Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Firefox OffersForToday Hijack, I'm stumped, please help! Thanks.

  • This topic is locked This topic is locked
12 replies to this topic

#1 CheleCity


  • Members
  • 39 posts
  • Local time:08:08 PM

Posted 18 March 2010 - 10:55 AM

I'm stumped. My firefox has been hijacked. Description of opened browser window says, "Ads by OffersForToday". I've tried reading forums, Eset malware software, Spywareblaster, Adaware software, and it's better than my efforts so far.

Here is HijackThis log file and OTL log file. Any help would be greatly appreciated. I would have thought that since the window says where it was from that a Google search would lead to lots of information, but it doesn't. I've done all I know how to do. It's time for the experts. Thank you.

Attached Files

BC AdBot (Login to Remove)


#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • Gender:Female
  • Local time:03:08 AM

Posted 20 March 2010 - 07:30 PM

Hello and welcome to Bleeping Computer! welcome.gif

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log

Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro

If I haven't replied in 48 hours, please feel free to send me a PM.

Posted Image

#3 schrauber



  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:01:08 AM

Posted 27 March 2010 - 07:31 AM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#4 CheleCity

  • Topic Starter

  • Members
  • 39 posts
  • Local time:08:08 PM

Posted 27 March 2010 - 09:54 PM

I tried to respond to your responce but it said, Topic Locked so I'm starting over. Her is dds log as requested. I tried to run GMER, but it gave me the BSOD twice. I originally posted a hijack, but I don't think that is the correct word. It opens another browser window with the ad that says "Ads by OffersforToday". Thanks again.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Mike at 23:13:17.59 on Thu 03/25/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.481 [GMT -4:00]

AV: ESET Smart Security 4.0 *On-access scanning enabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\AllKeys\AllKeys.exe
C:\Program Files\TitleBarClock\TBC.EXE
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\MSB IntegriClaim\IntegriC.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Mike\Desktop\Downloads\Firefox Setup 3.6.2.exe
C:\Program Files\PI Engineering\MacroWorks II\MacroWorks.exe
C:\Program Files\Tracker Software\PDF Viewer\PDFXCview.exe
C:\Program Files\Microsoft Streets & Trips 2009\Streets.exe
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Mike\Desktop\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/index.html
uInternet Connection Wizard,ShellNext = iexplore
BHO: PDF-XChange Viewer IE-Plugin: {c5d07eb6-bbce-4dae-acbb-d13a8d28cb1f} - c:\program files\tracker software\pdf viewer\PDFXCviewIEPlugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [AllKeysMacro] c:\program files\allkeys\AllKeys.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Spy Watcher] "c:\progra~1\spycle~2\SpyWatcher.exe" -S
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [ScreenPrint32] c:\program files\screenprint32 v3\ScreenPrint32.exe -startup
mRun: [nwiz] nwiz.exe /install
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\titleb~1.lnk - c:\program files\titlebarclock\TBC.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: onlinereportinginc.com\filetrac
Trusted Zone: rexplorer.net
Trusted Zone: rexplorer.net\atl
DPF: {4E330863-6A11-11D0-BFD8-006097237877} - hxxp://support.rexplorer.net/iftw_install//iftwclix.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095460271703
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8DFD2B39-2320-4F01-9AEC-1C9F04C1A1B4} - hxxps://filetrac.onlinereportinginc.com/system/ImageUpload.CAB
DPF: {924F03B2-942A-45FF-B8CC-B0D2C16FD913} - hxxps://filetrac.onlinereportinginc.com/system/EXELaunch.CAB
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: IE Component Categories cache daemon: {553858a7-4922-4e7e-b1c1-97140c1c16ef} - c:\windows\system32\ieframe.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mike\applic~1\mozilla\firefox\profiles\ac9keejs.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - component: c:\program files\mozilla firefox\extensions\{c750eb63-9a7b-df5b-0eea-ba5ce1256fab}\components\936e296e-f57e-3b97-6061-846f8fdf20f2.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\tracker software\pdf viewer\npPDFXCviewNPPlugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: z: No Registry Reference - c:\program files\mozilla firefox\extensions\{c750eb63-9a7b-df5b-0eea-ba5ce1256fab}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2005-11-28 16384]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-4-9 107256]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-4-9 731840]
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2003-3-30 14336]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-9-15 47640]
R2 SAiDownloader;SAiDownloader;c:\windows\system32\SAiDownloader.exe [2010-2-4 438272]
R2 SELSAUSBHW;%SELSAUSBHW.SvcDesc%;c:\windows\system32\drivers\SELSAUSB.SYS [2005-1-3 176220]
R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\common files\safenet sentinel\sentinel keys server\sntlkeyssrvr.exe [2008-7-11 328992]
R2 TivoBeacon2;TiVo Beacon;c:\program files\common files\tivo shared\beacon\TiVoBeacon.exe [2005-8-4 848896]
R3 allkeys01;allkeys01;c:\windows\system32\drivers\allkeys01.sys [2008-10-26 12952]
S1 oxser;OX16C95x Serial port driver;c:\windows\system32\drivers\oxser.sys [2007-2-1 49792]
S2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\wd\wd anywhere backup\MemeoBackgroundService.exe [2008-7-10 25824]
S2 WDBtnMgrSvc.exe;WD Drive Manager Service;"c:\program files\western digital\wd drive manager\wdbtnmgrsvc.exe" --> c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [?]
S3 iLokDrvr;iLok;c:\windows\system32\drivers\iLokDrvr.sys [2005-9-27 27328]
S3 WLANRB;NETGEAR Wireless 802.11b LAN RB Driver;c:\windows\system32\drivers\MA401RB.sys [2004-9-17 593920]
S4 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-4-18 204800]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 MioNet;MioNet;c:\program files\mionet\MioNetManager.exe [2008-1-14 139264]

