Browser hijack when logging into eBay


  • This topic is locked
44 replies to this topic

#1 CuttyVert

  • Members
  • 26 posts
  • OFFLINE
  • Local time:02:14 PM

Posted 27 January 2010 - 08:59 PM

I'm running XP Professional, Avast home version and Spybot. I also use the firewall in XP. A couple of weeks ago I was sent to a page requesting all sorts of info (SSN, credit card, checking acct, etc.) when I logged into eBay. The computer slowed down after this and locked up. I ran Spybot and Avast and found some nasties which were removed. Things went well for a few days and then the redirect happened again. Spybot and Avast can't find anything even though they are updated with the latest detections.
Darthy gave me some suggestions. In safe mode Avast took over 15 hours to run the in-depth check, but Spybot ran faster than it ever has. Neither one found anything. I downloaded Cobian and backed everything up to an external hard drive. I then ran DDS and RootRepeal. RootRepeal had an error when it started:

20:43:05: Error - invalid PE image found!
20:43:05: Error - invalid PE image found!

but ran after I clicked OK. Here is the DDS.txt log. The Attach.txt and Ark.txt files are attached.


DDS (Ver_09-12-01.01) - NTFSx86
Run by _______ at 19:54:20.67 on Wed 01/27/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.211 [GMT -5:00]

AV: avast! antivirus 4.8.1368 [VPS 100127-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

G:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
G:\WINDOWS\System32\svchost.exe -k netsvcs
G:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
G:\Program Files\Alwil Software\Avast4\ashServ.exe
G:\WINDOWS\system32\LEXBCES.EXE
G:\WINDOWS\system32\LEXPPS.EXE
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\Explorer.EXE
svchost.exe
G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
G:\Program Files\Bonjour\mDNSResponder.exe
G:\Program Files\Java\jre6\bin\jqs.exe
G:\WINDOWS\system32\svchost.exe -k imgsvc
G:\WINDOWS\system32\MsPMSPSv.exe
G:\WINDOWS\Anvshell.exe
G:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
G:\Program Files\iTunes\iTunesHelper.exe
G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
G:\Program Files\Java\jre6\bin\jusched.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Program Files\Lexmark X5100 Series\lxbabmon.exe
G:\Documents and Settings\Ken Tousley\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
G:\Program Files\Greetings Workshop\GWREMIND.EXE
G:\WINDOWS\system32\devldr32.exe
G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
G:\Program Files\Alwil Software\Avast4\ashWebSv.exe
G:\Program Files\iPod\bin\iPodService.exe
G:\Program Files\Mozilla Firefox\firefox.exe
G:\Documents and Settings\Ken Tousley\Application Data\Mozilla\Firefox\Profiles\vsotmeyq.default\extensions\yahoodownloader@gmail.com\components\DownloadYh.exe
G:\Program Files\Cobian Backup 8\Cobian.exe
G:\Program Files\Cobian Backup 8\cbInterface.exe
G:\Documents and Settings\Ken Tousley\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - g:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - g:\program files\spybot - search & destroy\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - g:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - g:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - g:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - g:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - g:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] g:\windows\system32\ctfmon.exe
uRun: [SansaDispatch] g:\documents and settings\ken tousley\application data\sandisk\sansa updater\SansaDispatch.exe
uRun: [SpybotSD TeaTimer] g:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] "g:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Anvshell] g:\windows\Anvshell.exe
mRun: [RoxioEngineUtility] "g:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [RoxioDragToDisc] "g:\program files\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"
mRun: [RoxioAudioCentral] "g:\program files\roxio\easy cd creator 6\audiocentral\RxMon.exe"
mRun: [Lexmark X5100 Series] "g:\program files\lexmark x5100 series\lxbabmgr.exe"
mRun: [iTunesHelper] "g:\program files\itunes\iTunesHelper.exe"
mRun: [avast!] g:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SunJavaUpdateSched] "g:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "g:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "g:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Picasa Media Detector] g:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: g:\docume~1\kentou~1\startm~1\programs\startup\greeti~1.lnk - g:\program files\greetings workshop\GWREMIND.EXE
IE: E&xport to Microsoft Excel - g:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - g:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - g:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - g:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - g:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - g:\docume~1\kentou~1\applic~1\mozilla\firefox\profiles\vsotmeyq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1641676&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - eMusic Customized Web Search
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1641676&SearchSource=2&q=
FF - component: g:\documents and settings\ken tousley\application data\mozilla\firefox\profiles\vsotmeyq.default\extensions\{9ee802e8-c931-47ab-b570-aa8f791598ca}\components\FFExternalAlert.dll
FF - component: g:\documents and settings\ken tousley\application data\mozilla\firefox\profiles\vsotmeyq.default\extensions\yahoodownloader@gmail.com\components\MyComponent.dll
FF - plugin: g:\program files\emusic download manager\plugin\npemusic.dll
FF - plugin: g:\program files\musicnotes\npmusicn.dll
FF - plugin: g:\program files\musicnotes\NPSibelius.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - g:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - g:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;g:\windows\system32\drivers\aswSP.sys [2008-11-21 114768]
R2 aswFsBlk;aswFsBlk;g:\windows\system32\drivers\aswFsBlk.sys [2008-11-21 20560]
R2 avast! Antivirus;avast! Antivirus;g:\program files\alwil software\avast4\ashServ.exe [2008-11-21 138680]
R3 avast! Mail Scanner;avast! Mail Scanner;g:\program files\alwil software\avast4\ashMaiSv.exe [2008-11-21 254040]
R3 avast! Web Scanner;avast! Web Scanner;g:\program files\alwil software\avast4\ashWebSv.exe [2008-11-21 352920]
R3 WsAudioDevice_383;WsAudioDevice_383;g:\windows\system32\drivers\WsAudioDevice_383.sys [2009-8-29 16640]
S3 motccgp;Motorola USB Composite Device Driver;g:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]
S3 motccgpfl;MotCcgpFlService;g:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]

=============== Created Last 30 ================

2010-01-28 00:17:07 0 d-----w- g:\program files\Cobian Backup 8
2010-01-12 01:54:43 1089593 -c----w- g:\windows\system32\dllcache\ntprint.cat
2010-01-11 22:17:46 73616 ----a-w- g:\windows\system32\GDIPFONTCACHEV1.DAT
2010-01-11 03:44:35 0 d-----w- g:\windows\system32\XPSViewer
2010-01-11 03:43:25 89088 -c----w- g:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-01-11 03:43:25 597504 -c----w- g:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-01-11 03:43:25 575488 -c----w- g:\windows\system32\dllcache\xpsshhdr.dll
2010-01-11 03:43:25 575488 ------w- g:\windows\system32\xpsshhdr.dll
2010-01-11 03:43:25 117760 ------w- g:\windows\system32\prntvpt.dll
2010-01-11 03:43:23 1676288 -c----w- g:\windows\system32\dllcache\xpssvcs.dll
2010-01-11 03:43:23 1676288 ------w- g:\windows\system32\xpssvcs.dll
2010-01-08 03:27:15 0 d-----w- g:\docume~1\alluse~1\applic~1\MemeoCommon
2010-01-08 03:22:00 0 d-----w- g:\program files\Picasa2
2010-01-08 03:18:08 0 d-----w- g:\program files\Western Digital
2010-01-08 03:17:18 0 d-----w- g:\program files\common files\eSellerate
2010-01-08 03:11:44 0 d-----w- g:\program files\Western Digital Corporation
2010-01-08 03:11:37 20992 ----a-w- g:\windows\jestertb.dll
2010-01-03 17:51:02 96512 ------w- g:\windows\system32\drivers\trz1E.tmp
2010-01-03 17:34:59 96512 ----a-w- g:\windows\system32\drivers\atapi.sys
2010-01-01 18:42:46 0 d-----w- g:\program files\Amazon

==================== Find3M ====================

2010-01-05 10:00:29 832512 ----a-w- g:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- g:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- g:\windows\system32\corpol.dll

============= FINISH: 19:55:40.68 ===============


Thanks in advance for your help.

Attached Files: ark.txt (4.92 KB, 18 downloads)
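For anyone reading a DDS log like the one above, here is a small Python triage script I wrote as an added example for this thread (it is not part of DDS, nor anything the helpers here use). It splits the log into its "====" sections and pulls out the lines a helper would look at first: an AV whose on-access scanning is reported disabled, processes launched from user-writable directories, BHO/CLSID entries with "No File", Hosts overrides, Firefox search preferences pointing at a non-default host, and a .tmp file in the drivers directory that is the same size as a .sys file. The sample input is a constructed, shortened excerpt of the log in this post with the user name replaced; the category names and heuristics are my own, and a hit only means "look at this", not "this is infected".

```python
"""Pull the lines worth a second look out of a DDS log.

Added example for this thread; it is not part of DDS or of any tool the
helpers use.  The category names and heuristics are my own, and the script
only ranks lines for review: it does not decide whether a machine is clean.
"""
import re
from urllib.parse import urlparse

# Constructed excerpt of the log in post #1 (paths shortened, user name replaced).
SAMPLE_LOG = r"""
AV: avast! antivirus 4.8.1368 [VPS 100204-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

G:\WINDOWS\system32\spoolsv.exe
G:\Documents and Settings\user\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
G:\Program Files\Mozilla Firefox\firefox.exe

============== Pseudo HJT Report ===============

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - g:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No File
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1641676&SearchSource=3&q={searchTerms}
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1641676&SearchSource=2&q=

=============== Created Last 30 ================

2010-01-03 17:51:02 96512 ------w- g:\windows\system32\drivers\trz1E.tmp
2010-01-03 17:34:59 96512 ----a-w- g:\windows\system32\drivers\atapi.sys
2010-01-01 18:42:46 0 d-----w- g:\program files\Amazon

============= FINISH: 17:51:12.95 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")          # "=== Section Name ==="
FILE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(\S+)\s+(.+)$")
# Directories a normal user can write to; autostarts/processes here deserve a look.
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\", "\\downloads\\", "\\temp\\")


def parse_sections(text):
    """Map each DDS section title to its non-blank lines; text before the first title is 'Header'."""
    sections, current = {"Header": []}, "Header"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line.strip():
            sections[current].append(line.rstrip())
    return sections


def review_dds(text):
    """Return (category, line) pairs for the entries a helper would review first."""
    findings = []
    sections = parse_sections(text)
    for line in sections.get("Header", []):
        if line.startswith("AV:") and "scanning disabled" in line.lower():
            findings.append(("av-disabled", line))
    for line in sections.get("Running Processes", []):
        if any(tok in line.lower() for tok in USER_WRITABLE):
            findings.append(("process-from-user-dir", line))
    for line in sections.get("Pseudo HJT Report", []):
        if line.endswith("No File"):
            findings.append(("orphan-clsid", line))       # registered object whose file is gone
        elif line.startswith("Hosts:"):
            findings.append(("hosts-override", line))
    for line in sections.get("FIREFOX", []):
        m = re.search(r"prefs\.js: (browser\.search\.defaulturl|keyword\.URL) - (\S+)", line)
        if m:
            host = urlparse(m.group(2).replace("hxxp", "http", 1)).hostname
            findings.append(("search-redirect:" + host, line))
    # A .tmp in the drivers directory with exactly the size of a .sys there is worth a second look.
    by_size = {}
    for name in ("Created Last 30", "Find3M"):
        for line in sections.get(name, []):
            m = FILE_RE.match(line)
            if m and "\\drivers\\" in m.group(4).lower():
                by_size.setdefault(int(m.group(2)), []).append(m.group(4).lower())
    for size, paths in by_size.items():
        if any(p.endswith(".tmp") for p in paths) and any(p.endswith(".sys") for p in paths):
            findings.append(("driver-tmp-sys-pair", f"{size} bytes: " + ", ".join(sorted(paths))))
    return findings


if __name__ == "__main__":
    for kind, line in review_dds(SAMPLE_LOG):
        print(f"[{kind}] {line}")
```

Run it on a full DDS.txt by reading the file into `review_dds` instead of `SAMPLE_LOG`. The script deliberately reports, not judges: the Hosts line and the search.conduit.com preferences, for instance, are the kind of entries the helper decides about after looking at the rest of the log.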

#2 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,112 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:10:14 PM

Posted 04 February 2010 - 09:40 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results. Post both logs (no need to zip attach.txt).
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)
  • GMER log

Please do NOT post logs as attachments, unless you are unable to copy/paste a log directly in the reply box.


Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#3 CuttyVert

  • Topic Starter
  • Members
  • 26 posts
  • OFFLINE
  • Local time:02:14 PM

Posted 04 February 2010 - 06:51 PM

Thank you in advance for your help. Here are the logs (DDS, Attach and GMER). Just in case you are wondering, my operating system is installed on the drive named G. It just kind of ended up that way a couple of years ago when I had to reinstall XP and added another hard drive.

_______________________________________________________________________________________________________________

DDS (Ver_09-12-01.01) - NTFSx86
Run by Ken Tousley at 17:50:39.00 on Thu 02/04/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.97 [GMT -5:00]

AV: avast! antivirus 4.8.1368 [VPS 100204-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

G:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
G:\WINDOWS\System32\svchost.exe -k netsvcs
G:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
G:\Program Files\Alwil Software\Avast4\ashServ.exe
G:\WINDOWS\system32\LEXBCES.EXE
G:\WINDOWS\system32\LEXPPS.EXE
G:\WINDOWS\system32\spoolsv.exe
svchost.exe
G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
G:\Program Files\Bonjour\mDNSResponder.exe
G:\Program Files\Java\jre6\bin\jqs.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\system32\svchost.exe -k imgsvc
G:\WINDOWS\system32\MsPMSPSv.exe
G:\WINDOWS\Anvshell.exe
G:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
G:\Program Files\iTunes\iTunesHelper.exe
G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
G:\Program Files\Java\jre6\bin\jusched.exe
G:\Program Files\Lexmark X5100 Series\lxbabmon.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Documents and Settings\Ken Tousley\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
G:\Program Files\Greetings Workshop\GWREMIND.EXE
G:\WINDOWS\system32\devldr32.exe
G:\Program Files\iPod\bin\iPodService.exe
G:\Program Files\Mozilla Firefox\firefox.exe
G:\Documents and Settings\Ken Tousley\Application Data\Mozilla\Firefox\Profiles\vsotmeyq.default\extensions\yahoodownloader@gmail.com\components\DownloadYh.exe
G:\WINDOWS\system32\wscntfy.exe
G:\Documents and Settings\Ken Tousley\My Documents\Downloads\dds(2).scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - g:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - g:\program files\spybot - search & destroy\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - g:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - g:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - g:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - g:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - g:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] g:\windows\system32\ctfmon.exe
uRun: [SansaDispatch] g:\documents and settings\ken tousley\application data\sandisk\sansa updater\SansaDispatch.exe
uRun: [SpybotSD TeaTimer] g:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] "g:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Anvshell] g:\windows\Anvshell.exe
mRun: [RoxioEngineUtility] "g:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [RoxioDragToDisc] "g:\program files\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"
mRun: [RoxioAudioCentral] "g:\program files\roxio\easy cd creator 6\audiocentral\RxMon.exe"
mRun: [Lexmark X5100 Series] "g:\program files\lexmark x5100 series\lxbabmgr.exe"
mRun: [iTunesHelper] "g:\program files\itunes\iTunesHelper.exe"
mRun: [avast!] g:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SunJavaUpdateSched] "g:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "g:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "g:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Picasa Media Detector] g:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: g:\docume~1\kentou~1\startm~1\programs\startup\greeti~1.lnk - g:\program files\greetings workshop\GWREMIND.EXE
IE: E&xport to Microsoft Excel - g:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - g:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - g:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - g:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - g:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - g:\docume~1\kentou~1\applic~1\mozilla\firefox\profiles\vsotmeyq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1641676&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - eMusic Customized Web Search
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1641676&SearchSource=2&q=
FF - component: g:\documents and settings\ken tousley\application data\mozilla\firefox\profiles\vsotmeyq.default\extensions\{9ee802e8-c931-47ab-b570-aa8f791598ca}\components\FFExternalAlert.dll
FF - component: g:\documents and settings\ken tousley\application data\mozilla\firefox\profiles\vsotmeyq.default\extensions\yahoodownloader@gmail.com\components\MyComponent.dll
FF - plugin: g:\program files\emusic download manager\plugin\npemusic.dll
FF - plugin: g:\program files\musicnotes\npmusicn.dll
FF - plugin: g:\program files\musicnotes\NPSibelius.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - g:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - g:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;g:\windows\system32\drivers\aswSP.sys [2008-11-21 114768]
R2 aswFsBlk;aswFsBlk;g:\windows\system32\drivers\aswFsBlk.sys [2008-11-21 20560]
R2 avast! Antivirus;avast! Antivirus;g:\program files\alwil software\avast4\ashServ.exe [2008-11-21 138680]
R3 WsAudioDevice_383;WsAudioDevice_383;g:\windows\system32\drivers\WsAudioDevice_383.sys [2009-8-29 16640]
S3 avast! Mail Scanner;avast! Mail Scanner;g:\program files\alwil software\avast4\ashMaiSv.exe [2008-11-21 254040]
S3 avast! Web Scanner;avast! Web Scanner;g:\program files\alwil software\avast4\ashWebSv.exe [2008-11-21 352920]
S3 motccgp;Motorola USB Composite Device Driver;g:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]
S3 motccgpfl;MotCcgpFlService;g:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]

=============== Created Last 30 ================

2010-01-28 00:17:07 0 d-----w- g:\program files\Cobian Backup 8
2010-01-12 01:54:43 1089593 -c----w- g:\windows\system32\dllcache\ntprint.cat
2010-01-11 22:17:46 73616 ----a-w- g:\windows\system32\GDIPFONTCACHEV1.DAT
2010-01-11 03:44:35 0 d-----w- g:\windows\system32\XPSViewer
2010-01-11 03:43:25 89088 -c----w- g:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-01-11 03:43:25 597504 -c----w- g:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-01-11 03:43:25 575488 -c----w- g:\windows\system32\dllcache\xpsshhdr.dll
2010-01-11 03:43:25 575488 ------w- g:\windows\system32\xpsshhdr.dll
2010-01-11 03:43:25 117760 ------w- g:\windows\system32\prntvpt.dll
2010-01-11 03:43:23 1676288 -c----w- g:\windows\system32\dllcache\xpssvcs.dll
2010-01-11 03:43:23 1676288 ------w- g:\windows\system32\xpssvcs.dll
2010-01-08 03:27:15 0 d-----w- g:\docume~1\alluse~1\applic~1\MemeoCommon
2010-01-08 03:22:00 0 d-----w- g:\program files\Picasa2
2010-01-08 03:18:08 0 d-----w- g:\program files\Western Digital
2010-01-08 03:17:18 0 d-----w- g:\program files\common files\eSellerate
2010-01-08 03:11:44 0 d-----w- g:\program files\Western Digital Corporation
2010-01-08 03:11:37 20992 ----a-w- g:\windows\jestertb.dll

==================== Find3M ====================

2010-01-05 10:00:29 832512 ----a-w- g:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- g:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- g:\windows\system32\corpol.dll
2010-01-03 17:51:04 96512 ------w- g:\windows\system32\drivers\trz1E.tmp
2010-01-03 17:34:48 96512 ----a-w- g:\windows\system32\drivers\atapi.sys

============= FINISH: 17:51:12.95 ===============
_______________________________________________________________________________________________________________________

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/18/2008 10:22:50 PM
System Uptime: 2/4/2010 5:29:44 PM (0 hours ago)

Motherboard: MICRO-STAR INC. | | MS-6728
Processor: Intel® Pentium® 4 CPU 2.66GHz | FC-478 | 2654/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 30 GiB total, 28.603 GiB free.
D: is FIXED (NTFS) - 45 GiB total, 20.479 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is FIXED (NTFS) - 29 GiB total, 13.146 GiB free.
H: is FIXED (NTFS) - 120 GiB total, 77.203 GiB free.
I: is FIXED (FAT32) - 466 GiB total, 439.177 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP373: 12/20/2009 1:06:13 AM - System Checkpoint
RP374: 12/21/2009 2:14:32 AM - System Checkpoint
RP375: 12/22/2009 3:13:51 AM - System Checkpoint
RP376: 12/23/2009 4:13:51 AM - System Checkpoint
RP377: 12/24/2009 4:14:00 AM - System Checkpoint
RP378: 12/25/2009 5:14:00 AM - System Checkpoint
RP379: 12/26/2009 10:05:13 AM - System Checkpoint
RP380: 12/27/2009 10:49:14 AM - System Checkpoint
RP381: 12/28/2009 11:49:13 AM - System Checkpoint
RP382: 12/29/2009 12:41:50 PM - System Checkpoint
RP383: 12/30/2009 12:58:41 PM - System Checkpoint
RP384: 12/31/2009 12:58:49 PM - System Checkpoint
RP385: 1/1/2010 2:26:13 PM - System Checkpoint
RP386: 1/2/2010 3:06:44 PM - System Checkpoint
RP387: 1/3/2010 4:00:23 PM - System Checkpoint
RP388: 1/4/2010 4:37:30 PM - System Checkpoint
RP389: 1/5/2010 4:52:13 PM - System Checkpoint
RP390: 1/6/2010 5:20:33 PM - System Checkpoint
RP391: 1/7/2010 6:34:04 PM - System Checkpoint
RP392: 1/9/2010 9:13:26 AM - System Checkpoint
RP393: 1/10/2010 9:48:51 AM - System Checkpoint
RP394: 1/10/2010 10:31:02 PM - Software Distribution Service 3.0
RP395: 1/11/2010 5:14:07 PM - Printer Driver Microsoft XPS Document Writer Installed
RP396: 1/11/2010 8:55:52 PM - Software Distribution Service 3.0
RP397: 1/13/2010 6:22:14 AM - Software Distribution Service 3.0
RP398: 1/14/2010 9:20:32 PM - System Checkpoint
RP399: 1/20/2010 11:27:41 AM - System Checkpoint
RP400: 1/21/2010 12:03:22 PM - System Checkpoint
RP401: 1/21/2010 8:01:35 PM - Software Distribution Service 3.0
RP402: 1/22/2010 9:47:27 PM - System Checkpoint
RP403: 1/23/2010 10:04:38 PM - System Checkpoint
RP404: 1/24/2010 10:06:32 PM - System Checkpoint
RP405: 1/27/2010 6:26:58 PM - System Checkpoint
RP406: 1/28/2010 6:27:48 PM - System Checkpoint
RP407: 1/31/2010 5:56:15 PM - System Checkpoint
RP408: 2/2/2010 8:09:00 PM - System Checkpoint

==== Installed Programs ======================

ABBYY FineReader 5.0 Sprint
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.2
Amazon MP3 Downloader 1.0.9
Apple Mobile Device Support
Apple Software Update
avast! Antivirus
Bonjour
Cobian Backup 8
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
Data Lifeguard Diagnostic for Windows
Easy CD & DVD Creator 6
eMusic Download Manager 4.1.3.1
FaxTools
Google Toolbar for Internet Explorer
Greetings Workshop
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
iTunes
Java™ 6 Update 16
Lexmark X5100 Series
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works 4.5
Mozilla Firefox (3.5.7)
Mozilla Thunderbird (2.0.0.23)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Musicnotes Software Suite 1.1
Picasa 2
Sansa Updater
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Spelling Dictionaries Support For Adobe Reader 9
Spybot - Search & Destroy
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Walmart MP3 Music Downloads
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
Wondershare Streaming Audio Recorder(Build 1.0.4.0)

==== End Of File ===========================
_______________________________________________________________________________________________________

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-04 18:38:19
Windows 5.1.2600 Service Pack 3
Running: 7fczb42r.exe; Driver: G:\DOCUME~1\KENTOU~1\LOCALS~1\Temp\kxtdapow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF59166B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF5916574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF5916A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF591614C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF591664E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF591608C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF59160F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF591676E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF591672E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF59168AE]

---- User code sections - GMER 1.0.15 ----

.text G:\Program Files\Mozilla Firefox\firefox.exe[200] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 06A028F0 G:\Documents and Settings\Ken Tousley\Application Data\Mozilla\Firefox\Profiles\vsotmeyq.default\extensions\yahoodownloader@gmail.com\components\ShareMem.dll
.text G:\Program Files\Mozilla Firefox\firefox.exe[200] WS2_32.dll!WSAConnect 71AC0C81 5 Bytes JMP 06A02AF0 G:\Documents and Settings\Ken Tousley\Application Data\Mozilla\Firefox\Profiles\vsotmeyq.default\extensions\yahoodownloader@gmail.com\components\ShareMem.dll
.text G:\Program Files\Bonjour\mDNSResponder.exe[452] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 007D28F5
.text G:\Program Files\Bonjour\mDNSResponder.exe[452] WS2_32.dll!send 71AB4C27 5 Bytes JMP 007D2781
.text G:\Program Files\Bonjour\mDNSResponder.exe[452] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 007D2873
.text G:\Program Files\Bonjour\mDNSResponder.exe[452] WS2_32.dll!recv 71AB676F 5 Bytes JMP 007D27B9
.text G:\Program Files\Bonjour\mDNSResponder.exe[452] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 007D27F1
.text G:\WINDOWS\Explorer.EXE[612] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 015428F5
.text G:\WINDOWS\Explorer.EXE[612] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01542781
.text G:\WINDOWS\Explorer.EXE[612] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01542873
.text G:\WINDOWS\Explorer.EXE[612] WS2_32.dll!recv 71AB676F 5 Bytes JMP 015427B9
.text G:\WINDOWS\Explorer.EXE[612] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 015427F1
.text G:\Program Files\Alwil Software\Avast4\ashServ.exe[1572] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 022328F5
.text G:\Program Files\Alwil Software\Avast4\ashServ.exe[1572] WS2_32.dll!send 71AB4C27 5 Bytes JMP 02232781
.text G:\Program Files\Alwil Software\Avast4\ashServ.exe[1572] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 02232873
.text G:\Program Files\Alwil Software\Avast4\ashServ.exe[1572] WS2_32.dll!recv 71AB676F 5 Bytes JMP 022327B9
.text G:\Program Files\Alwil Software\Avast4\ashServ.exe[1572] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 022327F1
.text G:\WINDOWS\system32\LEXBCES.EXE[1772] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01C428F5
.text G:\WINDOWS\system32\LEXBCES.EXE[1772] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01C42781
.text G:\WINDOWS\system32\LEXBCES.EXE[1772] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01C42873
.text G:\WINDOWS\system32\LEXBCES.EXE[1772] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01C427B9
.text G:\WINDOWS\system32\LEXBCES.EXE[1772] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01C427F1
.text G:\WINDOWS\system32\LEXPPS.EXE[1812] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 019328F5
.text G:\WINDOWS\system32\LEXPPS.EXE[1812] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01932781
.text G:\WINDOWS\system32\LEXPPS.EXE[1812] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01932873
.text G:\WINDOWS\system32\LEXPPS.EXE[1812] WS2_32.dll!recv 71AB676F 5 Bytes JMP 019327B9
.text G:\WINDOWS\system32\LEXPPS.EXE[1812] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 019327F1
.text G:\Documents and Settings\Ken Tousley\Application Data\Mozilla\Firefox\Profiles\vsotmeyq.default\extensions\yahoodownloader@gmail.com\components\DownloadYh.exe[2200] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 028B28F5
.text G:\Documents and Settings\Ken Tousley\Application Data\Mozilla\Firefox\Profiles\vsotmeyq.default\extensions\yahoodownloader@gmail.com\components\DownloadYh.exe[2200] WS2_32.dll!send 71AB4C27 5 Bytes JMP 028B2781
.text G:\Documents and Settings\Ken Tousley\Application Data\Mozilla\Firefox\Profiles\vsotmeyq.default\extensions\yahoodownloader@gmail.com\components\DownloadYh.exe[2200] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 028B2873
.text G:\Documents and Settings\Ken Tousley\Application Data\Mozilla\Firefox\Profiles\vsotmeyq.default\extensions\yahoodownloader@gmail.com\components\DownloadYh.exe[2200] WS2_32.dll!recv 71AB676F 5 Bytes JMP 028B27B9
.text G:\Documents and Settings\Ken Tousley\Application Data\Mozilla\Firefox\Profiles\vsotmeyq.default\extensions\yahoodownloader@gmail.com\components\DownloadYh.exe[2200] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 028B27F1
.text G:\Program Files\iTunes\iTunesHelper.exe[2392] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00FE28F5
.text G:\Program Files\iTunes\iTunesHelper.exe[2392] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00FE2781
.text G:\Program Files\iTunes\iTunesHelper.exe[2392] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00FE2873
.text G:\Program Files\iTunes\iTunesHelper.exe[2392] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00FE27B9
.text G:\Program Files\iTunes\iTunesHelper.exe[2392] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00FE27F1
.text G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2404] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01A328F5
.text G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2404] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01A32781
.text G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2404] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01A32873
.text G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2404] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01A327B9
.text G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2404] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01A327F1
.text G:\Program Files\Java\jre6\bin\jusched.exe[2420] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00CA28F5
.text G:\Program Files\Java\jre6\bin\jusched.exe[2420] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00CA2781
.text G:\Program Files\Java\jre6\bin\jusched.exe[2420] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00CA2873
.text G:\Program Files\Java\jre6\bin\jusched.exe[2420] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00CA27B9
.text G:\Program Files\Java\jre6\bin\jusched.exe[2420] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00CA27F1
.text G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2652] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00FD28F5
.text G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2652] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00FD2781
.text G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2652] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00FD2873
.text G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2652] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00FD27B9
.text G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2652] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00FD27F1
.text G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2696] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D528F5
.text G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2696] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D52781
.text G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2696] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00D52873
.text G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2696] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00D527B9
.text G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2696] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00D527F1
.text G:\Program Files\iPod\bin\iPodService.exe[3196] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00B228F5
.text G:\Program Files\iPod\bin\iPodService.exe[3196] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00B22781
.text G:\Program Files\iPod\bin\iPodService.exe[3196] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00B22873
.text G:\Program Files\iPod\bin\iPodService.exe[3196] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00B227B9
.text G:\Program Files\iPod\bin\iPodService.exe[3196] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00B227F1
.text G:\WINDOWS\System32\alg.exe[3336] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00B228F5
.text G:\WINDOWS\System32\alg.exe[3336] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00B22781
.text G:\WINDOWS\System32\alg.exe[3336] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00B22873
.text G:\WINDOWS\System32\alg.exe[3336] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00B227B9
.text G:\WINDOWS\System32\alg.exe[3336] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00B227F1

---- User IAT/EAT - GMER 1.0.15 ----

IAT G:\WINDOWS\system32\services.exe[752] @ G:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT G:\WINDOWS\system32\services.exe[752] @ G:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\ACPI \Device\00000042 8271ABB8
Device \Driver\ACPI \Device\00000044 8271ABB8
Device \Driver\ACPI \Device\00000045 8271ABB8
Device \Driver\ACPI \Device\00000046 8271ABB8
Device \Driver\ACPI \Device\00000060 8271ABB8
Device \Driver\ACPI \Device\00000054 8271ABB8
Device \Driver\ACPI \Device\00000047 8271ABB8
Device \Driver\ACPI \Device\00000061 8271ABB8
Device \Driver\ACPI \Device\00000048 8271ABB8

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\ACPI \Device\00000062 8271ABB8
Device \Driver\ACPI \Device\00000049 8271ABB8
Device \Driver\ACPI \Device\00000057 8271ABB8
Device \Driver\ACPI \Device\00000063 8271ABB8
Device \Driver\ACPI \Device\00000058 8271ABB8
Device \Driver\ACPI \Device\00000059 8271ABB8
Device \Driver\ACPI \Device\0000004b 8271ABB8
Device \Driver\ACPI \Device\0000005a 8271ABB8
Device \Driver\ACPI \Device\0000005b 8271ABB8
Device \Driver\ACPI \Device\0000005c 8271ABB8

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\ACPI \Device\0000005d 8271ABB8

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Thanks again and I look forward to hearing from you (hopefully with good news!)

Ken
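As an added triage example (not part of this thread, and not code from GMER or BleepingComputer), the following Python script parses a subset of the "User code sections" lines from the GMER log above and groups the WS2_32.dll hooks by export and by the low 16 bits of their JMP target: one module injected into every process keeps the same offset at a different base in each one, so the hooks that repeat across mDNSResponder.exe, Explorer.EXE and ashServ.exe stand apart from the firefox.exe connect/WSAConnect hooks that GMER resolves to ShareMem.dll under the user's Firefox profile. The grouping only sorts the log for review; it cannot confirm which module owns the widespread pattern (in this log the kernel-level entries are attributed to the AV), and that remains the analyst's check.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: a subset of the ".text" lines from the GMER
# "User code sections" output above (firefox.exe, mDNSResponder.exe,
# Explorer.EXE and ashServ.exe), copied verbatim.
SAMPLE_GMER_LINES = r"""
.text G:\Program Files\Mozilla Firefox\firefox.exe[200] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 06A028F0 G:\Documents and Settings\Ken Tousley\Application Data\Mozilla\Firefox\Profiles\vsotmeyq.default\extensions\yahoodownloader@gmail.com\components\ShareMem.dll
.text G:\Program Files\Mozilla Firefox\firefox.exe[200] WS2_32.dll!WSAConnect 71AC0C81 5 Bytes JMP 06A02AF0 G:\Documents and Settings\Ken Tousley\Application Data\Mozilla\Firefox\Profiles\vsotmeyq.default\extensions\yahoodownloader@gmail.com\components\ShareMem.dll
.text G:\Program Files\Bonjour\mDNSResponder.exe[452] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 007D28F5
.text G:\Program Files\Bonjour\mDNSResponder.exe[452] WS2_32.dll!send 71AB4C27 5 Bytes JMP 007D2781
.text G:\Program Files\Bonjour\mDNSResponder.exe[452] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 007D2873
.text G:\Program Files\Bonjour\mDNSResponder.exe[452] WS2_32.dll!recv 71AB676F 5 Bytes JMP 007D27B9
.text G:\Program Files\Bonjour\mDNSResponder.exe[452] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 007D27F1
.text G:\WINDOWS\Explorer.EXE[612] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 015428F5
.text G:\WINDOWS\Explorer.EXE[612] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01542781
.text G:\WINDOWS\Explorer.EXE[612] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01542873
.text G:\WINDOWS\Explorer.EXE[612] WS2_32.dll!recv 71AB676F 5 Bytes JMP 015427B9
.text G:\WINDOWS\Explorer.EXE[612] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 015427F1
.text G:\Program Files\Alwil Software\Avast4\ashServ.exe[1572] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 022328F5
.text G:\Program Files\Alwil Software\Avast4\ashServ.exe[1572] WS2_32.dll!send 71AB4C27 5 Bytes JMP 02232781
.text G:\Program Files\Alwil Software\Avast4\ashServ.exe[1572] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 02232873
.text G:\Program Files\Alwil Software\Avast4\ashServ.exe[1572] WS2_32.dll!recv 71AB676F 5 Bytes JMP 022327B9
.text G:\Program Files\Alwil Software\Avast4\ashServ.exe[1572] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 022327F1
"""

# GMER inline-hook line: .text <image>[pid] <module>!<export> <addr> N Bytes JMP <target> [<owner file>]
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<export>\S+)\s+(?P<addr>[0-9A-Fa-f]+)\s+"
    r"(?P<nbytes>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<owner>\S.*?))?\s*$"
)


@dataclass(frozen=True)
class Hook:
    image: str             # hooked process image path
    pid: int
    module: str            # module exporting the patched function, e.g. WS2_32.dll
    export: str            # patched export, e.g. connect
    target: int            # JMP destination inside the hooking code
    owner: Optional[str]   # file GMER resolved the destination to, if any


def parse_gmer_hooks(text: str) -> List[Hook]:
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m is None:
            continue
        hooks.append(Hook(m["image"], int(m["pid"]), m["module"], m["export"],
                          int(m["target"], 16), m["owner"]))
    return hooks


def hook_signature(hook: Hook) -> Tuple[str, str, int]:
    # Windows maps images at 64 KiB-aligned bases, so the same hooking DLL
    # loaded into different processes keeps the low 16 bits of its JMP
    # target even though the full address differs per process.
    return (hook.module, hook.export, hook.target & 0xFFFF)


def owner_in_user_profile(owner: str) -> bool:
    # Hook code living under a user profile (a browser extension directory,
    # for instance) is unusual for system or AV components and worth a look.
    p = owner.lower()
    return "\\documents and settings\\" in p or "\\users\\" in p


def triage(hooks: List[Hook], min_processes: int = 3) -> List[Dict]:
    seen_in: Dict[Tuple[str, str, int], Set[str]] = defaultdict(set)
    for h in hooks:
        seen_in[hook_signature(h)].add(h.image)
    results = []
    for h in hooks:
        shared_by = len(seen_in[hook_signature(h)])
        reasons = []
        if shared_by < min_processes:
            reasons.append(f"hook pattern present in only {shared_by} process(es)")
        if h.owner is not None and owner_in_user_profile(h.owner):
            reasons.append("hook code resolves to a file under a user profile")
        results.append({
            "image": h.image.rsplit("\\", 1)[-1],
            "pid": h.pid,
            "export": h.export,
            "offset": h.target & 0xFFFF,
            "shared_by": shared_by,
            "owner": h.owner,
            "verdict": "review" if reasons else "widespread",
            "reasons": reasons,
        })
    return results


if __name__ == "__main__":
    for r in triage(parse_gmer_hooks(SAMPLE_GMER_LINES)):
        tag = "REVIEW    " if r["verdict"] == "review" else "widespread"
        owner = r["owner"].rsplit("\\", 1)[-1] if r["owner"] else "-"
        print(f"{tag} {r['image']:<18} {r['export']:<12} +{r['offset']:04X} "
              f"seen in {r['shared_by']} proc(s) owner={owner}")
```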

#4 Elise

Posted 05 February 2010 - 08:08 AM

Hello CuttyVert,

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press
  5. Click on
  6. Click on
  7. Uncheck this checkbox:
  8. Close/Exit Spybot Search and Destroy

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 CuttyVert

Posted 05 February 2010 - 05:55 PM

Hello again. Here is the Combofix log:

ComboFix 10-02-05.02 - Ken Tousley 02/05/2010 17:43:01.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.272 [GMT -5:00]
Running from: g:\documents and settings\Ken Tousley\My Documents\Downloads\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100205-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

g:\windows\jestertb.dll
g:\windows\system32\E95THK16.EXE
g:\windows\system32\encapi32.dll
I:\Autorun.inf

.
original MBR restored successfully !
.
((((((((((((((((((((((((( Files Created from 2010-01-05 to 2010-02-05 )))))))))))))))))))))))))))))))
.

2010-01-28 00:17 . 2010-01-28 00:17 -------- d-----w- g:\program files\Cobian Backup 8
2010-01-25 01:59 . 2010-01-25 01:59 -------- d-----w- g:\program files\Microsoft Works
2010-01-11 22:17 . 2010-01-11 22:17 73616 ----a-w- g:\windows\system32\GDIPFONTCACHEV1.DAT
2010-01-11 03:44 . 2010-01-11 03:44 -------- d-----w- g:\windows\system32\XPSViewer
2010-01-11 03:44 . 2010-01-11 03:44 -------- d-----w- g:\program files\MSBuild
2010-01-11 03:44 . 2010-01-11 03:44 -------- d-----w- g:\program files\Reference Assemblies
2010-01-11 03:43 . 2008-07-06 12:06 89088 ----a-w- g:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-01-11 03:43 . 2008-07-06 12:06 89088 -c----w- g:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-01-11 03:43 . 2008-07-06 12:06 575488 -c----w- g:\windows\system32\dllcache\xpsshhdr.dll
2010-01-11 03:43 . 2008-07-06 12:06 575488 ------w- g:\windows\system32\xpsshhdr.dll
2010-01-11 03:43 . 2008-07-06 12:06 117760 ------w- g:\windows\system32\prntvpt.dll
2010-01-11 03:43 . 2008-07-06 10:50 597504 -c----w- g:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-01-11 03:43 . 2008-07-06 10:50 597504 ------w- g:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-01-11 03:43 . 2008-07-06 12:06 1676288 -c----w- g:\windows\system32\dllcache\xpssvcs.dll
2010-01-11 03:43 . 2008-07-06 12:06 1676288 ------w- g:\windows\system32\xpssvcs.dll
2010-01-09 13:44 . 2010-01-09 13:44 -------- d-----w- g:\documents and settings\LocalService\Local Settings\Application Data\ServiceTest
2010-01-08 03:27 . 2010-01-08 03:27 -------- d-----w- g:\documents and settings\All Users\Application Data\MemeoCommon
2010-01-08 03:22 . 2010-01-08 03:22 -------- d-----w- g:\program files\Picasa2
2010-01-08 03:18 . 2010-01-08 03:18 -------- d-----w- g:\program files\Western Digital
2010-01-08 03:17 . 2010-01-08 03:17 -------- d-----w- g:\documents and settings\Ken Tousley\Local Settings\Application Data\temp
2010-01-08 03:17 . 2010-01-08 03:25 -------- d-----w- g:\program files\Common Files\eSellerate
2010-01-08 03:11 . 2010-01-08 03:11 -------- d-----w- g:\program files\Western Digital Corporation

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-05 22:24 . 2008-11-20 00:59 -------- d-----w- g:\program files\Greetings Workshop
2010-01-26 01:50 . 2008-11-20 00:19 -------- d-----w- g:\program files\Mozilla Thunderbird
2010-01-13 11:11 . 2008-11-21 02:16 -------- d-----w- g:\program files\Google
2010-01-11 22:16 . 2008-12-21 22:03 73616 -c--a-w- g:\documents and settings\Ken Tousley\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-10 03:52 . 2008-11-20 02:59 -------- d-----w- g:\documents and settings\Ken Tousley\Application Data\Roxio
2010-01-05 10:00 . 2004-08-04 12:00 832512 ----a-w- g:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 12:00 78336 ----a-w- g:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 12:00 17408 ----a-w- g:\windows\system32\corpol.dll
2010-01-03 23:51 . 2008-11-20 01:10 -------- d-----w- g:\program files\Lexmark X5100 Series
2010-01-03 17:51 . 2010-01-03 17:51 96512 ------w- g:\windows\system32\drivers\trz1E.tmp
2010-01-03 17:34 . 2010-01-03 17:34 96512 ----a-w- g:\windows\system32\drivers\atapi.sys
2010-01-01 18:43 . 2010-01-01 18:43 -------- d-----w- g:\documents and settings\Ken Tousley\Application Data\Amazon
2010-01-01 18:42 . 2010-01-01 18:42 -------- d-----w- g:\program files\Amazon
2009-12-19 19:34 . 2008-11-21 02:22 -------- d-----w- g:\program files\Common Files\Adobe
2009-12-19 00:43 . 2009-12-19 00:43 79488 ----a-w- g:\documents and settings\Ken Tousley\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-24 23:54 . 2008-11-22 03:02 1280480 ----a-w- g:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2008-11-22 03:02 93424 ----a-w- g:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2008-11-22 03:02 94160 ----a-w- g:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2008-11-22 03:02 114768 ----a-w- g:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2008-11-22 03:02 20560 ----a-w- g:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2008-11-22 03:02 48560 ----a-w- g:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2008-11-22 03:02 23120 ----a-w- g:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2008-11-22 03:02 27408 ----a-w- g:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2008-11-22 03:02 97480 ----a-w- g:\windows\system32\AvastSS.scr
2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- g:\windows\AppPatch\aclayers.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SansaDispatch"="g:\documents and settings\Ken Tousley\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2008-11-21 79872]
"swg"="g:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-27 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Anvshell"="g:\windows\Anvshell.exe" [2002-10-22 331776]
"RoxioEngineUtility"="g:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"RoxioDragToDisc"="g:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-10-21 868352]
"RoxioAudioCentral"="g:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 319488]
"Lexmark X5100 Series"="g:\program files\Lexmark X5100 Series\lxbabmgr.exe" [2002-12-03 86102]
"iTunesHelper"="g:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"avast!"="g:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"SunJavaUpdateSched"="g:\program files\Java\jre6\bin\jusched.exe" [2009-10-19 149280]
"Adobe Reader Speed Launcher"="g:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="g:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Picasa Media Detector"="g:\program files\Picasa2\PicasaMediaDetector.exe" [2007-02-21 366400]

g:\documents and settings\Ken Tousley\Start Menu\Programs\Startup\
Greetings Workshop Reminders.lnk - g:\program files\Greetings Workshop\GWREMIND.EXE [1997-9-4 50688]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"g:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"g:\\Program Files\\iTunes\\iTunes.exe"=
"g:\\WINDOWS\\system32\\LEXPPS.EXE"=
"g:\\Documents and Settings\\Ken Tousley\\Application Data\\Mozilla\\Firefox\\Profiles\\vsotmeyq.default\\extensions\\yahoodownloader@gmail.com\\components\\DownloadYh.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"6613:TCP"= 6613:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"3348:TCP"= 3348:TCP:Services

R1 aswSP;avast! Self Protection;g:\windows\system32\drivers\aswSP.sys [11/21/2008 10:02 PM 114768]
R2 aswFsBlk;aswFsBlk;g:\windows\system32\drivers\aswFsBlk.sys [11/21/2008 10:02 PM 20560]
R3 WsAudioDevice_383;WsAudioDevice_383;g:\windows\system32\drivers\WsAudioDevice_383.sys [8/29/2009 8:18 PM 16640]
S3 motccgp;Motorola USB Composite Device Driver;g:\windows\system32\drivers\motccgp.sys [8/21/2008 11:49 PM 18688]
S3 motccgpfl;MotCcgpFlService;g:\windows\system32\drivers\motccgpfl.sys [8/21/2008 11:49 PM 8320]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - g:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - g:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - g:\documents and settings\Ken Tousley\Application Data\Mozilla\Firefox\Profiles\vsotmeyq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1641676&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - eMusic Customized Web Search
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1641676&SearchSource=2&q=
FF - component: g:\documents and settings\Ken Tousley\Application Data\Mozilla\Firefox\Profiles\vsotmeyq.default\extensions\{9ee802e8-c931-47ab-b570-aa8f791598ca}\components\FFExternalAlert.dll
FF - component: g:\documents and settings\Ken Tousley\Application Data\Mozilla\Firefox\Profiles\vsotmeyq.default\extensions\yahoodownloader@gmail.com\components\MyComponent.dll
FF - plugin: g:\program files\eMusic Download Manager\plugin\npemusic.dll
FF - plugin: g:\program files\Musicnotes\npmusicn.dll
FF - plugin: g:\program files\Musicnotes\NPSibelius.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - g:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-05 17:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SansaDispatch = g:\documents and settings\Ken Tousley\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe?content-complementary%253ftype%253dcontent%2526contentid%253dMSANSA124410466935213%2526version%

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x82BC4C90]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8628f28
\Driver\ACPI -> 0x82bc4c90
\Driver\atapi -> atapi.sys @ 0xf844d852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
NDIS: Realtek RTL8169/8110 Family Gigabit Ethernet NIC -> SendCompleteHandler -> 0x82540330
PacketIndicateHandler -> NDIS.sys @ 0xf8353a21
SendHandler -> NDIS.sys @ 0xf833187b
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x012A14C00
malicious code @ sector 0x012A14C03 !
PE file found in sector at 0x012A14C19 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
Completion time: 2010-02-05 17:49:13
ComboFix-quarantined-files.txt 2010-02-05 22:49

Pre-Run: 14,076,846,080 bytes free
Post-Run: 14,243,483,648 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
g:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - D2A30678AD45ECC77639B7CDF13D85F0


Thank you,
Ken

#6 Elise

Posted 06 February 2010 - 07:18 AM

Hello,

That looks like we have a rootkit on board

Please click Start > Run, paste the following bolded text in the run box, and press Enter

c:\windows\mbr.exe -f

After successfully running that command, navigate to c:\windows\mbr.exe and double click on it to run it. Afterwards, look for c:\windows\mbr.log and post its contents in your next reply.

regards, Elise


#7 CuttyVert

Posted 06 February 2010 - 01:57 PM

As Yosemite Sam would say "I hates Rootkits"
Here is the log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x82ce84d0
NDIS: Realtek RTL8169/8110 Family Gigabit Ethernet NIC -> SendCompleteHandler -> 0x8254b330
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x012A14C00
malicious code @ sector 0x012A14C03 !
PE file found in sector at 0x012A14C19 !
Use "Recovery Console" command "fixmbr" to clear infection !

I hope we can get rid of this little bugger!

thanks,
Ken
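
The mbr.exe report above is free text, so here is a small triage helper, added as an example (not part of this thread and not Gmer's code), that parses it into hooks, hidden-sector findings and a verdict. The embedded log is a copy of the one in the post; the 512-byte sector size and the verdict rules are assumptions.

```python
import re

# Copy of the mbr.exe (Gmer) log posted above, embedded so the parser runs offline.
SAMPLE_LOG = r"""Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x82ce84d0
NDIS: Realtek RTL8169/8110 Family Gigabit Ethernet NIC -> SendCompleteHandler -> 0x8254b330
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x012A14C00
malicious code @ sector 0x012A14C03 !
PE file found in sector at 0x012A14C19 !
Use "Recovery Console" command "fixmbr" to clear infection !
"""

SECTOR_BYTES = 512  # assumption: classic 512-byte sectors, as on this XP-era disk
HOOK_RE = re.compile(r"^(?P<target>.+?) -> (?P<addr>0x[0-9a-fA-F]+)$")
SECTOR_RE = re.compile(r"sector (?:at )?(?P<sector>0x[0-9a-fA-F]+)")
SECTOR_KINDS = {"copy of MBR": "mbr_copy", "malicious code": "malicious_code", "PE file": "pe_file"}

def parse_mbr_log(text):
    """Turn the free-text log into hooks, sector findings, warnings and the MBR-OK flag."""
    report = {"hooks": [], "sectors": {}, "warnings": [], "mbr_ok": False}
    for line in text.splitlines():
        line = line.strip()
        if line == "user & kernel MBR OK":
            report["mbr_ok"] = True
        elif line.startswith("Warning:"):
            report["warnings"].append(line)
        elif (m := SECTOR_RE.search(line)):
            sector = int(m.group("sector"), 16)
            kind = next((v for k, v in SECTOR_KINDS.items() if line.startswith(k)), "other")
            # byte offset lets the same spot be checked on a disk image with dd or a hex editor
            report["sectors"][kind] = {"sector": sector, "byte_offset": sector * SECTOR_BYTES}
        elif (m := HOOK_RE.match(line)):
            report["hooks"].append((m.group("target"), int(m.group("addr"), 16)))
    return report

def verdict(report):
    """Triage rule (an assumption, not Gmer's logic): sector 0 reads clean from user and
    kernel mode, yet hooks plus a stashed MBR copy and code in high sectors are present."""
    if report["hooks"] and "malicious_code" in report["sectors"]:
        return "MBR rootkit suspected: hooks plus hidden payload sectors"
    if report["hooks"] or report["warnings"]:
        return "suspicious: review hooks and warnings"
    return "clean"
```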

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,112 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:10:14 PM

Posted 06 February 2010 - 02:44 PM

Before we continue, I need to know if you have any other Operating Systems (windows or linux) installed on any of your drives/partitions.

regards, Elise




#9 CuttyVert

CuttyVert
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:02:14 PM

Posted 07 February 2010 - 02:38 PM

No, the only operating system is Windows XP Professional on the G Drive. The C, D and H drives are documents, music and photos. The I drive is an external hard drive for backups.

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,112 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:10:14 PM

Posted 07 February 2010 - 02:52 PM

Hello CuttyVert,
  1. Restart your computer
  2. Before Windows loads, you will be prompted to choose which Operating System to start
  3. Use the up and down arrow key to select Microsoft Windows Recovery Console
  4. You must enter which Windows installation to log onto. Type 1 and press enter.
  5. At the C:\Windows prompt, type the following bolded text, and press Enter:

    fixmbr

    Confirm if asked to do so.

  6. At the next prompt type the following bolded text, and press Enter:

    exit

    Windows will now begin loading.

After this, re-run Combofix (download a new copy and delete the old one) and post me the log.


regards, Elise




#11 CuttyVert

CuttyVert
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:02:14 PM

Posted 07 February 2010 - 07:47 PM

Hello Elise,
When I restart the computer, I don't get a prompt on which operating system to start. I get a screen with the motherboard info (MSI, Pentium 4, etc.) and then it goes to the login for Windows.

I tried pressing F8 while it was loading up (the way you get into safemode etc) but Recovery Console was not an option on the screen that came up.

When I ran Combofix, I'm sure it installed the Recovery Console.

Any ideas?

Thanks,
Ken

#12 CuttyVert

CuttyVert
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:02:14 PM

Posted 07 February 2010 - 08:56 PM

I played with restarting a couple more times. I hit the arrow key as it was starting and the option for starting in the Recovery Console or Windows XP came up. I chose the Recovery Console and got the following error:

"Windows could not start because of a computer disk hardware configuration problem.
Could not read from the selected boot disk. Check boot path and disk hardware.
Please check Windows documentation about hardware disk configuration and your reference manuals for additional information."

Should I try it from the Windows installation disk?

thanks again,
Ken

#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,112 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:10:14 PM

Posted 08 February 2010 - 03:27 AM

Yes, you can try it from the XP installation disk. After loading, this should give you the option to "press R to repair windows using the Recovery Console".

regards, Elise




#14 CuttyVert

CuttyVert
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:02:14 PM

Posted 08 February 2010 - 04:59 PM

I tried running Recovery Console from the XP disk. It told me I couldn't because the version of Windows on the disk is older than the one on the computer.
It then asked if I wanted to add Recovery Console to the Startup option. I clicked OK, but it looked like it was going to reinstall XP on the computer. So I canceled the installation.
Now when I start the computer an error message comes up:
Invalid BOOT.INI file
Booting from C:\windows\
It will boot up after that and everything seems to run OK.
Should I try running Combofix again to install Recovery Console, or should I let the installation from the XP disk continue, or something else?

Thank you,
Ken

#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,112 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:10:14 PM

Posted 09 February 2010 - 04:23 AM

Try to follow the steps here to rebuild boot.ini file. Most likely you have an invalid line there.

If this does not work with your XP CD let me know and I will give you instructions on how to create a separate Recovery Console boot CD.

regards, Elise




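Relating to the "Invalid BOOT.INI file" error in post #14 and the rebuild advice in post #15, here is an added example (not from this thread and not a Microsoft tool): a Python checker that parses a boot.ini like the one ComboFix printed earlier and reports the inconsistencies NTLDR would reject, such as a default= line that names no entry or an entry that is not a valid ARC path. Both boot.ini texts are constructed, and the ARC-path pattern is an assumption covering the multi/scsi/signature forms.

```python
import re

# Constructed boot.ini modelled on the one ComboFix printed earlier in this thread.
GOOD_BOOT_INI = r"""[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
g:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
"""
# Constructed broken file: default names a partition with no entry, and one entry is not an ARC path.
BAD_BOOT_INI = r"""[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
rdisk(0)partition(1)\WINDOWS="Mangled entry"
"""

# ARC path as NTLDR expects it (assumed pattern), or a drive path like the Recovery Console's g:\cmdcons\BOOTSECT.DAT
ARC_RE = re.compile(r"^(multi|scsi|signature)\(\w+\)disk\(\d+\)rdisk\(\d+\)partition\(\d+\)\\\S+$", re.I)
DRIVE_RE = re.compile(r"^[a-z]:\\\S+$", re.I)

def parse_boot_ini(text):
    sections, problems, current = {}, [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is None or "=" not in line:
            problems.append(f"line {n}: not a key=value line inside a section: {line!r}")
        else:
            key, value = line.split("=", 1)  # first '=' only: values carry switches like /noexecute=optin
            sections[current].append((key.strip(), value.strip()))
    return sections, problems

def validate_boot_ini(text):
    """Return the list of problems; an empty list means default and entries are consistent."""
    sections, problems = parse_boot_ini(text)
    loader = dict(sections.get("boot loader", []))
    entries = {k.lower(): v for k, v in sections.get("operating systems", [])}
    default = loader.get("default", "").lower()
    if default not in entries:
        problems.append(f"default {default!r} has no matching [operating systems] entry")
    for path in entries:
        if not (ARC_RE.match(path) or DRIVE_RE.match(path)):
            problems.append(f"entry {path!r} is neither an ARC path nor a drive path")
    return problems
```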
