Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


My Browser Search Results are Hijacked. Malware reported. Possible Virus/Trojans??

  • This topic is locked This topic is locked
2 replies to this topic

#1 dhurandar


  • Members
  • 1 posts
  • Local time:04:50 PM

Posted 23 January 2010 - 08:40 PM

Since the last 2 days, I have problems on my computer. It began when I noticed while browsing, that 2-3 sites popped by (redirects) with odd server names or ip addresses. I realized right away that there was some problem and tried to find out more. The first thing I noticed was a T.EXE in c:\ drive and I promptly removed it. I then got a free TrendMicro anti-virus scanning done, it came back with a problem file called 0U949.sys in the System32\drives folder. It would keeping popping backeven after anti-virus cleaning or manual deleting. After I did a 'Safe Boot' of Windows, I was able to get rid of it and have not noticed it since then. I do not have that scan log, but the detailed info from trendmicro site lead to webpage which also mentioned TROJ_AGENT.ISZZ as the trojan name and instructions included how to check and correct specific registry entries, which I verified and found them to be okay in first place.

However, over the next few hours since that incident, it became clear that this was more thant a simple malware problem. The best consistent indicator of the problem is that the browser search results from Google, Bing etc using IE, Firefox, Chrome, all get hijacked and redirected to different weird websites the second time I come around. The first click on the search results seem to work okay, but an additional browser window/tab is also launched with some unknown site trying to load. Then things get messy for subsequent browsing. Also I have consistently noticed that the computer slows down to a crawl after some time during all this work I am trying to do to fix the problem.

Next day, I Tried different anti-virus, etc and got some 'removals' done. Those results are placed here. However, there is still some serious
problem. I have also cleaned up the 'Temporary Internet Files' folder for a couple of users and reduced the browser cache to 8MB. Placed far below two logs from anti-virus, spy-bot

Please see DDS Log and the ATTach.txt as per the instructions on your website

I appreciate your help!!

DDS (Ver_09-12-01.01) - NTFSx86
Run by Abhijit at 20:19:58.21 on Sat 01/23/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.276 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Western Digital Technologies\NetCenter EasyLink\WDEzLink.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Documents and Settings\Abhijit\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer =
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common

BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: FireShot: {6e6e744e-4d20-4ce3-9a7a-26dfffe22f68} -
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\documents and settings\abhijit\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [WD NetCenter EasyLink] c:\program files\western digital technologies\netcenter easylink\WDEzLink.exe -s
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
dRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uExplorerRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
uExplorerRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: musicmatch.com\online
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} -

DPF: {17492023-C23A-453E-A040-C7C580BBF700} -

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} - hxxp://quickscan.bitdefender.com/qsax/qsax.cab
DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} - hxxps://usvpn2.merial.com/postauthI/epi.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -

