Google redirect in Firefox and IE


This topic is locked
27 replies to this topic

#1 niio (Members, 19 posts)

Posted 19 January 2010 - 08:48 PM

Clicking on Google search results sends the browser to an ad page. This happens in both IE and Firefox. I got several viruses from a PDF problem; all but one (I think) have been cleaned (via FreeFixer), and Adobe Reader has been updated to the most current version. Ad-Aware, AVG, and Malwarebytes all come up clean. Using the Sygate firewall, I found which IP addresses it uses to get the redirect links and disabled access to them, so I don't get the ad pages anymore, but the malware still tries until it gets a network timeout.

Here is the HijackThis log; thanks in advance for the help.

********

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:54:24 PM, on 1/19/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by121w.bay121.mail.live.com/mail/In...spx?n=950976631
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher GUI.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_5F1A57F0B9B89E2E.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O24 - Desktop Component 0: (no name) - D:\wallpaper\antartica1.jpg
O24 - Desktop Component 1: (no name) - D:\wallpaper\antartica2neg.jpg
O24 - Desktop Component 2: (no name) - D:\wallpaper\antartica3.jpg
O24 - Desktop Component 3: (no name) - D:\wallpaper\antartica2.jpg
O24 - Desktop Component 4: (no name) - C:\Documents and Settings\user\Desktop\solar-canopy.jpg
O24 - Desktop Component 5: (no name) - http://i14.ebayimg.com/01/i/001/26/47/5b54_12.JPG

--
End of file - 5577 bytes



#2 extremeboy (Malware Response Team, 12,975 posts)

Posted 25 January 2010 - 12:56 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding.

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or RootRepeal log, please refer to this page, steps #6 and #7, for further instructions on downloading and running DDS and RootRepeal. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 niio (Topic Starter)

Posted 25 January 2010 - 04:40 PM

No problem with the delay; I'm surprised you are able to even get to the thousands of requests for help.

Here are the requested files. The instructions for Attach said to put it inline, though the note in the file said to zip and attach. I have put it inline according to the instructions.

Symptoms are as before. Clicking on the result of a Google search forwards to some other ad page. I have currently blocked with the firewall all the sites that the malware uses to get page links, so now the browser just hangs until the network times out. I also get an occasional popup ad, though these may be from websites.

Thanks for the help.

****************

DDS (Ver_09-12-01.01) - NTFSx86
Run by user at 13:00:40.59 on Mon 01/25/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.344 [GMT -8:00]

AV: *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Sygate\SPF\smc.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://by121w.bay121.mail.live.com/mail/InboxLight.aspx?n=950976631
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
mDefault_Page_URL = hxxp://www.dell.com
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [<NO NAME>]
mRun: [SmcService] c:\progra~1\sygate\spf\smc.exe -startgui
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [StartupDelayer] "c:\program files\r2 studios\startup delayer\Startup Launcher GUI.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\user\startm~1\programs\startup\openof~2.lnk - c:\program files\openoffice.org 2.4\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\KEM.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_5F1A57F0B9B89E2E.dll/cmsidewiki.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
Trusted Zone: ensenta.com\webdeposits
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli dtmszh.dll
IFEO: taskmgr.exe - "c:\program files\process explorer\PROCEXP.EXE"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\v7gk62p8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\v7gk62p8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\v7gk62p8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\user\local settings\application data\huludesktop\instances\0.9.10.1\nphdplg.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCortona.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: XULRunner: {E07A4BFC-D4BD-4230-8A6E-3A21A85F5FC4} - c:\documents and settings\user\local settings\application data\{E07A4BFC-D4BD-4230-8A6E-3A21A85F5FC4}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-1-6 64288]
R2 MDP100;MDP100 Video Capture;c:\windows\system32\drivers\MDP100_XP.sys [2008-10-14 611424]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
S3 cpuz130;cpuz130;\??\c:\docume~1\user\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\user\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-11-25 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-11-25 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-11-25 42112]
S4 vsdatant;vsdatant; [x]

=============== Created Last 30 ================

2010-01-20 00:54:07 0 d-----w- c:\program files\Trend Micro
2010-01-20 00:53:44 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-19 11:56:29 0 d-----w- c:\docume~1\user\applic~1\Malwarebytes
2010-01-19 11:56:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-19 11:56:23 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-19 11:56:23 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-19 11:56:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-19 10:31:26 9216 ----a-w- c:\windows\system32\ffnd.exe
2010-01-19 10:22:31 0 d-----w- c:\docume~1\user\applic~1\FreeFixer
2010-01-19 10:22:26 0 d-----w- c:\program files\FreeFixer
2010-01-17 06:42:15 0 d-----w- C:\temp backup d
2010-01-06 23:26:16 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-01 02:43:38 0 d-----w- c:\docume~1\user\applic~1\r2 Studios
2010-01-01 02:43:38 0 d-----w- c:\docume~1\alluse~1\applic~1\r2 Studios
2010-01-01 02:43:33 0 d-----w- c:\program files\r2 Studios
2009-12-30 17:28:00 0 d-----w- c:\program files\process explorer
2009-12-30 04:22:51 0 d--h--w- C:\$AVG
2009-12-30 04:22:18 0 d-----w- c:\program files\AVG
2009-12-30 04:22:17 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-12-30 04:02:55 10752 ----a-w- c:\windows\DCEBoot.exe
2009-12-30 03:53:29 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-12-30 03:23:55 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-30 01:35:49 72192 ----a-w- c:\windows\system32\tasklist.exe
2009-12-30 01:07:58 120 ----a-w- c:\windows\Acagunumulopo.dat
2009-12-30 01:07:58 0 ----a-w- c:\windows\Fgavobo.bin

==================== Find3M ====================

2009-10-19 18:12:59 88 --sh--r- c:\windows\system32\0D5CAE19B8.sys
2009-10-19 18:13:04 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 13:01:16.90 ===============




UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume3
Install Date: 7/21/2006 11:34:18 AM
System Uptime: 1/23/2010 12:16:35 AM (61 hours ago)

Motherboard: Dell Inc. | | 0FJ030
Processor: Intel® Pentium® D CPU 2.80GHz | Microprocessor | 2793/800mhz
Processor: Intel® Pentium® D CPU 2.80GHz | Microprocessor | 2793/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 146 GiB total, 104.904 GiB free.
D: is FIXED (NTFS) - 186 GiB total, 176.663 GiB free.
H: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP722: 10/23/2009 1:27:37 PM - System Checkpoint
RP723: 10/26/2009 9:40:15 PM - System Checkpoint
RP724: 10/28/2009 11:28:42 AM - System Checkpoint
RP725: 10/29/2009 5:51:01 PM - System Checkpoint
RP726: 11/1/2009 6:56:33 PM - System Checkpoint
RP727: 11/3/2009 3:11:07 PM - System Checkpoint
RP728: 11/4/2009 8:39:21 PM - System Checkpoint
RP729: 11/8/2009 8:56:22 PM - System Checkpoint
RP730: 11/10/2009 1:09:41 AM - System Checkpoint
RP731: 11/12/2009 1:12:36 PM - System Checkpoint
RP732: 11/13/2009 6:21:00 PM - System Checkpoint
RP733: 11/14/2009 7:07:45 PM - System Checkpoint
RP734: 11/16/2009 4:01:34 PM - System Checkpoint
RP735: 11/17/2009 5:34:12 PM - System Checkpoint
RP736: 11/18/2009 9:07:24 PM - System Checkpoint
RP737: 11/20/2009 2:16:36 PM - System Checkpoint
RP738: 11/24/2009 4:19:50 PM - System Checkpoint
RP739: 11/25/2009 10:06:50 PM - System Checkpoint
RP740: 12/1/2009 12:39:52 AM - System Checkpoint
RP741: 12/1/2009 6:37:56 PM - Removed Google Earth.
RP742: 12/4/2009 1:49:31 PM - System Checkpoint
RP743: 12/5/2009 2:17:06 PM - System Checkpoint
RP744: 12/9/2009 10:30:21 AM - System Checkpoint
RP745: 12/10/2009 2:11:44 PM - System Checkpoint
RP746: 12/12/2009 3:26:56 PM - System Checkpoint
RP747: 12/15/2009 3:42:48 PM - System Checkpoint
RP748: 12/16/2009 4:16:26 PM - System Checkpoint
RP749: 12/18/2009 9:05:16 AM - System Checkpoint
RP750: 12/29/2009 6:05:55 PM - System Checkpoint
RP751: 12/29/2009 8:21:46 PM - Removed Microsoft Visual C++ 2005 Redistributable
RP752: 12/29/2009 8:22:17 PM - Installed AVG Free 9.0
RP753: 12/29/2009 9:38:25 PM - Removed Adobe Reader 8
RP754: 12/29/2009 9:39:53 PM - Installed Adobe Reader 9.2.
RP755: 12/30/2009 12:29:05 AM - Avg8 Update
RP756: 12/30/2009 1:52:14 AM - Removed AVG Free 9.0
RP757: 12/30/2009 1:56:34 AM - Installed AVG Free 9.0
RP758: 12/30/2009 11:14:29 AM - Removed Google SketchUp 6
RP759: 12/30/2009 11:14:39 AM - Removed Google SketchUp 6
RP760: 12/31/2009 3:01:43 PM - System Checkpoint
RP761: 1/2/2010 12:10:10 AM - System Checkpoint
RP762: 1/3/2010 11:12:47 PM - System Checkpoint
RP763: 1/5/2010 8:35:40 PM - Removed Google Earth.
RP764: 1/6/2010 9:09:32 PM - System Checkpoint
RP765: 1/12/2010 9:33:49 AM - System Checkpoint
RP766: 1/14/2010 11:54:39 AM - System Checkpoint
RP767: 1/19/2010 6:53:41 AM - System Checkpoint
RP768: 1/20/2010 8:18:23 PM - System Checkpoint

==== Installed Programs ======================

3D Home Architect 2
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Reader 9.2
Adobe Shockwave Player
AlgoLab R2V Conversion Toolkit 2.97.58
Alibre Design
AOLIcon
Apple Application Support
Apple Software Update
Aspire Trial 1.0
Autodesk Design Review 2008
Autodesk DWF Viewer 7
AutoUpdate
Canon MF Drivers
Canon MF Toolbox 4.7.0.0.mf03
Corel Photo Album 6
Dell CinePlayer
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Support 3.1
Dell System Restore
Diesel-RK NET 4.1
Digital Content Portal
DivX
DivX Converter
DivX Player
DivX Web Player
DriveImage XML
DVD Decrypter (Remove Only)
EAGLE 4.16r1
eDrawings 2008
eMachineShop
ExpressPCB
free2Design
FreeFixer
Futuremark SystemInfo
Garmin MapSource
Garmin Mobile PC v5.00.50
Google Earth
Google SketchUp 7
Google Update Helper
GVPtoAVI 1.0
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB908673)
Hotfix for Windows XP (KB926239)
Hulu Desktop
Intel Matrix Storage Manager
Intel® PRO Network Connections Drivers
Intel® PROSet for Wired Connections
IrfanView (remove only)
J2SE Runtime Environment 5.0 Update 6
Japanese Fonts Support For Adobe Reader 9
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 4
Learn2 Player (Uninstall Only)
Logitech SetPoint
Macromedia Flash Player
Malwarebytes' Anti-Malware
MCU
MediaLife
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft English TTS Engine
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft MSDN 2005 Express Edition - ENU
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft Streets & Trips 2008
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Express Edition - ENU
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual J# 2.0 Redistributable Package
Motorola Driver Installation 3.7.0
Motorola Phone Tools
Mozilla Firefox (3.5.6)
MS XML parser 4.0 sp2
Musicmatch for Windows Media Player
MWSnap 3
MyHD
Network Recording Player
NVIDIA Drivers
NVIDIA nView Desktop Manager
NVIDIA PhysX
OmniPage SE 2.0
OpenOffice.org 2.4
PDFCreator
Presto! PageManager 6.03
Qualxserve Service Agreement
QuickBooks Simple Start Special Edition
QuickTime
Roxio DLA
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
SAPI Wrapper
Sean O'Connor's Windows Games
Search Assist
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
SequoiaView
SketchyPhysics2b1
Sonic Activation Module
Sonic Update Manager
Startup Delayer v2.5 (build 138)
Sygate Personal Firewall
System Requirements Lab
TTS Wrapper
Update for Windows XP (KB912945)
Update for Windows XP (KB931836)
URL Assistant
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebCyberCoach 3.2 Dell
WebFldrs XP
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB891781
WinZip
Yahoo! SiteBuilder

==== Event Viewer Messages From Past Week ========

1/19/2010 2:55:41 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service gupdate1c99497aa7b976e with arguments "/comsvc" in order to run the server: {E225E692-4B47-4777-9BED-4FD7FE257F0E}
1/19/2010 1:59:41 AM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
1/19/2010 1:47:29 AM, error: System Error [1003] - Error code 100000d1, parameter1 00000003, parameter2 00000002, parameter3 00000001, parameter4 f744521e.

==== End Of File ===========================




ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/25 13:04
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_iastor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iastor.sys
Address: 0xB8236000 Size: 872448 File Visible: No Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xF6987000 Size: 7872 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB5E7A000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xf6822b30

#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf76a287e

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xf68226f0

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xf6822470

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xf6822c50

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf76a2bfe

#: 249 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xf6822990

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xf68228d0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xf6822d60

Stealth Objects
-------------------
Object: Hidden Module [Name: z00clicker.dll]
Process: firefox.exe (PID: 3864) Address: 0x01060000 Size: 176128

==EOF==
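The DDS and RootRepeal output above, like the HijackThis log in post #1, is read by hand, line by line. As an added example (not a BleepingComputer tool and not anything the helper posted), here is a small Python triage script that picks out the kinds of entries a responder would check first in a redirect case like this one: an LSA Notification Packages value beyond the Windows XP default of scecli, an IFEO debugger redirection, an IE or Firefox proxy setting that could route traffic, a hidden Firefox extension living under Local Settings or Temp, and a RootRepeal "Hidden Module" injected into a process. The sample log is constructed from lines quoted in this thread; the rule names, the scratch-path heuristic and the proxy-type table are the example's own assumptions. A hit means "verify that file's hash and signature", not "malicious".

```python
"""Triage helper for DDS / HijackThis-style logs plus a RootRepeal report.

Added example (not a BleepingComputer tool).  It flags persistence and
traffic-redirection entries for manual review; a hit means "check that
file's hash and signature", not "malicious".
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    detail: str
    line: str


# Windows XP registers scecli as its only LSA notification package; legitimate
# password-filter products add their own DLL here, so anything else is "verify".
LSA_DEFAULT = {"scecli", "scecli.dll"}

# Firefox network.proxy.type: 0 = none, 1 = manual, 2 = PAC URL,
# 4 = auto-detect (WPAD), 5 = system settings.  1, 2 and 4 get reviewed.
FF_PROXY_REVIEW = {"1": "manual proxy", "2": "PAC script", "4": "WPAD auto-detect"}

# Assumption for this example: a legitimately installed extension lives under
# Program Files or the profile's extensions folder, not in these scratch paths.
USER_SCRATCH = ("local settings\\application data", "\\temp\\")


def _lsa(line):
    m = re.match(r"LSA:\s*Notification Packages\s*=\s*(.+)", line, re.I)
    if m:
        extra = [p for p in m.group(1).split() if p.lower() not in LSA_DEFAULT]
        if extra:
            return Finding("lsa-notification-package", ", ".join(extra), line)
    return None


def _ifeo(line):
    m = re.match(r"IFEO:\s*(\S+)\s*-\s*(.+)", line, re.I)
    return Finding("ifeo-debugger", f"{m.group(1)} -> {m.group(2)}", line) if m else None


def _proxy(line):
    m = re.search(r"ProxyServer\s*=\s*(.*)$", line, re.I)
    if m and re.search(r"[A-Za-z0-9.-]+:\d+", m.group(1)):   # ":0" (no host) is not a proxy
        return Finding("ie-proxy", m.group(1).strip(), line)
    m = re.search(r"network\.proxy\.type\s*-\s*(\d)", line, re.I)
    if m and m.group(1) in FF_PROXY_REVIEW:
        return Finding("firefox-proxy", FF_PROXY_REVIEW[m.group(1)], line)
    return None


def _hidden_ext(line):
    m = re.match(r"FF - HiddenExtension:\s*(.+?)\s+-\s+(.+)", line, re.I)
    if m and any(s in m.group(2).lower() for s in USER_SCRATCH):
        return Finding("hidden-extension-in-user-scratch", m.group(1), line)
    return None


LINE_RULES = (_lsa, _ifeo, _proxy, _hidden_ext)


def triage(log_text):
    """Return a Finding for each flagged line.  RootRepeal 'Hidden Module'
    entries span two lines (Object: ... then Process: ...), so the loop
    carries the module name over to the next line."""
    findings, pending_module = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        findings.extend(f for f in (rule(line) for rule in LINE_RULES) if f)
        m = re.match(r"Object:\s*Hidden Module\s*\[Name:\s*(.+?)\]", line, re.I)
        if m:
            pending_module = m.group(1)
            continue
        m = re.match(r"Process:\s*(\S+)\s*\(PID:\s*(\d+)\)", line, re.I)
        if m and pending_module:
            findings.append(Finding("hidden-module-in-process",
                                    f"{pending_module} in {m.group(1)} pid {m.group(2)}", line))
        pending_module = None
    return findings


# Constructed sample: lines quoted from the DDS, HijackThis and RootRepeal output in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
LSA: Notification Packages = scecli dtmszh.dll
IFEO: taskmgr.exe - "c:\program files\process explorer\PROCEXP.EXE"
FF - prefs.js: network.proxy.type - 4
FF - HiddenExtension: XULRunner: {E07A4BFC-D4BD-4230-8A6E-3A21A85F5FC4} - c:\documents and settings\user\local settings\application data\{E07A4BFC-D4BD-4230-8A6E-3A21A85F5FC4}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
Object: Hidden Module [Name: z00clicker.dll]
Process: firefox.exe (PID: 3864) Address: 0x01060000 Size: 176128
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}")
```

Run it against a saved DDS.txt with the RootRepeal report appended. On the excerpt above it returns five findings (the dtmszh.dll package, the taskmgr.exe IFEO entry, the Firefox WPAD proxy mode, the XULRunner extension under Local Settings, and z00clicker.dll inside firefox.exe) and leaves the empty IE ProxyServer value ":0" and the Java Console extension under Program Files alone.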

#4 extremeboy (Malware Response Team)

Posted 25 January 2010 - 05:28 PM

Hello again,

Thanks for the logs and description. We're going to start off with ComboFix.

Download and Run Combofix

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page for instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.

Thanks.

With regards,
Extremeboy

#5 niio (Topic Starter)

Posted 25 January 2010 - 06:34 PM

Here is the ComboFix log.

**********************

ComboFix 10-01-25.02 - user 01/25/2010 15:14:54.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.707 [GMT -8:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: Sygate Personal Firewall *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\user\LOCALS~1\Temp\1.wmv
c:\documents and settings\user\Local Settings\Application Data\{E07A4BFC-D4BD-4230-8A6E-3A21A85F5FC4}
c:\documents and settings\user\Local Settings\Application Data\{E07A4BFC-D4BD-4230-8A6E-3A21A85F5FC4}\chrome.manifest
c:\documents and settings\user\Local Settings\Application Data\{E07A4BFC-D4BD-4230-8A6E-3A21A85F5FC4}\chrome\content\_cfg.js
c:\documents and settings\user\Local Settings\Application Data\{E07A4BFC-D4BD-4230-8A6E-3A21A85F5FC4}\chrome\content\overlay.xul
c:\documents and settings\user\Local Settings\Application Data\{E07A4BFC-D4BD-4230-8A6E-3A21A85F5FC4}\install.rdf
c:\windows\etecogira.dll
c:\windows\system32\bszip.dll
c:\windows\system32\nvsvc32.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NVSvc
-------\Service_NVSvc


((((((((((((((((((((((((( Files Created from 2009-12-25 to 2010-01-25 )))))))))))))))))))))))))))))))
.

2010-01-20 23:26 . 2010-01-20 23:26 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-01-20 00:54 . 2010-01-20 00:54 -------- d-----w- c:\program files\Trend Micro
2010-01-20 00:53 . 2009-12-02 13:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-19 11:56 . 2010-01-19 11:56 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2010-01-19 11:56 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-19 11:56 . 2010-01-19 11:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-19 11:56 . 2010-01-19 11:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-19 11:56 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-19 10:58 . 2009-12-17 00:05 347136 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\v7gk62p8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-01-19 10:58 . 2009-12-17 00:05 340992 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\v7gk62p8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-01-19 10:58 . 2009-12-17 00:05 43008 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\v7gk62p8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-01-19 10:58 . 2009-12-17 00:05 1452032 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\v7gk62p8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-01-19 10:58 . 2009-12-17 00:05 471040 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\v7gk62p8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
2010-01-19 10:31 . 2007-08-14 21:04 9216 ----a-w- c:\windows\system32\ffnd.exe
2010-01-19 10:22 . 2010-01-19 10:22 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\FreeFixer
2010-01-19 10:22 . 2010-01-19 10:22 -------- d-----w- c:\documents and settings\user\Application Data\FreeFixer
2010-01-19 10:22 . 2010-01-19 10:22 -------- d-----w- c:\program files\FreeFixer
2010-01-17 06:42 . 2010-01-17 08:04 -------- d-----w- C:\temp backup d
2010-01-06 23:26 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-01 02:43 . 2010-01-01 02:43 -------- d-----w- c:\documents and settings\user\Application Data\r2 Studios
2010-01-01 02:43 . 2010-01-01 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\r2 Studios
2010-01-01 02:43 . 2010-01-01 02:43 -------- d-----w- c:\program files\r2 Studios
2009-12-30 17:28 . 2009-12-30 17:28 -------- d-----w- c:\program files\process explorer
2009-12-30 08:29 . 2009-12-30 04:22 3776280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2009-12-30 08:29 . 2009-12-30 04:22 4043032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-12-30 08:29 . 2009-12-30 04:22 3967256 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-12-30 08:29 . 2009-12-30 04:22 2352920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll
2009-12-30 08:29 . 2009-12-30 04:22 916248 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
2009-12-30 04:22 . 2009-12-30 04:39 -------- d-----w- C:\$AVG
2009-12-30 04:22 . 2009-12-30 04:22 -------- d-----w- c:\program files\AVG
2009-12-30 04:22 . 2009-12-30 09:55 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-12-30 04:02 . 2009-12-30 04:02 10752 ----a-w- c:\windows\DCEBoot.exe
2009-12-30 03:53 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-12-30 03:23 . 2010-01-06 23:25 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-30 01:35 . 2009-12-30 01:35 72192 ----a-w- c:\windows\system32\tasklist.exe
2009-12-30 01:07 . 2010-01-19 09:47 120 ----a-w- c:\windows\Acagunumulopo.dat
2009-12-30 01:07 . 2010-01-19 09:47 0 ----a-w- c:\windows\Fgavobo.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-25 23:22 . 2006-07-26 22:47 -------- d-----w- c:\documents and settings\user\Application Data\OpenOffice.org2
2010-01-20 23:26 . 2010-01-06 23:25 372280 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-01-20 23:26 . 2010-01-06 23:25 823928 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-01-20 08:11 . 2008-06-06 12:27 1 ----a-w- c:\documents and settings\user\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-01-19 13:41 . 2006-07-13 17:14 -------- d-----w- c:\program files\Google
2010-01-19 13:34 . 2006-07-13 17:14 -------- d-----w- c:\program files\BAE
2010-01-08 23:27 . 2010-01-06 23:25 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-01-06 23:26 . 2010-01-06 23:25 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-01-06 23:25 . 2010-01-06 23:25 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2010-01-06 23:25 . 2010-01-06 23:25 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-01-06 23:25 . 2010-01-06 23:25 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-01-06 23:25 . 2010-01-06 23:25 194104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2009-11-30 20:53 . 2006-10-21 23:00 -------- d-----w- c:\documents and settings\user\Application Data\Alibre Design
2009-11-29 00:22 . 2008-08-12 20:21 -------- d-----w- c:\program files\eMachineShop
2009-10-19 18:12 . 2006-07-31 22:35 88 --sh--r- c:\windows\system32\0D5CAE19B8.sys
2009-10-19 18:13 . 2006-11-10 18:31 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-16 2577632]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"StartupDelayer"="c:\program files\r2 Studios\Startup Delayer\Startup Launcher GUI.exe" [2009-03-08 147456]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 249856]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]

c:\documents and settings\user\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2006-7-22 581632]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= d:\wallpaper\antartica1.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= d:\wallpaper\antartica2neg.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= d:\wallpaper\antartica3.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3]
Source= d:\wallpaper\antartica2.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\4]
Source= c:\documents and settings\user\Desktop\solar-canopy.jpg
FriendlyName=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/6/2010 3:26 PM 64288]
R2 MDP100;MDP100 Video Capture;c:\windows\system32\drivers\MDP100_XP.sys [10/14/2008 10:44 AM 611424]
S3 cpuz130;cpuz130;\??\c:\docume~1\user\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\user\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 5:19 AM 1181328]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [11/25/2008 8:32 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [11/25/2008 8:32 PM 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [11/25/2008 8:32 PM 42112]
.
Contents of the 'Scheduled Tasks' folder

2010-01-25 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 23:26]

2010-01-25 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 23:26]

2010-01-21 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 23:26]

2010-01-22 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 23:26]

2010-01-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 23:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://by121w.bay121.mail.live.com/mail/InboxLight.aspx?n=950976631
mStart Page = hxxp://www.dell.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_5F1A57F0B9B89E2E.dll/cmsidewiki.html
Trusted Zone: ensenta.com\webdeposits
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\v7gk62p8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\v7gk62p8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
FF - component: c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\v7gk62p8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\user\Local Settings\Application Data\HuluDesktop\instances\0.9.10.1\nphdplg.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCortona.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

Notify-AtiExtEvent - (no file)
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-25 15:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2904137411-3170793651-3659024585-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2904137411-3170793651-3659024585-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FF14193E-9089-1749-3A99-4A61026BB145}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"haelobpjmfooloam"=hex:61,61,00,00
"haelobpjgfiopega"=hex:61,61,00,00
"iailcdphlkcghcfedi"=hex:6a,61,68,69,66,62,69,70,67,65,61,6f,67,69,67,6b,6c,66,
6f,6a,00,04
"haclianpmopgljag"=hex:6b,61,65,68,70,63,69,6c,67,65,63,6d,61,67,64,63,6d,6a,
64,6b,66,6e,00,01

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FF14193E-9089-1749-3A99-4A61026BB145}\InProcServer32*]
"jaglbeckjgoaobjmdbmm"=hex:6a,61,68,69,66,62,69,70,67,65,61,6f,67,69,67,6b,6c,
66,6f,6a,00,04
"iaglldamkipojanghp"=hex:6b,61,65,68,70,63,69,6c,67,65,63,6d,61,67,64,63,6d,6a,
64,6b,66,6e,00,01
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1640)
c:\program files\NVIDIA Corporation\nView\nview.dll
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\msi.dll
c:\windows\system32\SSSensor.dll
c:\windows\system32\shdoclc.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Sygate\SPF\smc.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\OpenOffice.org 2.4\program\soffice.exe
c:\windows\system32\rundll32.exe
c:\program files\Logitech\SetPoint\KHALMNPR.EXE
c:\program files\OpenOffice.org 2.4\program\soffice.BIN
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\System32\DLA\DLACTRLW.EXE
c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
c:\program files\Dell\Media Experience\DMXLauncher.exe
.
**************************************************************************
.
Completion time: 2010-01-25 15:27:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-25 23:27

Pre-Run: 112,627,290,112 bytes free
Post-Run: 115,813,679,104 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 9EA0257C9A4FDC7227983AC05B95BF9F


#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:12:59 AM

Posted 26 January 2010 - 11:25 AM

Hi.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    CODE
    RegNull::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FF14193E-9089-1749-3A99-4A61026BB145}\InProcServer32*]
    [HKEY_USERS\S-1-5-21-2904137411-3170793651-3659024585-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FF14193E-9089-1749-3A99-4A61026BB145}*]
    Driver::
    cpuz130
    File::
    c:\docume~1\user\LOCALS~1\Temp\cpuz130\cpuz_x32.sys
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)

    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

--
Update and Scan with MalwareBytes Anti-Malware
  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab
  • Select Check for Update and let MBAM download and install any available updates.
  • After the update is complete go to the Scanner tab.
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Thanks.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 niio

niio
  • Topic Starter

  • Members
  • 19 posts
  • Local time:08:59 PM

Posted 26 January 2010 - 12:42 PM

Here are the logs.

MS Security Center was in the tray, but when I opened it to disable it, it just hung. I could not kill the process using Task Manager either. It would generate another icon in the tray, and the original would never go away. This was installed or enabled when the Recovery Console was installed in the last set of instructions.

MWB came up clean.

*************

ComboFix 10-01-26.01 - user 01/26/2010 8:56.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.633 [GMT -8:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\cfscript.txt
AV: *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: Sygate Personal Firewall *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

FILE ::
"c:\docume~1\user\LOCALS~1\Temp\cpuz130\cpuz_x32.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CPUZ130
-------\Service_cpuz130


((((((((((((((((((((((((( Files Created from 2009-12-26 to 2010-01-26 )))))))))))))))))))))))))))))))
.

2010-01-20 23:26 . 2010-01-20 23:26 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-01-20 00:54 . 2010-01-20 00:54 -------- d-----w- c:\program files\Trend Micro
2010-01-20 00:53 . 2009-12-02 13:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-19 11:56 . 2010-01-19 11:56 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2010-01-19 11:56 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-19 11:56 . 2010-01-19 11:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-19 11:56 . 2010-01-19 11:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-19 11:56 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-19 10:58 . 2009-12-17 00:05 347136 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\v7gk62p8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-01-19 10:58 . 2009-12-17 00:05 340992 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\v7gk62p8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-01-19 10:58 . 2009-12-17 00:05 43008 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\v7gk62p8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-01-19 10:58 . 2009-12-17 00:05 1452032 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\v7gk62p8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-01-19 10:58 . 2009-12-17 00:05 471040 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\v7gk62p8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
2010-01-19 10:31 . 2007-08-14 21:04 9216 ----a-w- c:\windows\system32\ffnd.exe
2010-01-19 10:22 . 2010-01-19 10:22 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\FreeFixer
2010-01-19 10:22 . 2010-01-19 10:22 -------- d-----w- c:\documents and settings\user\Application Data\FreeFixer
2010-01-19 10:22 . 2010-01-19 10:22 -------- d-----w- c:\program files\FreeFixer
2010-01-17 06:42 . 2010-01-17 08:04 -------- d-----w- C:\temp backup d
2010-01-06 23:26 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-01 02:43 . 2010-01-01 02:43 -------- d-----w- c:\documents and settings\user\Application Data\r2 Studios
2010-01-01 02:43 . 2010-01-01 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\r2 Studios
2010-01-01 02:43 . 2010-01-01 02:43 -------- d-----w- c:\program files\r2 Studios
2009-12-30 17:28 . 2009-12-30 17:28 -------- d-----w- c:\program files\process explorer
2009-12-30 08:29 . 2009-12-30 04:22 3776280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2009-12-30 08:29 . 2009-12-30 04:22 4043032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-12-30 08:29 . 2009-12-30 04:22 3967256 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-12-30 08:29 . 2009-12-30 04:22 2352920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll
2009-12-30 08:29 . 2009-12-30 04:22 916248 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
2009-12-30 04:22 . 2009-12-30 04:39 -------- d-----w- C:\$AVG
2009-12-30 04:22 . 2009-12-30 04:22 -------- d-----w- c:\program files\AVG
2009-12-30 04:22 . 2009-12-30 09:55 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-12-30 04:02 . 2009-12-30 04:02 10752 ----a-w- c:\windows\DCEBoot.exe
2009-12-30 03:53 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-12-30 03:23 . 2010-01-06 23:25 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-30 01:35 . 2009-12-30 01:35 72192 ----a-w- c:\windows\system32\tasklist.exe
2009-12-30 01:07 . 2010-01-19 09:47 120 ----a-w- c:\windows\Acagunumulopo.dat
2009-12-30 01:07 . 2010-01-19 09:47 0 ----a-w- c:\windows\Fgavobo.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-26 17:04 . 2006-07-26 22:47 -------- d-----w- c:\documents and settings\user\Application Data\OpenOffice.org2
2010-01-26 05:46 . 2008-06-06 12:27 1 ----a-w- c:\documents and settings\user\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-01-20 23:26 . 2010-01-06 23:25 372280 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-01-20 23:26 . 2010-01-06 23:25 823928 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-01-19 13:41 . 2006-07-13 17:14 -------- d-----w- c:\program files\Google
2010-01-19 13:34 . 2006-07-13 17:14 -------- d-----w- c:\program files\BAE
2010-01-08 23:27 . 2010-01-06 23:25 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-01-06 23:26 . 2010-01-06 23:25 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-01-06 23:25 . 2010-01-06 23:25 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2010-01-06 23:25 . 2010-01-06 23:25 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-01-06 23:25 . 2010-01-06 23:25 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-01-06 23:25 . 2010-01-06 23:25 194104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2009-11-30 20:53 . 2006-10-21 23:00 -------- d-----w- c:\documents and settings\user\Application Data\Alibre Design
2009-11-29 00:22 . 2008-08-12 20:21 -------- d-----w- c:\program files\eMachineShop
2009-10-19 18:12 . 2006-07-31 22:35 88 --sh--r- c:\windows\system32\0D5CAE19B8.sys
2009-10-19 18:13 . 2006-11-10 18:31 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-16 2577632]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"StartupDelayer"="c:\program files\r2 Studios\Startup Delayer\Startup Launcher GUI.exe" [2009-03-08 147456]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 249856]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]

c:\documents and settings\user\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2006-7-22 581632]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= d:\wallpaper\antartica1.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= d:\wallpaper\antartica2neg.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= d:\wallpaper\antartica3.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3]
Source= d:\wallpaper\antartica2.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\4]
Source= c:\documents and settings\user\Desktop\solar-canopy.jpg
FriendlyName=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/6/2010 3:26 PM 64288]
R2 MDP100;MDP100 Video Capture;c:\windows\system32\drivers\MDP100_XP.sys [10/14/2008 10:44 AM 611424]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 5:19 AM 1181328]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [11/25/2008 8:32 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [11/25/2008 8:32 PM 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [11/25/2008 8:32 PM 42112]
.
Contents of the 'Scheduled Tasks' folder

2010-01-25 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 23:26]

2010-01-26 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 23:26]

2010-01-21 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 23:26]

2010-01-22 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 23:26]

2010-01-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 23:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://by121w.bay121.mail.live.com/mail/InboxLight.aspx?n=950976631
mStart Page = hxxp://www.dell.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_5F1A57F0B9B89E2E.dll/cmsidewiki.html
Trusted Zone: ensenta.com\webdeposits
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\v7gk62p8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\v7gk62p8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
FF - component: c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\v7gk62p8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\user\Local Settings\Application Data\HuluDesktop\instances\0.9.10.1\nphdplg.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCortona.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-26 09:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2904137411-3170793651-3659024585-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3532)
c:\program files\NVIDIA Corporation\nView\nview.dll
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\msi.dll
c:\windows\system32\SSSensor.dll
c:\windows\system32\shdoclc.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Sygate\SPF\smc.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\OpenOffice.org 2.4\program\soffice.exe
c:\windows\system32\rundll32.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Logitech\SetPoint\KHALMNPR.EXE
c:\program files\OpenOffice.org 2.4\program\soffice.BIN
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\System32\DLA\DLACTRLW.EXE
c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
c:\program files\Dell\Media Experience\DMXLauncher.exe
.
**************************************************************************
.
Completion time: 2010-01-26 09:10:10 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-26 17:10
ComboFix2.txt 2010-01-25 23:27

Pre-Run: 115,838,877,696 bytes free
Post-Run: 115,806,826,496 bytes free

- - End Of File - - C63F906476E24AAC6CDD44FD3D71F4D4


Malwarebytes' Anti-Malware 1.44
Database version: 3640
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

1/26/2010 9:31:35 AM
mbam-log-2010-01-26 (09-31-35).txt

Scan type: Quick Scan
Objects scanned: 114683
Time elapsed: 4 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:59 AM

Posted 26 January 2010 - 01:20 PM

Okay, thanks for letting me know. It's looking good so far. Let's just get an online scan performed; please note that the scan may take a while.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left:
    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 niio

niio
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:08:59 PM

Posted 26 January 2010 - 07:17 PM

Well, that took a long time. Kaspersky ran for six hours, but found a few things. Here are the logs. The redirects are still occurring.

*************

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, January 26, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, January 26, 2010 16:57:21
Records in database: 3373459
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
H:\

Scan statistics:
Objects scanned: 229130
Threats found: 6
Infected objects found: 7
Suspicious objects found: 0
Scan duration: 05:05:08


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Documents and Settings\user\Local Settings\Application Data\{E07A4BFC-D4BD-4230-8A6E-3A21A85F5FC4}\chrome\content\overlay.xul.vir Infected: Trojan.JS.Gord.a 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP766\A0101665.exe Infected: Trojan-Dropper.Win32.HDrop.aj 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP766\A0101788.dll Infected: Backdoor.Win32.Papras.f 1
C:\temp downloads\downloads\dvd ripper\daemon403-x86.exe Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1
C:\temp downloads\downloads\proxy\ccproxysetup.exe Infected: not-a-virus:Server-Proxy.Win32.CCProxy.63 2
C:\WINDOWS\system32\fjhdyfhsn.bat Infected: Trojan.BAT.DelFiles.ez 1

Selected area has been scanned.



DDS (Ver_09-12-01.01) - NTFSx86
Run by user at 16:07:24.76 on Tue 01/26/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.663 [GMT -8:00]

AV: *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Sygate\SPF\smc.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://by121w.bay121.mail.live.com/mail/InboxLight.aspx?n=950976631
mStart Page = hxxp://www.dell.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SmcService] c:\progra~1\sygate\spf\smc.exe -startgui
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [StartupDelayer] "c:\program files\r2 studios\startup delayer\Startup Launcher GUI.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\user\startm~1\programs\startup\openof~2.lnk - c:\program files\openoffice.org 2.4\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\KEM.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_5F1A57F0B9B89E2E.dll/cmsidewiki.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: ensenta.com\webdeposits
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\v7gk62p8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\v7gk62p8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\v7gk62p8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\user\local settings\application data\huludesktop\instances\0.9.10.1\nphdplg.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCortona.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-01-26 18:24:11 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-25 23:11:46 0 d-sha-r- C:\cmdcons
2010-01-25 23:10:24 98816 ----a-w- c:\windows\sed.exe
2010-01-25 23:10:24 77312 ----a-w- c:\windows\MBR.exe
2010-01-25 23:10:24 261632 ----a-w- c:\windows\PEV.exe
2010-01-25 23:10:24 161792 ----a-w- c:\windows\SWREG.exe
2010-01-20 00:54:07 0 d-----w- c:\program files\Trend Micro
2010-01-20 00:53:44 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-19 11:56:29 0 d-----w- c:\docume~1\user\applic~1\Malwarebytes
2010-01-19 11:56:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-19 11:56:23 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-19 11:56:23 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-19 11:56:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-19 10:31:26 9216 ----a-w- c:\windows\system32\ffnd.exe
2010-01-19 10:22:31 0 d-----w- c:\docume~1\user\applic~1\FreeFixer
2010-01-19 10:22:26 0 d-----w- c:\program files\FreeFixer
2010-01-17 06:42:15 0 d-----w- C:\temp backup d
2010-01-06 23:26:16 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-01 02:43:38 0 d-----w- c:\docume~1\user\applic~1\r2 Studios
2010-01-01 02:43:38 0 d-----w- c:\docume~1\alluse~1\applic~1\r2 Studios
2010-01-01 02:43:33 0 d-----w- c:\program files\r2 Studios
2009-12-30 17:28:00 0 d-----w- c:\program files\process explorer
2009-12-30 04:22:51 0 d-----w- C:\$AVG
2009-12-30 04:22:18 0 d-----w- c:\program files\AVG
2009-12-30 04:22:17 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-12-30 04:02:55 10752 ----a-w- c:\windows\DCEBoot.exe
2009-12-30 03:53:29 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-12-30 03:23:55 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-30 01:35:49 72192 ----a-w- c:\windows\system32\tasklist.exe
2009-12-30 01:07:58 120 ----a-w- c:\windows\Acagunumulopo.dat
2009-12-30 01:07:58 0 ----a-w- c:\windows\Fgavobo.bin

==================== Find3M ====================

2009-10-19 18:12:59 88 --sh--r- c:\windows\system32\0D5CAE19B8.sys
2009-10-19 18:13:04 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 16:08:29.21 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume3
Install Date: 7/21/2006 11:34:18 AM
System Uptime: 1/26/2010 9:04:12 AM (7 hours ago)

Motherboard: Dell Inc. | | 0FJ030
Processor: Intel® Pentium® D CPU 2.80GHz | Microprocessor | 2793/800mhz
Processor: Intel® Pentium® D CPU 2.80GHz | Microprocessor | 2793/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 146 GiB total, 107.708 GiB free.
D: is FIXED (NTFS) - 186 GiB total, 176.666 GiB free.
H: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP725: 10/29/2009 5:51:01 PM - System Checkpoint
RP726: 11/1/2009 6:56:33 PM - System Checkpoint
RP727: 11/3/2009 3:11:07 PM - System Checkpoint
RP728: 11/4/2009 8:39:21 PM - System Checkpoint
RP729: 11/8/2009 8:56:22 PM - System Checkpoint
RP730: 11/10/2009 1:09:41 AM - System Checkpoint
RP731: 11/12/2009 1:12:36 PM - System Checkpoint
RP732: 11/13/2009 6:21:00 PM - System Checkpoint
RP733: 11/14/2009 7:07:45 PM - System Checkpoint
RP734: 11/16/2009 4:01:34 PM - System Checkpoint
RP735: 11/17/2009 5:34:12 PM - System Checkpoint
RP736: 11/18/2009 9:07:24 PM - System Checkpoint
RP737: 11/20/2009 2:16:36 PM - System Checkpoint
RP738: 11/24/2009 4:19:50 PM - System Checkpoint
RP739: 11/25/2009 10:06:50 PM - System Checkpoint
RP740: 12/1/2009 12:39:52 AM - System Checkpoint
RP741: 12/1/2009 6:37:56 PM - Removed Google Earth.
RP742: 12/4/2009 1:49:31 PM - System Checkpoint
RP743: 12/5/2009 2:17:06 PM - System Checkpoint
RP744: 12/9/2009 10:30:21 AM - System Checkpoint
RP745: 12/10/2009 2:11:44 PM - System Checkpoint
RP746: 12/12/2009 3:26:56 PM - System Checkpoint
RP747: 12/15/2009 3:42:48 PM - System Checkpoint
RP748: 12/16/2009 4:16:26 PM - System Checkpoint
RP749: 12/18/2009 9:05:16 AM - System Checkpoint
RP750: 12/29/2009 6:05:55 PM - System Checkpoint
RP751: 12/29/2009 8:21:46 PM - Removed Microsoft Visual C++ 2005 Redistributable
RP752: 12/29/2009 8:22:17 PM - Installed AVG Free 9.0
RP753: 12/29/2009 9:38:25 PM - Removed Adobe Reader 8
RP754: 12/29/2009 9:39:53 PM - Installed Adobe Reader 9.2.
RP755: 12/30/2009 12:29:05 AM - Avg8 Update
RP756: 12/30/2009 1:52:14 AM - Removed AVG Free 9.0
RP757: 12/30/2009 1:56:34 AM - Installed AVG Free 9.0
RP758: 12/30/2009 11:14:29 AM - Removed Google SketchUp 6
RP759: 12/30/2009 11:14:39 AM - Removed Google SketchUp 6
RP760: 12/31/2009 3:01:43 PM - System Checkpoint
RP761: 1/2/2010 12:10:10 AM - System Checkpoint
RP762: 1/3/2010 11:12:47 PM - System Checkpoint
RP763: 1/5/2010 8:35:40 PM - Removed Google Earth.
RP764: 1/6/2010 9:09:32 PM - System Checkpoint
RP765: 1/12/2010 9:33:49 AM - System Checkpoint
RP766: 1/14/2010 11:54:39 AM - System Checkpoint
RP767: 1/19/2010 6:53:41 AM - System Checkpoint
RP768: 1/20/2010 8:18:23 PM - System Checkpoint
RP769: 1/26/2010 10:23:50 AM - Installed Java™ 6 Update 18

==== Installed Programs ======================

3D Home Architect 2
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Reader 9.2
Adobe Shockwave Player
AlgoLab R2V Conversion Toolkit 2.97.58
Alibre Design
AOLIcon
Apple Application Support
Apple Software Update
Aspire Trial 1.0
Autodesk Design Review 2008
Autodesk DWF Viewer 7
AutoUpdate
Canon MF Drivers
Canon MF Toolbox 4.7.0.0.mf03
Corel Photo Album 6
Dell CinePlayer
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Support 3.1
Dell System Restore
Diesel-RK NET 4.1
Digital Content Portal
DivX
DivX Converter
DivX Player
DivX Web Player
DriveImage XML
DVD Decrypter (Remove Only)
EAGLE 4.16r1
eDrawings 2008
eMachineShop
ExpressPCB
free2Design
FreeFixer
Futuremark SystemInfo
Garmin MapSource
Garmin Mobile PC v5.00.50
Google Earth
Google SketchUp 7
Google Update Helper
GVPtoAVI 1.0
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB908673)
Hotfix for Windows XP (KB926239)
Hulu Desktop
Intel Matrix Storage Manager
Intel® PRO Network Connections Drivers
Intel® PROSet for Wired Connections
IrfanView (remove only)
J2SE Runtime Environment 5.0 Update 6
Japanese Fonts Support For Adobe Reader 9
Java 2 Runtime Environment, SE v1.4.2_03
Java Auto Updater
Java™ 6 Update 18
Java™ 6 Update 4
Learn2 Player (Uninstall Only)
Logitech SetPoint
Macromedia Flash Player
Malwarebytes' Anti-Malware
MCU
MediaLife
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft English TTS Engine
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft MSDN 2005 Express Edition - ENU
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft Streets & Trips 2008
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Express Edition - ENU
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual J# 2.0 Redistributable Package
Motorola Driver Installation 3.7.0
Motorola Phone Tools
Mozilla Firefox (3.5.6)
MS XML parser 4.0 sp2
Musicmatch for Windows Media Player
MWSnap 3
MyHD
Network Recording Player
NVIDIA Drivers
NVIDIA nView Desktop Manager
NVIDIA PhysX
OmniPage SE 2.0
OpenOffice.org 2.4
PDFCreator
Presto! PageManager 6.03
Qualxserve Service Agreement
QuickBooks Simple Start Special Edition
QuickTime
Roxio DLA
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
SAPI Wrapper
Sean O'Connor's Windows Games
Search Assist
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
SequoiaView
SketchyPhysics2b1
Sonic Activation Module
Sonic Update Manager
Startup Delayer v2.5 (build 138)
Sygate Personal Firewall
System Requirements Lab
TTS Wrapper
Update for Windows XP (KB912945)
Update for Windows XP (KB931836)
URL Assistant
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB891781
WinZip
Yahoo! SiteBuilder

==== Event Viewer Messages From Past Week ========

1/26/2010 9:02:56 AM, error: PlugPlayManager [11] - The device Root\LEGACY_CPUZ130\0000 disappeared from the system without first being prepared for removal.
1/26/2010 8:37:32 AM, error: Service Control Manager [7034] - The Intel® Matrix Storage Event Monitor service terminated unexpectedly. It has done this 1 time(s).
1/19/2010 2:55:41 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service gupdate1c99497aa7b976e with arguments "/comsvc" in order to run the server: {E225E692-4B47-4777-9BED-4FD7FE257F0E}
1/19/2010 2:06:42 AM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
1/19/2010 1:47:29 AM, error: System Error [1003] - Error code 100000d1, parameter1 00000003, parameter2 00000002, parameter3 00000001, parameter4 f744521e.

==== End Of File ===========================

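A responder reading a Kaspersky report like the one above sorts the hits by where they sit before touching anything: a copy under C:\Qoobox is already in ComboFix's quarantine, a copy under System Volume Information\_restore only comes back if that restore point is rolled back, a "not-a-virus:" hit is riskware rather than malware, and only a hit on the live filesystem (here the .bat in system32) needs immediate action. The script below does that sorting automatically. It is an added example written for this thread, not code from Kaspersky, ComboFix, DDS or the forum; the bucket names and the line format it parses ("path Infected: threat count") are assumptions taken from the report text posted above, and the sample input is a constructed copy of those result lines.

```python
"""Triage a Kaspersky Online Scanner 7 report: which hits are on the live
filesystem and which are already-quarantined or restore-point copies.
Added example for this thread; not a Kaspersky, ComboFix or DDS tool."""
import re
from collections import defaultdict

# Constructed sample: the detection lines from the report posted above,
# reproduced verbatim, plus the header/footer lines the parser must skip.
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Documents and Settings\user\Local Settings\Application Data\{E07A4BFC-D4BD-4230-8A6E-3A21A85F5FC4}\chrome\content\overlay.xul.vir Infected: Trojan.JS.Gord.a 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP766\A0101665.exe Infected: Trojan-Dropper.Win32.HDrop.aj 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP766\A0101788.dll Infected: Backdoor.Win32.Papras.f 1
C:\temp downloads\downloads\dvd ripper\daemon403-x86.exe Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1
C:\temp downloads\downloads\proxy\ccproxysetup.exe Infected: not-a-virus:Server-Proxy.Win32.CCProxy.63 2
C:\WINDOWS\system32\fjhdyfhsn.bat Infected: Trojan.BAT.DelFiles.ez 1

Selected area has been scanned.
"""

# One result line: "<path> Infected: <threat name> <count>".  Paths may contain
# spaces, so the path group is non-greedy and anchored on the literal marker.
DETECTION = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


def parse_report(text):
    """Yield (path, threat, count) for every detection line; skip the rest."""
    for line in text.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            yield m["path"], m["threat"], int(m["count"])


def classify(path, threat):
    """Bucket a hit by where the file sits and what kind of detection it is."""
    low = path.lower()
    if re.match(r"[a-z]:\\qoobox\\quarantine\\", low):
        return "quarantined"    # ComboFix's quarantine folder: already neutralised
    if r"\system volume information\_restore" in low:
        return "restore_point"  # dormant unless that restore point is rolled back
    if threat.lower().startswith("not-a-virus:"):
        return "riskware"       # legitimate-but-risky software (toolbars, proxies)
    return "live"               # active on the running filesystem: act on these first


def triage(text):
    """Return {bucket: [(path, threat, count), ...]} for the report text."""
    buckets = defaultdict(list)
    for path, threat, count in parse_report(text):
        buckets[classify(path, threat)].append((path, threat, count))
    return dict(buckets)


def totals(text):
    """Recompute the report's own 'Threats found' and 'Infected objects found'."""
    hits = list(parse_report(text))
    return len(hits), sum(count for _, _, count in hits)


if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_REPORT).items():
        print(f"[{bucket}]")
        for path, threat, count in hits:
            print(f"  {threat:45} x{count}  {path}")
    print("threats found / infected objects:", totals(SAMPLE_REPORT))
```

Run against the posted report, `totals()` gives (6, 7), matching the scanner's own "Threats found: 6" and "Infected objects found: 7" (the CCProxy installer counts twice), and the only entry in the "live" bucket is C:\WINDOWS\system32\fjhdyfhsn.bat. The restore-point copies are cleared by purging System Restore once the machine is clean, and the Qoobox copies go away when ComboFix is uninstalled, which is why a responder would not chase them by hand.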

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:59 AM

Posted 26 January 2010 - 07:37 PM

Hello.

The redirects are still there?

Please delete these files.
QUOTE
C:\WINDOWS\system32\fjhdyfhsn.bat
C:\temp downloads\downloads\dvd ripper\daemon403-x86.exe
C:\temp downloads\downloads\proxy\ccproxysetup.exe


Then please uninstall these older versions of Java.
QUOTE
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 4


Upon completion of that, run GooredFix.

Download and Run GooredFix

Please download GooredFix and save it to your Desktop if you lost your copy.
Alternative Download Mirror #1

Please make sure all instances of Firefox are closed at this point before proceeding.
  • Ensure all Firefox windows are closed at this time.
  • Please double-click GooredFix.exe on your Desktop to run it. If you are using Vista, please right-click and select Run as administrator.
  • When prompted to run the scan, click Yes.
  • The removal process will begin, please be patient until it finishes.
  • A log will open with the file after completion, please post the contents of that log in your next reply
*Note: The log can also be found on your desktop called GooredFix.txt

---
Then reboot your computer and let me know if you still have the redirect issue.

With Regards,
Extremeboy

#11 niio

niio
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:08:59 PM

Posted 26 January 2010 - 08:06 PM

The specified files are deleted and old versions of java removed. Here is the GooredFix log. It ran very quickly. I rebooted; the redirect still occurs.

*************

GooredFix by jpshortstuff (08.01.10.1)
Log created at 16:54 on 26/01/2010 (user)
Firefox version 3.5.6 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [21:57 02/07/2008]
{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} [18:24 26/01/2010]

C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\v7gk62p8.default\extensions\
{3112ca9c-de6d-4884-a869-9855de68056c} [10:58 19/01/2010]
{71328583-3CA7-4809-B4BA-570A85818FBB} [20:06 25/08/2009]
{c4dc572a-3295-40eb-b30f-b54aa4cdc4b7} [18:27 30/12/2009]
{DDC359D1-844A-42a7-9AA1-88A850A938A8} [17:53 08/11/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [18:23 26/01/2010]

-=E.O.F=-

#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:59 AM

Posted 27 January 2010 - 02:22 PM

Please delete these two files:

c:\windows\Fgavobo.bin
c:\windows\Acagunumulopo.dat

Run a GMER scan for me...

Download and Run GMER

We will use GMER to scan for rootkits.
  • Please download GMER from one of the following locations, and save it to your desktop:
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)

  • Close any and all open programs, as this process may crash your computer.
  • Double click or on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista.
  • Allow the gmer.sys driver to load if asked.

    If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system... Click NO.
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries

Also, let me know if the redirects occur in both IE and FF or just one of them?

#13 niio

niio
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:08:59 PM

Posted 27 January 2010 - 09:57 PM

Files are deleted and GMER log follows. It's messy since it's too wide for the screen. If you can't read it I can zip it and send it in attachment. GMER ran for six hours.

The problem is in both Firefox and IE, though when I tried IE after today's scan my computer hung. I am still trying to fix it (IE). I'll let you know.


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-27 18:39:27
Windows 5.1.2600 Service Pack 2
Running: u2wpquuc.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\pwtdapod.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xB121BB30]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF76A287E]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwCreateThread [0xB121B6F0]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xB121B470]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwProtectVirtualMemory [0xB121BC50]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF76A2BFE]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwShutdownSystem [0xB121B990]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwTerminateProcess [0xB121B8D0]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwWriteVirtualMemory [0xB121BD60]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F72DAC70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F72DABD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F72DAB10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F72DA8E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F72DA8E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F72DABD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F72DAC70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F72DAB10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F72DAB10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F72DA8E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F72DABD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F72DAC70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F72DA8E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F72DAC70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F72DABD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F72DAB10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F72DAC70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F72DA8E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F72DABD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F72DAB10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F72DA8E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F72DABD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F72DAC70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F72DA8E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F72DAB10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F72DAC70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F72DABD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\iastor \Device\Ide\iaStor0 [F7447018] iastor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\iastor \Device\Ide\IAAStorageDevice-0 [F7447018] iastor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \FileSystem\Fastfat \Fat AEF7CC8A

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iastor.sys suspicious modification

---- EOF - GMER 1.0.15 ----



#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:59 AM

Posted 27 January 2010 - 10:39 PM

Hello.

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select run as administrator)
  • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    CODE
    :filefind
    iastor.sys
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#15 niio

niio
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:08:59 PM

Posted 27 January 2010 - 11:12 PM

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 20:06 on 27/01/2010 by user (Administrator - Elevation successful)

========== filefind ==========

Searching for "iastor.sys"
C:\drivers\storage\sata\onboard\iastor.sys --a--- 872064 bytes [16:47 13/07/2006] [10:33 17/06/2005] 9A65E42664D1534B68512CAAD0EFE963
C:\i386\iaStor.sys --a--- 872064 bytes [21:59 21/07/2006] [10:33 17/06/2005] 9A65E42664D1534B68512CAAD0EFE963
C:\WINDOWS\system32\drivers\iaStor.sys --a--- 872064 bytes [16:47 13/07/2006] [10:33 17/06/2005] 9A65E42664D1534B68512CAAD0EFE963

-=End Of File=-
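A check a responder would run on output like this, added here as an example and not part of the thread: parse the SystemLook filefind result lines and confirm that every on-disk copy of the driver carries the same size and MD5, flagging any copy that diverges from the rest. The first three sample lines are the ones posted above; the fourth, with an all-zero placeholder hash under a made-up path, is constructed to exercise the mismatch case.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# One SystemLook ":filefind" result line has the shape
#   <path> <attr flags> <size> bytes [<modified>] [<created>] <MD5>
FILEFIND_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+(?P<attrs>[-A-Za-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Three lines copied from the log posted in the thread, plus one constructed
# line (placeholder path, all-zero hash) so the mismatch branch is exercised.
SAMPLE_LOG = r"""
========== filefind ==========

Searching for "iastor.sys"
C:\drivers\storage\sata\onboard\iastor.sys --a--- 872064 bytes [16:47 13/07/2006] [10:33 17/06/2005] 9A65E42664D1534B68512CAAD0EFE963
C:\i386\iaStor.sys --a--- 872064 bytes [21:59 21/07/2006] [10:33 17/06/2005] 9A65E42664D1534B68512CAAD0EFE963
C:\WINDOWS\system32\drivers\iaStor.sys --a--- 872064 bytes [16:47 13/07/2006] [10:33 17/06/2005] 9A65E42664D1534B68512CAAD0EFE963
C:\constructed\iaStor.sys --a--- 872064 bytes [16:47 13/07/2006] [10:33 17/06/2005] 00000000000000000000000000000000

-=End Of File=-
"""

def parse_filefind(text):
    """Return one dict per result line; lines that are not results are skipped."""
    entries = []
    for line in text.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            entries.append(d)
    return entries

def check_copies(entries):
    """Group copies by file name (Windows names are case-insensitive) and flag
    every copy whose (size, MD5) differs from the majority fingerprint."""
    groups = defaultdict(list)
    for e in entries:
        groups[PureWindowsPath(e["path"]).name.lower()].append(e)
    report = {}
    for name, copies in groups.items():
        fingerprints = Counter((c["size"], c["md5"]) for c in copies)
        majority, _ = fingerprints.most_common(1)[0]
        outliers = [c["path"] for c in copies if (c["size"], c["md5"]) != majority]
        report[name] = {"copies": len(copies), "distinct": len(fingerprints),
                        "consistent": len(fingerprints) == 1, "outliers": outliers}
    return report

if __name__ == "__main__":
    for name, r in check_copies(parse_filefind(SAMPLE_LOG)).items():
        print(name, "consistent" if r["consistent"] else "MISMATCH", r["outliers"])
```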



