Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Another Google Redirect victim - help pls?


  • This topic is locked This topic is locked
3 replies to this topic

#1 NavarraUK

NavarraUK

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:09:33 AM

Posted 10 January 2010 - 11:34 AM

Hi

I have the google redirect issue with links i click on in google and get ads popping up randomly.

I use safari mainly and am on windows 7.

Here is the DDS log and attachments

thanks in advance




DDS (Ver_09-12-01.01) - NTFSx86
Run by mnavarra at 16:20:05.15 on 10/01/2010
Internet Explorer: 8.0.7100.0 BrowserJavaVersion: 1.6.0_17
Microsoft Windows 7 Ultimate 6.1.7100.0.1252.44.1033.18.2550.714 [GMT 0:00]

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
D:\Office14\GROOVEMN.EXE
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft LifeCam\LifeExp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Users\mnavarra\Desktop\OTL.exe
C:\Users\mnavarra\AppData\Local\Temp\87ljbcav.tmp\z53ta3yj.exe
C:\Users\mnavarra\AppData\Local\Temp\RarSFX0\r62bc6.exe
C:\Users\mnavarra\AppData\Local\Temp\RarSFX0\97pp3XP.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\taskeng.exe
C:\Users\mnavarra\AppData\Local\Temp\5ojcbr7k.tmp\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=169.254.122.133:3128;https=169.254.122.133:3128;socks=169.254.122.133:1080
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - d:\office14\GROOVEEX.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - d:\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: ChromeFrame BHO: {ecb3c477-1a0a-44bd-bb57-78f9efe34fa7} - c:\program files\google\chrome frame\application\4.0.266.0\npchrome_tab.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Google Update] "c:\users\mnavarra\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [avast!] "c:\program files\alwil software\avast4\ashDisp.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [GrooveMonitor] d:\office14\GROOVEMN.EXE
mRun: [BCSSync] "d:\office14\BCSSync.exe" /DelayServices
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
dRun: [Rapportexe] "c:\program files\trusteer\rapport\bin\RapportService.exe" -start -after_boot
StartupFolder: c:\users\mnavarra\appdata\roaming\micros~1\windows\startm~1\programs\startup\pregna~1.lnk - c:\program files\pregnancy desktop\Pregnancy Desktop.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - d:\office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_5F1A57F0B9B89E2E.dll/cmsidewiki.html
IE: S&end to OneNote - d:\office14\ONBttnIE.dll/105
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://fb.familylink.com/we_are_related/stream/core/lib/AurigmaImageUploader/ImageUploader5.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
TCP: 565727F63707F647 = 169.254.57.227
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: cf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - c:\program files\google\chrome frame\application\4.0.266.0\npchrome_tab.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - d:\office14\GROOVEEX.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3.6 beta 1\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox 3.6 beta 1\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox 3.6 beta 1\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox 3.6 beta 1\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox 3.6 beta 1\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox 3.6 beta 1\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox 3.6 beta 1\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox 3.6 beta 1\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox 3.6 beta 1\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox 3.6 beta 1\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox 3.6 beta 1\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox 3.6 beta 1\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox 3.6 beta 1\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox 3.6 beta 1\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox 3.6 beta 1\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox 3.6 beta 1\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox 3.6 beta 1\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox 3.6 beta 1\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox 3.6 beta 1\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox 3.6 beta 1\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox 3.6 beta 1\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox 3.6 beta 1\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox 3.6 beta 1\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox 3.6 beta 1\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox 3.6 beta 1\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox 3.6 beta 1\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox 3.6 beta 1\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox 3.6 beta 1\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", true);
c:\program files\mozilla firefox 3.6 beta 1\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox 3.6 beta 1\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-1-10 207792]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-5-6 114768]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2009-12-15 58984]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2009-12-15 337000]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-5-6 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-5-6 53328]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-12-4 138680]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-1-10 112592]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-4-22 229888]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2009-6-5 32256]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-4-9 4231168]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-4-22 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-4-22 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-4-22 661504]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-12-4 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-12-4 352920]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-6-18 42480]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2009-7-24 30560]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2009-5-29 17408]