DPF: {7E9522CF-6B95-46D6-8E2F-7638F507313F} - hxxp://www.fastaccess.drivers.bellsouth.net/software/DSLspeedtool/bls_speedop.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {A3E21079-7F41-4125-9EBB-FD44CFCC0AC1} - hxxps://www.mesh.com/0.9.3424.2/TSWeb.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DAF7E6E7-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} - hxxp://cvs.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab?
DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} - hxxp://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp3.dll
Handler: skyline - {3a4f9195-65a8-11d5-85c1-0001023952c1} - c:\program files\skyline\terraexplorer\TerraExplorerX.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-1-22 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-1-22 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-1-22 360584]
R1 FreeOTFE;FreeOTFE;c:\windows\system32\FreeOTFE.sys [2007-2-12 31856]
R1 FreeOTFECypherAES_ltc;FreeOTFECypherAES_ltc;c:\windows\system32\FreeOTFECypherAES_ltc.sys [2007-2-12 47216]
R1 FreeOTFECypherBlowfish;FreeOTFECypherBlowfish;c:\windows\system32\FreeOTFECypherBlowfish.sys [2009-1-8 25200]
R1 FreeOTFECypherCAST5;FreeOTFECypherCAST5;c:\windows\system32\FreeOTFECypherCAST5.sys [2009-1-8 31088]
R1 FreeOTFECypherCAST6_Gladman;FreeOTFECypherCAST6_Gladman;c:\windows\system32\FreeOTFECypherCAST6_Gladman.sys [2009-1-8 29808]
R1 FreeOTFECypherDES;FreeOTFECypherDES;c:\windows\system32\FreeOTFECypherDES.sys [2009-1-8 56816]
R1 FreeOTFECypherMARS_Gladman;FreeOTFECypherMARS_Gladman;c:\windows\system32\FreeOTFECypherMARS_Gladman.sys [2009-1-8 26480]
R1 FreeOTFECypherRC6_ltc;FreeOTFECypherRC6_ltc;c:\windows\system32\FreeOTFECypherRC6_ltc.sys [2009-1-8 26096]
R1 FreeOTFECypherSerpent_Gladman;FreeOTFECypherSerpent_Gladman;c:\windows\system32\FreeOTFECypherSerpent_Gladman.sys [2009-1-8 29168]
R1 FreeOTFECypherTwofish_ltc;FreeOTFECypherTwofish_ltc;c:\windows\system32\FreeOTFECypherTwofish_ltc.sys [2010-1-20 31856]
R1 FreeOTFEHashMD;FreeOTFEHashMD;c:\windows\system32\FreeOTFEHashMD.sys [2010-1-20 16880]
R1 FreeOTFEHashRIPEMD;FreeOTFEHashRIPEMD;c:\windows\system32\FreeOTFEHashRIPEMD.sys [2010-1-20 32624]
R1 FreeOTFEHashSHA;FreeOTFEHashSHA;c:\windows\system32\FreeOTFEHashSHA.sys [2010-1-20 26224]
R1 FreeOTFEHashTiger;FreeOTFEHashTiger;c:\windows\system32\FreeOTFEHashTiger.sys [2010-1-20 22128]
R1 FreeOTFEHashWhirlpool;FreeOTFEHashWhirlpool;c:\windows\system32\FreeOTFEHashWhirlpool.sys [2010-1-20 30704]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-1-22 285392]
R2 NgVpnMgr;Aventail VPN Client;c:\windows\system32\ngvpnmgr.exe [2006-4-10 309829]
R3 NgLog;Aventail VPN Logging;c:\windows\system32\drivers\nglog.sys [2006-4-10 18432]
R3 NgVpn;Aventail VPN Adapter;c:\windows\system32\drivers\NgVpn.sys [2006-4-10 68096]
S1 0U949;0U949;\??\c:\windows\system32\drivers\0u949.sys --> c:\windows\system32\drivers\0U949.sys [?]
S2 gupdate1c985a398f8cb18;Google Update Service (gupdate1c985a398f8cb18);c:\program files\google\update\GoogleUpdate.exe [2009-2-2 133104]
S3 ASUSHWIO;ASUSHWIO;\??\c:\windows\system32\drivers\asushwio.sys --> c:\windows\system32\drivers\ASUSHWIO.sys [?]
S3 NgFilter;Aventail VPN Filter;c:\windows\system32\drivers\ngfilter.sys [2006-4-10 15360]
S3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [2008-10-30 10056]
S3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [2008-10-30 20424]
S4 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-2-18 204800]

