Internet Hijack


  • This topic is locked
2 replies to this topic

#1 bcpoitra

bcpoitra

  • Members
  • 2 posts

Posted 10 December 2009 - 10:37 PM

Hello,
I am working on a Dell PC that was deeply infected with trojans and other malware. I have resolved everything so far with the exception of an internet redirect that is eluding me. Every link clicked in Google or other search engines gets redirected to a totally random website.

To this point I have run the following cleaners that have killed other infections but the redirect continues:

Malwarebytes Anti-Malware
AVG Anti-Virus
Super Anti-Spyware
Trend Micro CWShredder
Trend Micro HouseCall
CCleaner

I ran HijackThis and the log is as follows:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 8:33:47 PM, on 12/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:Program FilesAVGAVG9avgchsvx.exe
C:Program FilesAVGAVG9avgrsx.exe
C:WINDOWSsystem32svchost.exe
C:Program FilesAVGAVG9avgcsrvx.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32spoolsv.exe
C:Program FilesAVGAVG9avgwdsvc.exe
C:WINDOWSsystem32svchost.exe
C:Program FilesJavajre6binjqs.exe
C:Program FilesCommon FilesLightScribeLSSrvc.exe
C:Program FilesAVGAVG9avgnsx.exe
C:Program FilesCommon FilesLogiShrdLVCOMSERLVComSer.exe
C:Program FilesCommon FilesLogiShrdLVMVFMLVPrcSrv.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32svchost.exe
C:Program FilesYahoo!SoftwareUpdateYahooAUService.exe
C:Program FilesCommon FilesLogiShrdLVCOMSERLVComSer.exe
C:PROGRA~1AVGAVG9avgtray.exe
C:WINDOWSsystem32ctfmon.exe
C:Program FilesTrendMicroHiJackThisHiJackThis.exe
C:Program FilesInternet ExplorerIEXPLORE.EXE
C:Program FilesMSNToolbar3.0.0988.2msntask.exe
C:Program FilesHPSmart Web Printinghpswp_clipbook.exe
C:Program FilesGoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page =
http://msn.com/
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCUSoftwareMicrosoftInternet Connection Wizard,ShellNext =
http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} -
C:Program FilesHPSmart Web Printinghpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:Program
FilesHPSmart Web Printinghpswp_framework.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -
C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer -
{3049C3E9-B461-4BC5-8870-4C09146192CA} - C:Program
FilesRealRealPlayerrpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter -
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:Program FilesAVGAVG9avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
- C:Program FilesJavajre6binssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6}
- C:Program FilesCommon FilesMicrosoft SharedWindows
LiveWindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
C:Program FilesGoogleGoogle ToolbarGoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
- C:Program FilesGoogleGoogleToolbarNotifier5.4.4525.1752swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -
C:Program FilesMSNToolbar3.0.0988.2msneshellx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper -
{DBC80044-A445-435b-BC74-9C25C1C588A9} - C:Program
FilesJavajre6binjp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -
C:Program FilesJavajre6libdeployjqsiejqs_plugin.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} -
C:Program FilesMSNToolbar3.0.0988.2msneshellx.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
C:Program FilesGoogleGoogle ToolbarGoogleToolbar_32.dll
O4 - HKLM..Run: [AVG9_TRAY] C:PROGRA~1AVGAVG9avgtray.exe
O4 - HKLM..Run: [QuickTime Task] "C:Program FilesQuickTimeqttask.exe"
-atboottime
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O4 - HKUSS-1-5-18..Run: [MySpaceIM] C:Program
FilesMySpaceIMMySpaceIM.exe (User 'SYSTEM')
O4 - HKUS.DEFAULT..Run: [MySpaceIM] C:Program
FilesMySpaceIMMySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:PROGRA~1MICROS~2Office10EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:Program
FilesGoogleGoogle
ToolbarComponentGoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} -
C:Program FilesHPSmart Web Printinghpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} -
C:Program FilesHPSmart Web Printinghpswp_extensions.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} -
C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -
{e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork
Diagnosticxpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5
Control) -
http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
C:Program FilesAVGAVG9avgpp.dll
O20 - AppInit_DLLs: fepuwejo.dll
O20 - Winlogon Notify: !SASWinLogon - C:Program
FilesSUPERAntiSpywareSASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader -
{438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:WINDOWSsystem32browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon -
{8C7461EF-2B13-11d2-BE35-3078302C2030} - C:WINDOWSsystem32browseui.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. -
C:Program FilesAVGAVG9avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:Program
FilesGoogleCommonGoogle UpdaterGoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun
Microsystems, Inc. - C:Program FilesJavajre6binjqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service
(LightScribeService) - Hewlett-Packard Company - C:Program FilesCommon
FilesLightScribeLSSrvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:Program FilesCommon
FilesLogiShrdLVCOMSERLVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:Program
FilesCommon FilesLogiShrdLVMVFMLVPrcSrv.exe
O23 - Service: NMIndexingService - Unknown owner - C:Program FilesCommon
FilesAheadLibNMIndexingService.exe (file missing)
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:Program
FilesYahoo!SoftwareUpdateYahooAUService.exe

