Odd Nexplorer popup type infection


This topic is locked
8 replies to this topic

#1 Unbelieve


Posted 23 November 2009 - 05:29 PM

Referred from here: http://www.bleepingcomputer.com/forums/t/270562/annoying-nexplore-popup/ ~ OB

I'm suffering from some sort of infection that recognizes what web page I'm looking at, and will open up a similar-seeming page like it.
I open Google = Nexplorer opens as well
I open my college home page = an ad saying "Three easy steps to get your online degree"
I open eBay = an ad for a secret government auction site
I open my insurance site = an ad saying how I can save 500 dollars a year
Get the idea?
My Firefox pop-up blocker is on, so I know it's not that.
And no odd processes stick out in Task Manager.
I still don't recognize half the stuff in Process Explorer, so I really can't say in that aspect.

DDS.scr won't complete, so I was told to list the OTL log instead.

Edited by Orange Blossom, 23 November 2009 - 06:32 PM.


#2 Buckeye_Sam (Malware Expert)

Posted 24 November 2009 - 08:31 AM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the contents of C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Unbelieve


Posted 24 November 2009 - 04:02 PM

Hello Sam,

Here's the log.


ComboFix 09-11-23.06 - DemondLoki 11/24/2009 14:19.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2558.2144 [GMT -6:00]
Running from: c:\documents and settings\DemondLoki\Desktop\ComboFix.exe
AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\bekiniso.dll
c:\windows\system32\bipamowo.dll
c:\windows\system32\bomeseje.dll
c:\windows\system32\dazeneho.dll
c:\windows\system32\donovuyi.dll
c:\windows\system32\dujuruto.dll
c:\windows\system32\famafoha.dll
c:\windows\system32\galipiha.dll
c:\windows\system32\gofizesa.dll
c:\windows\system32\gohejane.dll
c:\windows\system32\gomepeki.dll
c:\windows\system32\hemezawo.dll
c:\windows\system32\hohesoso.dll
c:\windows\system32\jisagoyi.dll
c:\windows\system32\kakugaye.dll
c:\windows\system32\navaguke.dll
c:\windows\system32\nehejipe.dll
c:\windows\system32\nepuparu.dll
c:\windows\system32\nihiwuga.dll
c:\windows\system32\nitizebi.dll
c:\windows\system32\pajorifo.dll
c:\windows\system32\pipemuyo.dll
c:\windows\system32\rabivufu.dll
c:\windows\system32\reperoro.dll
c:\windows\system32\saneneje.dll
c:\windows\system32\sufohuwe.dll
c:\windows\system32\suzezufu.dll
c:\windows\system32\vekukako.dll
c:\windows\system32\viyubabe.dll
c:\windows\system32\wotohuhi.dll
c:\windows\system32\wunezuku.dll
c:\windows\system32\yejudogi.dll
c:\windows\system32\yetogusu.dll
c:\windows\system32\yihamidi.dll
c:\windows\system32\yojohebu.dll
c:\windows\system32\zaroyisu.dll
c:\windows\system32\zenapepe.dll
c:\windows\Tasks\xnrdulhj.job

----- BITS: Possible infected sites -----

hxxp://82.98.231.98
.
((((((((((((((((((((((((( Files Created from 2009-10-24 to 2009-11-24 )))))))))))))))))))))))))))))))
.

2009-11-24 12:53 . 2009-11-24 13:03 -------- d-----w- c:\documents and settings\DemondLoki\Local Settings\Application Data\Deployment
2009-11-24 12:52 . 2009-11-24 20:12 571088 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-11-24 12:51 . 2009-11-24 12:51 -------- d-----w- c:\windows\system32\XPSViewer
2009-11-24 12:51 . 2009-11-24 12:51 -------- d-----w- c:\program files\MSBuild
2009-11-24 10:38 . 2009-11-24 10:38 -------- d-----w- c:\program files\Reference Assemblies
2009-11-24 10:38 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-11-24 10:38 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-11-24 10:38 . 2009-11-24 10:38 -------- d-----w- C:\4b0d03c1f86cff56f2aea892
2009-11-24 10:38 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-11-24 10:38 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-11-24 10:38 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-11-24 10:38 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-11-24 10:38 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-11-24 10:35 . 2009-11-24 10:35 -------- d-----w- c:\program files\MSXML 6.0
2009-11-24 10:31 . 2009-11-24 10:31 -------- d-----w- C:\ed2ab3dead0e01ef8bad3b2a963a
2009-11-24 10:31 . 2009-11-24 10:31 -------- d-----r- C:\AHCache
2009-11-23 19:20 . 2009-11-23 19:20 117760 ----a-w- c:\documents and settings\DemondLoki\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-23 19:20 . 2009-11-23 19:20 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-23 19:20 . 2009-11-23 19:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-23 19:20 . 2009-11-23 19:20 -------- d-----w- c:\documents and settings\DemondLoki\Application Data\SUPERAntiSpyware.com
2009-11-19 02:24 . 2009-11-19 02:24 -------- d-----w- c:\documents and settings\DemondLoki\Local Settings\Application Data\Blizzard Entertainment
2009-11-19 02:04 . 2009-11-19 02:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2009-11-15 16:29 . 2009-11-15 16:29 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-15 16:29 . 2009-11-15 16:29 93360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2009-11-15 16:29 . 2009-11-15 16:29 554280 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2009-11-15 16:29 . 2009-11-18 16:29 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-11-15 16:29 . 2009-11-15 16:29 212480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\VipreBridge.dll
2009-11-15 16:29 . 2009-11-15 16:29 283944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Vipre.dll
2009-11-15 16:29 . 2009-11-15 16:29 1223976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll
2009-11-15 16:29 . 2009-11-15 16:29 242984 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
2009-11-15 16:28 . 2009-11-15 16:28 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-15 16:28 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-14 23:13 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-14 23:13 . 2009-11-15 01:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-14 23:13 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-10 18:42 . 2009-11-10 18:45 -------- d-----w- C:\rsit
2009-11-09 05:46 . 2009-11-09 05:46 -------- d-----w- c:\documents and settings\DemondLoki\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-11-09 04:40 . 2009-11-09 04:40 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-11-09 04:39 . 2009-11-09 10:17 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-09 04:39 . 2009-11-09 04:39 -------- d-----w- c:\program files\NOS
2009-11-09 04:39 . 2009-09-23 22:37 34112 ----a-w- c:\documents and settings\DemondLoki\Application Data\Mozilla\Firefox\Profiles\e8mcr890.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
2009-11-09 04:39 . 2009-09-23 22:37 32448 ----a-w- c:\documents and settings\DemondLoki\Application Data\Mozilla\Firefox\Profiles\e8mcr890.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-11-09 04:39 . 2009-09-23 22:37 22352 ----a-w- c:\documents and settings\DemondLoki\Application Data\Mozilla\Firefox\Profiles\e8mcr890.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-10-30 09:24 . 2009-10-30 09:24 -------- d-----w- c:\documents and settings\DemondLoki\Local Settings\Application Data\CCP
2009-10-30 09:19 . 2007-07-20 00:14 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll
2009-10-30 08:29 . 2009-10-30 08:29 -------- d-----w- c:\program files\CCP
2009-10-30 08:29 . 2009-10-30 08:29 -------- d-----w- c:\documents and settings\All Users\Application Data\CCP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-24 12:53 . 2008-10-13 16:23 12328 ----a-w- c:\documents and settings\DemondLoki\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-24 12:48 . 2009-01-27 04:50 -------- d-----w- c:\program files\lg_fwupdate
2009-11-23 19:19 . 2009-03-26 09:49 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-18 03:11 . 2009-04-06 02:49 -------- d-----w- c:\documents and settings\DemondLoki\Application Data\dvdcss
2009-11-15 16:29 . 2009-05-29 15:11 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-15 16:29 . 2009-05-29 08:16 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-11-15 16:29 . 2009-06-19 08:16 5908024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-11-10 18:42 . 2009-05-29 08:20 -------- d-----w- c:\program files\Trend Micro
2009-11-09 10:55 . 2009-01-27 04:50 16384 ----a-w- c:\windows\system32\lgfwunis.exe
2009-11-09 04:42 . 2008-10-13 15:48 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-31 21:19 . 2009-01-27 04:46 -------- d-----w- c:\program files\CyberLink
2009-10-31 21:19 . 2008-10-13 15:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-04 01:06 . 2009-03-15 04:32 -------- d-----w- c:\documents and settings\All Users\Application Data\TrackMania
2009-10-01 17:27 . 2009-02-06 03:58 65536 ----a-w- c:\windows\IFinst27.exe
2009-09-25 08:16 . 2009-09-25 08:16 17632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\WSCUpdate.dll
2009-09-25 08:16 . 2009-09-25 08:16 68640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\lbd.sys
2009-09-25 08:16 . 2009-09-25 08:16 303976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\AAWDriverTool.exe
2009-09-25 08:16 . 2009-06-19 08:16 640760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-09-23 12:55 . 2009-05-29 08:16 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-11-18 788880]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2009-09-04 75048]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2009-04-17 87336]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2009-04-17 62760]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-06-13 16377344]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

c:\documents and settings\DemondLoki\Start Menu\Programs\Startup\
Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2009-8-7 109568]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\TmNationsForever\\TmForever.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Autodesk\\Maya2009\\bin\\maya.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\threatwork.exe"=
"c:\\Program Files\\Ulitma On WOW\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\Ulitma On WOW\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\Ulitma On WOW\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\Ulitma On WOW\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Documents and Settings\\DemondLoki\\Desktop\\TFC.exe"=
"c:\\Documents and Settings\\DemondLoki\\Local Settings\\Apps\\2.0\\13H7NT6L.AR2\\AO2XHMRN.JAA\\curs..tion_eee711038731a406_0004.0000_10385b9745e33e88\\CurseClient.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/29/2009 2:16 AM 64288]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/30/2009 2:16 PM 717296]
R1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [1/26/2009 10:49 PM 16048]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
R2 CLBUDF;CyberLink InstantBurn UDF Filesystem;c:\windows\system32\drivers\CLBUDF.sys [1/26/2009 10:49 PM 162096]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 5:17 AM 1184912]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [5/29/2009 2:21 AM 50192]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [5/29/2009 2:19 AM 36368]
S2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [5/29/2009 2:21 AM 677128]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/4/2004 6:00 AM 14336]
S3 NDISKIO;NDISKIO;\??\c:\docume~1\DEMOND~1\LOCALS~1\Temp\a0917f25.nmc\nse\bin\ndiskio.sys --> c:\docume~1\DEMOND~1\LOCALS~1\Temp\a0917f25.nmc\nse\bin\ndiskio.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-11-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 16:29]
.
.
------- Supplementary Scan -------
.
TCP: {4923C41A-2F84-4D07-B791-3CC18FA5F5EA} = 83.149.115.182
FF - ProfilePath - c:\documents and settings\DemondLoki\Application Data\Mozilla\Firefox\Profiles\e8mcr890.default\
FF - prefs.js: browser.startup.homepage - hxxp://black-google.blogspot.com/
FF - plugin: c:\documents and settings\DemondLoki\Application Data\Move Networks\plugins\npqmp071504000001.dll
FF - plugin: c:\documents and settings\DemondLoki\Application Data\Mozilla\Firefox\Profiles\e8mcr890.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\DemondLoki\Application Data\Mozilla\Firefox\Profiles\e8mcr890.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
.
- - - - ORPHANS REMOVED - - - -

BHO-{65942f6e-60c1-4d8d-8791-8c447497099b} - yejudogi.dll
HKCU-Run-Power2GoExpress - (no file)
HKLM-Run-guzayuzah - c:\windows\system32\gofizesa.dll
HKLM-Run-repoyupeki - dujuruto.dll
SharedTaskScheduler-{91ccd4d1-e10e-4f0e-8caf-0c0fe5fb4f5f} - c:\windows\system32\vovugesi.dll
SharedTaskScheduler-{2a5b77e8-0be1-42cb-b035-4a73f94dca40} - c:\windows\system32\lejoguja.dll
SharedTaskScheduler-{cc1eda50-e824-4ce8-9164-fdaad593a71d} - c:\windows\system32\lejoguja.dll
SharedTaskScheduler-{7183e5a8-6769-4017-8361-988fd17629de} - c:\windows\system32\lejoguja.dll
SharedTaskScheduler-{95afe0be-c328-4b2f-8a0e-b5879458be0e} - c:\windows\system32\lejoguja.dll
SharedTaskScheduler-{8a70a1d1-48af-432e-84ff-6035f0b499b0} - c:\windows\system32\gofizesa.dll
SSODL-zuvayokey-{91ccd4d1-e10e-4f0e-8caf-0c0fe5fb4f5f} - c:\windows\system32\vovugesi.dll
SSODL-rutitusij-{2a5b77e8-0be1-42cb-b035-4a73f94dca40} - c:\windows\system32\lejoguja.dll
SSODL-vekobipuf-{cc1eda50-e824-4ce8-9164-fdaad593a71d} - c:\windows\system32\lejoguja.dll
SSODL-galanifen-{7183e5a8-6769-4017-8361-988fd17629de} - c:\windows\system32\lejoguja.dll
SSODL-bepogahig-{95afe0be-c328-4b2f-8a0e-b5879458be0e} - c:\windows\system32\lejoguja.dll
SSODL-zisetayip-{8a70a1d1-48af-432e-84ff-6035f0b499b0} - c:\windows\system32\gofizesa.dll
AddRemove-Ad-Aware - c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe REMOVE=TRUE MODIFY=FALSE
AddRemove-NVIDIA Drivers - c:\windows\system32\nvuninst.exe UninstallGUI



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-24 14:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A1481F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cfc3
\Driver\ACPI -> ACPI.sys @ 0xba667cb8
\Driver\atapi -> 0x8a1481f8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058236c
ParseProcedure -> ntkrnlpa.exe @ 0x8058146a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058236c
ParseProcedure -> ntkrnlpa.exe @ 0x8058146a
NDIS: NVIDIA nForce Networking Controller #2 -> SendCompleteHandler -> NDIS.sys @ 0xba506ba0
PacketIndicateHandler -> NDIS.sys @ 0xba513b21
SendHandler -> NDIS.sys @ 0xba4f187b
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x01D1C06C0
malicious code @ sector 0x01D1C06C3 !
PE file found in sector at 0x01D1C06D9 !

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3604)
c:\windows\system32\shdoclc.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\RUNDLL32.EXE
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-24 14:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-24 20:33

Pre-Run: 69,262,151,680 bytes free
Post-Run: 69,069,062,144 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - E0D08612527B5DB1C5087D07B794A1F5

Edited by Buckeye_Sam, 24 November 2009 - 05:46 PM.
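As an added example (not code from this thread, from ComboFix or from its author), here is a small Python triage script that scans a ComboFix log like the one above for the alternating consonant/vowel file names the log is full of (bekiniso.dll, gofizesa.dll, lejoguja.dll) and maps each one to the deletion entries and orphaned load points (Run keys, BHO, SSODL, SharedTaskScheduler) that referenced it. The naming heuristic is my own assumption, not a ComboFix rule; the sample input is an excerpt of the log in this post.

```python
"""Triage helper for ComboFix logs (added example, not ComboFix's own code).

Flags file names made of strictly alternating consonants and vowels, 8-10
letters long, and reports which deleted entries and orphaned load points
referenced each one. The naming heuristic is an assumption, not a ComboFix rule.
"""
import re
from collections import defaultdict

VOWELS = set("aeiou")

# Section banners as ComboFix prints them, e.g.
# "((((( Other Deletions )))))" or "- - - - ORPHANS REMOVED - - - -".
HEADER_RE = re.compile(r"^[(\-\s]{3,}\s*([A-Za-z][A-Za-z0-9'\- ]+?)\s*[)\-\s]{3,}$")
# Orphan lines: "<kind>-<name or GUID> - <target file>".
ORPHAN_RE = re.compile(
    r"^(?P<kind>BHO|HKLM-Run|HKCU-Run|SharedTaskScheduler|SSODL)-(?P<name>.+?) - (?P<target>.+)$")
GUID_RE = re.compile(r"-?\{[0-9A-Fa-f-]+\}")
# Last path component of every .dll/.exe/.sys mentioned on a line.
FILE_RE = re.compile(r'([^\\\s"]+)\.(dll|exe|sys)\b', re.IGNORECASE)


def looks_pseudo_random(stem, min_len=8, max_len=10):
    """True for names like 'lejoguja' or 'guzayuzah': ASCII lowercase letters,
    8-10 long, consonant at even positions and vowel at odd positions ('y'
    counts as a consonant). Real names such as 'NvCpl' or 'shdoclc' fail."""
    if not (min_len <= len(stem) <= max_len):
        return False
    if not (stem.isascii() and stem.isalpha() and stem.islower()):
        return False
    return all((ch in VOWELS) == (i % 2 == 1) for i, ch in enumerate(stem))


def triage(log_text):
    """Map each suspicious file name to the sorted contexts it appeared in:
    'deleted' for the Other Deletions list, the orphaned load point
    (e.g. 'HKLM-Run-guzayuzah', 'SSODL-zisetayip', 'BHO') for orphan lines,
    otherwise the lower-cased name of the log section."""
    findings = defaultdict(set)
    section = "preamble"
    for raw in log_text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            section = header.group(1).lower()
            continue
        orphan = ORPHAN_RE.match(line)
        if orphan:
            name = GUID_RE.sub("", orphan["name"])
            context = f"{orphan['kind']}-{name}" if name else orphan["kind"]
        elif section == "other deletions":
            context = "deleted"
        else:
            context = section
        for stem, ext in FILE_RE.findall(line):
            if looks_pseudo_random(stem):
                findings[f"{stem}.{ext.lower()}"].add(context)
    return {fname: sorted(ctx) for fname, ctx in findings.items()}


# Constructed sample input: an excerpt of the ComboFix log posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bekiniso.dll
c:\windows\system32\dujuruto.dll
c:\windows\system32\gofizesa.dll
c:\windows\system32\yejudogi.dll
c:\windows\Tasks\xnrdulhj.job

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]

- - - - ORPHANS REMOVED - - - -

BHO-{65942f6e-60c1-4d8d-8791-8c447497099b} - yejudogi.dll
HKCU-Run-Power2GoExpress - (no file)
HKLM-Run-guzayuzah - c:\windows\system32\gofizesa.dll
HKLM-Run-repoyupeki - dujuruto.dll
SharedTaskScheduler-{91ccd4d1-e10e-4f0e-8caf-0c0fe5fb4f5f} - c:\windows\system32\vovugesi.dll
SSODL-zisetayip-{8a70a1d1-48af-432e-84ff-6035f0b499b0} - c:\windows\system32\gofizesa.dll

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3604)
c:\windows\system32\shdoclc.dll
"""

if __name__ == "__main__":
    for fname, contexts in sorted(triage(SAMPLE_LOG).items()):
        print(f"{fname:14} {', '.join(contexts)}")
```

The heuristic is deliberately narrow: it catches this family's naming scheme but not names like xnrdulhj.job, so treat a clean result as "nothing of this pattern found", not as a clean machine.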


#4 Buckeye_Sam (Malware Expert)

Posted 24 November 2009 - 05:49 PM

Please do not attach log files unless specifically requested to do so. Just copy the text in the log and then paste it directly into your reply.
It makes it much easier for me to review the information if I can see it all in one place.


Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.


#5 Unbelieve

Posted 26 November 2009 - 01:51 AM

Sam,
Popups have stopped.



GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-26 00:49:24
Windows 5.1.2600 Service Pack 2
Running: b5mmu3ip.exe; Driver: C:\DOCUME~1\DEMOND~1\LOCALS~1\Temp\uwtdipow.sys


---- System - GMER 1.0.15 ----

SSDT 88C86C60 ZwCreateKey
SSDT 88C86160 ZwCreateProcess
SSDT 88C86420 ZwCreateProcessEx
SSDT 88C87AC0 ZwCreateThread
SSDT 88C871E0 ZwDeleteKey
SSDT 88C874A0 ZwDeleteValueKey
SSDT spio.sys ZwEnumerateKey [0xBA6C6CA2]
SSDT spio.sys ZwEnumerateValueKey [0xBA6C7030]
SSDT 88C87C60 ZwLoadDriver
SSDT spio.sys ZwOpenKey [0xBA6A80C0]
SSDT 88C866E0 ZwOpenProcess
SSDT spio.sys ZwQueryKey [0xBA6C7108]
SSDT spio.sys ZwQueryValueKey [0xBA6C6F88]
SSDT 88C86F20 ZwSetValueKey
SSDT 88C869A0 ZwTerminateProcess
SSDT 88C87920 ZwWriteVirtualMemory

INT 0x73 ? 8A148BF8
INT 0x73 ? 8A148BF8
INT 0x73 ? 89E8DBF8
INT 0x73 ? 8A148BF8
INT 0xB4 ? 89E8DBF8

---- Kernel code sections - GMER 1.0.15 ----

? spio.sys The system cannot find the file specified. !
? Combo-Fix.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload BA03462C 5 Bytes JMP 89E8D1D8
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6A9040] spio.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6A913C] spio.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6A90BE] spio.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6A97FC] spio.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6A96D2] spio.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A1471F8
Device \FileSystem\Udfs \UdfsCdRom 89C52500
Device \FileSystem\Udfs \UdfsCdRom CLBUDF.SYS (UDF File System Driver /CyberLink Corporation.)
Device \FileSystem\Udfs \UdfsDisk 89C52500
Device \FileSystem\Udfs \UdfsDisk CLBUDF.SYS (UDF File System Driver /CyberLink Corporation.)

AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \Driver\usbohci \Device\USBPDO-0 89F3E1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A0D91F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A0D91F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A0D91F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A0D91F8
Device \Driver\usbehci \Device\USBPDO-1 89E881F8
Device \Driver\usbohci \Device\USBPDO-2 89F3E1F8
Device \Driver\usbehci \Device\USBPDO-3 89E881F8

AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \Driver\Ftdisk \Device\HarddiskVolume1 8A1491F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A1491F8
Device \Driver\Cdrom \Device\CdRom0 89E731F8
Device \Driver\atapi \Device\Ide\IdePort0 8A1481F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-5 8A1481F8
Device \Driver\atapi \Device\Ide\IdePort1 8A1481F8
Device \Driver\atapi \Device\Ide\IdePort2 8A1481F8
Device \Driver\atapi \Device\Ide\IdePort3 8A1481F8
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-10 8A1481F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 88D2A1F8
Device \Driver\usbstor \Device\00000083 89D4E500
Device \Driver\NetBT \Device\NetbiosSmb 88D2A1F8
Device \Driver\usbstor \Device\00000087 89D4E500
Device \Driver\usbstor \Device\00000088 89D4E500

AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \Driver\usbstor \Device\00000089 89D4E500

AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \Driver\usbohci \Device\USBFDO-0 89F3E1F8
Device \Driver\usbehci \Device\USBFDO-1 89E881F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 88D221F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{4923C41A-2F84-4D07-B791-3CC18FA5F5EA} 88D2A1F8
Device \Driver\usbohci \Device\USBFDO-2 89F3E1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 88D221F8
Device \Driver\usbehci \Device\USBFDO-3 89E881F8
Device \Driver\Ftdisk \Device\FtControl 8A1491F8
Device \Driver\usbstor \Device\0000008a 89D4E500
Device \FileSystem\Cdfs \Cdfs 89EB2468
Device \FileSystem\Cdfs \Cdfs CLBUDF.SYS (UDF File System Driver /CyberLink Corporation.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xFE 0x4F 0x01 0x13 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xF0 0xB6 0xF0 0x77 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x18 0x7A 0x16 0xA7 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xFE 0x4F 0x01 0x13 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xF0 0xB6 0xF0 0x77 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x18 0x7A 0x16 0xA7 ...

---- EOF - GMER 1.0.15 ----

#6 Buckeye_Sam (Malware Expert)

Posted 27 November 2009 - 12:07 PM

Try a Google search and see if you get redirected to a different site when you click on the results of the search.
Let me know of any other issues that you're still having.

#7 Unbelieve

Posted 29 November 2009 - 02:45 PM

Nope, no more popups :( but I still can't seem to boot in safe mode.
Think that's a related problem or something totally different?

#8 Buckeye_Sam (Malware Expert)

Posted 29 November 2009 - 08:59 PM

Download SafeBootKeyRepair.exe by sUBs and save to your desktop.
  • Double-click on it and follow the instructions.
  • When finished, see if you can access safe mode.


#9 Buckeye_Sam (Malware Expert)

Posted 16 December 2009 - 10:21 AM

Unfortunately there has been no response. :(
This topic will now be closed.