Google, sites redirect problem


26 replies to this topic

#1 trichi


Posted 23 December 2009 - 05:35 PM

Hello,

I have had this problem for, I think, over 2 weeks now. When I search in google the links are redirected to something similar to hxxp://newserversearch.com/

I realise that many others are experiencing this problem, and again my Adaware, Malwarebytes, Avast! Antivirus, MS removal tool all say I'm clean. Please help, I've included my dds files in this thread, but not afk.txt as my pc crashes when I try to scan it.

Thank you!



DDS (Ver_09-12-01.01) - NTFSx86
Run by Leon Man at 21:56:00.35 on 23/12/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.313 [GMT 0:00]

AV: avast! antivirus 4.8.1368 [VPS 091223-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Documents and Settings\All Users\Application Data\Findbasic\findbasic139.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Findbasic\findbasic.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\F5D8053\Belkinwcui.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Documents and Settings\Leon Man\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.daemonsearch.com/intl/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdmcks.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: TextAloud: {f053c368-5458-45b2-9b4d-d8914bdddbff} - c:\progra~1\textal~1\TAForIE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No File
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [Google Update] "c:\documents and settings\leon man\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [EPSON Stylus CX3200] c:\windows\system32\spool\drivers\w32x86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AtiPTA] atiptaxx.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVD.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [ContentTransferWMDetector.exe] c:\program files\sony\content transfer\ContentTransferWMDetector.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\leonma~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\leonma~1\startm~1\programs\startup\xfire.lnk - c:\program files\xfire\xfire.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\f5d8053\Belkinwcui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Open in new background tab - c:\program files\windows live toolbar\components\en-gb\msntabres.dll.mui/229?06042cb41a1e4a0fa45ae59cc4769d44
IE: Open in new foreground tab - c:\program files\windows live toolbar\components\en-gb\msntabres.dll.mui/230?06042cb41a1e4a0fa45ae59cc4769d44
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: WB - c:\program files\stardock\object desktop\thememanager\fastload.dll
AppInit_DLLs: c:\windows\system32\wbsys.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\leonma~1\applic~1\mozilla\firefox\profiles\zfwb4a5e.default\
FF - prefs.js: browser.search.selectedEngine - Wowhead
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig?hl=en
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=vmn&type=vendio&p=
FF - plugin: c:\documents and settings\leon man\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-7-30 114768]
R1 atitray;atitray;c:\program files\radeon omega drivers\v3.8.421\ati tray tools\atitray.sys [2005-11-13 17824]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-7-30 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2007-11-17 138680]
R2 AWISp50;AWISp50 NDIS Protocol Driver;c:\windows\system32\drivers\AWISp50.sys [2006-3-15 17664]
R2 Findbasic Service;Findbasic Service;c:\documents and settings\all users\application data\findbasic\findbasic139.exe [2009-12-23 58872]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-4-16 10384]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2007-11-17 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2007-11-17 352920]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2007-7-28 517632]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

=============== Created Last 30 ================

2009-12-23 21:18:28 0 d-----w- c:\program files\TrendMicro
2009-12-23 19:21:55 1529241 ----a-w- C:\SDFix.exe
2009-12-23 19:12:24 0 d-----w- c:\program files\Findbasic
2009-12-23 19:12:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Findbasic
2009-12-23 19:12:15 0 d-----w- c:\windows\Icons
2009-12-23 17:39:21 98816 ----a-w- c:\windows\sed.exe
2009-12-23 17:39:21 77312 ----a-w- c:\windows\MBR.exe
2009-12-23 17:39:21 261632 ----a-w- c:\windows\PEV.exe
2009-12-23 17:39:21 161792 ----a-w- c:\windows\SWREG.exe
2009-12-19 18:44:41 0 d-sh--w- c:\documents and settings\leon man\IETldCache
2009-12-19 14:24:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-12-19 14:24:12 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-19 14:24:08 0 d-----w- c:\windows\ie8updates
2009-12-19 14:23:41 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-12-19 14:22:16 0 dc-h--w- c:\windows\ie8
2009-12-17 21:25:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Sony Corporation
2009-12-17 21:10:22 0 d-----w- c:\program files\common files\Sony Shared
2009-12-17 20:57:38 0 d-----w- c:\program files\Sony
2009-12-17 17:05:57 0 d-sha-r- C:\cmdcons
2009-12-16 16:24:33 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-12-16 16:19:35 0 d-----w- c:\windows\ERUNT
2009-12-16 16:02:17 0 d-----w- C:\SDFix
2009-12-11 22:19:07 0 d-----w- c:\docume~1\leonma~1\applic~1\Malwarebytes
2009-12-11 22:18:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-11 22:18:47 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-11 22:18:46 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-11 22:18:45 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-11 22:00:15 132096 --sha-r- c:\windows\system32\kbdhe319Q.dll
2009-12-10 18:15:07 0 d-----w- c:\docume~1\leonma~1\applic~1\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
2009-12-10 18:14:51 0 d-----w- c:\program files\BBC iPlayer Desktop
2009-12-03 17:24:02 0 d-----w- c:\program files\common files\Macrovision Shared
2009-12-03 17:23:43 0 d-----w- c:\program files\Rosetta Stone
2009-12-03 17:23:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Rosetta Stone
2009-12-03 15:50:57 0 d-----w- c:\windows\speech
2009-12-03 15:50:48 0 d-----w- c:\program files\TextAloud
2009-11-30 20:18:46 0 d-----w- c:\program files\common files\DirectX
2009-11-30 19:33:46 41872 ----a-w- c:\windows\system32\xfcodec.dll
2009-11-29 18:23:57 827156 ----a-w- c:\windows\system32\sheadg.ttf
2009-11-29 18:23:45 0 d-----w- c:\program files\ReadWrite Korean
2009-11-29 18:22:04 0 d-----w- c:\program files\Korean HakGyo
2009-11-26 22:29:15 0 d-----w- c:\docume~1\leonma~1\applic~1\Quark
2009-11-26 22:24:16 0 d-----w- c:\program files\Quark
2009-11-26 22:24:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Quark

==================== Find3M ====================

2009-10-29 07:45:38 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-06-21 21:30:51 25 ----a-w- c:\program files\popcinfot.dat
2008-09-19 20:50:48 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091920080920\index.dat

============= FINISH: 21:56:13.12 ===============

Edited by Orange Blossom, 25 December 2009 - 03:42 AM.
Deactivate link. ~ OB
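
The DDS log above is what the helpers read first. As an added example, not part of this thread or of the DDS tool itself, here is a Python script that parses excerpts of that log format and flags entries worth a second look: processes running outside the Windows and Program Files trees, BHO/toolbar CLSIDs registered with no file on disk, and recently created files carrying both hidden and system attributes inside the Windows tree (the kbdhe319Q.dll row in this log is one such entry). The sample text is a constructed subset of the posted log, the function names are mine, and the flags are review prompts, not verdicts.

```python
import re
from dataclasses import dataclass

# Constructed subset of the DDS log posted above (three of its sections).
SAMPLE_DDS = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Documents and Settings\All Users\Application Data\Findbasic\findbasic139.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File

=============== Created Last 30 ================

2009-12-23 19:12:24 0 d-----w- c:\program files\Findbasic
2009-12-11 22:18:46 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-11 22:00:15 132096 --sha-r- c:\windows\system32\kbdhe319Q.dll
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "Created Last 30" rows: date time size attrs path. attrs is an 8-character string
# such as --sha-r- (position 0 = directory, 2 = system, 3 = hidden, 4 = archive).
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) (\S{8}) (.+)$")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def split_sections(text: str) -> dict:
    """Group non-empty lines under the '==== Name ====' banner that precedes them."""
    sections = {}
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections


def triage(text: str) -> list:
    """Return review flags for the three DDS sections this script understands."""
    findings = []
    sections = split_sections(text)

    # 1. Process images living outside the Windows and Program Files trees.
    for line in sections.get("Running Processes", []):
        path = line.lower()
        if path.startswith("svchost.exe"):      # DDS prints some hosts without a path
            continue
        if not path.startswith(TRUSTED_ROOTS):
            findings.append(Finding("Running Processes",
                                    "process image outside Windows/Program Files", line))

    # 2. BHO / toolbar CLSIDs still registered although the DLL is gone.
    for line in sections.get("Pseudo HJT Report", []):
        if line.endswith("- No File"):
            findings.append(Finding("Pseudo HJT Report",
                                    "registered CLSID with no file on disk", line))

    # 3. Recently created non-directory files that are both system and hidden
    #    inside the Windows tree, a combination worth verifying by hand.
    for line in sections.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if not m:
            continue
        attrs, path = m.group(4), m.group(5).lower()
        is_dir = attrs[0] == "d"
        hidden_system = attrs[2] == "s" and attrs[3] == "h"
        if not is_dir and hidden_system and path.startswith("c:\\windows\\"):
            findings.append(Finding("Created Last 30",
                                    f"hidden+system file created in Windows tree (attrs {attrs})", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.section}] {f.reason}: {f.line}")
```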



#2 jpshortstuff


Posted 29 December 2009 - 11:20 AM

Hi there,

Sorry about the delay. If you still need help, please run the following two programs.

First, please download this tool to your Desktop, then run it:
http://jpshortstuff.247fixes.com/Kenco.exe
It will only take a few moments; please post the log it produces.


We need to check for rootkits with RootRepeal
  • Download RootRepeal from one of the following locations and save it to your desktop.
  • Open RootRepeal on your desktop.
  • Click the [image] tab.
  • Click the [image] button.
  • In the Select Scan dialog, check: [image]
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the [image] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Please post this log in your next reply.

Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

#3 trichi


Posted 30 December 2009 - 07:41 AM

Hello,

I've included the kenco.txt and rootrepeal.txt logs here; however, I couldn't scan for "Hidden Services" using RootRepeal as my PC always crashes before the scan starts. This is what I could scan. Thank you.


Kenco by jpshortstuff (30.12.09.1)
Log created at 12:18 on 30/12/2009 (Leon Man)

========== Task Unlocker ==========

========== KencoScan ==========
C:\WINDOWS\system32\kbdhe319Q.dll -> Unlocked!
C:\WINDOWS\system32\kbdhe319Q.dll -> Infected -> Deleted successfully!
C:\WINDOWS\Tasks\Huowmror.job -> Deleted successfully!

========== C:\WINDOWS\Tasks ==========
AppleSoftwareUpdate.job -> [15:11 15/09/2008] 284 bytes
GoogleUpdateTaskUserS-1-5-21-1757981266-1647877149-839522115-1003Core1ca5a22459736ea.job -> [12:04 31/10/2009] 936 bytes
GoogleUpdateTaskUserS-1-5-21-1757981266-1647877149-839522115-1003UA.job -> [10:13 31/08/2009] 988 bytes

-=E.O.F=-





ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/30 12:37
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: az5zzmy5.SYS
Image Path: C:\WINDOWS\System32\Drivers\az5zzmy5.SYS
Address: 0xF5A9D000 Size: 421888 File Visible: No Signed: -
Status: -

Name: dump_nvata.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_nvata.sys
Address: 0xAC051000 Size: 102400 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79A7000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_NTPNP0790
Image Path: \Driver\PCI_NTPNP0790
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal2.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal2.sys
Address: 0xA7CE6000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xac16c6b8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xac16c574

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xac16ca52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xac16c14c

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sptd.sys" at address 0xf72a2fb2

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "sptd.sys" at address 0xf72a3340

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xac16c64e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xac16c08c

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xac16c0f0

#: 160 Function Name: NtQueryKey
Status: Hooked by "sptd.sys" at address 0xf72a3418

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xac16c76e

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xac16c72e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xac16c8ae

==EOF==
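
As an added example (not part of the thread, and not RootRepeal's own code), here is a Python triage script for the RootRepeal log format above. It lists drivers loaded in memory whose image file is not visible on disk, discounting the dump_* copies Windows keeps for crash dumps and the scanner's own driver, and groups the SSDT hooks by the module that installed them, so that a known product's hooks (aswSP.SYS is avast's self-protection driver, per the DDS log earlier in the thread) can be separated from anything unexplained. The sample text is a constructed subset of the posted log and the function names are mine.

```python
import re
from collections import defaultdict

# Constructed subset of the RootRepeal log posted above (Drivers and SSDT sections).
SAMPLE_ROOTREPEAL = r"""
Drivers
-------------------
Name: az5zzmy5.SYS
Image Path: C:\WINDOWS\System32\Drivers\az5zzmy5.SYS
Address: 0xF5A9D000 Size: 421888 File Visible: No Signed: -
Status: -

Name: dump_nvata.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_nvata.sys
Address: 0xAC051000 Size: 102400 File Visible: No Signed: -
Status: -

Name: PCI_NTPNP0790
Image Path: \Driver\PCI_NTPNP0790
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal2.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal2.sys
Address: 0xA7CE6000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xac16c6b8

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sptd.sys" at address 0xf72a2fb2

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xac16c08c

==EOF==
"""

# One four-line driver record as RootRepeal prints it.
DRIVER_RE = re.compile(
    r"^Name: (?P<name>.+)\n"
    r"Image Path: (?P<path>.+)\n"
    r"Address: (?P<addr>\S+) Size: (?P<size>\d+) File Visible: (?P<visible>\w+) Signed: (?P<signed>\S+)\n"
    r"Status: (?P<status>.+)$",
    re.MULTILINE)
# One two-line SSDT entry.
SSDT_RE = re.compile(
    r'^#: (?P<index>\d+) Function Name: (?P<func>\w+)\n'
    r'Status: Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)$',
    re.MULTILINE)

# Expected "File Visible: No" cases: the dump_* copies of the storage stack that
# Windows keeps for crash dumps, and the scanner's own driver.
EXPECTED_INVISIBLE = ("dump_", "rootrepeal")
# Eight random-looking alphanumerics plus .sys is a naming pattern worth a closer look.
RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{8}\.sys$", re.IGNORECASE)


def hidden_drivers(text: str) -> list:
    """Loaded drivers whose image file is not visible on disk, minus expected cases."""
    out = []
    for m in DRIVER_RE.finditer(text):
        name, size = m["name"], int(m["size"])
        if m["visible"] != "No" or size == 0:          # size 0 = no image mapped at all
            continue
        if name.lower().startswith(EXPECTED_INVISIBLE):
            continue
        out.append({"name": name, "path": m["path"], "size": size,
                    "random_looking": bool(RANDOM_NAME_RE.match(name))})
    return out


def ssdt_hooks_by_module(text: str) -> dict:
    """Map each hooking module (file name, lowercased) to the syscalls it hooks."""
    by_module = defaultdict(list)
    for m in SSDT_RE.finditer(text):
        module = m["module"].rsplit("\\", 1)[-1].lower()
        by_module[module].append(m["func"])
    return dict(by_module)


if __name__ == "__main__":
    for d in hidden_drivers(SAMPLE_ROOTREPEAL):
        print(f"hidden driver: {d['name']} ({d['size']} bytes, random-looking={d['random_looking']})")
    for module, funcs in ssdt_hooks_by_module(SAMPLE_ROOTREPEAL).items():
        print(f"{module} hooks {len(funcs)} syscall(s): {', '.join(funcs)}")
```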

#4 jpshortstuff


Posted 30 December 2009 - 09:03 AM

Have you run ComboFix on this machine?

Please download and run this tool:
http://jpshortstuff.247fixes.com/Defogger.exe
Click Disable (make sure to only click it once). Your computer will be rebooted.

After reboot, please run RootRepeal again and try and get a "Hidden Services" scan.

How is the computer running, any more problems?

#5 trichi


Posted 30 December 2009 - 11:29 AM

Yes, I ran ComboFix on this PC before after reading hxxp://www.bleepingcomputer.com/forums/lofiversion/index.php/t178788.html, which I probably shouldn't have done. That had removed my misdirecting problem for a few days but it came back, and also my usual taskbar theme had been replaced by the classic Windows theme (though I've fixed that with system restores).

I've run defogger.exe and run RootRepeal, but it still crashes and I can't produce the log.
Currently the redirecting problem with google seems to have disappeared! However I'm also realising that my computer starts up and loads slower than usual (say a week ago), but I don't think that has anything to do with malware(?).

Thank you

#6 jpshortstuff


Posted 30 December 2009 - 11:37 AM

OK, let's try an alternative to RootRepeal. First, can you please post the ComboFix log? It should be at C:\ComboFix.txt.

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe to run the program.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

#7 trichi


Posted 31 December 2009 - 01:50 PM

I've run ComboFix twice, once when the problem initially started and again when it came back. I have the log for the 2nd run.

ComboFix 09-12-22.09 - Leon Man 23/12/2009 18:12:38.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.452 [GMT 0:00]
Running from: c:\documents and settings\Leon Man\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 091223-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_THEMES
-------\Service_Themes


((((((((((((((((((((((((( Files Created from 2009-11-23 to 2009-12-23 )))))))))))))))))))))))))))))))
.

2009-12-19 18:46 . 2009-12-19 18:46 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-12-19 18:44 . 2009-12-19 18:44 -------- d-sh--w- c:\documents and settings\Leon Man\IETldCache
2009-12-19 14:24 . 2009-10-29 07:45 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-12-19 14:24 . 2009-10-29 07:45 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-19 14:24 . 2009-12-20 11:15 -------- d-----w- c:\windows\ie8updates
2009-12-19 14:23 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-12-19 14:22 . 2009-12-19 14:23 -------- dc-h--w- c:\windows\ie8
2009-12-17 21:25 . 2009-12-17 21:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Corporation
2009-12-17 21:25 . 2009-12-17 21:25 -------- d-----w- c:\documents and settings\Leon Man\Application Data\Sony Corporation
2009-12-17 21:10 . 2009-12-17 21:10 -------- d-----w- c:\program files\Common Files\Sony Shared
2009-12-17 20:57 . 2009-12-17 21:10 -------- d-----w- c:\program files\Sony
2009-12-16 16:24 . 2009-12-16 16:24 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-12-16 16:19 . 2009-12-16 16:19 -------- d-----w- c:\windows\ERUNT
2009-12-16 16:02 . 2009-12-16 16:40 -------- d-----w- C:\SDFix
2009-12-14 22:37 . 2009-12-14 22:40 -------- d-----w- c:\program files\Windows Live Safety Center
2009-12-11 22:19 . 2009-12-11 22:19 -------- d-----w- c:\documents and settings\Leon Man\Application Data\Malwarebytes
2009-12-11 22:18 . 2009-12-03 16:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-11 22:18 . 2009-12-11 22:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-11 22:18 . 2009-12-03 16:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-11 22:18 . 2009-12-11 22:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-11 22:00 . 2009-12-11 22:00 132096 --sha-r- c:\windows\system32\kbdhe319Q.dll
2009-12-10 18:15 . 2009-12-10 18:15 -------- d-----w- c:\documents and settings\Leon Man\Application Data\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
2009-12-10 18:14 . 2009-12-10 18:14 -------- d-----w- c:\program files\BBC iPlayer Desktop
2009-12-10 18:14 . 2009-12-10 18:14 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-03 17:29 . 2009-12-03 18:52 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-12-03 17:24 . 2009-12-03 17:24 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-12-03 17:23 . 2009-12-11 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Rosetta Stone
2009-12-03 17:23 . 2009-12-03 17:23 -------- d-----w- c:\program files\Rosetta Stone
2009-12-03 15:50 . 2009-12-03 15:51 -------- d-----w- c:\windows\speech
2009-12-03 15:50 . 2009-12-21 10:45 -------- d-----w- c:\program files\TextAloud
2009-11-30 20:18 . 2009-11-30 20:18 -------- d-----w- c:\program files\Common Files\DirectX
2009-11-30 19:33 . 2009-11-30 19:33 41872 ----a-w- c:\windows\system32\xfcodec.dll
2009-11-29 18:23 . 2009-11-29 18:28 -------- d-----w- c:\program files\ReadWrite Korean
2009-11-29 18:22 . 2009-11-29 18:22 -------- d-----w- c:\program files\Korean HakGyo
2009-11-26 23:21 . 2009-11-29 00:33 334320 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-11-26 22:42 . 2009-11-26 22:42 -------- d-----w- c:\documents and settings\Leon Man\Local Settings\Application Data\Deployment
2009-11-26 22:29 . 2009-11-26 22:29 -------- d-----w- c:\documents and settings\Leon Man\Application Data\Quark
2009-11-26 22:24 . 2009-11-26 22:24 -------- d-----w- c:\program files\Quark
2009-11-26 22:24 . 2009-11-26 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Quark

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-23 18:23 . 2009-01-19 18:26 -------- d-----w- c:\program files\DNA
2009-12-23 18:23 . 2009-01-19 18:26 -------- d-----w- c:\documents and settings\Leon Man\Application Data\DNA
2009-12-23 16:19 . 2007-11-20 11:59 -------- d-----w- c:\program files\Steam
2009-12-19 18:48 . 2007-11-19 19:43 -------- d-----w- c:\program files\World of Warcraft
2009-12-09 23:07 . 2009-04-24 17:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-09 21:31 . 2008-05-12 21:19 -------- d-----w- c:\documents and settings\Leon Man\Application Data\Skype
2009-12-08 15:47 . 2007-12-26 17:36 -------- d-----w- c:\program files\Xfire
2009-12-07 22:33 . 2007-12-26 17:36 -------- d-----w- c:\documents and settings\Leon Man\Application Data\Xfire
2009-12-03 19:17 . 2009-06-22 16:27 25 ----a-w- c:\windows\popcinfot.dat
2009-12-03 19:17 . 2009-06-21 21:02 -------- d-----w- c:\program files\Plants vs Zombies
2009-12-03 18:15 . 2008-01-24 21:56 -------- d-----w- c:\documents and settings\Leon Man\Application Data\uTorrent
2009-12-03 18:12 . 2008-01-27 15:41 -------- d-----w- c:\program files\Elaborate Bytes
2009-11-26 22:30 . 2007-11-18 00:17 87504 ----a-w- c:\documents and settings\Leon Man\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-24 23:54 . 2007-11-17 23:52 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2007-11-17 23:52 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2007-11-17 23:52 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2008-07-30 00:23 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2008-07-30 00:23 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2007-11-17 23:52 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2007-11-17 23:52 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2007-11-17 23:52 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2007-11-17 23:52 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-22 12:29 . 2009-11-22 12:29 -------- d-----w- c:\documents and settings\LocalService\Application Data\Xfire
2009-11-15 00:05 . 2008-05-12 21:23 -------- d-----w- c:\documents and settings\Leon Man\Application Data\skypePM
2009-11-05 16:03 . 2009-11-05 16:03 -------- d-----w- c:\program files\iTunes
2009-11-05 16:03 . 2009-11-05 16:03 -------- d-----w- c:\program files\iPod
2009-11-05 16:03 . 2007-11-25 00:12 -------- d-----w- c:\program files\Common Files\Apple
2009-10-29 07:45 . 2006-03-04 03:33 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-10 11:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-10 11:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-10 11:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-10 11:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-10 11:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-10 11:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-06-21 21:30 . 2009-06-21 21:30 25 ----a-w- c:\program files\popcinfot.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-20 68856]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-10-07 323392]
"Google Update"="c:\documents and settings\Leon Man\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-08-31 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-25 148888]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"EPSON Stylus CX3200"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE" [2002-07-01 74752]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"AtiPTA"="atiptaxx.exe" [2006-02-22 344064]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-12-18 76304]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVD.exe" [2004-02-15 177152]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-05-26 85160]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2009-11-19 583016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Leon Man\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
Xfire.lnk - c:\program files\Xfire\xfire.exe [2009-11-30 3181456]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin F5D8053 N Wireless USB Adapter Utility.lnk - c:\program files\Belkin\F5D8053\Belkinwcui.exe [2007-9-17 1732608]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-4-16 809488]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-02-18 23:30 72208 ----a-w- c:\program files\Common Files\logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 22:34 24576 ----a-w- c:\program files\Stardock\Object Desktop\ThemeManager\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
2004-02-15 22:27 177152 ----a-w- c:\program files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
2007-11-17 11:53 171464 ----a-w- c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
2006-08-21 00:24 2068527 ----a-w- c:\program files\Free Download Manager\fdm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-12-02 17:02 1217808 ----a-w- c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-11-20 02:52 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2008-04-01 18:49 36352 ----a-w- c:\program files\Winamp\winampa.exe

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [30/07/2008 00:23 114768]
R1 atitray;atitray;c:\program files\Radeon Omega Drivers\v3.8.421\ATI Tray Tools\atitray.sys [13/11/2005 23:43 17824]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [30/07/2008 00:23 20560]
R2 AWISp50;AWISp50 NDIS Protocol Driver;c:\windows\system32\drivers\AWISp50.sys [15/03/2006 16:35 17664]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [16/04/2009 21:07 10384]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [28/07/2007 14:50 517632]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [19/11/2007 13:50 685816]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
FastUserSwitchingCompatibility
HidServ
LanmanServer
LanmanWorkstation
Messenger
Nla
NWCWorkstation
Schedule
Seclogon
SRService
TrkWks
W32Time
Wmi
WmdmPmSp
winmgmt
wscsvc
xmlprov
MHN
BITS
wuauserv
ShellHWDetection
helpsvc
napagent
hkmsvc
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.daemonsearch.com/intl/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?06042cb41a1e4a0fa45ae59cc4769d44
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?06042cb41a1e4a0fa45ae59cc4769d44
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\documents and settings\Leon Man\Application Data\Mozilla\Firefox\Profiles\zfwb4a5e.default\
FF - prefs.js: browser.search.selectedEngine - Wowhead
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig?hl=en
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=vmn&type=vendio&p=
FF - plugin: c:\documents and settings\Leon Man\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-23 18:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-1647877149-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1757981266-1647877149-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)

[HKEY_USERS\S-1-5-21-1757981266-1647877149-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:47,39,65,b4,2d,80,5e,01,dd,d2,89,60,db,7d,c9,af,bf,71,c6,ca,ba,bd,93,
c9,42,a4,83,a8,94,b4,c5,24,d4,b5,3d,d1,69,bc,3b,09,75,48,48,ae,23,56,01,6f,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d

[HKEY_USERS\S-1-5-21-1757981266-1647877149-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:00,1d,30,a8,1f,ce,41,24,c0,62,a5,78,a9,4b,21,a0,b0,ec,6b,9b,f1,
f0,3b,93,2d,4e,b7,44,c3,f9,c9,2c,70,d0,ba,f7,5d,bd,15,81,eb,53,15,2a,97,dd,\
"rkeysecu"=hex:5a,0e,2a,dc,a9,c9,41,02,2f,8c,36,a7,fa,3e,27,f9
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(560)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\program files\Stardock\Object Desktop\ThemeManager\fastload.dll

- - - - - - - > 'explorer.exe'(4616)
c:\windows\system32\WININET.dll
c:\program files\Xfire\xfire_toucan_40405.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\stsystra.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\windows\system32\rundll32.exe
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2009-12-23 18:32:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-23 18:32
ComboFix2.txt 2009-12-23 17:56
ComboFix3.txt 2009-12-17 17:19

Pre-Run: 7,127,465,984 bytes free
Post-Run: 6,978,437,120 bytes free

- - End Of File - - 4A8FECC39F0638B81503EBCA7A82E9E3



I ran gmer.exe three times; the first time I got a BSoD, and on the 2nd and 3rd tries my computer just restarted automatically, so unfortunately I cannot provide a log for that...

Thank you

#8 jpshortstuff
    WhatTheTech Teacher
  • Members
  • 660 posts
  • Gender:Male
  • Location:UK

Posted 31 December 2009 - 02:12 PM

This is odd. I want to make sure there is no Malware involved with this. Click Start >> Run, then copy/paste this command and hit Enter:
C:\WINDOWS\mbr.exe > "%userprofile%\Desktop\mbr.log"

This will create a file on your Desktop called mbr.log, please post this log in your next reply. Please also post the contents of defogger_disable.log which should be wherever you saved Defogger.

Any other problems apart from these scanners crashing?
Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

#9 trichi
  • Topic Starter
  • Members
  • 22 posts

Posted 31 December 2009 - 04:47 PM

Hi, I've done as you told, but I couldn't find an mbr.log on my desktop, and I can't find and don't remember seeing a defogger_disabled.log on the desktop either (defogger.exe is there as well).

However, I've found this log of the Gmer scan lying on my desktop, which I performed on the 23rd Dec 09 before making this thread. It worked fine back then.

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-23 20:56:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:ed,64,bf,f0,a3,de,31,8a,30,5e,8d,dc,8f,db,68,0f,9c,da,a0,ad,5e,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,81,52,1c,cf,6e,18,b1,54,21,d2,92,30,df,c4,84,af,c7,..
"khjeh"=hex:e9,69,f3,c8,41,11,af,b5,7a,b9,8a,3b,20,04,e4,1f,ae,b9,0b,f8,d4,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:93,f6,f7,82,9a,e6,15,8d,b4,4a,0a,44,5d,70,a4,a2,ee,6c,26,a4,f6,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:ed,64,bf,f0,a3,de,31,8a,30,5e,8d,dc,8f,db,68,0f,9c,da,a0,ad,5e,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,81,52,1c,cf,6e,18,b1,54,21,d2,92,30,df,c4,84,af,c7,..
"khjeh"=hex:e9,69,f3,c8,41,11,af,b5,7a,b9,8a,3b,20,04,e4,1f,ae,b9,0b,f8,d4,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:c0,06,d4,d3,4b,1c,bc,80,ce,53,bd,17,33,da,46,49,c2,02,65,0a,29,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:ed,64,bf,f0,a3,de,31,8a,30,5e,8d,dc,8f,db,68,0f,9c,da,a0,ad,5e,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,81,52,1c,cf,6e,18,b1,54,21,d2,92,30,df,c4,84,af,c7,..
"khjeh"=hex:e9,69,f3,c8,41,11,af,b5,7a,b9,8a,3b,20,04,e4,1f,ae,b9,0b,f8,d4,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:93,f6,f7,82,9a,e6,15,8d,b4,4a,0a,44,5d,70,a4,a2,ee,6c,26,a4,f6,..

scanning hidden registry entries ...

scanning hidden files ...

C:\Documents and Settings\Leon Man\Local Settings\Application Data\Mozilla\Firefox\Profiles\zfwb4a5e.default\Cache\9EC6524Dd01 17686 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1

Thank you for your time!

#10 jpshortstuff
    WhatTheTech Teacher
  • Members
  • 660 posts
  • Gender:Male
  • Location:UK

Posted 01 January 2010 - 07:07 AM

Hmm, did Defogger ask you to reboot when you ran it?

Click Start >> Run and copy/paste this command then hit Enter:
cmd /c copy C:\WINDOWS\mbr.exe "%userprofile%\Desktop\mbr.exe"

This should create a file on your Desktop entitled mbr.exe. Double-click this tool to run it, which should make an mbr.log on your Desktop; please post that.

Sorry about all this, I just want to make sure there isn't any foul play here; it's a little suspicious that all these tools are failing.

#11 trichi
  • Topic Starter
  • Members
  • 22 posts

Posted 01 January 2010 - 07:58 AM

Hi,
I don't remember if it asked me to reboot (I think so), but there's also a "defogger_reenable" file in C:\Documents and Settings\Leon Man..


The mbr.exe works now; here's the log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

Thank you for your time and sorry for the hassle, happy new year =)

#12 jpshortstuff
    WhatTheTech Teacher
  • Members
  • 660 posts
  • Gender:Male
  • Location:UK

Posted 01 January 2010 - 10:12 AM

MBR log is fine, can you attach the defogger_reenable file in your next post?

Basically, the drivers Daemon Tools uses for CD emulation use rootkit-like behaviour. Unfortunately, they also sometimes cause GMER and other anti-rootkit scans to crash, which is a big pain in the backside. Defogger is a tool that disables these drivers to allow our scans to work properly, but it looks like it may not have worked here.
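The sptd explanation above, as an added triage example that is not part of this thread or of any tool it names: a Python parser for the ComboFix service lines (the `R1 aswSP;...;path [stamp]` format) and the GMER `hidden <kind>: N` counters posted earlier, which flags CD-emulation drivers that Defogger would need to switch off and services whose image file ComboFix could not find (`[?]`). The driver set `CD_EMULATION_DRIVERS` and the sample lines are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# ComboFix prefixes each service with R (running) or S (stopped) followed by
# the Windows start type: 0 boot, 1 system, 2 auto, 3 demand, 4 disabled.
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}

# Assumed set: kernel drivers of CD/DVD emulation software (DAEMON Tools, Alcohol)
# that keep their configuration under hidden sptd\Cfg keys and are known to make
# anti-rootkit scanners crash unless disabled first (which is what Defogger does).
CD_EMULATION_DRIVERS = {"sptd", "dtscsi"}

SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)\s+\[([^\]]*)\]\s*$")
HIDDEN_RE = re.compile(r"^hidden (\w+):\s*(\d+)\s*$")

# Constructed sample in the same format as the thread's ComboFix and GMER output.
SAMPLE_LINES = [
    r"R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [30/07/2008 00:23 114768]",
    r"R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [30/07/2008 00:23 20560]",
    r"S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]",
    r"S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [19/11/2007 13:50 685816]",
    "",
    "scan completed successfully",
    "hidden processes: 0",
    "hidden services: 0",
    "hidden files: 1",
]


@dataclass
class Service:
    running: bool
    start_type: str
    name: str
    display: str
    image: str
    stamp: str  # "dd/mm/yyyy hh:mm size", or "?" when ComboFix found no file

    @property
    def missing_image(self) -> bool:
        # A service whose ImagePath points at a file that is no longer there.
        return self.stamp.strip() == "?"


def parse_services(lines: List[str]) -> List[Service]:
    """Parse the ComboFix driver/service list (R1 name;display;path [stamp])."""
    services = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        state, start, name, display, image, stamp = m.groups()
        services.append(Service(state == "R", START_TYPES.get(start, start),
                                name.strip(), display.strip(), image.strip(), stamp))
    return services


def parse_gmer_summary(lines: List[str]) -> Dict[str, int]:
    """Collect the 'hidden <kind>: N' counters GMER/catchme prints at the end."""
    counts: Dict[str, int] = {}
    for line in lines:
        m = HIDDEN_RE.match(line.strip())
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts


def triage(lines: List[str]) -> Dict[str, object]:
    """What a helper checks first: emulation drivers, dangling services, hidden items."""
    services = parse_services(lines)
    return {
        "cd_emulation": sorted(s.name for s in services
                               if s.name.lower() in CD_EMULATION_DRIVERS),
        "missing_image": sorted(s.name for s in services if s.missing_image),
        "hidden": {k: v for k, v in parse_gmer_summary(lines).items() if v > 0},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

A non-empty `cd_emulation` list is the cue to run Defogger before retrying GMER; a non-empty `hidden` dict is what warrants a closer look at the file GMER lists.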

#13 trichi
  • Topic Starter
  • Members
  • 22 posts

Posted 01 January 2010 - 03:44 PM

Oh I see, and it seems that I can't attach the file to the post. When trying to attach I got the following message: "You are not permitted to upload this type of file".

#14 jpshortstuff
    WhatTheTech Teacher
  • Members
  • 660 posts
  • Gender:Male
  • Location:UK

Posted 01 January 2010 - 03:50 PM

Bleh, OK, just chuck it in my submission channel:
http://www.bleepingcomputer.com/submit-mal....php?channel=72

#15 jpshortstuff
    WhatTheTech Teacher
  • Members
  • 660 posts
  • Gender:Male
  • Location:UK

Posted 01 January 2010 - 05:20 PM

Hmm, that was fine.

OK, one more thing to try. Reboot into safe mode (tap F8 just before Windows loads) and try running GMER or RootRepeal (Hidden Services) from there.