--
End of file - 7788 bytes



Any help would be greatly appreciated. I don't want to have to wipe it clean and re-install, but I am out of ideas.

Thanks,
BC

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

Hello,
I was referred from the Am I Infected forum after posting a GMER log there.
I believe my computer is infected with a rootkit that is redirecting search results in IE.
I am running Windows XP.
I have run AVG, Spybot, Malwarebytes, SUPERAntiSpyware, Blacklight, and the GMER scan, which had some references to a rootkit.
Also, I cannot access Safe Mode; I get the blue screen every time.

The following is the DDS log that the previous forum said to provide.
I have attached the Attach.txt file as well in case you need it.
Thanks for your help, this one has been frustrating to say the least.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Morris at 19:14:41.60 on Thu 12/10/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1209 [GMT -9:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:WINDOWSsystem32Ati2evxx.exe
C:WINDOWSsystem32svchost -k DcomLaunch
svchost.exe
C:WINDOWSSystem32svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:Program FilesLavasoftAd-Awareaawservice.exe
C:WINDOWSsystem32spoolsv.exe
svchost.exe
C:Program FilesCommon FilesAppleMobile Device SupportbinAppleMobileDeviceService.exe
C:PROGRA~1AVGAVG8avgwdsvc.exe
C:Program FilesBonjourmDNSResponder.exe
C:WINDOWSeHomeehRecvr.exe
C:WINDOWSeHomeehSched.exe
C:PROGRA~1AVGAVG8avgrsx.exe
C:PROGRA~1AVGAVG8avgnsx.exe
C:Program FilesJavajre6binjqs.exe
C:WINDOWSsystem32HPZipm12.exe
C:Program FilesCyberLinkShared FilesRichVideo.exe
C:WINDOWSehomeRMSvc.exe
C:Program FilesMicrosoftSearch Enhancement PackSeaPortSeaPort.exe
svchost.exe
C:WINDOWSsystem32svchost.exe -k imgsvc
C:WINDOWSsystem32SearchIndexer.exe
C:Program FilesYahoo!SoftwareUpdateYahooAUService.exe
C:PROGRA~1AVGAVG8avgemc.exe
C:Program FilesAVGAVG8avgcsrvx.exe
C:WINDOWSsystem32dllhost.exe
C:WINDOWSExplorer.EXE
C:WINDOWSehomeehtray.exe
C:WINDOWSstsystra.exe
C:Program FilesDellMedia ExperienceDMXLauncher.exe
C:PROGRA~1AVGAVG8avgtray.exe
C:Program FilesMicrosoft Office 2007Office12GrooveMonitor.exe
C:Program FilesCyberLinkPCM4EverioEverioService.exe
C:Program FilesiTunesiTunesHelper.exe
C:WINDOWSsystem32ctfmon.exe
C:WINDOWSeHomeehmsas.exe
C:Program FilesGoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe
C:Program FilesCommon FilesInstallShieldUpdateServiceisuspm.exe
C:Program FilesSpybot - Search & DestroyTeaTimer.exe
C:Program FilesLogitechMouseWaresystemem_exec.exe
C:WINDOWSehomeRMSysTry.exe
C:Program FilesWindows Desktop SearchWindowsSearch.exe
C:WINDOWSSystem32svchost.exe -k HTTPFilter
C:Program FilesiPodbiniPodService.exe
C:PROGRA~1Yahoo!MESSEN~1ymsgr_tray.exe
C:Program FilesInternet Exploreriexplore.exe
C:Program FilesInternet Exploreriexplore.exe
C:Program FilesInternet Exploreriexplore.exe
C:WINDOWSsystem32SearchProtocolHost.exe
C:Documents and SettingsMorrisLocal SettingsTemporary Internet FilesContent.IE5BF3E5N3Pdds[1].scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://news.google.com/nwshp?hl=en&tab=wn
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:program filesavgavg8toolbarIEToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:program filesavgavg8toolbarIEToolbar.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:progra~1yahoo!companioninstallscpn2yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:program filesadobeacrobat 7.0activexAcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:program filesskypetoolbarsinternet explorerSkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:program filesavgavg8avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:progra~1spybot~1SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:program filesyahoo!commonyiesrvc.