
DDS Log for Firefox search bar redirects randomly


This topic is locked
18 replies to this topic

#1 covalesj
  • Members
  • 11 posts

Posted 28 February 2010 - 08:02 PM

Also, attach.txt is zipped and attached
DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 19:54:32.08 on Sun 02/28/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.1826 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\Program Files\Jetico\BCWipe\BCWipeSvc.exe
C:\WINNT\system32\svchost -k DcomLaunch
C:\Program Files\Jetico\BCWipe\BCWipeTM.exe
svchost.exe
C:\WINNT\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINNT\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\svchost.exe -k imgsvc
C:\Program Files\NETGEAR\NETGEAR Storage Central Manager Utility\Z-SANService.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\Jetico\BCWipe\BCResident.exe
C:\Program Files\Jetico\BCWipe\BCWipeTM.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\PokerStars\PokerStars.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINNT\regedit.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINNT\system32\notepad.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [Synchronization Manager] mobsync.exee /logon
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\winnt\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exee /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\winnt\system32\NvMcTray.dll,NvTaskbarInit
mRun: [BCWipeTM Startup] "c:\program files\jetico\bcwipe\BCWipeTM.exe" startup
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
Trusted Zone: bluestonecomm.com\mail
Trusted Zone: intuit.com\ttlc
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {31564D57-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmvax.cab
DPF: {32564D57-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv8ax.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1175555945859
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161297752968
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38252.6890393519
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\pg076cid.default\
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 8888
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 8888
FF - prefs.js: network.proxy.type - 1
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 ZetSFD;ZetSFD;c:\winnt\system32\drivers\ZetSFD.sys [2009-6-28 12800]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winnt\system32\drivers\avgldx86.sys [2010-2-28 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\winnt\system32\drivers\avgmfx86.sys [2010-2-28 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\winnt\system32\drivers\avgtdix.sys [2010-2-28 360584]
R1 fsh;fsh;c:\winnt\system32\drivers\fsh.sys [2009-7-23 38592]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R1 VBoxDrv;VirtualBox Service;c:\winnt\system32\drivers\VBoxDrv.sys [2010-1-3 123280]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\winnt\system32\drivers\VBoxUSBMon.sys [2010-1-3 41616]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-2-28 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-2-28 285392]
R2 BCWipeSvc;BCWipe service;c:\program files\jetico\bcwipe\BCWipeSvc.exe [2009-11-10 95544]
R2 epcpuid;epcpuid;c:\winnt\system32\drivers\epcpuid.SYS [2007-4-8 2816]
R2 GetBINFile;GetBINFile;c:\winnt\system32\drivers\GetBinFile.SYS [2007-4-8 3200]
R2 hwmdr;hwmdr;c:\winnt\system32\drivers\hwmdr.SYS [2007-4-8 12800]
R2 SFSZ;DataPlow SFS for Zetera Storage Devices;c:\winnt\system32\drivers\sfsz.sys [2009-6-28 345984]
R2 Z-SANService;Z-SAN Service;c:\program files\netgear\netgear storage central manager utility\Z-SANService.exe [2009-6-28 376891]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\winnt\system32\drivers\VBoxNetAdp.sys [2009-12-17 99152]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\winnt\system32\drivers\VBoxNetFlt.sys [2009-12-17 110096]
R3 ZetBus;Zetera Virtual Bus;c:\winnt\system32\drivers\ZetBus.sys [2009-6-28 15488]
R3 ZetMPD;ZetMPD;c:\winnt\system32\drivers\ZetMPD.sys [2009-6-28 5120]
S3 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\postgresql\8.3\bin\pg_ctl.exe [2008-9-19 65536]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\winnt\system32\drivers\rt2870.sys --> c:\winnt\system32\drivers\rt2870.sys [?]
S3 RTLE8023;Realtek 10/100/1000 PCI-E NIC Family NT Driver;c:\winnt\system32\drivers\Rtenic.sys [2006-10-16 83712]
S3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2004-9-23 49776]
S4 BCSWAP;BCSWAP;c:\winnt\system32\drivers\bcswap.sys [2009-7-23 91496]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]
S4 sshd;CYGWIN sshd;c:\cygwin\bin\cygrunsrv.exe [2009-3-18 68096]

=============== Created Last 30 ================

2010-02-28 22:47:02 0 d-----w- c:\program files\ESET
2010-02-28 20:19:12 0 d--h--w- C:\$AVG
2010-02-28 20:18:58 12464 ----a-w- c:\winnt\system32\avgrsstx.dll
2010-02-28 20:18:57 360584 ----a-w- c:\winnt\system32\drivers\avgtdix.sys
2010-02-28 20:18:53 333192 ----a-w- c:\winnt\system32\drivers\avgldx86.sys
2010-02-28 20:18:42 0 d-----w- c:\winnt\system32\drivers\Avg
2010-02-28 20:18:15 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-02-27 16:59:12 0 d-----w- C:\ofx
2010-02-27 16:05:20 0 d-----w- C:\comfix
2010-02-27 13:35:09 230808 ----a-r- c:\winnt\system32\cpnprt2.cid
2010-02-27 13:35:01 0 d-----w- c:\program files\Coupons
2010-02-24 01:37:32 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-02-24 01:37:24 0 d-----w- c:\program files\SUPERAntiSpyware
2010-02-24 01:37:24 0 d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2010-02-24 01:37:01 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-02-24 01:19:36 77312 ----a-w- c:\winnt\MBR.exe
2010-02-24 00:58:40 0 d-----w- c:\program files\CCleaner
2010-02-21 23:25:00 0 d-----w- c:\winnt\Entropia Universe
2010-02-21 21:52:56 0 d-----w- c:\docume~1\admini~1\applic~1\NeroDigital™
2010-02-21 21:47:57 0 d-----w- c:\program files\Entropia Universe
2010-02-21 19:06:12 69 ----a-w- c:\winnt\NeroDigital.ini
2010-02-21 18:48:09 0 d-----w- c:\program files\Nero
2010-02-21 18:47:41 0 d-----w- c:\docume~1\alluse~1\applic~1\Nero
2010-02-21 14:49:41 0 d-----w- C:\movies
2010-02-20 22:33:02 0 d-----w- C:\virtualdub
2010-02-20 20:38:58 0 d-----w- c:\docume~1\alluse~1\applic~1\Panasonic
2010-02-20 20:35:28 77824 ----a-w- c:\winnt\system32\PAvFilt.dll
2010-02-20 20:35:28 36864 ----a-w- c:\winnt\system32\DvWrite.dll
2010-02-20 20:35:28 36864 ----a-w- c:\winnt\system32\DvRead.dll
2010-02-20 20:35:28 253952 ----a-w- c:\winnt\system32\PCodec.dll
2010-02-20 20:35:17 0 d-----w- c:\program files\common files\Panasonic
2010-02-20 20:33:21 26368 -c--a-w- c:\winnt\system32\dllcache\usbstor.sys
2010-02-20 20:33:09 20992 -c--a-w- c:\winnt\system32\dllcache\dshowext.ax
2010-02-20 20:33:09 20992 ----a-w- c:\winnt\system32\dshowext.ax
2010-02-03 22:42:49 0 d-----w- c:\program files\TrendMicro

==================== Find3M ====================

2010-01-07 21:07:14 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07:04 19160 ----a-w- c:\winnt\system32\drivers\mbam.sys
2009-12-17 20:02:34 133648 ----a-w- c:\winnt\system32\VBoxNetFltNotify.dll
2009-12-14 20:21:48 52424 ----a-w- c:\winnt\fonts\QT2M_P.TTF
2009-12-14 20:21:48 35632 ----a-w- c:\winnt\fonts\QT2_I.TTF
2009-12-14 20:21:48 35064 ----a-w- c:\winnt\fonts\QT2C_P.TTF
2009-12-14 20:21:48 32764 ----a-w- c:\winnt\fonts\QT2C_B.TTF
2009-12-14 20:21:48 32012 ----a-w- c:\winnt\fonts\QT2C_I.TTF
2009-12-14 20:21:48 31276 ----a-w- c:\winnt\fonts\QT2_B.TTF
2009-12-14 20:21:48 30892 ----a-w- c:\winnt\fonts\QT2_P.TTF
2009-12-14 20:21:48 28532 ----a-w- c:\winnt\fonts\OCRA2_P.TTF
2009-12-14 20:21:48 24612 ----a-w- c:\winnt\fonts\OCRBMT.TTF
2009-12-14 20:21:48 20900 ----a-w- c:\winnt\fonts\QT2PI_P.TTF
2009-12-14 20:21:48 1716297 ----a-w- c:\winnt\system32\InetClnt.dll
2009-12-10 03:54:07 261632 ----a-w- c:\winnt\PEV.exe
2004-09-23 23:16:12 271 --sh--w- c:\program files\desktop.ini
2004-09-23 23:16:12 21952 ---ha-w- c:\program files\folder.htt

============= FINISH: 19:55:24.37 ===============
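A first pass over a DDS report like the one above can be done mechanically. The script below is an added example, not part of the original post and not code from the DDS tool: it parses the Firefox prefs.js lines, the Hosts line and the Run entries, and lists the points a responder would confirm first. The sample input is an excerpt of the log above; the checks themselves, the loopback set and the "bare executable name" heuristic are my assumptions. One fact worth knowing when reading the output: network.proxy.type 1 is Firefox's manual proxy mode, and 8888 is the default listening port of the Fiddler debugging proxy, so a manual proxy to localhost:8888 is either a leftover from a legitimate local tool or a local interception point, and in a browser-redirect case it is the first setting to verify.

```python
import re

# Excerpt of the DDS report posted above; only the line types the checks use.
DDS_EXCERPT = r"""
uStart Page = hxxp://www.google.com/
mRun: [Synchronization Manager] mobsync.exee /logon
mRun: [BCWipeTM Startup] "c:\program files\jetico\bcwipe\BCWipeTM.exe" startup
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
Hosts: 127.0.0.1 www.spywareinfo.com
FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\pg076cid.default\
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 8888
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 8888
FF - prefs.js: network.proxy.type - 1
"""

PREF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (.*)$")
HOSTS_RE = re.compile(r"^Hosts: (\S+) (\S+)$")
RUN_RE = re.compile(r"^([um]Run): \[(.*?)\] (.*)$")
LOOPBACK = {"127.0.0.1", "::1", "localhost"}  # assumption: addresses treated as "this machine"


def parse_dds(text):
    """Collect Firefox prefs, Hosts entries and Run keys from a DDS report."""
    prefs, hosts, runs = {}, [], []
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
            continue
        m = HOSTS_RE.match(line)
        if m:
            hosts.append((m.group(1), m.group(2)))  # (address, hostname)
            continue
        m = RUN_RE.match(line)
        if m:
            runs.append((m.group(1), m.group(2), m.group(3)))  # (hive, value name, command)
    return {"prefs": prefs, "hosts": hosts, "runs": runs}


def firefox_proxy_findings(prefs):
    """network.proxy.type 1 is Firefox's manual proxy mode; list every proxy it points at."""
    findings = []
    if prefs.get("network.proxy.type") == "1":
        for scheme in ("http", "ssl", "socks"):
            host = prefs.get(f"network.proxy.{scheme}")
            if host:
                port = prefs.get(f"network.proxy.{scheme}_port", "?")
                findings.append(f"manual {scheme} proxy {host}:{port}")
    return findings


def hosts_findings(hosts):
    """Hosts entries that send a real hostname to loopback block or redirect that site."""
    return [f"{name} -> {addr}" for addr, name in hosts
            if addr in LOOPBACK and name.lower() != "localhost"]


def executable_of(cmd):
    """First token of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0] if cmd else ""


def run_findings(runs):
    """Run entries whose command has no directory resolve through the search path (heuristic)."""
    return [(hive, name, executable_of(cmd)) for hive, name, cmd in runs
            if "\\" not in executable_of(cmd)]


if __name__ == "__main__":
    report = parse_dds(DDS_EXCERPT)
    for finding in firefox_proxy_findings(report["prefs"]) + hosts_findings(report["hosts"]):
        print("check:", finding)
    for hive, name, exe in run_findings(report["runs"]):
        print(f"check: {hive} [{name}] runs bare '{exe}'")
```

Run against the excerpt it reports the two manual proxies to localhost:8888, the spywareinfo.com Hosts entry and the one Run value that names its executable without a path; each is a lead to confirm on the machine, not a verdict.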


#2 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 06 March 2010 - 12:07 AM

Hello covalesj smile.gif Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.



After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.



In order to better assist you I will need the following:








If you have any CD emulation software such as Daemon or Alcohol please run the following before you run GMER. If you do not, skip DeFogger and go right on to GMER. If you do use it let me know so we can reenable when we finish up.



Disable:


Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers.
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.






Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.





  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries




If GMER does not want to run add the following to those that you unchecked and try it again:

  • Registry
  • Files












Thanks,



thewall



If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 13 March 2010 - 09:57 PM

Due to the lack of feedback This Topic is closed.

Should you need it reopened, please contact me by PM. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

#4 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 14 March 2010 - 12:54 AM

Reopened at user's request.

#5 covalesj
  • Topic Starter
  • Members
  • 11 posts

Posted 14 March 2010 - 05:40 PM

In order to get GMER to run, I needed to uncheck Files and Registry as well -- it seemed it would make it through Registry with no alerts, and then many many files, after which it would just hang.

My GMER log is attached.


#6 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 14 March 2010 - 07:00 PM

Looks like you have an Atapi.sys infection which would be the cause of your redirection problems.

Let's do the following:

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.








Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.






#7 covalesj
  • Topic Starter
  • Members
  • 11 posts

Posted 14 March 2010 - 08:40 PM

Ran TDSSKiller -- first time it found something, asked for a restart.
Ran again, found nothing -- I lost the first log, but I did have a copy paste of the command window (included).
Upon reboot, I ran ComboFix -- I had to rename it in order for it to run -- log attached.

Tested my browser -- it doesn't appear I am getting the issue any more.

Anything further I should do?


#8 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 14 March 2010 - 09:37 PM

Your ComboFix log shows you have run CF several times before. When was the last time you ran it before this one?

#9 covalesj
  • Topic Starter
  • Members
  • 11 posts

Posted 14 March 2010 - 10:31 PM

3 weeks ago -- when I was trying to solve the issue myself

#10 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 14 March 2010 - 10:59 PM

OK, I was just kind of surprised ComboFix didn't find anything to delete although TDSSKiller may have got most all of the infection.

Let's run ESET to see if it gets anything. Might want to uncheck remove known threats because it will at times delete things ComboFix keeps in quarantine. Although they are retrievable should we have to bring them back for some unknown reason, I would rather see what it finds if anything and then let it do its removals if necessary.




I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push


#11 covalesj
  • Topic Starter
  • Members
  • 11 posts

Posted 15 March 2010 - 09:37 PM

Done -- threats found - some in my old inbox - which I knew about -- the suspect for me is the holdem manager.

Attached File: eset.txt (717 bytes)


#12 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 15 March 2010 - 10:29 PM

Prevx reports HMHUD.exe as a backdoor although I am picking up on another that says it's a false positive.

http://www.prevx.com/filenames/X3382222725.../HMHUD.EXE.html


I believe the best thing we can do is try to see if you can navigate to it in the following and see if we can get a return:


Alternate site if Jotti's doesn't work or is too busy

Go to http://www.virustotal.com/en/indexf.html
Copy the following line into the white textbox:
C:\Documents and Settings\Administrator\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v65ED1E19\Native\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMHud.exe
Click Send.
Please post the results of this scan to this thread. You can post it directly into the reply window, no need to make it an attachment.





#13 covalesj
  • Topic Starter
  • Members
  • 11 posts

Posted 16 March 2010 - 06:11 AM

MD5: 0d67d3a61a1b600ba9771cb1163bdcbe
First received: 2009.10.14 14:32:39 UTC
Date: 2010.02.09 09:43:04 UTC [>35D]
Results: 25/41
Permalink: analisis/c12fe3a7aefbddcdbd828a165e2da454e09178ec6398d3e1e70698a320cd1734-1265708584

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.02.09 Backdoor.Generic!IK
AhnLab-V3 5.0.0.2 2010.02.09 Win-Trojan/Xema.variant
AntiVir 7.9.1.160 2010.02.09 BDS/Poison.aveq
Antiy-AVL 2.0.3.7 2010.02.09 -
Authentium 5.2.0.5 2010.02.09 W32/Backdoor2.GAMQ
Avast 4.8.1351.0 2010.02.09 -
AVG 9.0.0.730 2010.02.08 -
BitDefender 7.2 2010.02.09 -
CAT-QuickHeal 10.00 2010.02.09 Backdoor.Poison.auah
ClamAV 0.96.0.0-git 2010.02.09 Trojan.Poison-953
Comodo 3872 2010.02.09 UnclassifiedMalware
DrWeb 5.0.1.12222 2010.02.09 -
eSafe 7.0.17.0 2010.02.07 -
eTrust-Vet 35.2.7292 2010.02.09 -
F-Prot 4.5.1.85 2010.02.08 W32/Backdoor2.GAMQ
F-Secure 9.0.15370.0 2010.02.09 -
Fortinet 4.0.14.0 2010.02.09 W32/Poison.AVAA!tr.bdr
GData 19 2010.02.09 -
Ikarus T3.1.1.80.0 2010.02.09 Backdoor.Generic
Jiangmin 13.0.900 2010.02.08 Backdoor/Poison.dfv
K7AntiVirus 7.10.969 2010.02.08 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2010.02.09 -
McAfee 5886 2010.02.08 -
McAfee+Artemis 5886 2010.02.08 Artemis!0D67D3A61A1B
McAfee-GW-Edition 6.8.5 2010.02.09 Heuristic.LooksLike.Trojan.Backdoor.Poison.H
Microsoft 1.5406 2010.02.09 -
NOD32 4849 2010.02.08 probably a variant of Win32/Agent
Norman 6.04.03 2010.02.08 -
nProtect 2009.1.8.0 2010.02.09 Backdoor/W32.Poison.17408.X
Panda 10.0.2.2 2010.02.07 Trj/Downloader.MDW
PCTools 7.0.3.5 2010.02.09 Backdoor.Trojan
Prevx 3.0 2010.02.09 High Risk System Back Door
Rising 22.34.01.01 2010.02.09 -
Sophos 4.50.0 2010.02.09 Mal/Generic-A
Sunbelt 3.2.1858.2 2010.02.09 Trojan.Win32.Generic!BT
Symantec 20091.2.0.41 2010.02.09 Backdoor.Trojan
TheHacker 6.5.1.1.185 2010.02.09 -
TrendMicro 9.120.0.1004 2010.02.09 -
VBA32 3.12.12.1 2010.02.08 Backdoor.Win32.Poison.auah
ViRobot 2010.2.9.2177 2010.02.09 Backdoor.Win32.Poison.17408.Q
VirusBuster 5.0.21.0 2010.02.08 Backdoor.Agent.PQZJ
Additional information
File size: 17408 bytes
MD5 : 0d67d3a61a1b600ba9771cb1163bdcbe
SHA1 : 1cfcbb78a733fd4e8441b18c148c548d06986502
SHA256: c12fe3a7aefbddcdbd828a165e2da454e09178ec6398d3e1e70698a320cd1734
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x42EF
timedatestamp.....: 0x4818DA7A (Wed Apr 30 22:45:46 2008)
machinetype.......: 0x14C (Intel I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x3C40 0x3E00 6.21 82a8c4ad28e768450ea68f8e34837ecd
.data 0x5000 0x430 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.reloc 0x6000 0xD91DE 0x200 5.62 a7dcfe4ad0babb6cb651e7ac3aa3dffc

( 1 imports )

> kernel32.dll: HeapAlloc, GetProcessHeap, HeapFree, GetTickCount, GetModuleFileNameW, GetModuleHandleA, GetCurrentProcess, OpenFileMappingW, GetLastError, MapViewOfFile, UnmapViewOfFile, CloseHandle, CreateFileW, CreateFileMappingW, VirtualAlloc, GetProcAddress, LoadLibraryW

( 0 exports )
TrID : File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ssdeep: 384:OumLHoOO703eKSbMwh+AiRmszbEArbkisgJ5OadNGP7aM75jkgn7:OJIOsK2Bh+AiRmCEqpsgyadq2M75jk+
Prevx Info: http://info.prevx.com/aboutprogramtext.asp...5FDCE0064992767
PEiD : -
RDS : NSRL Reference Data Set
-
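The pasted scan report can be read mechanically rather than by eye. The script below is an added example, not part of the original post and not code from VirusTotal or Prevx: it parses the vendor table and the PE section table posted above, recomputes the detection ratio and checks it against the report's own "Results:" line, lists which vendors name the same family, and flags sections whose on-disk size does not match what the loader will map. The assumptions are mine: a "-" result is read as "no detection", the family keyword is a plain substring match, and the 8x virtual-to-raw size ratio is an arbitrary threshold.

```python
import re
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"  # MD5 of zero bytes

# The scan report pasted above: the "Results:" line, the vendor table and the PE section table.
REPORT = """\
Results: 25/41
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.02.09 Backdoor.Generic!IK
AhnLab-V3 5.0.0.2 2010.02.09 Win-Trojan/Xema.variant
AntiVir 7.9.1.160 2010.02.09 BDS/Poison.aveq
Antiy-AVL 2.0.3.7 2010.02.09 -
Authentium 5.2.0.5 2010.02.09 W32/Backdoor2.GAMQ
Avast 4.8.1351.0 2010.02.09 -
AVG 9.0.0.730 2010.02.08 -
BitDefender 7.2 2010.02.09 -
CAT-QuickHeal 10.00 2010.02.09 Backdoor.Poison.auah
ClamAV 0.96.0.0-git 2010.02.09 Trojan.Poison-953
Comodo 3872 2010.02.09 UnclassifiedMalware
DrWeb 5.0.1.12222 2010.02.09 -
eSafe 7.0.17.0 2010.02.07 -
eTrust-Vet 35.2.7292 2010.02.09 -
F-Prot 4.5.1.85 2010.02.08 W32/Backdoor2.GAMQ
F-Secure 9.0.15370.0 2010.02.09 -
Fortinet 4.0.14.0 2010.02.09 W32/Poison.AVAA!tr.bdr
GData 19 2010.02.09 -
Ikarus T3.1.1.80.0 2010.02.09 Backdoor.Generic
Jiangmin 13.0.900 2010.02.08 Backdoor/Poison.dfv
K7AntiVirus 7.10.969 2010.02.08 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2010.02.09 -
McAfee 5886 2010.02.08 -
McAfee+Artemis 5886 2010.02.08 Artemis!0D67D3A61A1B
McAfee-GW-Edition 6.8.5 2010.02.09 Heuristic.LooksLike.Trojan.Backdoor.Poison.H
Microsoft 1.5406 2010.02.09 -
NOD32 4849 2010.02.08 probably a variant of Win32/Agent
Norman 6.04.03 2010.02.08 -
nProtect 2009.1.8.0 2010.02.09 Backdoor/W32.Poison.17408.X
Panda 10.0.2.2 2010.02.07 Trj/Downloader.MDW
PCTools 7.0.3.5 2010.02.09 Backdoor.Trojan
Prevx 3.0 2010.02.09 High Risk System Back Door
Rising 22.34.01.01 2010.02.09 -
Sophos 4.50.0 2010.02.09 Mal/Generic-A
Sunbelt 3.2.1858.2 2010.02.09 Trojan.Win32.Generic!BT
Symantec 20091.2.0.41 2010.02.09 Backdoor.Trojan
TheHacker 6.5.1.1.185 2010.02.09 -
TrendMicro 9.120.0.1004 2010.02.09 -
VBA32 3.12.12.1 2010.02.08 Backdoor.Win32.Poison.auah
ViRobot 2010.2.9.2177 2010.02.09 Backdoor.Win32.Poison.17408.Q
VirusBuster 5.0.21.0 2010.02.08 Backdoor.Agent.PQZJ
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x3C40 0x3E00 6.21 82a8c4ad28e768450ea68f8e34837ecd
.data 0x5000 0x430 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.reloc 0x6000 0xD91DE 0x200 5.62 a7dcfe4ad0babb6cb651e7ac3aa3dffc
"""

CLAIM_RE = re.compile(r"^Results: (\d+)/(\d+)$")
VENDOR_RE = re.compile(r"^(\S+) (\S+) (\d{4}\.\d{2}\.\d{2}) (.+)$")  # vendor version date result...
HEX = r"(0x[0-9A-Fa-f]+)"
SECTION_RE = re.compile(rf"^(\.\w+) {HEX} {HEX} {HEX} ([\d.]+) ([0-9a-f]{{32}})$")

def parse_report(text):
    """Split the pasted report into the claimed ratio, (vendor, result) pairs and section tuples."""
    claimed, vendors, sections = None, [], []
    for line in text.splitlines():
        m = CLAIM_RE.match(line)
        if m:
            claimed = (int(m.group(1)), int(m.group(2)))
            continue
        m = SECTION_RE.match(line)
        if m:
            name, va, vs, rs, ent, md5 = m.groups()
            sections.append((name, int(va, 16), int(vs, 16), int(rs, 16), float(ent), md5))
            continue
        m = VENDOR_RE.match(line)
        if m:
            vendors.append((m.group(1), m.group(4).strip()))
    return {"claimed": claimed, "vendors": vendors, "sections": sections}

def detection_ratio(vendors):
    """(detections, engines); a '-' result is read as 'no detection' (assumption)."""
    return sum(1 for _, result in vendors if result != "-"), len(vendors)

def vendors_naming(vendors, family):
    """Vendors whose verdict mentions a family name such as 'Poison' (substring match)."""
    return [vendor for vendor, result in vendors if family.lower() in result.lower()]

def suspicious_sections(sections, ratio_limit=8):
    """Sections with no bytes on disk, or mapped far larger than their raw size (ratio_limit is an assumption)."""
    flagged = []
    for name, _va, vsize, rawsize, _entropy, md5 in sections:
        reasons = []
        if rawsize == 0 or md5 == EMPTY_MD5:
            reasons.append("no raw data on disk")
        elif vsize > ratio_limit * rawsize:
            reasons.append(f"virtual size {vsize:#x} is more than {ratio_limit}x raw size {rawsize:#x}")
        if reasons:
            flagged.append((name, reasons))
    return flagged
```

On this report the recomputed ratio matches the header's 25/41, nine engines agree on the Poison family name, and two of the three sections are flagged: .data has no bytes on disk at all, and .reloc is mapped at roughly 870 KB from 512 bytes of file data, which is the kind of header inconsistency a responder would want explained before trusting the binary.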

#14 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 16 March 2010 - 11:50 AM

As you can see there are a lot of sites which report that file as bad. I believe we have to consider it so with the information we have on it and I would advise running ESET again but this time letting it remove what it finds. Please post the log it produces in the reply window, no need to attach it.

#15 covalesj
  • Topic Starter
  • Members
  • 11 posts

Posted 16 March 2010 - 05:52 PM

C:\ddrive\WINDOWS\Desktop\Mail\Inbox.mbx probably a variant of Win32/Agent trojan unable to clean
C:\Documents and Settings\Administrator\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v65ED1E19\Native\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMHud.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\Documents and Settings\Administrator\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v65ED1E19\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMImport.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\Documents and Settings\Administrator\My Documents\Downloads\Nero_BackItUpAndBurn-1.2.17b(2).exe Win32/Toolbar.AskSBar application deleted - quarantined
C:\Documents and Settings\Administrator\My Documents\Downloads\Nero_BackItUpAndBurn-1.2.17b.exe Win32/Toolbar.AskSBar application deleted - quarantined
C:\downloads\john.zip Win32/Mydoom.A worm deleted - quarantined
C:\System Volume Information\_restore{E6EB0C7A-EF52-4E89-8252-10C8A593ADC8}\RP25\A0030101.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{E6EB0C7A-EF52-4E89-8252-10C8A593ADC8}\RP25\A0030102.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined




