Google redirecting after a big fight with Trojans and the like


31 replies to this topic

#1 PapaLongLegs

  • Members
  • 23 posts

Posted 01 January 2010 - 03:15 PM

Hi!

My story's a long one

It all started a couple of weeks ago when my antivirus (AVG at the time) kept popping up with trojans, about once every couple of days. I'd send them into quarantine and/or delete them and think nothing of it. Until Christmas Day, when one popped up (in AVG) and Windows Security Centre opened up on its own and froze. I restarted my computer only to be confronted with a blue screen! I tried safe mode and normal mode, both of which came up with blue screens. So I went through the boot list to find a working option and there was one! Debugging mode.

I have no idea why debugging mode was the only one that worked, but it did. From this lucky break I managed to install Windows recovery and by going through each .bak file (with the repair files) I found which one was the problem, system.bak. I kept my original SAM, SECURITY, SOFTWARE and DEFAULT, but replaced system.bak with the repair one. It worked on normal mode, no blue screen. Then I did an AVG scan and found 2 VUNDO trojan files, deleted them then scanned again. They turned up a second time so I did a Google search on AVG. I found a new anti-virus called Anti-Vir and used that.

Anti-Vir found a ton of infected files and removed them; upon rescanning they weren't found again so I was fairly confident. However, a bit paranoid because of AVG's failure, I downloaded MalwareBytes Anti-Malware and ran that, only to find even more seriously infected files! So I went a bit nuts and tried every free AV I could find, each of which found at least one or two infected files. So now I think I am finally free of infection. However, I start to use Google like normal but find myself being redirected on a lot of links. I end up going through loads of strange websites when I'm trying to get to trusted ones like Wikipedia.

Sometimes I click on a search result and it'll take me to ask.com and search it again. Sometimes it'll take me to a fake anti-virus website. Very frustrating! I tried this with Google Chrome and Firefox. Both had this problem (although Firefox's open in a new tab).

Anywho, here are my DDS and RootRepeal logs. I hope you can help me; I would really appreciate it!

I am running Windows XP SP2. My current AV software is Anti-Vir, Ad-Aware, Spybot and Malwarebytes. I also downloaded the Comodo firewall.

Thanks in advance for any reply! Oh and happy new year everyone!




DDS (Ver_09-12-01.01) - NTFSx86
Run by User at 18:56:56.76 on 01/01/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1535.758 [GMT 0:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: avast! antivirus 4.8.0 [VPS 000000-0] *On-access scanning enabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\WTMKM.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Comodo\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\USB TV\EM28XX\BDARemote.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sky.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uDefault_Search_URL =
uDefault_Page_URL = hxxp://www.sky.com
uWindow Title = Internet Explorer Provided By Sky Broadband
mDefault_Page_URL = www.spotonuk.com
mSearch Page = about:blank
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
uRun: [igndlm.exe] c:\program files\ign\download manager\DLM.exe /windowsstart /startifwork
uRun: [Steam]
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
uRun: [EPSON Stylus DX4000 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatibee.exe /fu "c:\windows\temp\E_SC6.tmp" /EF "HKCU"
uRun: [Google Update] "c:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Windows Media Connect 2] "c:\program files\windows media connect 2\WMCCFG.exe" /StartQuiet
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MacrokeyManager] WTMKM.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [ddsysmns] c:\windows\system32\smcrsmm.exe
dRun: [ncsmmlg] c:\windows\system32\acsbvcc.exe
dRun: [mvcupdate] c:\windows\system32\cmdupdlms.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bdarem~1.lnk - c:\program files\usb tv\em28xx\BDARemote.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ralink~1.lnk - c:\program files\ralink\common\RaUI.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Open with &ZipScan - c:\progra~1\zipsca~1\zs_ie.htm
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145384821203
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: WRNotifier - WRLogonNTF.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {969B3B70-8765-11D5-9809-0050BACBF861} - rundll32.exe advpack.dll,LaunchINFSection c:\program files\cyberlink\mp3powerencoder\Cyber.inf,PerUserStub

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\0gx9lvdp.default\
FF - prefs.js: browser.search.selectedEngine - Amazon.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\0gx9lvdp.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\documents and settings\all users\application data\nexoneu\ngm\npNxGameeu.dll
FF - plugin: c:\documents and settings\user\application data\mozilla\firefox\profiles\0gx9lvdp.default\extensions\battlefieldheroespatcher@ea.com\platform\winnt_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\documents and settings\user\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\ign\download manager\npfpdlm.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvideoegg-loader.dll
FF - plugin: c:\program files\videoegg\loader\2663\npvideoegg-loader.dll
FF - HiddenExtension: Internal security: No Registry Reference - c:\program files\mozilla firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-12-29 11608]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2010-1-1 132296]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-1-1 25160]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-12-29 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-12-29 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-12-29 56816]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-1-1 723632]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

=============== Created Last 30 ================

2010-01-01 18:27:46 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-01-01 18:27:46 179792 ----a-w- c:\windows\system32\guard32.dll
2010-01-01 18:27:46 132296 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2010-01-01 12:51:52 0 dc-h--w- c:\docume~1\alluse~1\applic~1\~0
2010-01-01 12:07:56 0 d-----w- c:\program files\Trend Micro
2009-12-30 13:22:07 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-12-30 13:21:50 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-30 13:21:50 0 d-----w- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
2009-12-30 12:33:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 12:33:20 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-29 23:27:57 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-29 23:27:48 0 d-----w- c:\program files\Avira
2009-12-29 23:27:48 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2009-12-29 23:22:06 577536 ----a-w- c:\windows\soundman.exe
2009-12-29 23:22:06 4122368 ----a-r- c:\windows\system32\drivers\alcxwdm.sys
2009-12-29 23:22:06 147456 ----a-w- c:\windows\system32\RtlCPAPI.dll
2009-12-29 23:22:05 49152 ----a-w- c:\windows\system32\ChCfg.exe
2009-12-29 23:22:04 18804736 ----a-w- c:\windows\system32\alsndmgr.cpl
2009-12-29 23:22:04 141016 ----a-w- c:\windows\system32\alsndmgr.wav
2009-12-29 23:22:04 10528768 ----a-w- c:\windows\system32\RTLCPL.exe
2009-12-29 23:19:37 0 d-----w- c:\program files\Realtek AC97
2009-12-29 23:19:31 315392 ----a-w- c:\windows\alcupd.exe
2009-12-29 23:19:31 217088 ----a-w- c:\windows\alcrmv.exe
2009-12-29 14:27:19 10520 ------w- c:\windows\system32\avgrsstx.dll.install_backup
2009-12-29 14:27:01 0 d-----w- c:\docume~1\alluse~1\applic~1\avg8
2009-12-29 13:28:11 0 d-----w- c:\docume~1\user\applic~1\AVG8
2009-12-29 12:42:18 0 d-----w- c:\windows\setup.pss
2009-12-29 12:42:15 0 d-----w- C:\VundoFix Backups
2009-12-29 12:42:12 0 d-sh--w- c:\docume~1\user\applic~1\SystemProc
2009-12-29 12:42:10 0 d-----w- c:\program files\common files\ATI Technologies
2009-12-27 16:30:14 0 d-----w- c:\windows\tmp
2009-12-27 16:25:41 0 d-----w- c:\windows\tmpcopy
2009-12-27 16:16:19 0 d-sh--r- C:\cmdcons
2009-12-26 03:15:29 6530691 ----a-w- c:\program files\Alcohol Soft zipped.zip
2009-12-26 03:14:45 1190667 ----a-w- c:\program files\DAEMON Tools ZIPPED.zip
2009-12-26 01:44:50 0 d-----w- c:\docume~1\user\applic~1\Malwarebytes
2009-12-25 20:52:18 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-25 20:52:18 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-25 19:34:25 0 ----a-w- c:\windows\Ukaperibecid.bin
2009-12-25 19:34:23 120 ----a-w- c:\windows\Mhopoxiy.dat
2009-12-24 00:40:46 0 d-----w- c:\program files\USB TV
2009-12-20 15:07:46 0 d--h--w- C:\$AVG
2009-12-20 15:07:00 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-12-07 19:46:24 0 d-----w- c:\windows\system32\wbem\Repository
2009-12-07 19:25:38 0 d-----w- c:\program files\common files\Logitech
2009-12-03 21:21:47 0 d-----w- c:\docume~1\alluse~1\applic~1\id Software

==================== Find3M ====================

2010-01-01 17:15:12 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-25 16:45:09 138384 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-12-25 16:43:20 215128 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-12-03 21:21:58 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-12-03 21:21:57 2373712 ----a-w- c:\windows\system32\pbsvc.exe
2009-11-06 00:38:06 54092 ---ha-w- c:\windows\system32\mlfcache.dat
2007-05-24 20:55:44 69585 ----a-w- c:\program files\war3patch.mpq
2006-11-18 21:42:56 3006 ----a-w- c:\program files\INSTALL.LOG
2001-01-10 11:23:58 162304 ----a-w- c:\program files\UNWISE.EXE
1999-07-07 00:00:00 6 --sh--r- c:\windows\@@desktop.dat
1999-07-07 00:00:00 6 --sh--r- c:\windows\@desktop@.dat
2006-03-13 22:42:05 8 --sh--r- c:\windows\system32\E98D59285B.sys
2006-05-03 10:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2009-09-21 20:57:07 900 --sha-w- c:\windows\system32\KGyGaAvL.sys
2007-02-21 11:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2007-12-17 13:43:00 27648 --sh--w- c:\windows\system32\Smab0.dll
2008-02-04 19:26:34 151040 --sh--w- c:\windows\system32\VistaUltm.dll

============= FINISH: 18:58:20.03 ===============

Oh, I forgot to mention: just before posting this I was doing some searching and found HijackThis, downloaded it and deleted 2 of the entry things. One was an internet proxy override and the other was a "no file" one. I still had the redirect problem though.

Also! My safe mode still has the blue screen error. This doesn't bother me much because I never use it. Should I address this or leave it?

Merged posts. ~ OB



Edited by PapaLongLegs, 01 January 2010 - 03:30 PM.



#2 PapaLongLegs

  • Topic Starter
  • Members
  • 23 posts

Posted 01 January 2010 - 04:25 PM

Another question guys, will this affect other computers on my wifi network? Do browser hijacks do this?

#3 PapaLongLegs

  • Topic Starter
  • Members
  • 23 posts

Posted 01 January 2010 - 06:27 PM

Sorry to be a pain, guys, but I really need an answer to my second question: will this affect other computers on my network? My brother wants to go on his.

Thanks, and if anyone can take a look at my logs that would be much appreciated too. Once again sorry for the triple post!

===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could have disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this, or do not respond to your requests, is that doing so would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days, up to two weeks perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 01 January 2010 - 09:23 PM.


#4 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 10 January 2010 - 11:40 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#5 PapaLongLegs

  • Topic Starter
  • Members
  • 23 posts

Posted 13 January 2010 - 07:51 PM

Hi thanks for the response. Here is my new DDS log:


DDS (Ver_09-12-01.01) - NTFSx86
Run by User at 0:44:42.63 on 14/01/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1535.1000 [GMT 0:00]

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: avast! antivirus 4.8.0 [VPS 000000-0] *On-access scanning enabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\WTMKM.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\USB TV\EM28XX\BDARemote.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sky.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uDefault_Search_URL =
uDefault_Page_URL = hxxp://www.sky.com
uWindow Title = Internet Explorer Provided By Sky Broadband
mDefault_Page_URL = www.spotonuk.com
mSearch Page = about:blank
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
uRun: [igndlm.exe] c:\program files\ign\download manager\DLM.exe /windowsstart /startifwork
uRun: [Steam]
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
uRun: [EPSON Stylus DX4000 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatibee.exe /fu "c:\windows\temp\E_SC6.tmp" /EF "HKCU"
uRun: [Google Update] "c:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Windows Media Connect 2] "c:\program files\windows media connect 2\WMCCFG.exe" /StartQuiet
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MacrokeyManager] WTMKM.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [ddsysmns] c:\windows\system32\smcrsmm.exe
dRun: [ncsmmlg] c:\windows\system32\acsbvcc.exe
dRun: [mvcupdate] c:\windows\system32\cmdupdlms.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bdarem~1.lnk - c:\program files\usb tv\em28xx\BDARemote.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ralink~1.lnk - c:\program files\ralink\common\RaUI.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Open with &ZipScan - c:\progra~1\zipsca~1\zs_ie.htm
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145384821203
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: WRNotifier - WRLogonNTF.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {969B3B70-8765-11D5-9809-0050BACBF861} - rundll32.exe advpack.dll,LaunchINFSection c:\program files\cyberlink\mp3powerencoder\Cyber.inf,PerUserStub

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\0gx9lvdp.default\
FF - prefs.js: browser.search.selectedEngine - Amazon.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\0gx9lvdp.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\documents and settings\all users\application data\nexoneu\ngm\npNxGameeu.dll
FF - plugin: c:\documents and settings\user\application data\mozilla\firefox\profiles\0gx9lvdp.default\extensions\battlefieldheroespatcher@ea.com\platform\winnt_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\documents and settings\user\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\ign\download manager\npfpdlm.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\videoegg\loader\2663\npvideoegg-loader.dll
FF - HiddenExtension: Internal security: No Registry Reference - c:\program files\mozilla firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-12-29 11608]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2010-1-1 132296]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-1-1 25160]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-12-29 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-12-29 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-12-29 56816]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-1-1 723632]

=============== Created Last 30 ================

2010-01-01 18:27:46 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-01-01 18:27:46 179792 ----a-w- c:\windows\system32\guard32.dll
2010-01-01 18:27:46 132296 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2010-01-01 12:07:56 0 d-----w- c:\program files\Trend Micro
2009-12-30 13:22:07 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-12-30 13:21:50 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-30 13:21:50 0 d-----w- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
2009-12-30 12:33:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 12:33:20 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-29 23:27:57 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-29 23:27:48 0 d-----w- c:\program files\Avira
2009-12-29 23:27:48 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2009-12-29 23:22:06 577536 ----a-w- c:\windows\soundman.exe
2009-12-29 23:22:06 4122368 ----a-r- c:\windows\system32\drivers\alcxwdm.sys
2009-12-29 23:22:06 147456 ----a-w- c:\windows\system32\RtlCPAPI.dll
2009-12-29 23:22:05 49152 ----a-w- c:\windows\system32\ChCfg.exe
2009-12-29 23:22:04 18804736 ----a-w- c:\windows\system32\alsndmgr.cpl
2009-12-29 23:22:04 141016 ----a-w- c:\windows\system32\alsndmgr.wav
2009-12-29 23:22:04 10528768 ----a-w- c:\windows\system32\RTLCPL.exe
2009-12-29 23:19:37 0 d-----w- c:\program files\Realtek AC97
2009-12-29 23:19:31 315392 ----a-w- c:\windows\alcupd.exe
2009-12-29 23:19:31 217088 ----a-w- c:\windows\alcrmv.exe
2009-12-29 14:27:01 0 d-----w- c:\docume~1\alluse~1\applic~1\avg8
2009-12-29 13:28:11 0 d-----w- c:\docume~1\user\applic~1\AVG8
2009-12-29 12:42:18 0 d-----w- c:\windows\setup.pss
2009-12-29 12:42:15 0 d-----w- C:\VundoFix Backups
2009-12-29 12:42:12 0 d-sh--w- c:\docume~1\user\applic~1\SystemProc
2009-12-29 12:42:10 0 d-----w- c:\program files\common files\ATI Technologies
2009-12-27 16:30:14 0 d-----w- c:\windows\tmp
2009-12-27 16:25:41 0 d-----w- c:\windows\tmpcopy
2009-12-27 16:16:19 0 d-sh--r- C:\cmdcons
2009-12-26 03:15:29 6530691 ----a-w- c:\program files\Alcohol Soft zipped.zip
2009-12-26 03:14:45 1190667 ----a-w- c:\program files\DAEMON Tools ZIPPED.zip
2009-12-26 01:44:50 0 d-----w- c:\docume~1\user\applic~1\Malwarebytes
2009-12-25 20:52:18 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-25 20:52:18 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-25 19:34:25 0 ----a-w- c:\windows\Ukaperibecid.bin
2009-12-25 19:34:23 120 ----a-w- c:\windows\Mhopoxiy.dat
2009-12-24 00:40:46 0 d-----w- c:\program files\USB TV
2009-12-20 15:07:46 0 d--h--w- C:\$AVG
2009-12-20 15:07:00 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9

==================== Find3M ====================

2010-01-01 17:15:12 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-25 16:45:09 138384 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-12-25 16:43:20 215128 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-12-03 21:21:58 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-12-03 21:21:57 2373712 ----a-w- c:\windows\system32\pbsvc.exe
2009-11-06 00:38:06 54092 ---ha-w- c:\windows\system32\mlfcache.dat
2007-05-24 20:55:44 69585 ----a-w- c:\program files\war3patch.mpq
2006-11-18 21:42:56 3006 ----a-w- c:\program files\INSTALL.LOG
2001-01-10 11:23:58 162304 ----a-w- c:\program files\UNWISE.EXE
1999-07-07 00:00:00 6 --sh--r- c:\windows\@@desktop.dat
1999-07-07 00:00:00 6 --sh--r- c:\windows\@desktop@.dat
2006-03-13 22:42:05 8 --sh--r- c:\windows\system32\E98D59285B.sys
2006-05-03 10:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2009-09-21 20:57:07 900 --sha-w- c:\windows\system32\KGyGaAvL.sys
2007-02-21 11:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2007-12-17 13:43:00 27648 --sh--w- c:\windows\system32\Smab0.dll
2008-02-04 19:26:34 151040 --sh--w- c:\windows\system32\VistaUltm.dll

============= FINISH: 0:45:26.77 ===============

#6 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:04:42 PM

Posted 15 January 2010 - 11:47 AM

Hello, and welcome to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand.
  • As I am in the final stages of training an Expert Coach will also oversee your fix. Your benefit will be two people helping you instead of just one, but responses may be somewhat delayed so please be patient!!!!
Please give me a little time to go through your logs. My instructions will be forthcoming.

~Blade


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#7 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:04:42 PM

Posted 17 January 2010 - 12:47 AM

Hello PapaLongLegs,

Another question guys, will this affect other computers on my wifi network? Do browser hijacks do this?

If possible, I would counsel you to have this computer disconnected from the network as much as possible. Also ensure that file sharing between computers on the network is disabled. Finally, ensure that your brother (or whoever else uses your network) has all programs updated, especially Java, Adobe Reader, Windows Updates, and all security programs. Though some malware can spread among networks, if these steps are followed the risk is minimal. To be safe though, I'd caution against anyone using your network to access sensitive information (finances, etc) until the problem is resolved.

***************************************************

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

***************************************************

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

***************************************************

Download Combofix from any of the links below but rename it to renamed.exe before saving it to your desktop.


Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Double click on renamed.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot of the ComboFix prompt, not reproduced)

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


~Blade


In your next reply, please include the following:
GMER log
ComboFix log



#8 PapaLongLegs

PapaLongLegs
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:09:42 PM

Posted 17 January 2010 - 04:55 PM

Hi thanks for the help!

I ran into a problem with what you requested. The GMER bit went fine, and I have my log. However I should mention that after it, I tried to open google Chrome and got a blue screen! However I restarted and all was back to normal.

So I did GMER correctly but then I tried to do the combofix part. The first problem with this was it was saying I had "avast! antivirus enabled, please disable it or carry on at your own risk". I had uninstalled avast! last week, so it wasn't on my computer. So I had to reinstall avast! so that I could disable it. Then all went well, Combofix did its thing, found that a file was infected and attempted to remove it. It then prompted me to reboot when it found rootkit activity, so I said OK and upon reboot, combofix started up again (although none of my desktop items appeared, nor did the task bar). It then spent a good 40 mins or so going through each .exe in the windows/system32 folder saying they were infected. There was a lot.

I don't know whether this is normal but I did notice that it always said "attempting to restore file" on each infection, but it never said whether it was successful or not, it just moved onto the next. Anyway it found a lot of infections before finally saying "rebooting windows".

And there it stayed for a good half hour before I decided to manually reboot using the task manager. Upon reboot there was no sign of combofix starting again and there was no combofix.txt on my c:\ drive. There was however a text file called "catchme" on my desktop along with an IE shortcut that I hadn't put there. In the catchme text file there was a list of renamed infections from the combofix text, although I'm not sure if it's complete.


Anyway here is my gmer log. I may give combofix another go and give it longer to reboot, although it didn't seem to be going anywhere before.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-17 17:36:25
Windows 5.1.2600 Service Pack 2
Running: bi0k89wg.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\fxtdypog.sys


---- System - GMER 1.0.15 ----

SSDT A127A176 ZwCreateKey
SSDT A127A16C ZwCreateThread
SSDT A127A17B ZwDeleteKey
SSDT A127A185 ZwDeleteValueKey
SSDT A127A18A ZwLoadKey
SSDT A127A158 ZwOpenProcess
SSDT A127A15D ZwOpenThread
SSDT A127A194 ZwReplaceKey
SSDT A127A18F ZwRestoreKey
SSDT A127A180 ZwSetValueKey
SSDT A127A167 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xBA7213A4]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[724] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 009E000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 89A2C618

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\vbAcceleratorSGrid6.cGridCell@ vbAcceleratorSGrid6.cGridCell
Reg HKLM\SOFTWARE\Classes\vbAcceleratorSGrid6.cGridCell\Clsid
Reg HKLM\SOFTWARE\Classes\vbAcceleratorSGrid6.cGridCell\Clsid@ {9BD3A001-42A2-491E-AACA-9512F6CF4CDB}
Reg HKLM\SOFTWARE\Classes\vbAcceleratorSGrid6.cGridSortObject@ vbAcceleratorSGrid6.cGridSortObject
Reg HKLM\SOFTWARE\Classes\vbAcceleratorSGrid6.cGridSortObject\Clsid
Reg HKLM\SOFTWARE\Classes\vbAcceleratorSGrid6.cGridSortObject\Clsid@ {D2129738-6A78-4BCB-915A-412982CAA23D}
Reg HKLM\SOFTWARE\Classes\vbAcceleratorSGrid6.IGridCellOwnerDraw@ vbAcceleratorSGrid6.IGridCellOwnerDraw
Reg HKLM\SOFTWARE\Classes\vbAcceleratorSGrid6.IGridCellOwnerDraw\Clsid
Reg HKLM\SOFTWARE\Classes\vbAcceleratorSGrid6.IGridCellOwnerDraw\Clsid@ {DC90EAA6-69B8-4DE4-9A7B-5B2C5B3FEACD}
Reg HKLM\SOFTWARE\Classes\vbAcceleratorSGrid6.vbalGrid@ vbAccelerator Grid Control
Reg HKLM\SOFTWARE\Classes\vbAcceleratorSGrid6.vbalGrid\Clsid
Reg HKLM\SOFTWARE\Classes\vbAcceleratorSGrid6.vbalGrid\Clsid@ {C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6171E0FE-6B0B-E336-CEDE-0A3CC72DBFE0}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6171E0FE-6B0B-E336-CEDE-0A3CC72DBFE0}@ianaoabemehbjkofld 0x63 0x61 0x6F 0x6B ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8C2153C2-DCA6-D70E-80E9-45E513918D1F}

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

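The GMER log above can be triaged mechanically before a helper reads it line by line. The following Python script is an added example, not part of GMER and not the forum helper's procedure: it parses the SSDT, kernel/user code section, Device and File lines of the log and ranks them. The severity labels are the script's own assumptions. SSDT hooks are commonly placed by HIPS/antivirus drivers (the DDS log above lists COMODO drivers on this machine), so they are flagged for review rather than as malicious; a driver whose entry point lies in its .rsrc section, and a Device line whose driver file is also reported as a "suspicious modification", are ranked high because that combination is not how a normal driver looks.

```python
"""Triage a GMER rootkit-scan log: collect the hook and modification lines and
rank them. Added example for this thread, not part of GMER; the severity rules
are this script's own assumptions, not GMER's verdicts."""
import re
from collections import defaultdict

# Excerpt of the GMER log posted above, embedded so the script runs offline.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT A127A176 ZwCreateKey
SSDT A127A16C ZwCreateThread
SSDT A127A167 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xBA7213A4]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[724] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 009E000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 89A2C618

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
SSDT_RE = re.compile(r"^SSDT\s+([0-9A-F]+)\s+(\w+)$")
KERNEL_RE = re.compile(r'^\.(\w+)\s+(.+?)\s+entry point in "(\.\w+)" section \[0x([0-9A-F]+)\]$')
USER_RE = re.compile(r"^\.(\w+)\s+(.+?)\[(\d+)\]\s+(\S+!\S+)\s+([0-9A-F]+)\s+(\d+) Bytes\s+(.+)$")
DEVICE_RE = re.compile(r"^Device -> (\\Driver\\\S+)\s+(\S+)\s+([0-9A-F]+)$")
FILE_RE = re.compile(r"^File (.+?) (suspicious modification)$")


def parse_gmer(text):
    """Return {"ssdt"|"kernel"|"user"|"device"|"file": [dict, ...]} for flagged lines."""
    found = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            section = m.group(1)          # section headers tell us how to read the lines below
        elif section == "System" and (m := SSDT_RE.match(line)):
            found["ssdt"].append({"addr": m.group(1), "func": m.group(2)})
        elif section == "Kernel code sections" and (m := KERNEL_RE.match(line)):
            found["kernel"].append({"path": m.group(2), "entry_section": m.group(3), "addr": m.group(4)})
        elif section == "User code sections" and (m := USER_RE.match(line)):
            found["user"].append({"process": m.group(2), "pid": int(m.group(3)),
                                  "symbol": m.group(4), "patch": m.group(7)})
        elif section == "Devices" and (m := DEVICE_RE.match(line)):
            found["device"].append({"driver": m.group(1), "device": m.group(2), "addr": m.group(3)})
        elif section == "Files" and (m := FILE_RE.match(line)):
            found["file"].append({"path": m.group(1), "note": m.group(2)})
    return dict(found)


def summarize(found):
    """Turn parsed findings into (severity, message) pairs, highest severity first."""
    report = []
    if found.get("ssdt"):
        funcs = ", ".join(f["func"] for f in found["ssdt"])
        report.append(("review", f"{len(found['ssdt'])} SSDT hooks ({funcs}); HIPS/AV drivers "
                                 "commonly hook these, so identify which driver owns the hook addresses"))
    for k in found.get("kernel", []):
        if k["entry_section"] != ".text":   # a normal driver's entry point is in a code section, not .rsrc
            report.append(("high", f"{k['path']}: entry point inside {k['entry_section']} section"))
    for u in found.get("user", []):
        report.append(("review", f"{u['process']} pid {u['pid']}: inline patch on {u['symbol']} -> {u['patch']}"))
    modified = {f["path"].lower() for f in found.get("file", [])}
    for d in found.get("device", []):
        drv = d["driver"].rsplit("\\", 1)[-1].lower()
        corroborated = any(p.endswith(drv + ".sys") for p in modified)
        msg = f"{d['driver']} reported on {d['device']} at {d['addr']}"
        if corroborated:
            msg += " and its driver file is reported as modified"
        report.append(("high" if corroborated else "review", msg))
    for f in found.get("file", []):
        report.append(("high", f"{f['path']}: {f['note']}"))
    report.sort(key=lambda r: {"high": 0, "review": 1}[r[0]])
    return report


if __name__ == "__main__":
    for severity, message in summarize(parse_gmer(SAMPLE_LOG)):
        print(f"[{severity:6}] {message}")
```

Run it against a saved gmer.log by reading the file into `parse_gmer` instead of `SAMPLE_LOG`; the grouping makes it obvious that the atapi.sys lines all point at the same file, which is exactly the kind of corroboration a helper looks for before asking for that file to be checked.
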
#9 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:04:42 PM

Posted 17 January 2010 - 06:09 PM

Hello PapaLongLegs.

Thank you for keeping me informed. Do not attempt to run ComboFix again until I advise you otherwise. Something may be interfering with its operation and we don't want to risk damage to your machine.

Let me work out a solution and I will provide you with further instructions.

~Blade

Edited by Blade Zephon, 17 January 2010 - 06:11 PM.



#10 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:04:42 PM

Posted 19 January 2010 - 08:53 AM

Hello PapaLongLegs

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps may require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Reboot your computer in "Safe Mode" using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode with Networking Support". When logging in, do NOT log in under the account titled "Admin" or "Administrator". Log in under your normal user profile.

If you are unable to access Safe Mode, please stop here and let me know.

Please try running ComboFix from Safe Mode. The instructions are reposted for your convenience. Note that you should not need to re-download ComboFix, but the links are provided just in case.

Download Combofix from any of the links below but rename it to renamed.exe before saving it to your desktop.


Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Double click on renamed.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot of the ComboFix prompt, not reproduced)

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


~Blade

In your next reply, please include the following:
ComboFix Log



#11 PapaLongLegs

PapaLongLegs
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:09:42 PM

Posted 20 January 2010 - 11:02 AM

Hi Blade,

Sorry I cannot boot into Safe Mode. The only modes that work are Normal Mode and Debugging Mode.

When I try in Safe Mode, I get a blue screen error saying IRQL_NOT_LESS_OR_EQUAL and at the bottom it has the stop code:

STOP: 0X0000000A (0x3F3F3FFB, 0x000000FF, 0x00000000, 0x804E35E9)

Should I run ComboFix in Debugging Mode? Don't worry I'll wait for your word, thanks

Edited by PapaLongLegs, 20 January 2010 - 11:03 AM.


#12 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:04:42 PM

Posted 21 January 2010 - 08:41 AM

Hello PapaLongLegs.

Yes... please try running ComboFix in Debugging mode.



#13 PapaLongLegs

PapaLongLegs
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:09:42 PM

Posted 22 January 2010 - 10:25 AM

Hi,

Debugging mode gave the same results; it stopped at rebooting Windows...

However, I then found out what was stopping Combofix. My hard drive had filled itself! There was a folder called Qoobox under c:\, in it was a file that was 70gb in size! It was made on the 1st January, during all this dodgy business. Anyway I deleted it and reran combofix and it worked!

After googling, I found out that Qoobox is a folder made by combofix, but how was this made before I ever ran the program? Odd.


The log is extremely long so I've attached it; there were plenty of infections! Almost as soon as it finished I opened up Chrome and tested out the redirect. The problem persisted, I still had redirections! However I noticed that the cache wasn't clear, so I cleared it, and ran CCleaner just to make sure. I've since had no redirections, but I'd like you to do a few more tests to make sure please.

Thanks!

Attached Files


Edited by PapaLongLegs, 22 January 2010 - 10:27 AM.


#14 PapaLongLegs

PapaLongLegs
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:09:42 PM

Posted 24 January 2010 - 08:52 AM

Okay I am still having problems,

Chrome seems to have broken; it won't load up any webpages whatsoever. So I've been using Firefox.

Now I never tested Firefox with the redirect problem so I don't know how it handles it, but it's acted a little strange. Earlier, I was looking at the properties in My Computer (because I'm missing a driver from the repair) and Firefox just popped up with some legal deed website! However it has not redirected me how Chrome used to.

I also tried Safari, but that won't even load. I've reinstalled it and whenever I click on the icon, it begins to load up but then stops in its tracks. I get the timer as if it's starting but it doesn't load up the program.

Anyway, I'm currently running an Antivir scan and it said it had found "hidden objects" which was odd but then carried on. I will post the log when it has finished.

#15 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:04:42 PM

Posted 24 January 2010 - 10:57 AM

Hello PapaLongLegs

However, I then found out what was stopping Combofix. My hard drive had filled itself! There was a folder called Qoobox under c:\, in it was a file that was 70gb in size! It was made on the 1st january, during all this dodgy business. Anyway I deleted it and reran combofix and it worked!


Did you delete the entire C:\Qoobox folder, or just the large file? Either way, I really wish you hadn't done that without consulting me first. Do you recall the name of the large file?

***************************************************

It appears that you have a file infector on board your machine. We need to further investigate this by uploading some files for analysis. Please follow the steps below.

Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following:
  • Hide extensions for known file types
  • Hide protected operating system files (Recommended)
You will get a message warning you about showing protected operating system files, click Yes
Make sure this option is selected:
  • Show hidden files and folders
Click Apply and then click OK

***************************************************

We need to check a file. Please click this link VirusTotal

When the page has finished loading, click the Choose file button and navigate to the following file and click Send file. Repeat this for all of the below listed files.

c:\windows\regedit.exe
c:\windows\explorer.exe
c:\windows\system32\drivers\atapi.sys

If you get the message that the file has already been scanned before, please click Reanalyze file now.
Please post back the results of the scan in your next post.

If Virustotal is busy, please try the same at Jotti

~Blade


In your next reply, please include the following:
VirusTotal/Jotti results

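The two steps in the post above (show hidden and protected files, then submit regedit.exe, explorer.exe and atapi.sys for scanning) can be complemented from a script. The following Python is an added example, not part of VirusTotal, Jotti or the helper's procedure: it hashes each of the three files, streaming so a large file is fine, and records whether the file carries the hidden or system attribute. The hashes can be searched for on VirusTotal before uploading anything, and keeping them gives a record of exactly which copy of the file was checked. `st_file_attributes` is only populated on Windows, so on other platforms the attribute flags simply come back false.

```python
"""Hash the files a helper asks to have checked and note their attributes.
Added example for this thread; not part of VirusTotal, Jotti or the helper's
procedure. Hash lookups on VirusTotal avoid uploading a file that has already
been analysed, and the attribute flags cover the "show hidden and protected
operating system files" step without going through Folder Options."""
import hashlib
import os
import stat

# Paths named in the post above.
FILES_TO_CHECK = [
    r"c:\windows\regedit.exe",
    r"c:\windows\explorer.exe",
    r"c:\windows\system32\drivers\atapi.sys",
]


def hash_file(path, chunk=1 << 16):
    """Return (sha256, md5, size) for path, reading in chunks so large files are fine."""
    sha, md5, size = hashlib.sha256(), hashlib.md5(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            sha.update(block)
            md5.update(block)
            size += len(block)
    return sha.hexdigest(), md5.hexdigest(), size


def file_flags(path):
    """Hidden/system attribute flags. st_file_attributes exists only on Windows,
    so on other platforms both flags are reported as False."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return {"hidden": bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN),
            "system": bool(attrs & stat.FILE_ATTRIBUTE_SYSTEM)}


def triage(paths):
    """Hash each path. A missing or unreadable file is recorded rather than
    aborting the run, because a helper wants to know that as well."""
    results = {}
    for p in paths:
        try:
            sha, md5, size = hash_file(p)
            results[p] = {"sha256": sha, "md5": md5, "size": size, **file_flags(p)}
        except OSError as exc:
            results[p] = {"error": str(exc)}
    return results


if __name__ == "__main__":
    for path, info in triage(FILES_TO_CHECK).items():
        print(path)
        for key, value in info.items():
            print(f"  {key}: {value}")
```

Paste the SHA-256 values into the VirusTotal search box to find an existing report; only upload the file itself if no report exists, and include the hashes in the reply so the helper can tie the result to the exact file on the machine.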