=============== Created Last 30 ================

2010-01-23 20:47:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-23 20:47:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-23 20:47:10 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-23 20:47:10 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-23 06:58:36 135680 ----a-w- C:\services.com.exe
2010-01-23 05:31:37 0 d-----w- C:\cleanup
2010-01-22 22:25:40 0 d--h--w- C:\$AVG
2010-01-22 22:24:19 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-22 22:24:19 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-22 22:24:03 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-22 22:23:50 0 d-----w- c:\windows\system32\drivers\Avg
2010-01-22 22:23:27 0 d-----w- c:\program files\AVG
2010-01-22 22:23:25 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-01-21 02:33:34 30704 ----a-w- c:\windows\system32\FreeOTFEHashWhirlpool.sys
2010-01-21 02:33:32 22128 ----a-w- c:\windows\system32\FreeOTFEHashTiger.sys
2010-01-21 02:33:30 26224 ----a-w- c:\windows\system32\FreeOTFEHashSHA.sys
2010-01-21 02:33:28 32624 ----a-w- c:\windows\system32\FreeOTFEHashRIPEMD.sys
2010-01-21 02:33:27 16880 ----a-w- c:\windows\system32\FreeOTFEHashMD.sys
2010-01-21 02:33:26 31856 ----a-w- c:\windows\system32\FreeOTFECypherTwofish_ltc.sys
2010-01-21 02:26:52 0 d-----w- c:\program files\FreeOTFE Explorer
2010-01-19 03:27:56 0 d-----w- c:\docume~1\abhijit\applic~1\QuickScan
2009-12-29 18:07:12 0 d-----w- c:\docume~1\abhijit\applic~1\iScreensaver

==================== Find3M ====================

2010-01-03 21:42:50 29168 ----a-w- c:\windows\system32\FreeOTFECypherSerpent_Gladman.sys
2010-01-03 21:42:48 26096 ----a-w- c:\windows\system32\FreeOTFECypherRC6_ltc.sys
2010-01-03 21:42:46 56816 ----a-w- c:\windows\system32\FreeOTFECypherDES.sys
2010-01-03 21:42:46 29808 ----a-w- c:\windows\system32\FreeOTFECypherCAST6_Gladman.sys
2010-01-03 21:42:46 26480 ----a-w- c:\windows\system32\FreeOTFECypherMARS_Gladman.sys
2010-01-03 21:42:44 31088 ----a-w- c:\windows\system32\FreeOTFECypherCAST5.sys
2010-01-03 21:42:44 25200 ----a-w- c:\windows\system32\FreeOTFECypherBlowfish.sys
2010-01-03 21:42:42 47216 ----a-w- c:\windows\system32\FreeOTFECypherAES_ltc.sys
2010-01-03 21:42:40 31856 ----a-w- c:\windows\system32\FreeOTFE.sys
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-14 19:15:14 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2007-07-28 21:26:54 160 ----a-w- c:\program files\INSTALL.LOG
2004-03-11 17:27:22 40960 ----a-w- c:\program files\Uninstall_CDS.exe

============= FINISH: 20:21:16.85 ===============

Here is a Spybot Log that I ran two days back


Fraud.ActiveSecurity: [SBI $D4BA6A8C] Settings (Registry value, nothing done)

--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (
2009-01-26 SDFiles.exe (
2009-01-26 SDMain.exe (
2009-01-26 SDShred.exe (
2009-01-26 SDUpdate.exe (
2009-01-26 SpybotSD.exe (
2009-03-05 TeaTimer.exe (
2009-07-08 unins000.exe (
2009-01-26 Update.exe (
2009-11-04 advcheck.dll (
2007-04-02 aports.dll (
2008-06-14 DelZip179.dll (
2009-01-26 SDHelper.dll (
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (
2009-01-16 UninsSrv.dll (
2009-10-08 Includes\Adware.sbi (*)
2010-01-12 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-11-03 Includes\Dialer.sbi (*)
2010-01-12 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2010-01-12 Includes\HijackersC.sbi (*)
2009-12-15 Includes\Keyloggers.sbi (*)
2010-01-12 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-12-30 Includes\Malware.sbi (*)
2010-01-12 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2010-01-12 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2010-01-12 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-11-03 Includes\Spyware.sbi (*)
2010-01-12 Includes\SpywareC.sbi (*)
2009-06-08 Includes\Tracks.uti
2009-12-08 Includes\Trojans.sbi (*)
2010-01-12 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

Here is another log from Anti-Virus Scanner. from yesterday.