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:program filesmicrosoftsearch enhancement packsearch helperSEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:program filesmicrosoft office 2007office12GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:program filescommon filesmicrosoft sharedwindows liveWindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:program filesavgavg8toolbarIEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:program filesgooglegoogle toolbarGoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:program filesgooglegoogletoolbarnotifier5.4.4525.1752swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:program filesbaeBAE.dll
BHO: ChromeFrame BHO: {ecb3c477-1a0a-44bd-bb57-78f9efe34fa7} - c:program filesgooglechrome frameapplication4.0.255.0npchrome_tab.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:progra~1yahoo!companioninstallscpn2YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:progra~1yahoo!companioninstallscpn2yt.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:program filesveoh networksveohpluginsregVeohToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:program filesavgavg8toolbarIEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:program filesgooglegoogle toolbarGoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:windowssystem32ctfmon.exe
uRun: [fsm]
uRun: [<NO NAME>]
uRun: [swg] "c:program filesgooglegoogletoolbarnotifierGoogleToolbarNotifier.exe"
uRun: [Google Update] "c:documents and settingsmorrislocal settingsapplication datagoogleupdateGoogleUpdate.exe" /c
uRun: [Messenger (Yahoo!)] "c:progra~1yahoo!messen~1YAHOOM~1.EXE" -quiet
uRun: [ISUSPM] "c:program filescommon filesinstallshieldupdateserviceisuspm.exe" -scheduler
uRun: [SpybotSD TeaTimer] c:program filesspybot - search & destroyTeaTimer.exe
mRun: [ehTray] c:windowsehomeehtray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] "c:program filesati technologiesati control panelatiptaxx.exe"
mRun: [DMXLauncher] c:program filesdellmedia experienceDMXLauncher.exe
mRun: [ISUSPM Startup] "c:program filescommon filesinstallshieldupdateserviceisuspm.exe" -startup
mRun: [ISUSScheduler] "c:program filescommon filesinstallshieldupdateserviceissch.exe" -start
mRun: [MSKDetectorExe] c:program filesmcafeespamkillerMSKDetct.exe /uninstall
mRun: [AVG8_TRAY] c:progra~1avgavg8avgtray.exe
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:program filescommon filesroxio shared9.0sharedcomRoxWatchTray9.exe"
mRun: [AppleSyncNotifier] c:program filescommon filesapplemobile device supportbinAppleSyncNotifier.exe
mRun: [GrooveMonitor] "c:program filesmicrosoft office 2007office12GrooveMonitor.exe"
mRun: [Easy Dock]
mRun: [googletalk] c:program filesgooglegoogle talkgoogletalk.exe /autostart
mRun: [EverioService] "c:program filescyberlinkpcm4everioEverioService.exe"
mRun: [QuickTime Task] "c:program filesquicktimeqttask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "c:program filesmalwarebytes' anti-malwarembam.exe" /runcleanupscript
mRun: [iTunesHelper] "c:program filesitunesiTunesHelper.exe"
mRun: [Logitech Utility] Logi_MwX.Exe
dRun: [DWQueuedReporting] "c:progra~1common~1micros~1dwdwtrig20.exe" -t
dRun: [swg] c:program filesgooglegoogletoolbarnotifier1.2.1128.5462GoogleToolbarNotifier.exe
StartupFolder: c:docume~1alluse~1startm~1programsstartupadober~1.lnk - c:program filesadobeacrobat 7.0readerreader_sl.exe
StartupFolder: c:docume~1alluse~1startm~1programsstartupextend~1.lnk - c:windowsehomeRMSysTry.exe
StartupFolder: c:docume~1alluse~1startm~1programsstartupwindow~1.lnk - c:program fileswindows desktop searchWindowsSearch.exe
IE: &Search
IE: &Yahoo! Search