============== File Associations ===============


=============== Created Last 30 ================

2010-03-25 02:02:44 402632 ----a-w- c:\documents and settings\mike\1116901836.jfx
2010-03-24 01:53:00 341436 ----a-w- c:\documents and settings\mike\PrintBlank_5929CAC2-BDC0-468E-A407-E15A8AABF0C5_forOuput.pdf
2010-03-24 01:50:52 108697 ----a-w- c:\documents and settings\mike\PrintBlank_663A646A-6DE0-419B-8A82-3E82314DE530_forOuput.pdf
2010-03-18 16:13:50 0 d-----w- c:\docume~1\mike\applic~1\Malwarebytes
2010-03-18 16:13:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-18 16:13:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-18 16:13:29 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-18 16:13:28 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-16 19:41:09 7868 ----a-w- c:\documents and settings\mike\FW_ New Claim Assignment - File #1001419 (1).eml
2010-03-15 13:22:00 87734 ----a-w- c:\documents and settings\mike\HomeOwnerPacketrevpdf (1).pdf
2010-03-13 22:31:45 841219 ----a-w- c:\documents and settings\mike\1022409233.jfx
2010-03-13 19:38:05 40324 ----a-w- c:\documents and settings\mike\1021740230.jfx
2010-03-13 02:31:22 118069 ----a-w- c:\documents and settings\mike\Document (1).pdf
2010-03-13 02:29:53 414713 ----a-w- c:\documents and settings\mike\N45XBillofSale (1).pdf
2010-03-12 21:30:52 34816 ----a-w- c:\documents and settings\mike\Actuator Specifications.doc
2010-03-12 18:29:55 151922 ----a-w- c:\documents and settings\mike\[9601] - ---408-- Winged Foot Drive.pdf
2010-03-12 18:29:31 27804 ----a-w- c:\documents and settings\mike\Fax-Back Coversheet.pdf
2010-03-12 13:42:14 682902 ----a-w- c:\documents and settings\mike\803668142 (1).jfx
2010-03-12 02:32:48 7868 ----a-w- c:\documents and settings\mike\FW_ New Claim Assignment - File #1001419.eml
2010-03-10 21:00:51 259360 ----a-w- c:\documents and settings\mike\New Merge.xlsx
2010-03-08 17:17:08 414713 ----a-w- c:\documents and settings\mike\N45XBillofSale.pdf
2010-03-05 23:16:15 141156 ----a-w- c:\documents and settings\mike\953858539.jfx
2010-03-05 19:52:49 28160 ----a-w- c:\documents and settings\mike\3 FEMA Investigation Packet Checklist Federal Employee SF85P(2)a.doc
2010-03-05 19:52:06 27648 ----a-w- c:\documents and settings\mike\4 - Credit Release.doc
2010-03-05 19:46:03 111104 ----a-w- c:\documents and settings\mike\1 e-QIP Introduction Letter SF85P fed emp 2009 (1).doc
2010-03-04 22:21:36 111104 ----a-w- c:\documents and settings\mike\1 e-QIP Introduction Letter SF85P fed emp 2009.doc
2010-03-04 22:20:44 27136 ----a-w- c:\documents and settings\mike\NOTICE.doc
2010-03-04 03:21:08 323752 ----a-w- c:\documents and settings\mike\1406365844.jfx
2010-03-04 03:20:10 73728 ----a-w- c:\documents and settings\mike\lease (Robbin Brown)Phillips (1).doc
2010-03-01 23:12:37 0 d-----w- c:\program files\common files\L&H
2010-02-26 18:07:47 35128 ----a-w- c:\documents and settings\mike\N45X bill of sale (1).pdf
2010-02-25 18:51:39 20480 ----a-w- c:\documents and settings\mike\Bill of Sale Set Aside Document N45X (2).doc
2010-02-25 18:26:21 30112 ----a-w- c:\documents and settings\mike\FORM - HIPAA Release.pdf
2010-02-25 13:55:34 118069 ----a-w- c:\documents and settings\mike\Document.pdf

