
Google Redirect/Popup Malware


  • This topic is locked
2 replies to this topic

#1 Clerking

Clerking

  • Members
  • 1 posts
  • OFFLINE
  • Local time:07:51 PM

Posted 28 January 2010 - 11:31 AM

Hi! Recently our office manager's computer developed a problem which a number of people seem to have solved by coming to this site and following the advice of your experts. Almost every time he clicks on a Google search result he's redirected through several sites to an unrelated ad. When searching for a solution to the problem, he discovered that both Firefox and IE now popup ads for adult education and anti-virus software. It's very frustrating. Please help us.

Our DDS and RootRepeal logs follow:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Assistant1 at 10:45:05.71 on Thu 01/28/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.66 [GMT -5:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Acronis\TrueImageEchoWorkstation\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageEchoWorkstation\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intuit\QuickBooks 2008\qbw32.exe
C:\PROGRA~1\Intuit\QUICKB~2\QBDBMgr.exe
C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
C:\Documents and Settings\Assistant1\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.floridabar.org/names.nsf/MESearch?OpenForm
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
mSearchAssistant = hxxp://www.google.com/ie
BHO: Time Matters: {00f17ece-12da-46a0-b541-bde4eb7df027} - c:\tmw7\TMIETB.DLL
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: Time Matters: {00f17ece-12da-46a0-b541-bde4eb7df027} - c:\tmw7\TMIETB.DLL
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - c:\program files\aim toolbar\AIMBar.dll
TB: {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Sonic RecordNow!]
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [StorageGuard] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [QuickFinder Scheduler] "c:\program files\wordperfect office 11\programs\QFSCHD110.EXE"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimageechoworkstation\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimageechoworkstation\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [vukinugev] Rundll32.exe "c:\windows\system32\zenoyovo.dll",a
StartupFolder: c:\docume~1\assist~2\startm~1\programs\startup\logite~1.lnk - c:\program files\common files\logishrd\ereg\setpoint\eReg.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {9239E4EC-C9A6-11D2-A844-00C04F68D538}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: ameritrade.com
Trusted Zone: ameritrade.com\research
Trusted Zone: ameritrade.com\wwws
Trusted Zone: lexis-nexis.com
Trusted Zone: lexis.com
Trusted Zone: lexisnexis.com
Trusted Zone: nexis.com
Trusted Zone: tdameritrade.com\www
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {26BFFB87-5B07-4611-82BB-AF3947013FDD} - hxxps://www.lexis.com/dl/IEDAP.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,96/mcinsctl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145296642875
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: {6B012D2E-4DBC-4F05-96FE-07A0D8B454C6} = 205.152.144.23,205.152.132.23
TCP: {6BC6FF29-00F2-4EC8-8507-B3B22F1FE08D} = 205.152.144.23,205.152.132.23
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: sojesinu.dll c:\windows\system32\zenoyovo.dll
SSODL: vejuhibow - {7c823b3b-1efe-4154-a814-56c525c7f1f3} - c:\windows\system32\zenoyovo.dll
STS: mujuzedij: {7c823b3b-1efe-4154-a814-56c525c7f1f3} - c:\windows\system32\zenoyovo.dll
LSA: Authentication Packages = msv1_0 relog_ap
LSA: Notification Packages = scecli jihozutu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\assist~2\applic~1\mozilla\firefox\profiles\ehg7dnpi.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.floridabar.org/names.nsf/MESearch?OpenForm
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJPI142.DLL
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-1-25 162640]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-28 214664]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-25 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-25 40384]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2010-1-16 10384]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-12-29 47640]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-7-30 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-2-28 144704]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-25 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-25 40384]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-2-28 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-2-28 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-2-28 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-2-28 40552]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [2008-8-11 12192]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-2-28 34248]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [2004-2-18 15576]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-01-25 19:47:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-01-22 15:10:03 0 ----a-w- c:\windows\LogMeIn_uninstall_reboot
2010-01-16 16:17:11 10384 ----a-w- c:\windows\system32\drivers\LBeepKE.sys
2010-01-16 16:16:47 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2010-01-16 16:16:33 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2010-01-16 16:16:27 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-01-16 16:14:58 301656 ----a-w- c:\windows\system32\BtCoreIf.dll
2010-01-16 16:14:46 84496 ----a-w- c:\windows\system32\KemXML.dll
2010-01-16 16:14:46 170512 ----a-w- c:\windows\system32\kemutb.dll
2010-01-16 16:14:46 145936 ----a-w- c:\windows\system32\KemUtil.dll
2010-01-16 16:14:46 117264 ----a-w- c:\windows\system32\KemWnd.dll
2010-01-16 15:57:24 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-01-16 15:57:24 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2010-01-16 15:57:18 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-01-16 15:57:18 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-01-16 15:57:05 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-01-16 15:57:05 32128 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-12-30 08:49:42 0 d-----w- c:\program files\NirSoft
2009-12-30 08:34:24 44384 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2009-12-30 08:34:24 441760 ----a-w- c:\windows\system32\drivers\timntr.sys
2009-12-30 08:33:48 134272 ----a-w- c:\windows\system32\drivers\snman380.sys
2009-12-30 00:28:20 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2009-12-30 00:28:20 28984 ----a-w- c:\windows\system32\LMIport.dll
2009-12-30 00:28:19 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys
2009-12-30 00:27:56 87352 ----a-w- c:\windows\system32\LMIinit.dll
2009-12-30 00:27:51 1024 ----a-w- C:\.rnd
2009-12-30 00:27:22 0 d-----w- c:\program files\LogMeIn