IE: E&xport to Microsoft Excel
IE: Google Sidewiki... - c:program filesgooglegoogle toolbarcomponentGoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Yahoo! &Dictionary
IE: Yahoo! &Maps
IE: Yahoo! &SMS
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%Network Diagnosticxpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:program filesyahoo!messengerYahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:program filesmessengermsmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:program fileswindows livewriterWriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:progra~1mi69df~1office12ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:program filesyahoo!commonyiesrvc.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:program filesskypetoolbarsinternet explorerSkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:progra~1mi69df~1office12REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:windowssystem32Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:progra~1spybot~1SDHelper.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/0/f/b/0fb0fab9-7f09-4bb6-86d8-8e791ba99ac5/VirtualEarth3D.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:program filesyahoo!commonyinsthelper.dll
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170478668953
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_2/PhotoCenter_ActiveX_Control.cab?
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:program fileshphpcoretechcomphpuiprot.dll
Handler: cf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - c:program filesgooglechrome frameapplication4.0.255.0npchrome_tab.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:program filesmicrosoft office 2007office12GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:program filesavgavg8avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:progra~1common~1skypeSKYPE4~1.DLL
Notify: !SASWinLogon - c:program filessuperantispywareSASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: cru629.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:windowssystem32WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:program filesmicrosoft office 2007office12GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:program fileswindows desktop searchMSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:program filessuperantispywareSASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:windowssystem32driverspavboot.sys [2009-12-1 28552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:windowssystem32driversavgldx86.sys [2008-6-19 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:windowssystem32driversavgmfx86.sys [2006-12-4 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:windowssystem32driversavgtdix.sys [2008-6-19 108552]
R1 SASDIFSV;SASDIFSV;c:program filessuperantispywaresasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:program filessuperantispywareSASKUTIL.SYS [2009-11-23 74480]
R2 aawservice;Lavasoft Ad-Aware Service;c:program fileslavasoftad-awareaawservice.exe [2008-9-10 611664]
R2 avg8emc;AVG8 E-mail Scanner;c:progra~1avgavg8avgemc.exe [2008-7-3 908056]
R2 avg8wd;AVG8 WatchDog;c:progra~1avgavg8avgwdsvc.exe [2008-7-3 297752]
R2 fssfltr;FssFltr;c:windowssystem32driversfssfltr_tdi.sys [2009-4-15 55152]
R2 McrdSvc;Media Center Extender Service;c:windowsehomeMcrdSvc.exe [2005-10-20 96256]
S2 gupdate;Google Update Service (gupdate);c:program filesgoogleupdateGoogleUpdate.exe [2009-9-26 133104]
S3 fsssvc;Windows Live Family Safety;c:program fileswindows livefamily safetyfsssvc.exe [2009-2-6 533360]
S3 npggsvc;nProtect GameGuard Service;c:windowssystem32gamemon.des -service --> c:windowssystem32GameMon.des -service [?]
S3 SASENUM;SASENUM;c:program filessuperantispywareSASENUM.SYS [2009-11-23 7408]