=============== Created Last 30 ================

2010-01-10 16:04:14 0 d-----w- c:\users\mnavarra\DoctorWeb
2010-01-10 15:05:27 882 ----a-w- c:\windows\RegSDImport.xml
2010-01-10 15:05:27 880 ----a-w- c:\windows\RegISSImport.xml
2010-01-10 15:05:27 767952 ----a-w- c:\windows\BDTSupport.dll
2010-01-10 15:05:26 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-01-10 15:05:26 131 ----a-w- c:\windows\IDB.zip
2010-01-10 15:05:26 1152444 ----a-w- c:\windows\UDB.zip
2010-01-10 15:05:25 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-01-10 15:05:25 1640400 ----a-w- c:\windows\PCTBDCore.dll
2010-01-10 15:03:21 98600 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2010-01-10 15:03:21 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-01-10 15:03:21 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-01-10 15:03:11 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-01-10 15:03:10 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-01-10 15:03:10 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-01-10 15:03:10 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-01-10 15:02:50 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-01-10 15:02:50 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-01-10 15:01:36 0 d-----w- c:\program files\common files\PC Tools
2010-01-10 15:01:35 0 d-----w- c:\users\mnavarra\appdata\roaming\PC Tools
2010-01-10 15:01:35 0 d-----w- c:\programdata\PC Tools
2010-01-10 15:01:35 0 d-----w- c:\program files\Spyware Doctor
2010-01-10 11:40:00 0 d-----w- c:\program files\Trend Micro
2010-01-10 11:36:33 0 d---a-w- c:\programdata\TEMP
2010-01-10 11:36:24 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2010-01-10 11:36:22 0 d-----w- c:\program files\SpywareBlaster
2010-01-10 11:25:29 0 d-sh--w- C:\$RECYCLE.BIN
2010-01-10 10:54:45 77312 ----a-w- c:\windows\MBR.exe
2010-01-10 10:54:45 261632 ----a-w- c:\windows\PEV.exe
2010-01-10 10:54:45 161792 ----a-w- c:\windows\SWREG.exe
2010-01-10 10:54:44 98816 ----a-w- c:\windows\sed.exe
2010-01-09 20:51:33 0 d-----w- c:\users\mnavarra\appdata\roaming\Malwarebytes
2010-01-09 20:51:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-09 20:51:09 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-01-09 20:51:07 0 d-----w- c:\programdata\Malwarebytes
2010-01-09 20:51:06 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-09 20:51:05 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-09 20:50:37 0 d-----w- c:\users\mnavarra\appdata\roaming\SUPERAntiSpyware.com
2010-01-09 20:50:37 0 d-----w- c:\program files\SUPERAntiSpyware
2010-01-09 20:50:04 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-01-09 19:10:28 0 d-----w- c:\program files\Microsoft LifeCam
2010-01-09 19:09:06 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll
2010-01-08 23:05:50 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-08 23:05:50 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-01-02 13:57:36 0 d-----w- c:\users\mnavarra\appdata\roaming\EA
2010-01-01 01:23:35 0 d-----w- c:\program files\TweetDeck
2009-12-30 20:34:12 0 d-----w- c:\program files\common files\xing shared
2009-12-30 16:28:47 0 d-----w- C:\found.000
2009-12-30 08:48:23 0 d-----w- c:\program files\Sky Broadband
2009-12-14 19:15:14 2146304 ----a-w- c:\windows\system32\GPhotos.scr

==================== Find3M ====================

2010-01-08 22:34:48 187432 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-04 22:51:47 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-02 20:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-15 20:39:01 203776 ----a-w- c:\windows\system32\clrviddc.dll
2009-04-22 09:01:08 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-04-22 09:01:08 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-04-22 09:01:08 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-04-22 09:01:08 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-04-22 08:14:13 174 --sha-w- c:\program files\desktop.ini
2009-04-22 04:38:41 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-04-22 04:38:41 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-04-22 04:38:39 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-04-22 04:38:39 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-03-27 04:24:20 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-05-12 16:01:20 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-05-06 13:37:31 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-04-22 05:19:40 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7100.0_none_624b25e9a4cb0444\WinMail.exe

============= FINISH: 16:23:44.82 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 NavarraUK

NavarraUK
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:09:33 AM

Posted 10 January 2010 - 11:59 AM

Also, here is todays latest GMER log file after scan

thanks

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-10 16:58:47
Windows 6.1.7100
Running: gmer.exe; Driver: C:\Users\mnavarra\AppData\Local\Temp\kwtdqkob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwAssignProcessToJobObject [0x93831D36]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwCreateFile [0x93832442]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0x83BC8CDE]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0x83BC8ED0]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateUserProcess [0x83BC90D8]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteFile [0x9383258E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteKey [0x93835CC6]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteValueKey [0x93835CF8]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenFile [0x938324F2]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenProcess [0x93831E7A]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenThread [0x9383206C]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwProtectVirtualMemory [0x9383219E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwQueryValueKey [0x93835DCC]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwRenameKey [0x93835D36]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwReplaceKey [0x93835D68]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwRestoreKey [0x93835D9A]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetContextThread [0x93831CE4]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetInformationFile [0x938325EE]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetValueKey [0x93835C66]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSuspendThread [0x93831C88]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0x83BC8984]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwTerminateThread [0x93831C2C]

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83030AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83030104
INT 0x61 \??\C:\Program Files\Trusteer\Rapport\bin\RapportKELL.sys 93887800
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830303F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83018634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83018898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830301DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83030958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830306F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83030F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830311A8

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 866AD240
Device \FileSystem\Ntfs \Ntfs 8918D588
Device \FileSystem\Ntfs \Ntfs 88F6A098
Device \FileSystem\Ntfs \Ntfs 88EB8098
Device \FileSystem\Ntfs \Ntfs 8959F900
Device \Driver\ACPI_HAL \Device\00000055 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device -> \Driver\atapi \Device\Harddisk0\DR0 860D0618

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex@LazyCheckPointUpdateInterval 604800

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:11:33 AM

Posted 16 January 2010 - 12:09 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  1. Please download OTL from following mirror:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:11:33 AM

Posted 23 January 2010 - 08:31 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users