"Scan ""Scan whole computer"" was finished."
"Folders selected for scanning:";"Scan whole computer"
"Scan started:";"Friday, January 22, 2010, 6:48:41 PM"
"Scan finished:";"Friday, January 22, 2010, 9:55:01 PM (3 hour(s) 6 minute(s) 19 second(s))"
"Total object scanned:";"626504"
"User who launched the scan:";"Administrator"

"C:\Documents and Settings\GTB\Local Settings\Temp\mmzF.tmp\KillTi.exe";"Trojan horse Generic12.BUXN";"Moved to Virus Vault"
"C:\Documents and Settings\GTB\Local Settings\Temp\mmz2A.tmp\KillTi.exe";"Trojan horse Generic12.BUXN";"Moved to Virus Vault"
"C:\Documents and Settings\GTB\Local Settings\Temp\mmz14.tmp\KillTi.exe";"Trojan horse Generic12.BUXN";"Moved to Virus Vault"
"C:\Documents and Settings\GTB\Local Settings\Temp\mmz11.tmp\KillTi.exe";"Trojan horse Generic12.BUXN";"Moved to Virus Vault"
"C:\Documents and Settings\DAB\Local Settings\Temporary Internet Files\Content.IE5\VMGMO1DX\kids[1].htm";"Virus found Exploit";"Moved to

Virus Vault"
"C:\Documents and Settings\DAB\Local Settings\Temporary Internet Files\Content.IE5\VMGMO1DX\Beg_Sound_M[1].htm";"Virus found Exploit";"Moved

to Virus Vault"
"C:\Documents and Settings\DAB\Local Settings\Temporary Internet

Files\Content.IE5\QVLL241E\z002102801r0409J0b000601R0143fdeeX76086a53Y3d5bf217Z03007f3530dP000501080[1]";"Trojan horse Vundo.JZ";"Moved to

Virus Vault"
"C:\Documents and Settings\DAB\Local Settings\Temporary Internet Files\Content.IE5\OAS2QPIJ\FlowerM[1].htm";"Virus found Exploit";"Moved to

Virus Vault"
"C:\Documents and Settings\DAB\Local Settings\Temporary Internet

Files\Content.IE5\C5BC9ZC3\z002102318801r0409J0b000601R0143fdeeX76086a5fY3d5bf217Z03007f350[1]";"Trojan horse Vundo.JZ";"Moved to Virus

"C:\Documents and Settings\DAB\Local Settings\Temporary Internet Files\Content.IE5\65I1XS7J\matrubhasha_com[1].htm";"Virus found

Exploit";"Moved to Virus Vault"
"C:\Documents and Settings\DAB\Application Data\Malware Defense\uninstall.exe";"Trojan horse Generic16.BXI";"Moved to Virus Vault"
"C:\Documents and Settings\DAB\Application Data\Malware Defense\mdext.dll";"Trojan horse Downloader.Zlob.AQLT";"Moved to Virus Vault"

"C:\Program Files\Pinnacle\Studio 8\OEM\hhupd.exe";"The file is signed with a broken digital signature, issued by: Microsoft Corporation.";""


Attached Files

BC AdBot (Login to Remove)


#2 thewall


  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:05:50 PM

Posted 25 January 2010 - 11:00 PM

Hello dhurandar smile.gif Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.

I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond the your topic and facilitate the cleaning of your machine.

Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

I need for you to perform the following:

Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.

    Click the image to enlarge it

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop, and post it in reply.

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

If GMER does not want to run add the following to those that you unchecked and try it again:

  • Registry
  • Files

Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.



If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 thewall


  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:05:50 PM

Posted 30 January 2010 - 10:34 AM

Due to the lack of feedback This Topic is closed.

Should you need it reopened, please contact my by PM. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users