==================== Find3M ====================

2010-01-26 02:46:39 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-26 02:46:39 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-11-21 15:51:04 471552 ----a-w- c:\windows\system32\dllcache\aclayers.dll
2009-11-05 18:38:40 14176 ----a-w- c:\windows\system32\relog_ap.dll
2009-11-05 17:13:48 18272 ----a-w- c:\windows\system32\acrotls.dll
1601-01-01 00:03:28 38400 --sha-w- c:\windows\system32\begepudi.dll
1601-01-01 00:03:52 52224 --sha-w- c:\windows\system32\fiyusovu.dll
1601-01-01 00:03:28 91648 --sha-w- c:\windows\system32\hanuzuze.dll
1601-01-01 00:03:28 37888 --sha-w- c:\windows\system32\jazoloya.dll
1601-01-01 00:03:52 52224 --sha-w- c:\windows\system32\jihozutu.dll
1601-01-01 00:03:28 38912 --sha-w- c:\windows\system32\jutogaje.dll
1601-01-01 00:03:28 52224 --sha-w- c:\windows\system32\katihasi.dll
1601-01-01 00:03:28 91648 --sha-w- c:\windows\system32\newuwiyo.dll
1601-01-01 00:03:28 38400 --sha-w- c:\windows\system32\noleriji.dll
1601-01-01 00:03:28 38400 --sha-w- c:\windows\system32\pinadili.dll
1601-01-01 00:03:28 38400 --sha-w- c:\windows\system32\pukotoyu.dll
1601-01-01 00:03:28 42496 --sha-w- c:\windows\system32\rimafafu.dll
1601-01-01 00:03:28 95232 --sha-w- c:\windows\system32\ripoduso.dll
1601-01-01 00:03:52 52224 --sha-w- c:\windows\system32\sojesinu.dll
1601-01-01 00:03:28 92160 --sha-w- c:\windows\system32\turovepi.dll
1601-01-01 00:03:28 95744 --sha-w- c:\windows\system32\vehuyafa.dll
1601-01-01 00:03:28 38400 --sha-w- c:\windows\system32\vojedayu.dll
1601-01-01 00:03:28 42496 --sha-w- c:\windows\system32\vufofeso.dll
1601-01-01 00:03:28 38400 --sha-w- c:\windows\system32\vupehoga.dll
1601-01-01 00:03:28 91648 --sha-w- c:\windows\system32\zenoyovo.dll

============= FINISH: 10:51:53.54 ===============




ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/28 10:54
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB02F4000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\mcmsc_t1umbnb7selylkw
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_tecxgduevwmvjxz
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_hmhmjqqnonbkc8v
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_orttq5p91yrh0rv
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_qcfkuehpbg8r55h
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\fla33.tmp
Status: Invisible to the Windows API!

Path: C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2089\A0242051.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Assistant1\Local Settings\Apps\2.0\WPDGX098.GX2\46V92WET.DAW\manifests\LogMeIn Host Software.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Assistant1\Local Settings\Apps\2.0\WPDGX098.GX2\46V92WET.DAW\manifests\LogMeIn Host Software.exe.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Assistant1\Local Settings\Apps\2.0\WPDGX098.GX2\46V92WET.DAW\manifests\LogMeInBootstrapper.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Assistant1\Local Settings\Apps\2.0\WPDGX098.GX2\46V92WET.DAW\manifests\LogMeInBootstrapper.manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba104bbc

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba104a78

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba10502c

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba104f56

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba10464e

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba104b52

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba10458e

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba1045f2

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba104c72

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba1050fa

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba104c32

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba104db2

==EOF==


Many thanks!



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:51 AM

Posted 05 February 2010 - 03:26 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:51 AM

Posted 10 February 2010 - 06:49 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE



