Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Need help with hijacker, possible Win32:rootkit-gen (RTK)


  • This topic is locked This topic is locked
1 reply to this topic

#1 Grrumpy

Grrumpy

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:11:41 PM

Posted 13 March 2010 - 06:20 PM

While browsing with Firefox 3.6, window scrunched down to 1/8 th normal size, would not close, Zonealarm Free showed lots of activity. Disabled internet connection, ran AVG Free full scan, Malwarebytes full scan, Spybot Search & Destroy scan, and SuperAntiSpware scan, nothing found. Ran Eset online scan, found W32:adinstall. Had a file C:\huadio.tmp which has since disappeared. Also saw searchportal.information.com at one point. Deleted AVG, installed AVAST Free, ran scan, found nothing related to current problem. At present, getting intermittent new tabs attempting to open mostly broken sites.

Here are my DDS and GMER logs


DDS (Ver_09-12-01.01) - NTFSx86
Run by Grrumpy at 21:28:10.42 on 12/03/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.2047.1241 [GMT -5:00]

AV: avast! antivirus 4.8.1368 [VPS 100313-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot 2\TeaTimer.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
D:\!Down\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: AutorunsDisabled - No File
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Advertising Cookie Opt-out: {8e425eb4-adbd-4816-b1e8-49bb9decf034} - c:\program files\google\advertising cookie opt-out\opt_out.dll
BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - Google Toolbar Notifier BHO
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot 2\TeaTimer.exe
uRun: [Google Update] "c:\documents and settings\grrumpy\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe
mRun: [OSSelectorReinstall] c:\program files\common files\acronis\acronis disk director\oss_reinstall.exe
mRun: [Auto EPSON Stylus Photo R220 Series on CMM-P4] c:\windows\system32\spool\drivers\w32x86\3\e_fatiaia.exe /p45 "auto epson stylus photo r220 series on cmm-p4" /o18 "\\cmm-p4\EPSONR220" /M "Stylus Photo R220"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\grrumpy\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1227276703312
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228970601015
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228970576031
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} - hxxp://www.homesteadhotels.com/minisite/accommodations/surround/MSSurVid.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {94E9CE5D-146D-49E7-9A49-DE1C82F6B7D0} = 8.8.8.8,8.8.4.4
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs:
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\grrumpy\applic~1\mozilla\firefox\profiles\3fhl2768.default\
FF - plugin: c:\documents and settings\grrumpy\local settings\application data\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\grrumpy\local settings\application data\yahoo!\browserplus\2.5.1\plugins\npybrowserplus_2.5.1.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\opera\program\plugins\npdrmv2.dll
FF - plugin: c:\program files\opera\program\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\opera\program\plugins\NPTURNMED.dll
FF - plugin: c:\program files\photodex presenter\npPxPlay.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 MrFilter;EasyWrite Driver;c:\windows\system32\drivers\MRFilter.sys [2008-10-31 12064]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-3-10 28552]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-3-10 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-3-23 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 66632]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-10-5 486280]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-3-10 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2010-3-10 138680]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-1-2 665008]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-1-2 665008]
R2 NProtectService;Norton Unerase Protection;c:\program files\norton systemworks\norton utilities\NPROTECT.EXE [2008-5-21 135168]
R2 ppsio2;PPDevice;c:\windows\system32\drivers\ppsio2.sys [2008-6-6 23200]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2010-3-10 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2010-3-10 352920]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]
S2 gupdate1c9d29e72354cf2;Google Update Service (gupdate1c9d29e72354cf2);c:\program files\google\update\GoogleUpdate.exe [2009-5-11 133104]
S2 SessionLauncher;SessionLauncher; [x]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe [2009-11-18 1527900]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys --> c:\windows\system32\drivers\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys --> c:\windows\system32\drivers\motccgpfl.sys [?]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys --> c:\windows\system32\drivers\motodrv.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 12872]
S4 autorun;autorun;\??\c:\huadio.tmp --> c:\huadio.tmp [?]
S4 RoxLiveShare10;LiveShare P2P Server 10; [x]
S4 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2010-03-12 22:43:13 0 d-----w- c:\program files\ESET
2010-03-11 19:53:57 0 d-sh--w- c:\windows\system32\lowsec
2010-03-11 16:13:05 0 ----a-w- c:\documents and settings\grrumpy\defogger_reenable
2010-03-11 01:20:21 108 ----a-w- C:\index.ini
2010-03-11 01:07:48 0 d-----w- c:\program files\a-squared HiJackFree
2010-03-10 22:00:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-03-10 22:00:05 0 d-----w- c:\program files\Panda Security
2010-03-10 18:42:15 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-10 18:24:19 0 d-sh--w- c:\documents and settings\grrumpy\IECompatCache
2010-03-06 03:02:17 266360 ----a-w- c:\windows\system32\TweakUI.exe
2010-03-06 03:02:17 160217 ----a-w- c:\windows\system32\PowerToysLicense.rtf
2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-18 04:05:14 0 d-----w- c:\program files\PDF Image Extraction Wizard
2010-02-13 21:14:50 0 d-----w- c:\docume~1\grrumpy\applic~1\InfraRecorder
2010-02-13 21:13:07 0 d-----w- c:\program files\InfraRecorder

==================== Find3M ====================

2010-02-09 22:02:04 93096 ----a-w- c:\windows\system32\IncContxMenu.dll
2010-02-09 22:01:48 2164648 ----a-w- c:\windows\system32\Incinerator.dll
2010-01-28 22:13:18 30208 ----a-w- c:\windows\system32\iolobtdfg.exe
2010-01-28 22:13:18 12288 ----a-w- c:\windows\system32\smrgdf.exe
2010-01-23 21:11:03 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-17 22:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 18:43:27 343040 ------w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ------w- c:\windows\system32\csrsrv.dll
2001-09-10 13:00:26 139264 ----a-w- c:\windows\inf\i386\Rtscan.dll
2001-09-10 12:10:36 61440 ----a-w- c:\windows\inf\i386\onetUSD.dll
2001-08-17 22:43:24 32768 ----a-w- c:\windows\inf\i386\Wiamicro.dll
2001-08-03 22:29:18 13824 ----a-w- c:\windows\inf\i386\usbscan.sys
2001-06-29 12:10:24 163840 ----a-w- c:\windows\inf\i386\viceo.dll
2008-05-21 14:59:29 32 --sha-w- c:\windows\{371DB6AF-7F1A-4BE9-9DD5-34647E8CD1A3}.dat
2008-05-21 14:58:54 32 --sha-w- c:\windows\{42A810AC-F489-49A2-9BEC-5FEF1FC0E1D1}.dat
2008-05-21 14:58:01 32 --sha-w- c:\windows\{C327E57B-320F-4CEF-8CC0-83A9A6DBEDAD}.dat

============= FINISH: 21:33:11.39 ===============



Attached Files



BC AdBot (Login to Remove)

 


#2 stevealmighty

stevealmighty

    Bleepin' WormBreath


  • Members
  • 2,629 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upstate NY
  • Local time:11:41 PM

Posted 15 March 2010 - 06:46 AM

Topic closed per members request.
War produces veterans, wounded both physically and mentally. They have sacrificed for us.....and it is now our job to help these veterans, as they have already helped us in ways we will never know, in ways that we cannot fathom, and in ways that we take granted every day.
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users