Search Engine Redirect Malware


11 replies to this topic

#1 Cajunjambaliya


Posted 05 December 2009 - 03:32 AM

Good day,

I have a bit of a problem and, from what I have found, it is a common one. All my search engines appear to be hijacked and this is causing links to known sites to be redirected to non-related sites. To date, I have scanned my computer with: Spybot Search & Destroy, Malwarebytes, Clean This, Registry Edit, Crap Cleaner, McAfee Antivirus 2009, and a host of others in safe mode and didn't find anything.

This started a few weeks back when I was trying to view a movie sent to me by a mate and it said I needed a codec for it. A Microsoft pop-up occurred and I installed it. The update was saved on my desktop to scan and nothing was found. I installed the update and the exe file disappeared. My anti-virus didn't pick up anything but Malwarebytes picked up password.stealer and removed it. Since this time, my computer has had the search engine redirects with IE and Firefox. Also, my "cardspace" stopped working, as did ATI Catalyst Command Center.

I looked at the Hosts file in ETC and it showed normal. I am really at wit's end with this and I really don't want to re-format the hard drive, so this is my last resort. Any help would be most appreciated in this matter.

NOTE: RootRepeal crashed 3 times before I gave up. This is all I could get.

Hijack this log as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:12:35, on 5/12/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Kevin\Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Bluetooth HCI Monitor] RunDll32 HCIMNTR.DLL,RunCheckHCIMode
O4 - HKLM\..\Run: [SigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - http://support.ap.dell.com/systemprofiler/SysProExe.CAB
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DBDC1CDA-B64B-49F7-9535-6317AA416E51} (VMware_VDM_Client Class) - https://vdi.wilsongroupau.com/downloads/VMware-vdmclient.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\Windows\system32\CTsvcCDA.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\Users\Kevin\AppData\Local\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 10965 bytes


Edited by Cajunjambaliya, 05 December 2009 - 11:05 PM.



#2 etavares

  • Malware Response Team

Posted 18 December 2009 - 03:34 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Also, please subscribe to this topic, so you are notified when someone replies. Please continue to check manually on occasion, as every now and then the email may be caught by your spam filter.
To enable topic notifications you should do the following:
  • Click on the My Controls link at the top of the page to enter your control panel.
  • Scroll down to the Options category in the left hand side menu bar and click on the Email Settings link.
  • Put a checkmark in the checkbox labeled Enable 'Email Notification' by default?.
  • Set the If ticked, choose default type: menu option to Immediate Email Notification to have an email sent immediately when someone replies.
Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.



#3 Cajunjambaliya

  • Topic Starter

Posted 23 December 2009 - 03:59 AM

Hi and I apologize for not catching your reply sooner. I honestly didn't think I was going to get one. Here is the log you requested. An update on the situation is as follows:

When I do any search with a search engine, the search turns out fine. That is, until I click on the sublink within the search. Then I get re-directed to other sites, and something tries to download a malware antivirus and fake infections, and I get the usual "your computer is infected, please download our good natured software". I then close the entire browser from the taskbar. I can right-click and open in a new tab and it works without a problem.

Thus far, I have kept the infections from taking over completely, so to speak, with: SUPERAntiSpyware, ATF, Malwarebytes, Crap Cleaner, "clean my register", and the list goes on. Every day, I seem to have an infection of some sort. I have had rogue_installer, trojan downloader, Hiloti.gen installing into my Temp folder in Windows, and assorted malware detections. It seems to be installing when I use my browser.

I have tried another link that a Spyware Doctor tech suggested on their website. It was a proxy server and it seemed to have stopped the re-directs as long as I was in this "bubble". Whatever this bug is, it is nasty and it is doing a great job hiding from all the programs that I have downloaded or purchased to find it. The anti-virus seems to be detecting the symptoms and blocking it. It hasn't stopped the actual infection, and nothing has to date. ANY help would be much appreciated. It is hard finding techs that will look at this problem. The answer I get is "just reinstall", and that's all well and good, but that would be the last resort. So this is my pleading for help. :-)

Attached Files

  • Attached File: DDS.txt (20.48KB)


#4 schrauber

  • Malware Response Team
  • Location:Munich,Germany

Posted 23 December 2009 - 01:49 PM

Hello, Cajunjambaliya
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.




Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#5 Cajunjambaliya

  • Topic Starter

Posted 23 December 2009 - 09:20 PM

G'Day Tom,

It took five tries but I was able to get the log in safe mode. The computer kept giving me the "blue screen of death" and rebooting each time I scanned. Please find the pasted log as requested. Thanks again for your time and I really do appreciate it.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-24 13:15:09
Windows 6.0.6002 Service Pack 2
Running: nt57bb56.exe; Driver: C:\Users\Kevin\AppData\Local\Temp\aglcqpod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0x83017CDE]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0x83017ED0]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0x83017984]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateUserProcess [0x830180D8]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 209 826C294C 8 Bytes [DE, 7C, 01, 83, D0, 7E, 01, ...]
.text ntkrnlpa.exe!KeSetEvent + 621 826C2D64 4 Bytes [84, 79, 01, 83]
.text ntkrnlpa.exe!KeSetEvent + 6E5 826C2E28 4 Bytes [D8, 80, 01, 83]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[620] ole32.dll!CoCreateInstance 76399EA6 5 Bytes JMP 009E000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [749E7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74A3A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [749EBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [749DF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [749E75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [749DE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74A18395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [749EDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [749DFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [749DFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [749D71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [74A6CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74A0C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [749DD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [749D6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [749D687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [749E2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e4ce74b39
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e4ce74b39@0023f11a0274 0xCD 0x91 0xB9 0x73 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e4ce74b39@0012562d2dd8 0x37 0x84 0xD0 0x92 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e4ce74b39@0012ee066a3b 0xCC 0xF7 0x90 0x9A ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001e4ce74b39 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001e4ce74b39@0023f11a0274 0xCD 0x91 0xB9 0x73 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001e4ce74b39@0012562d2dd8 0x37 0x84 0xD0 0x92 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001e4ce74b39@0012ee066a3b 0xCC 0xF7 0x90 0x9A ...

---- EOF - GMER 1.0.15 ----
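Added example (not part of the thread, and not GMER's own code): a small Python triage helper for the kind of GMER output pasted above. It decodes the patched-byte dumps listed under "Kernel code sections" into little-endian pointers and compares them with the SSDT hook addresses, which on this log resolves them to the PC Tools driver already named in the SSDT lines, and it leaves the svchost.exe CoCreateInstance JMP with no owning module as the one item still needing attribution. The sample lines are copied from the log above; the "attributed"/"unattributed" verdicts are this script's heuristic, not a GMER feature.

```python
import re
import struct
from dataclasses import dataclass

# Constructed input: lines copied from the GMER log pasted earlier in this thread.
SAMPLE_LOG = r"""
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0x83017CDE]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0x83017ED0]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0x83017984]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateUserProcess [0x830180D8]
.text ntkrnlpa.exe!KeSetEvent + 209 826C294C 8 Bytes [DE, 7C, 01, 83, D0, 7E, 01, ...]
.text ntkrnlpa.exe!KeSetEvent + 621 826C2D64 4 Bytes [84, 79, 01, 83]
.text ntkrnlpa.exe!KeSetEvent + 6E5 826C2E28 4 Bytes [D8, 80, 01, 83]
.text C:\Windows\system32\svchost.exe[620] ole32.dll!CoCreateInstance 76399EA6 5 Bytes JMP 009E000A
"""

# Line shapes as GMER 1.0.15 prints them (regexes are this example's assumption).
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<driver>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]")
KPATCH_RE = re.compile(
    r"^\.text\s+(?P<module>[^!\s]+)!(?P<func>\w+)\s*\+\s*(?P<off>[0-9A-Fa-f]+)"
    r"\s+[0-9A-Fa-f]+\s+\d+\s+Bytes\s+\[(?P<bytes>[^\]]*)\]")
INLINE_RE = re.compile(
    r"^\.text\s+(?P<proc>\S+\[\d+\])\s+(?P<module>[^!\s]+)!(?P<func>\w+)\s+[0-9A-Fa-f]+"
    r"\s+\d+\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)(?:\s+(?P<owner>\S.*))?$")


@dataclass
class Finding:
    kind: str      # "ssdt", "kernel_patch" or "inline_hook"
    detail: str
    verdict: str   # "attributed" (a named product owns it) or "unattributed"


def decode_dwords(byte_dump: str) -> list[int]:
    """Turn GMER's 'DE, 7C, 01, 83, ...' dump into little-endian dwords.
    A trailing partial group (GMER truncates long dumps with '...') is dropped."""
    raw = bytes(int(tok, 16) for tok in re.findall(r"\b[0-9A-Fa-f]{2}\b", byte_dump))
    return [struct.unpack_from("<I", raw, i)[0] for i in range(0, len(raw) - 3, 4)]


def triage(log_text: str) -> list[Finding]:
    """Classify SSDT hooks, patched kernel bytes and user-mode inline hooks.

    Patched kernel dwords are compared with the SSDT hook addresses: in this
    log the bytes at KeSetEvent+209/+621/+6E5 decode to the same PCTCore.sys
    addresses listed under SSDT, i.e. the vendor's hooks seen from a second
    angle rather than an additional unknown patch. A user-mode JMP whose
    target GMER did not attribute to any module stays 'unattributed'.
    """
    ssdt_owner: dict[int, str] = {}
    findings: list[Finding] = []
    pending: list[tuple[int, list[int]]] = []   # (index into findings, dwords)

    for line in log_text.splitlines():
        line = line.strip()
        if m := SSDT_RE.match(line):
            ssdt_owner[int(m["addr"], 16)] = m["driver"].rsplit("\\", 1)[-1]
            verdict = "attributed" if m["desc"].strip() else "unattributed"
            findings.append(Finding("ssdt", f"{m['func']} -> {m['driver']}", verdict))
        elif m := INLINE_RE.match(line):
            verdict = "attributed" if m["owner"] else "unattributed"
            findings.append(Finding(
                "inline_hook",
                f"{m['proc']} {m['module']}!{m['func']} JMP {m['target']} "
                f"({m['owner'] or 'no owning module reported'})",
                verdict))
        elif m := KPATCH_RE.match(line):
            pending.append((len(findings), decode_dwords(m["bytes"])))
            findings.append(Finding("kernel_patch",
                                    f"{m['module']}!{m['func']}+{m['off']}", "unattributed"))

    # Second pass: a patched dword equal to a known SSDT hook address is that
    # hook's pointer sitting in the service table, so it inherits the owner.
    for idx, dwords in pending:
        owners = {ssdt_owner[d] for d in dwords if d in ssdt_owner}
        if owners:
            f = findings[idx]
            findings[idx] = Finding(
                f.kind, f"{f.detail} = SSDT pointer into {', '.join(sorted(owners))}", "attributed")
    return findings


def unattributed(log_text: str) -> list[str]:
    """The items a helper would still need to investigate after triage."""
    return [f.detail for f in triage(log_text) if f.verdict == "unattributed"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.verdict:12}] {f.kind:12} {f.detail}")
```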

#6 schrauber

  • Malware Response Team

Posted 26 December 2009 - 03:21 AM

Hi,


Please go here and have a look at how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2



--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot of the confirmation prompt)


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#7 Cajunjambaliya

  • Topic Starter

Posted 26 December 2009 - 03:03 PM

G'Day Tom,

I have completed the instructed task and have attached the log from Combofix as instructed. The program worked without an issue.

Thanks again,

Kevin





ComboFix 09-12-25.05 - Kevin 27/12/2009 6:43.1.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.3325.2160 [GMT 11:00]
Running from: c:\users\Kevin\Desktop\schrauber.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk

.
((((((((((((((((((((((((( Files Created from 2009-11-26 to 2009-12-26 )))))))))))))))))))))))))))))))
.

2009-12-26 19:53 . 2009-12-26 19:54 -------- d-----w- c:\users\Kevin\AppData\Local\temp
2009-12-26 19:53 . 2009-12-26 19:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-23 08:44 . 2009-12-26 02:25 -------- d-----w- c:\users\Kevin\AppData\Local\Adobe
2009-12-23 02:48 . 2009-12-23 02:48 52224 ----a-w- c:\users\Kevin\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-22 18:22 . 2009-12-23 02:48 117760 ----a-w- c:\users\Kevin\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-18 04:37 . 2007-03-01 00:32 6600 ----a-w- c:\windows\hpomdl18.dat
2009-12-16 07:01 . 2009-12-11 09:00 2747440 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\20091215.004\CCERASER.DLL
2009-12-16 07:01 . 2009-11-15 23:18 84912 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\20091215.004\naveng.sys
2009-12-16 07:01 . 2009-11-15 23:18 371248 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\20091215.004\eeCtrl.sys
2009-12-16 07:01 . 2009-11-15 23:18 259440 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\20091215.004\ecmsvr32.dll
2009-12-16 07:01 . 2009-11-15 23:18 177520 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\20091215.004\naveng32.dll
2009-12-16 07:01 . 2009-11-15 23:18 1647984 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\20091215.004\navex32a.dll
2009-12-16 07:01 . 2009-11-15 23:18 1323568 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\20091215.004\navex15.sys
2009-12-16 07:01 . 2009-11-15 23:18 102448 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\20091215.004\ERASER.sys
2009-12-14 21:36 . 2009-10-30 00:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-14 21:36 . 2009-10-30 00:09 98600 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2009-12-14 21:36 . 2009-11-09 00:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-14 21:36 . 2009-10-06 05:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-14 21:36 . 2009-09-02 22:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-12-14 21:36 . 2009-12-23 21:50 -------- d-----w- c:\program files\Spyware Doctor
2009-12-14 21:36 . 2009-12-14 21:43 -------- d-----w- c:\program files\Common Files\PC Tools
2009-12-14 21:36 . 2009-12-14 21:36 -------- d-----w- c:\users\Kevin\AppData\Roaming\PC Tools
2009-12-14 21:36 . 2009-12-14 21:36 -------- d-----w- c:\programdata\PC Tools
2009-12-11 09:37 . 2009-12-11 09:37 536576 ----a-w- c:\windows\system32\crash_report.dll
2009-12-11 06:28 . 2006-12-22 02:51 771672 ------w- c:\programdata\HP\Installer\Temp\hpzscr01.exe
2009-12-11 06:28 . 2006-12-22 02:47 472664 ------w- c:\programdata\HP\Installer\Temp\hpzmsi01.exe
2009-12-11 06:28 . 2006-09-29 17:09 534528 ------w- c:\programdata\HP\Installer\Temp\dpinst_x32\dpinst.exe
2009-12-11 05:54 . 2009-12-11 05:54 -------- d-----w- c:\users\Kevin\AppData\Roaming\Printer Info Cache
2009-12-11 05:54 . 2009-12-11 06:45 -------- d-----w- c:\users\Kevin\AppData\Roaming\Image Zone Express
2009-12-09 22:20 . 2009-11-09 12:31 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-09 22:20 . 2009-11-09 12:30 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-09 22:20 . 2009-11-09 10:36 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-09 07:48 . 2009-08-24 11:36 377344 ----a-w- c:\windows\system32\winhttp.dll
2009-12-09 06:10 . 2009-10-07 11:36 243712 ----a-w- c:\windows\system32\rastls.dll
2009-12-08 22:05 . 2009-12-23 07:01 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-08 22:04 . 2009-11-15 23:18 84912 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\BinHub\naveng.sys
2009-12-08 22:04 . 2009-11-15 23:18 371248 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\BinHub\eeCtrl.sys
2009-12-08 22:04 . 2009-11-15 23:18 2747952 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\BinHub\cceraser.dll
2009-12-08 22:04 . 2009-11-15 23:18 259440 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\BinHub\ecmsvr32.dll
2009-12-08 22:04 . 2009-11-15 23:18 177520 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\BinHub\naveng32.dll
2009-12-08 22:04 . 2009-11-15 23:18 1647984 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\BinHub\navex32a.dll
2009-12-08 22:04 . 2009-11-15 23:18 1323568 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\BinHub\navex15.sys
2009-12-08 22:04 . 2009-11-15 23:18 102448 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\BinHub\ERASER.sys
2009-12-08 21:55 . 2009-12-08 22:04 -------- d-----w- c:\programdata\Symantec
2009-12-08 21:55 . 2009-12-08 21:55 -------- d-----w- c:\programdata\Norton
2009-12-08 21:55 . 2009-12-08 21:55 -------- d-----w- c:\windows\system32\drivers\NSS
2009-12-08 21:55 . 2009-12-08 21:55 -------- d-----w- c:\program files\Norton Security Scan
2009-12-08 21:55 . 2009-12-08 21:55 -------- d-----w- c:\programdata\NortonInstaller
2009-12-08 21:55 . 2009-12-08 21:55 -------- d-----w- c:\program files\NortonInstaller
2009-12-05 03:05 . 2009-12-05 03:05 4844296 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-05 02:58 . 2009-12-05 02:58 -------- d-----w- c:\program files\Windows Portable Devices
2009-12-05 02:28 . 2009-12-05 02:28 -------- d-----w- c:\users\Kevin\AppData\Roaming\Smart PC Solutions
2009-12-05 02:28 . 2009-12-05 02:28 -------- d-----w- c:\program files\Smart PC Solutions
2009-12-04 23:47 . 2009-10-01 01:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-12-04 22:46 . 2009-09-30 01:11 288096 ----a-r- c:\users\Kevin\AppData\Roaming\McAfee\Supportability\MVTLogs\Results\detect.dll
2009-12-04 22:45 . 2009-12-04 22:45 -------- d-----w- c:\users\Kevin\AppData\Roaming\McAfee
2009-12-04 21:45 . 2009-12-05 23:14 -------- d-----w- c:\program files\MYFIP.A Removal Tool
2009-12-04 16:00 . 2009-10-29 09:17 2048 ----a-w- c:\windows\system32\tzres.dll
2009-12-04 10:52 . 2009-11-02 09:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-04 09:13 . 2009-12-04 09:13 -------- d-----w- c:\program files\Sophos
2009-12-04 09:13 . 2009-08-11 16:44 1401856 ----a-w- c:\windows\system32\msxml6.dll
2009-12-04 09:13 . 2009-08-11 16:44 1248768 ----a-w- c:\windows\system32\msxml3.dll
2009-12-03 08:11 . 2009-12-03 17:39 -------- d-----w- c:\program files\TheStubware
2009-12-01 08:14 . 2009-12-01 08:14 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-12-01 08:14 . 2009-12-22 18:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-01 08:14 . 2009-12-01 08:14 -------- d-----w- c:\users\Kevin\AppData\Roaming\SUPERAntiSpyware.com
2009-12-01 08:03 . 2009-12-01 08:03 -------- d-----w- C:\fixwareout
2009-12-01 03:39 . 2009-12-03 10:45 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-12-01 03:39 . 2009-12-01 03:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-01 01:46 . 2009-12-04 08:46 -------- d-----w- c:\users\Kevin\AppData\Local\Temp(101)
2009-11-30 07:55 . 2009-11-30 07:55 -------- d-----w- c:\users\Kevin\AppData\Local\World in Conflict
2009-11-30 07:24 . 2009-11-30 07:24 -------- d-----w- c:\program files\Sierra Entertainment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-26 10:38 . 2009-08-27 12:23 5017 ----a-w- c:\windows\bthservsdp.dat
2009-12-26 10:38 . 2009-10-23 03:56 -------- d-----w- c:\users\Kevin\AppData\Roaming\Orbit
2009-12-26 05:13 . 2009-08-19 05:36 -------- d-----w- c:\users\Kevin\AppData\Roaming\uTorrent
2009-12-26 05:04 . 2009-09-25 02:10 -------- d-----w- c:\users\Kevin\AppData\Roaming\Free Download Manager
2009-12-26 02:20 . 2009-08-27 07:47 -------- d-----w- c:\programdata\HP
2009-12-25 22:27 . 2009-08-27 00:13 -------- d-----w- c:\program files\Google
2009-12-24 02:05 . 2009-08-19 00:40 680 ----a-w- c:\users\Kevin\AppData\Local\d3d9caps.dat
2009-12-22 20:58 . 2009-09-29 01:19 -------- d-----w- c:\program files\YouTube Downloader
2009-12-22 18:20 . 2009-09-14 01:53 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-19 08:22 . 2009-08-19 02:15 -------- d-----w- c:\programdata\Microsoft Help
2009-12-18 04:46 . 2009-08-27 07:49 130834 ----a-w- c:\windows\hpoins18.dat
2009-12-11 05:53 . 2009-09-19 12:53 -------- d-----w- c:\users\Kevin\AppData\Roaming\HpUpdate
2009-12-08 08:57 . 2009-08-21 01:16 -------- d-----w- c:\program files\DivX
2009-12-08 08:56 . 2009-08-21 01:16 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-12-07 18:28 . 2009-08-22 02:04 19944 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-05 03:06 . 2009-09-15 07:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-05 02:58 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-12-05 02:48 . 2009-12-05 02:48 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-12-05 02:48 . 2009-12-05 02:48 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-12-04 22:44 . 2009-08-19 02:09 -------- d-----w- c:\program files\McAfee
2009-12-04 22:44 . 2009-08-19 02:08 -------- d-----w- c:\programdata\McAfee
2009-12-04 09:01 . 2009-08-19 00:40 116944 ----a-w- c:\users\Kevin\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-04 08:53 . 2009-09-13 23:48 -------- d-----w- c:\users\Kevin\AppData\Roaming\streamripper
2009-12-04 08:53 . 2009-09-13 23:45 -------- d-----w- c:\users\Kevin\AppData\Roaming\Winamp
2009-12-04 08:53 . 2009-09-29 01:16 -------- d-----w- c:\users\Kevin\AppData\Roaming\InstallShield Installation Information
2009-12-03 05:14 . 2009-09-15 07:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 05:13 . 2009-09-15 07:41 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-30 07:24 . 2009-08-19 00:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-26 10:30 . 2009-08-20 03:10 -------- d-----w- c:\program files\Windows Live
2009-11-26 05:47 . 2009-11-26 05:47 -------- d-----w- c:\program files\Nikon
2009-11-26 05:47 . 2009-11-26 05:47 -------- d-----w- c:\program files\Common Files\Nikon
2009-11-21 06:40 . 2009-12-09 07:50 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-09 07:50 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 06:34 . 2009-12-09 07:50 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 04:59 . 2009-12-09 07:50 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-20 01:12 . 2009-08-19 02:29 -------- d-----w- c:\programdata\Roxio
2009-11-17 06:40 . 2009-11-17 06:40 -------- d-----w- c:\program files\AMP Font Viewer
2009-11-14 00:49 . 2009-09-13 23:45 129784 ------w- c:\windows\system32\pxafs.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47 . 2009-11-14 00:47 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47 . 2009-11-14 00:47 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47 . 2009-11-14 00:47 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47 . 2009-11-14 00:47 696320 ----a-w- c:\windows\system32\DivX.dll
2009-11-13 00:46 . 2009-11-13 00:46 -------- d-----w- c:\program files\EA GAMES
2009-11-03 01:37 . 2009-11-03 01:37 -------- d-----w- c:\program files\LucasArts
2009-10-13 22:38 . 2009-10-13 22:38 471664 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbC93C.tmp.exe
2009-10-08 21:08 . 2009-12-04 23:47 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-08 21:08 . 2009-12-04 23:47 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:07 . 2009-12-04 23:47 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-01 01:02 . 2009-12-04 23:47 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02 . 2009-12-04 23:47 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02 . 2009-12-04 23:47 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02 . 2009-12-04 23:47 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01 . 2009-12-04 23:47 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01 . 2009-12-04 23:47 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01 . 2009-12-04 23:47 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01 . 2009-12-04 23:47 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01 . 2009-12-04 23:47 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01 . 2009-12-04 23:47 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01 . 2009-12-04 23:47 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-10-01 01:01 . 2009-12-04 23:47 40448 ----a-w- c:\windows\system32\drivers\WpdUsb.sys
2009-10-01 01:01 . 2009-12-04 23:47 226816 ----a-w- c:\windows\system32\WpdMtp.dll
2009-10-01 01:01 . 2009-12-04 23:47 61952 ----a-w- c:\windows\system32\WpdMtpUS.dll
2009-10-01 01:01 . 2009-12-04 23:47 33280 ----a-w- c:\windows\system32\WpdConns.dll
2009-09-29 02:14 . 2009-09-29 01:16 535552 ----a-w- c:\users\Kevin\AppData\Roaming\InstallShield Installation Information\{622A4476-3AE1-43E7-A67C-9BCBCB6D5A39}\ISSetup.dll
2009-09-29 02:14 . 2009-09-29 01:16 148416 ----a-w- c:\users\Kevin\AppData\Roaming\InstallShield Installation Information\{622A4476-3AE1-43E7-A67C-9BCBCB6D5A39}\_setup.dll
2009-09-29 02:14 . 2009-09-29 01:16 372736 ----a-w- c:\users\Kevin\AppData\Roaming\InstallShield Installation Information\{622A4476-3AE1-43E7-A67C-9BCBCB6D5A39}\setup.exe
2009-09-29 02:03 . 2009-09-29 02:03 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-16 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-28 1218008]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2007-12-14 244208]
"VolPanel"="c:\program files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" [2006-11-26 180224]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Bluetooth HCI Monitor"="HCIMNTR.DLL" [2006-12-07 9728]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-05-06 405504]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-12 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"crash_report"= {495FE683-6249-4A05-8D1A-8F7CD8DF5A6D} - c:\windows\system32\crash_report.dll [2009-12-11 536576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 03:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Kevin^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Kevin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-10 11:52 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-05-30 02:30 292136 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 07:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-10-11 07:05 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(:(:e5,55,d9,bb,04,41,ca,01

R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [15/12/2009 08:36 207792]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [16/12/2009 16:26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [16/12/2009 16:26 74480]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/12/2009 16:27 7408]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [27/08/2009 11:13 133104]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [14/12/2007 15:25 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [14/12/2007 15:25 166384]
S2 SessionLauncher;SessionLauncher;c:\users\Kevin\AppData\Local\Temp\DX9\SessionLauncher.exe --> c:\users\Kevin\AppData\Local\Temp\DX9\SessionLauncher.exe [?]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [21/01/2008 13:23 21504]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [14/12/2007 15:25 1112560]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [15/12/2009 08:36 359624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
------- Supplementary Scan -------
.
uStart Page = hxxp://theage.com.au/
uInternet Settings,ProxyOverride = *.local
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\users\Kevin\AppData\Roaming\Mozilla\Firefox\Profiles\lqrbs0vu.default\
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-UpdReg - c:\windows\UpdReg.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-27 06:53
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys >>UNKNOWN [0x85D7A618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x833abd24
\Driver\ACPI -> acpi.sys @ 0x806c9d68
\Driver\atapi -> ataport.SYS @ 0x807d8a2c
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-12-27 06:57:45
ComboFix-quarantined-files.txt 2009-12-26 19:57
ComboFix2.txt 2009-12-01 01:46

Pre-Run: 304,081,690,624 bytes free
Post-Run: 304,627,027,968 bytes free

- - End Of File - - 759661981E0B84FF138D9B56C38C960B
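The autostart section of a ComboFix log is where a helper looks first, so here is an added example of how a reviewer might triage it by script. This is not code from the thread and not part of ComboFix: it parses service lines ("S2 name;display;path [date size]") and Run-key values ('"name"="path" [date size]') in the format the "Reg Loading Points" section above uses, and flags entries whose binary ComboFix could not find ("[?]", "-->") or that start from a directory an unprivileged user can write to. The regular expressions, the list of user-writable path fragments and the flag wording are assumptions made for this example; the sample lines are copied from the log above. A flag means "look at this entry", not "this entry is malware".

```python
"""Triage a ComboFix-style autostart listing for entries worth a second look.

Added example (not from the thread, not part of ComboFix): parses the
service lines and Run-key values as ComboFix prints them and flags the
ones that run from user-writable locations or whose file is missing.
"""
import re
from dataclasses import dataclass, field

# Service line, e.g.
#   S2 gupdate;Google Update Service (gupdate);c:\program files\...\GoogleUpdate.exe [27/08/2009 11:13 133104]
SERVICE_RE = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);'
    r'(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]\s*$'
)
# Run-key value, e.g.
#   "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
RUNKEY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<meta>[^\]]*)\]\s*$')

# ComboFix prefixes: R = running, S = stopped; the digit is the SCM start type.
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

# Path fragments an unprivileged user can write to on a default Vista layout.
# Assumption for this example: anything auto-started from here is flagged
# for review. This is a triage heuristic, not proof of infection.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\")


@dataclass
class Entry:
    kind: str            # "service" or "runkey"
    name: str
    path: str            # image path as printed (contains "--> path" when missing)
    meta: str            # bracketed date/size field, or "?" when the file is absent
    start: str = ""      # service start code such as "S2"; empty for Run keys
    flags: list = field(default_factory=list)


def describe_start(code):
    """'S2' -> 'stopped, auto start'."""
    state = "running" if code[0] == "R" else "stopped"
    return f"{state}, {START_TYPES.get(code[1], 'unknown')} start"


def parse_line(line):
    """Return an Entry for a service or Run-key line, None for anything else."""
    m = SERVICE_RE.match(line)
    if m:
        return Entry("service", m["name"], m["path"], m["meta"], m["start"])
    m = RUNKEY_RE.match(line)
    if m:
        return Entry("runkey", m["name"], m["path"], m["meta"])
    return None


def assess(entry):
    """Attach review flags based on where the binary lives and whether it exists."""
    lowered = entry.path.lower()
    if entry.meta.strip() == "?" or "-->" in entry.path:
        entry.flags.append("binary missing on disk")
    if any(marker in lowered for marker in USER_WRITABLE):
        entry.flags.append("runs from a user-writable location")
    return entry


def triage(log_text):
    """Parse every recognised line and assess it; unrecognised lines are skipped."""
    return [assess(e) for e in map(parse_line, log_text.splitlines()) if e]


def suspicious(log_text):
    """Only the entries that picked up at least one flag."""
    return [e for e in triage(log_text) if e.flags]


# Sample input: lines copied from the "Reg Loading Points" section of the log
# above, plus one key header to show that non-entry lines are skipped.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-16 2002160]
R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [15/12/2009 08:36 207792]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [27/08/2009 11:13 133104]
S2 SessionLauncher;SessionLauncher;c:\users\Kevin\AppData\Local\Temp\DX9\SessionLauncher.exe --> c:\users\Kevin\AppData\Local\Temp\DX9\SessionLauncher.exe [?]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [21/01/2008 13:23 21504]
"""

if __name__ == "__main__":
    for e in suspicious(SAMPLE_LOG):
        where = describe_start(e.start) if e.start else "Run key"
        print(f"{e.name} ({where}): {', '.join(e.flags)}")
```

Run on the sample, only the SessionLauncher service is reported, for both reasons: its image sits under the user's Temp directory and ComboFix marked the file as absent. The Spyware Doctor, Google and Windows entries pass the heuristic, which is the point: the script narrows the list to what a human should read closely, it does not decide for them.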

#8 schrauber

    Mr.Mechanic
  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 27 December 2009 - 07:00 AM

Hi,

How is your system running right now?
regards,
schrauber

#9 Cajunjambaliya

  • Topic Starter

  • Members
  • 6 posts

Posted 27 December 2009 - 07:07 AM

Hi Tom,

No, the redirects are still occurring and I have no use of a search facility now and I am thinking that the infection has become too nested. It is blocking access to Bleeping Computers and preventing my antivirus from running. I have to use a proxy to get anywhere.

I may have to bite the bullet and reinstall Vista and software again. While I had my antivirus turned off, a rogue antivirus installed without me approving it or knowing it was there. I suspect that it has changed my permissions and is having free run of the computer.

The only question with this is that, when I reinstall Vista onto my PC, will it get rid of the virus or do I have to format my hard drive and install?

Thanks for your time looking into this and I do appreciate your work. I will just have to try to prevent this from happening again.

#10 schrauber

    Mr.Mechanic
  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 27 December 2009 - 07:14 AM

Hi,

You're welcome :(.

You have to reformat the hard drives, then you can be 100% sure to have a clean and fast system.
regards,
schrauber

#11 Cajunjambaliya

  • Topic Starter

  • Members
  • 6 posts

Posted 27 December 2009 - 07:30 AM

I will do that and thanks again for your help. Sometimes it is easier to reinstall Vista and get a new system. The way Vista is these days, it is almost a sure bet you will have to install it again each year. :(

Cheers,

Kev

#12 schrauber

    Mr.Mechanic
  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 27 December 2009 - 08:06 AM

You're welcome :(

Since this issue appears to be resolved ... this Topic has been closed.

If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.
regards,
schrauber