=============== Created Last 30 ================

2009-12-10 06:59:26 0 d-----w- c:docume~1alluse~1applic~1SUPERAntiSpyware.com
2009-12-10 06:59:11 0 d-----w- c:program filesSUPERAntiSpyware
2009-12-10 06:59:11 0 d-----w- c:docume~1morrisapplic~1SUPERAntiSpyware.com
2009-12-09 08:09:49 0 d-----w- C:d8ea551305f160ac18
2009-12-09 06:30:26 1147911 ----a-w- C:stinger3.exe
2009-12-04 07:12:44 0 d-----w- c:docume~1morrisapplic~1TestOut Corporation
2009-12-02 08:02:58 0 d-----w- c:windowspss
2009-12-02 06:54:46 28552 ----a-w- c:windowssystem32driverspavboot.sys
2009-12-02 06:54:36 0 d-----w- c:program filesPanda Security
2009-11-18 03:55:21 0 d-----w- c:program filesiPod
2009-11-18 03:55:17 0 d-----w- c:program filesiTunes

==================== Find3M ====================

2009-11-11 03:03:44 63 ----a-w- c:documents and settingsmorrisjagex_runescape_preferences2.dat
2009-11-11 03:03:06 38 ----a-w- c:documents and settingsmorrisjagex_runescape_preferences.dat
2009-10-28 14:40:47 173056 ----a-w- c:windowssystem32dllcacheie4uinit.exe
2009-10-21 05:38:36 75776 ----a-w- c:windowssystem32strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:windowssystem32dllcachestrmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:windowssystem32httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:windowssystem32dllcachehttpapi.dll
2009-10-20 16:20:16 265728 ----a-w- c:windowssystem32drivershttp.sys
2009-10-20 16:20:16 265728 ------w- c:windowssystem32dllcachehttp.sys
2009-10-13 10:30:16 270336 ----a-w- c:windowssystem32oakley.dll
2009-10-13 10:30:16 270336 ------w- c:windowssystem32dllcacheoakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:windowssystem32rastls.dll
2009-10-12 13:38:19 149504 ------w- c:windowssystem32dllcacherastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:windowssystem32raschap.dll
2009-10-12 13:38:18 79872 ------w- c:windowssystem32dllcacheraschap.dll
2009-09-19 09:19:32 72396 ---ha-w- c:windowssystem32mlfcache.dat
2009-08-23 08:49:20 18968 ----a-w- c:program filescommon filesutyhefimog.scr
2009-08-23 08:49:20 18385 ----a-w- c:program filescommon filescubyjoguwo.bat
2009-08-23 08:49:20 12024 ----a-w- c:program filescommon filesjuxuf.dl
2007-03-06 04:34:31 88 --sh--r- c:windowssystem321DBCA625C1.sys

============= FINISH: 19:17:15.46 ===============

Sorry - forgot to include the RootRepeal log :(
Here it is:

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/12/10 19:44
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: ruutrpl.sys
Image Path: C:WINDOWSsystem32driversruutrpl.sys
Address: 0xB0265000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:hiberfil.sys
Status: Locked to the Windows API!

Path: c:documents and settingsmorrislocal settingstemp~df1f25.tmp
Status: Allocation size mismatch (API: 32768, Raw: 16384)

Path: c:documents and settingsmorrislocal settingstemp~df4f4c.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:documents and settingsmorrislocal settingstemp~df7a69.tmp
Status: Allocation size mismatch (API: 24576, Raw: 0)

Path: c:documents and settingsmorrislocal settingstemp~dfbe87.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:documents and settingsmorrislocal settingsapplication datamicrosoftinternet explorerrecoveryactiverecoverystore.{99bb33a0-e60a-11de-ac68-001372d09dda}.dat
Status: Size mismatch (API: 6656, Raw: 7168)

Path: C:Documents and SettingsMorrisLocal SettingsApplication DataMicrosoftInternet ExplorerRecoveryActive{36F3407D-E611-11DE-AC68-001372D09DDA}.dat
Status: Visible to the Windows API, but not on disk.

Path: C:Documents and SettingsMorrisLocal SettingsApps2.0RTV2NTOQ.J1TC3WJHEQK.W5Tmanifestsclickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:Documents and SettingsMorrisLocal SettingsApps2.0RTV2NTOQ.J1TC3WJHEQK.W5Tmanifestsclickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

==EOF==

Merged posts. ~ OB

My MBAM log is as follows:

Malwarebytes' Anti-Malware 1.42
Database version: 3344
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

12/10/2009 9:44:34 PM
mbam-log-2009-12-10 (21-44-34).txt

Scan type: Full Scan (C:|)
Objects scanned: 185671
Time elapsed: 49 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Merged posts. ~ OB

Edited by Orange Blossom, 11 December 2009 - 08:12 PM.

#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 22 December 2009 - 02:04 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding.

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or RootRepeal log, please refer to this page, steps #6 and #7, for further instructions on downloading and running DDS and RootRepeal. If you have any problems, just let me know in your next reply or simply post a HijackThis log.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#3 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 27 December 2009 - 12:22 PM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please send me a message. In your message, please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.
