 13 posts

Posted 10 November 2009 - 01:49 PM

Ok, well the Antivirus System Pro is gone. But all the browsers I use are still hijacked in Google search (not sure about the other engines).

So the System Restore did not work or I did not go far enough back.

Can someone help me? Pretty Please...

Edited by Orange Blossom, 21 October 2010 - 09:05 PM.
Removed no longer relevant content. ~ OB


#4 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 15 November 2009 - 07:42 AM

Hi,

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

Download GMER here by clicking the download exe button and then saving it to your desktop:
  • Double-click the .exe that you downloaded.
  • Click the rootkit tab and then Scan.
  • Don't check the Show All box while scanning is in progress!
  • When scanning is ready, click Copy.
  • This copies the log to the clipboard.
  • Post the log in your reply.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

The malware removal instructions provided are meant to be used in the corresponding user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.


#5 Westee
  • Topic Starter

  • Members
  • 13 posts

Posted 17 November 2009 - 10:21 AM

Hi,

Thanks for the reply. I have added the latest DDS.txt and attach.txt below.

I was unable to run GMER for some reason. I tried it 6-7 times, and every time about halfway through the scan it would cause a Blue Screen and then restart the computer. On the very first try it almost made it through all the files. But on the other attempts to run it, it would hang on \\Devices\Shadowdisk\????? (something). I deleted the first version I downloaded and tried a new install; did this 3-4 times.

Thanks. Please advise on what to do next.

DDS.txt:


DDS (Ver_09-09-29.01) - NTFSx86
Run by Administrator at 8:05:43.40 on Tue 11/17/2009
Internet Explorer: 8.0.6001.18828 BrowserJavaVersion: 1.6.0_07

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uStart Page = hxxp://www.alienware.com/mothership
uDefault_Page_URL = hxxp://www.alienware.com/mothership
mStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Ask Toolbar: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [PlayNC Launcher]
uRun: [NCsoft Launcher] c:\program files\ncsoft\launcher\NCLauncher.exe /Minimized
mRun: [<NO NAME>]
mRun: [lxbmmon.exe] "c:\program files\lexmark 4200 series\lxbmmon.exe"
mRun: [Lexmark 4200 Series Fax Server] "c:\program files\lexmark 4200 series\fm3032.exe" /s
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [HDAudDeck] c:\program files\via\viaudioi\vdeck\VDeck.exe -r
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Search
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Notify: WB - c:\program files\alienguise\fastload.dll
AppInit_DLLs: wbsys.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\admini~1\appdata\roaming\mozilla\firefox\profiles\8kr72t2h.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://www.dogpile.com/rescuefctb/ws/redir?_iceUrl=true&qsrc=freecause&user_id=12684181&tool_id=58485&qkw=
FF - component: c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\8kr72t2h.default\extensions\{2e768a0b-9ee3-4e60-babc-9ff4bc4aacfb}\components\Engine.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============


============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-11-16 18:11 <DIR> --d----- c:\program files\AddOn Studio for World of Warcraft
2009-11-10 19:28 2,036,736 a------- c:\windows\system32\win32k.sys
2009-11-10 19:28 355,328 a------- c:\windows\system32\WSDApi.dll
2009-11-10 13:07 <DIR> --d----- c:\program files\AskBarDis
2009-11-10 13:05 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-11-10 13:05 <DIR> --d----- c:\program files\Zone Labs
2009-11-10 13:02 350,192 a---h--- c:\windows\system32\drivers\vsconfig.xml
2009-11-10 13:02 293,528 a------- c:\windows\system32\drivers\vsdatant.sys
2009-11-10 13:02 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-11-10 13:00 <DIR> --d----- c:\programdata\CheckPoint
2009-11-10 13:00 <DIR> --d----- c:\progra~2\CheckPoint
2009-11-10 13:00 <DIR> --d----- c:\windows\Internet Logs
2009-11-10 11:31 <DIR> --d----- c:\program files\Trend Micro
2009-11-10 07:31 53,328 a------- c:\windows\system32\drivers\aswMonFlt.sys
2009-11-10 07:28 <DIR> --d-h--- C:\$AVG
2009-11-10 07:27 <DIR> --d----- c:\programdata\avg9
2009-11-10 07:27 <DIR> --d----- c:\progra~2\avg9
2009-11-10 07:17 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-10 07:17 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-11-10 00:56 0 a---h--- c:\windows\system32\pebenebu
2009-11-10 00:56 <DIR> --dsh--- c:\windows\system32\%APPDATA%
2009-11-09 21:38 206,452 a------- C:\MGlogs.zip
2009-11-09 21:38 <DIR> --d----- C:\MGtools
2009-11-09 21:28 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-11-09 20:12 0 a--sh--- C:\-1540018669
2009-11-09 16:41 <DIR> --ds---- C:\ComboFix
2009-11-08 21:48 <DIR> --d----- c:\program files\World of Warcraft
2009-11-08 09:17 <DIR> --d----- c:\programdata\Blizzard Entertainment
2009-11-08 09:17 <DIR> --d----- c:\progra~2\Blizzard Entertainment
2009-11-07 16:36 <DIR> --d----- c:\programdata\Blizzard
2009-11-07 16:36 <DIR> --d----- c:\progra~2\Blizzard
2009-11-04 10:29 1,638,912 a------- c:\windows\system32\mshtml.tlb
2009-11-03 05:20 <DIR> --d----- c:\users\administrator\dwhelper
2009-11-02 11:28 11,776 a------- c:\windows\system32\TypeItIn28.dll
2009-11-02 11:28 <DIR> --d----- c:\program files\TypeItIn
2009-10-31 19:18 276,299,489 a------- c:\windows\MEMORY.DMP
2009-10-26 23:25 2,421,760 a------- c:\windows\system32\wucltux.dll
2009-10-26 23:25 87,552 a------- c:\windows\system32\wudriver.dll
2009-10-26 23:24 171,608 a------- c:\windows\system32\wuwebv.dll
2009-10-26 23:24 33,792 a------- c:\windows\system32\wuapp.exe
2009-10-21 14:04 2,742 a------- c:\windows\system32\FilterData.dat
2009-10-20 23:01 <DIR> --d----- c:\program files\NCSoft
2009-10-18 14:47 <DIR> --d----- c:\program files\InnerSpace

==================== Find3M ====================

2009-11-16 20:07 2,140 a------- c:\windows\bthservsdp.dat
2009-11-16 17:55 51,200 a------- c:\windows\inf\infpub.dat
2009-11-10 13:05 143,360 a------- c:\windows\inf\infstrng.dat
2009-11-10 13:05 143,360 a------- c:\windows\inf\infstor.dat
2009-10-01 09:29 195,440 -------- c:\windows\system32\MpSigStub.exe
2009-09-23 08:47 665,600 a------- c:\windows\inf\drvindex.dat
2009-09-22 23:18 319,456 a------- c:\windows\DIFxAPI.dll
2009-09-10 10:48 218,624 a------- c:\windows\system32\msv1_0.dll
2009-09-04 05:41 60,928 a------- c:\windows\system32\msasn1.dll
2009-08-28 20:30 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-08-28 20:30 458,752 a------- c:\windows\apppatch\AcSpecfc.dll
2009-08-28 20:30 2,159,616 a------- c:\windows\apppatch\AcGenral.dll
2009-08-28 20:30 542,720 a------- c:\windows\apppatch\AcLayers.dll
2009-08-28 18:27 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-28 18:14 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-08-26 23:22 916,480 a------- c:\windows\system32\wininet.dll
2009-08-26 23:17 109,056 a------- c:\windows\system32\iesysprep.dll
2009-08-26 23:17 71,680 a------- c:\windows\system32\iesetup.dll
2009-08-26 21:42 133,632 a------- c:\windows\system32\ieUnatt.exe
2008-10-07 15:09 174 a--sh--- c:\program files\desktop.ini
2008-10-05 20:08 3,393 a------- c:\users\admini~1\appdata\roaming\SAS7_000.DAT
2008-07-12 08:37 23 a------- c:\users\administrator\jagex_runescape_preferences.dat
2008-01-26 13:28 1,024 a------- c:\programdata\pdfdoc2.dll
2008-01-26 13:28 1,024 a------- c:\progra~2\pdfdoc2.dll
2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-08-10 00:56 92,160 a--sh--- c:\windows\system32\fiyamepe.dll
2009-08-10 00:56 45,056 a--sh--- c:\windows\system32\kiyituhe.dll
2009-08-10 00:56 39,424 a--sh--- c:\windows\system32\rokewezi.dll
2009-08-09 20:12 52,736 a--sh--- c:\windows\system32\rutijeri.dll

============= FINISH: 8:06:48.45 ===============

Attach.txt:


==== Installed Programs ======================

32 Bit HP CIO Components Installer
Add or Remove Adobe Creative Suite 3 Design Premium
AddOn Studio for World of Warcraft
Adobe Acrobat 8 Professional
Adobe Acrobat 8.1.2 Professional
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Creative Suite 3 Design Premium
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash CS3
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Video Encoder
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Setup
Adobe Shockwave Player
Adobe SING CS3
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Version Cue CS3 Server {ko_KR}
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AGC
AGEIA PhysX v6.12.02
AHV content for Acrobat and Flash
AIO_CDA_ProductContext
AIO_CDA_Software
AIO_Scan
Aion
AlienGUIse Theme Manager
AMDAway INF
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
Available Domains Professional Edition 4.1.1
AvantGo Client
avast! Antivirus
BufferChm
C3100
c3100_Help
Camtasia Studio 4
Camtasia Studio 5
CCleaner (remove only)
CDBurnerXP
Codec 8.1 build 12
Copy
CopySafe Plugin
Curse Client
CustomerResearchQFolder
Destinations
DeviceManagementQFolder
DivX Content Uploader
DivX Web Player
DocProc
DocProcQFolder
Doom 3
Dora Knows Your Name
Dragon NaturallySpeaking 9
DSL Speed V4.2
ESET Online Scanner v3
eSupportQFolder
Fax
FileZilla Client 3.2.8.1
Flash Optimizer
Google Toolbar for Internet Explorer
Google Updater
Half-Life
Half-Life 2
Half-Life 2: Deathmatch
Half-Life 2: Episode One
Half-Life 2: Episode Two
Half-Life 2: Lost Coast
Half-Life: Blue Shift
Hide My IP 2008
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Microsoft Visual Studio 2008 Shell (isolated mode) - ENU (KB946040)
Hotfix for Microsoft Visual Studio 2008 Shell (isolated mode) - ENU (KB946308)
Hotfix for Microsoft Visual Studio 2008 Shell (isolated mode) - ENU (KB946344)
Hotfix for Microsoft Visual Studio 2008 Shell (isolated mode) - ENU (KB946581)
Hotfix for Microsoft Visual Studio 2008 Shell (isolated mode) - ENU (KB947173)
Hotfix for Microsoft Visual Studio 2008 Shell (isolated mode) - ENU (KB947540)
Hotfix for Microsoft Visual Studio 2008 Shell (isolated mode) - ENU (KB947789)
Hotfix for Office (KB950278)
HP Customer Participation Program 8.0
HP Imaging Device Functions 8.0
HP OCR Software 8.0
HP Photosmart Essential
HP Photosmart.All-In-One Driver Software 8.0 .A
HP Solution Center 8.0
HP Update
HP Wireless Multimedia Keyboard and Mouse Driver V1.0
HPProductAssistant
HPSSupply
HTML Executable HTML Viewer Runtime
iTunes
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1
Lexmark 4200 Series
Malwarebytes' Anti-Malware
MarketResearch
Micro Niche Finder
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 3.5 SP1
Microsoft MSDN 2005 Express Edition - ENU
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Professional 2007 Trial
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Visual Web Developer 2007
Microsoft Office Visual Web Developer MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server 2008 Management Objects
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual Studio Shell 2008 Service Pack 1 - ENU
Microsoft Visual Studio Web Authoring Component
MobileMe Control Panel
Mozilla Firefox (3.0.15)
Mozilla Firefox (3.0b5)
Mozilla Thunderbird (2.0.0.23)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MWSnap 3
NCsoft Launcher
Nero 7 Essentials
Netflix Movie Viewer
NETGEAR RangeMax™ Wireless USB 2.0 Adapter WPN111
Niche Inspector
NVIDIA Drivers
Opera 10.01
Opposing Force
Palm VersaMail™
palmOne
PDF Settings
PDFCreator
PIXELRULER
PixiePack Codec Pack
Platform
PowerDVD
QuickTime
Realtek High Definition Audio Driver
Safari
Scan
Sid Meier's Civilization 4
Sid Meier's Civilization 4 - Beyond the Sword
Sid Meier's Civilization 4 - Warlords
SmartFTP Client
SolutionCenter
Status
Steam
Steel-Link.com Suite
SWF Optimizer
Synergy
System Requirements Lab
Team Fortress Classic
Toolbox
TrayApp
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Visual Studio Web Authoring Component (KB945140)
VC 9.0 Runtime
Ventrilo Client
VIA Platform Device Manager
VirtualDub Filter Pack 1.1
Warhammer Online - Age of Reckoning
WebReg
WIDCOMM Bluetooth Software 6.0.1.4400
Windows Installer Clean Up
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Player Firefox Plugin
WinZip 11.1
Wireless Keyboard & Mouse Driver
Word to PDF Converter 3.00
World of Warcraft
World of Warcraft Trial
XSite Pro
XSitePro2
Yahoo! Messenger
Zmeil 2.1
ZoneAlarm

==== End Of File ===========================



Should I keep trying to run GMER? Thanks.
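
The DDS listing above contains the kind of entries a malware-response helper looks for by eye: zero-byte or hidden files with syllable-style names in system32 (pebenebu, fiyamepe.dll, rutijeri.dll), a directory literally named %APPDATA% inside system32, and a hidden system file with a numeric name at the drive root. As an added example that is not part of this thread and not code from the DDS tool, here is a small Python triage script that parses lines in DDS's "date time size attrs path" format and flags those patterns. The KNOWN_HIDDEN allowlist, the looks_random consonant-vowel heuristic and the choice of "sensitive" directories are my own assumptions; the sample lines are copied from the log posted above.

```python
"""Triage DDS-style file listings for hidden-file and generated-name indicators.

Added example for this thread; not a BleepingComputer or DDS tool.  The rules
are heuristics to prioritise what a human reviews, not a verdict.
"""
import re
from dataclasses import dataclass

# DDS prints: 2009-11-10 00:56 0 a---h--- c:\windows\system32\pebenebu
DDS_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>\S.*?)\s*$"
)

# Assumed allowlist: names that are legitimately hidden/system on a clean install.
KNOWN_HIDDEN = {"desktop.ini", "thumbs.db", "pagefile.sys", "hiberfil.sys", "bootmgr"}
VOWELS = set("aeiou")

# Sample input: lines copied from the DDS log above (constructed subset).
SAMPLE_DDS = [
    r"2009-11-10 07:17 19,160 a------- c:\windows\system32\drivers\mbam.sys",
    r"2009-11-10 00:56 0 a---h--- c:\windows\system32\pebenebu",
    r"2009-11-10 00:56 <DIR> --dsh--- c:\windows\system32\%APPDATA%",
    r"2009-11-09 20:12 0 a--sh--- C:\-1540018669",
    r"2008-10-07 15:09 174 a--sh--- c:\program files\desktop.ini",
    r"2009-10-01 09:29 195,440 -------- c:\windows\system32\MpSigStub.exe",
    r"2009-08-10 00:56 92,160 a--sh--- c:\windows\system32\fiyamepe.dll",
    r"2009-08-09 20:12 52,736 a--sh--- c:\windows\system32\rutijeri.dll",
]


@dataclass
class Entry:
    date: str
    time: str
    size: str
    attrs: str   # DDS attribute flags, e.g. "a--sh---" (a=archive, s=system, h=hidden)
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def directory(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower() if "\\" in self.path else ""

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs


def parse_dds(lines):
    """Parse DDS file-listing lines; section headers and blank lines are skipped."""
    entries = []
    for line in lines:
        m = DDS_LINE.match(line.strip())
        if m:
            entries.append(Entry(**m.groupdict()))
    return entries


def looks_random(name: str) -> bool:
    """Heuristic: alternating consonant/vowel stems of 6+ letters (pebenebu,
    fiyamepe) are typical of generated names.  Used only together with another
    indicator, because real names such as wininet also match."""
    stem = name.split(".")[0].lower()
    if len(stem) < 6 or not stem.isalpha():
        return False
    return all((ch in VOWELS) == (i % 2 == 1) for i, ch in enumerate(stem))


def is_sensitive_dir(directory: str) -> bool:
    """Volume root or system32 itself (assumption: its subdirectories are excluded)."""
    return directory.endswith(":") or directory.endswith("\\windows\\system32")


def triage(lines):
    """Return {path: [reasons]} for entries that deserve a closer look."""
    findings = {}
    for e in parse_dds(lines):
        reasons = []
        if (e.hidden or e.system) and is_sensitive_dir(e.directory) \
                and e.name.lower() not in KNOWN_HIDDEN:
            reasons.append("hidden/system attribute in " + e.directory)
        if re.fullmatch(r"%[A-Za-z_]+%", e.name):
            reasons.append("literal environment-variable name used as a directory")
        if looks_random(e.name) and (e.hidden or e.system or "." not in e.name):
            reasons.append("consonant-vowel generated-looking name")
        if reasons:
            findings[e.path] = reasons
    return findings


if __name__ == "__main__":
    for path, why in triage(SAMPLE_DDS).items():
        print(path, "->", "; ".join(why))
```

On the sample above the script reports the five entries named in the lead-in and stays quiet on mbam.sys, MpSigStub.exe and the Program Files desktop.ini. The attribute rule does the real work; the name heuristic only adds a second reason, so a legitimately named file is never flagged on spelling alone.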

#6 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 17 November 2009 - 11:31 AM

Hi,

Deselect Devices and Sections from the GMER options and try to run it again. If it still fails, see if you have better luck in safe mode.

Also, it seems that you've run ComboFix there (not advisable without a supervisor!). Post the contents of the c:\ComboFix.txt file. The file should already be present after your earlier run.

Do you happen to have a topic open at MajorGeeks by any chance too?

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#7 Westee

Westee
  • Topic Starter

  • Members
  • 13 posts

Posted 17 November 2009 - 07:50 PM

Hi,

No this is the only topic that I have started, I have not started one on any other forums.

I could not find the Combofix.txt file under c:\ . It was run last week sometime, I think. The program is still on the PC at C:\Combofix\ ; should I remove it (I did not see the .txt file there either)?

Deselecting sections and devices allowed GMER run. Here is the info from it:

*I must have had the Files unselected to cause it did run them. I will run that this evening and post it too*


GMER 1.0.15.15227 - http://www.gmer.net
Rootkit scan 2009-11-17 18:42:01
Windows 6.0.6002 Service Pack 2
Running: 6khowcs0.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\awaoqkow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwAlpcConnectPort [0x9157D880]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0x9157D4E0]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0x9157A828]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateKey [0x91590D9C]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0x9157DC36]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcess [0x9158EAF8]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0x9158ED12]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateSection [0x91592780]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0x9157DCDE]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0x9157AD0A]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteKey [0x91591698]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0x91591414]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0x9158E4F8]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey [0x91591BC6]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0x91591C3E]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKeyEx [0x91591D2E]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0x9157ABA2]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenProcess [0x9158FF18]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRenameKey [0x91592370]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwReplaceKey [0x91591DA6]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0x9157D16A]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRestoreKey [0x915921B0]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0x9157D680]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0x9157AEF8]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetValueKey [0x9159111A]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0x9158F486]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0x9158F362]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateUserProcess [0x9158EF30]

INT 0x52 ? 88AD1BF8
INT 0x62 ? 88AD1BF8
INT 0x72 ? 85F63BF8
INT 0x82 ? 85F63BF8
INT 0x92 ? 85F63BF8
INT 0x92 ? 85F63BF8
INT 0x92 ? 88AD1BF8
INT 0x92 ? 85F63BF8

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\services.exe[648] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 000C0002
IAT C:\Windows\system32\services.exe[648] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 000C0000
IAT C:\Windows\Explorer.EXE[3908] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73D77817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3908] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73DCA86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3908] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73D7BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3908] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73D6F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3908] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73D775E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3908] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73D6E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3908] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73DA8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3908] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73D7DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3908] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73D6FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3908] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73D6FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3908] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73D671CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3908] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [73DFCAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3908] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73D9C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3908] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73D6D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3908] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73D66853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3908] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73D6687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3908] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73D72AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0002760c6886 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xAB 0xC0 0xEF 0x29 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xF9 0x1C 0x1E 0x36 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x57 0x12 0xDE 0xA5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0002760c6886
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xAB 0xC0 0xEF 0x29 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xDB 0xD2 0x82 0x37 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x57 0x12 0xDE 0xA5 ...
Reg HKLM\SYSTEM\ControlSet005\Services\BTHPORT\Parameters\Keys\0002760c6886 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xAB 0xC0 0xEF 0x29 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xDB 0xD2 0x82 0x37 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x57 0x12 0xDE 0xA5 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{11A1645C-7B29-933A-2B53-119B214F09F4}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5EFA93CC-508E-63BB-35EC-C3C4FA308110}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5EFA93CC-508E-63BB-35EC-C3C4FA308110}@bbfhmmengclgmdfhjikpkfpmkoclebfpapkb 0x61 0x62 0x61 0x67 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5EFA93CC-508E-63BB-35EC-C3C4FA308110}@abfhmmengclgmdfhjidpondipondbgmfni 0x67 0x62 0x6A 0x67 ...

---- EOF - GMER 1.0.15 ----

#8 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 18 November 2009 - 01:01 AM

Hi,

Uninstall Daemon Tools and then download SPTD setup file here and execute it.

In the dialog that appears, press the "Uninstall" button and SPTD will remove itself from your Windows installation.


When done, do as instructed in the ComboFix tutorial to download and run a fresh copy of ComboFix. Post back its log and a fresh DDS log.



#9 Westee

Westee
  • Topic Starter

  • Members
  • 13 posts

Posted 18 November 2009 - 04:33 PM

I uninstalled Daemon Tools and did the SPTD uninstall.

I however cannot get Combofix to work. At first when I downloaded it and tried installing it, it kept saying corrupt files and to reinstall it. It would never work. So I downloaded it on my other PC and transferred it on a flash drive to this one. It would let me open it then, but when it tried to run on the blue screen it would say Administrator Access Denied. So I ran it as admin, and still got the same thing. It would save the registry files, but would then just sit there on the scanning part of it. I let it try for around an hour.

Not sure if you still wanted the dds.txt without running that so I haven't done that yet.

Thanks.

#10 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 18 November 2009 - 04:44 PM

Hi,

If you had protection software disabled and ComboFix still didn't make any progress, please reboot into safe mode and run it there.



#11 Westee

Westee
  • Topic Starter

  • Members
  • 13 posts

Posted 19 November 2009 - 08:05 PM

Hi,

Yeah, I had Avast turned off and ZoneAlarm disabled. I tried to run it in safe mode, and I still get this message when trying to run it:

Access Denied Admin Permissions are needed to use the selected options. Use an Admin command prompt to complete these tasks.


That happens in the ComboFix app after it loads. It did act like it was scanning. I let it run for 3-4 hours, then checked back on it and there was a popup message saying:

Combofix has detected the presence of rootkit activity and needs to reboot the machine.

There have never been any Stages completed. I rebooted, then retried the scan, but it just hung there again.

#12 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 20 November 2009 - 01:37 AM

Hi,

Disable UAC (User Account Control) by following the "Disable UAC on Windows Vista" part of the instructions here. See if you're able to run ComboFix after that.



#13 Westee

Westee
  • Topic Starter

  • Members
  • 13 posts

Posted 22 November 2009 - 09:13 AM

Hi,

I had UAC shut off when I tried to run it. I double-checked that it was off and tried to run it again, but I am still having the same issues with it.

#14 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 22 November 2009 - 01:08 PM

Hi,

Please get a fresh copy of GMER and run it (see if you're able to run the scan without disabling any GMER options this time). Post back the report.

Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.



#15 Westee

Westee
  • Topic Starter

  • Members
  • 13 posts

Posted 25 November 2009 - 08:55 AM

Hi,

Sorry for the late response I have had the flu the last few days, and am just getting around again.

Anyway, I was unable to run GMER with anything unselected, as it still crashes the PC. Here is the Win32kDiag.txt:

Running from: C:\Users\Administrator\Desktop\Win32kDiag.exe
Log file at : C:\Users\Administrator\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\Windows'...
Cannot access: C:\Windows\bthservsdp.dat
[1] 2009-11-20 01:18:17 2907 C:\Windows\bthservsdp.dat ()
Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
[1] 2009-11-24 13:32:24 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()
Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
[1] 2009-11-24 13:32:02 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()
Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
[1] 2009-11-24 13:32:13 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()
Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
[1] 2009-11-24 13:32:13 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()
Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl
[1] 2009-11-24 13:33:27 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl ()
Cannot access: C:\Windows\winsxs\Backup\x86_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.0.6002.18005_none_d6fc7cca49dba20f.manifest
[1] 2009-09-23 08:33:15 18472 C:\Windows\winsxs\Backup\x86_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.0.6002.18005_none_d6fc7cca49dba20f.manifest ()
[1] 2009-04-10 23:37:08 18472 C:\Windows\winsxs\Manifests\x86_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.0.6002.18005_none_d6fc7cca49dba20f.manifest ()
Cannot access: C:\Windows\winsxs\Backup\x86_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.0.6002.18005_none_d6fc7cca49dba20f_aelupsvc.dll_f420497b
[1] 2009-09-23 08:33:15 24576 C:\Windows\winsxs\Backup\x86_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.0.6002.18005_none_d6fc7cca49dba20f_aelupsvc.dll_f420497b ()
Cannot access: C:\Windows\winsxs\Backup\x86_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.0.6002.18005_none_d6fc7cca49dba20f_apphelp.dll_7ce69c4a
[1] 2009-09-23 08:33:15 171008 C:\Windows\winsxs\Backup\x86_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.0.6002.18005_none_d6fc7cca49dba20f_apphelp.dll_7ce69c4a ()
Cannot access: C:\Windows\winsxs\Backup\x86_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.0.6002.18005_none_d6fc7cca49dba20f_sdbinst.exe_8725e339
[1] 2009-09-23 08:33:15 20992 C:\Windows\winsxs\Backup\x86_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.0.6002.18005_none_d6fc7cca49dba20f_sdbinst.exe_8725e339 ()
Cannot access: C:\Windows\winsxs\Backup\x86_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.0.6002.18005_none_d6fc7cca49dba20f_shimeng.dll_2036b947
[1] 2009-09-23 08:33:15 111104 C:\Windows\winsxs\Backup\x86_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.0.6002.18005_none_d6fc7cca49dba20f_shimeng.dll_2036b947 ()
Cannot access: C:\Windows\winsxs\Backup\x86_microsoft-windows-a..es-interface-router_31bf3856ad364e35_6.0.6001.18000_none_57f606a87e892d47.manifest
[1] 2008-10-07 14:44:30 198829 C:\Windows\winsxs\Backup\x86_microsoft-windows-a..es-interface-router_31bf3856ad364e35_6.0.6001.18000_none_57f606a87e892d47.manifest ()
[1] 2008-01-18 23:10:22 198829 C:\Windows\winsxs\Manifests\x86_microsoft-windows-a..es-interface-router_31bf3856ad364e35_6.0.6001.18000_none_57f606a87e892d47.manifest ()
Cannot access: C:\Windows\winsxs\Backup\x86_microsoft-windows-a..es-interface-router_31bf3856ad364e35_6.0.6001.18000_none_57f606a87e892d47_activeds.dll_662643d7
[1] 2008-10-07 14:44:31 204800 C:\Windows\winsxs\Backup\x86_microsoft-windows-a..es-interface-router_31bf3856ad364e35_6.0.6001.18000_none_57f606a87e892d47_activeds.dll_662643d7 ()
Cannot access: C:\Windows\winsxs\Backup\x86_microsoft-windows-a..es-interface-router_31bf3856ad364e35_6.0.6001.18000_none_57f606a87e892d47_activeds.tlb_662648dd
[1] 2008-10-07 14:44:31 111616 C:\Windows\winsxs\Backup\x86_microsoft-windows-a..es-interface-router_31bf3856ad364e35_6.0.6001.18000_none_57f606a87e892d47_activeds.tlb_662648dd ()

It gave some kind of errors in the beginning too. Not sure if the scan is what you are looking for or not.

Should I run GMER again with those options deselected? Thanks.