==================== Find3M ====================

2010-03-23 02:48:09 2828 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2010-02-26 04:21:18 88 --sh--r- c:\docume~1\alluse~1\applic~1\BBEB50A05B.sys
2010-02-02 14:18:42 1915392 ----a-w- c:\windows\system32\5006d63d-ab34-2f50-77a2-367bdeab8043.dll
2008-10-29 12:23:43 80 --sha-r- c:\windows\system32\B0CE35F0A7.dll
2008-04-18 02:41:26 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012008041820080419\index.dat
2008-12-21 19:31:32 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012008122120081222\index.dat

============= FINISH: 23:14:09.79 ===============

#5 Orange Blossom

Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,987 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:08:08 PM

Posted 28 March 2010 - 06:10 PM

Hello CheleCity,

I have merged your new topic to your previously existing topic to avoid delays and confusion. Please be sure to check your topic once a day for responses as the e-mail notification system is unreliable. If you know that you will be unable to answer for a while, please inform your helper so he/she knows that the topic has not been abandoned.

Orange Blossom fruits_cherry.gif
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#6 Shannon2012


  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:08:08 PM

Posted 28 March 2010 - 07:22 PM

Hi, CheleCity-

Welcome to Bleeping Computer.

My name is Shannon and I will be working with you to remove the malware that is on your machine.

I apologize for the delay in replying to your post, but this forum is extremely busy.

There may be a delay in my response to your posts as I am still currently in training. I will be helping you with supervision of the teachers and they will approve every posts before I present them to you.

Please don't make any further changes or run any other tools unless instructed to. Additional changes may hinder the cleaning of your machine.

Please give me some time to look over your log. I will post the reply as soon as possible.


#7 CheleCity

  • Topic Starter

  • Members
  • 39 posts
  • Local time:08:08 PM

Posted 30 March 2010 - 12:43 PM

Thank you.

#8 Shannon2012


  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:08:08 PM

Posted 30 March 2010 - 01:40 PM


Before we get started, you need to get your anti-virus software up to date. The DDS log indicates that your ESET software does not have the current updates installed. You need to keep your anti-malware software current to protect your computer from the ever changing forms of attack. Please pull down the latest updates to ESET Smart Security 4 or, if your subscription for ESET has lapsed, you might want to consider some free alternatives. Two good antivirus programs, free for non-commercial home use, are Avast! and Antivir.
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impair the performance of your PC.

Now, let's try to run GMER again from wherever you intsalled it earlier.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • On the menu on the right side of the window, uncheck the Devices by clicking on it.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.


#9 Farbar


    Just Curious

  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:08 AM

Posted 07 April 2010 - 10:35 AM

This thread will now be closed due to lack of activity.

If you should have a new issue, please start a new topic.

#10 CheleCity

  • Topic Starter

  • Members
  • 39 posts
  • Local time:08:08 PM

Posted 13 April 2010 - 10:44 AM

Sorry, for my delayed responce. Mod. Note: Delayed response was to this topic: http://www.bleepingcomputer.com/forums/t/303359/firefox-offersfortoday-hijack-im-stumped-please-help-thanks/ ~ OB It took me a while to get GMER not to fail. It kept giving me the GSOD. Then it would lock up computer. I did your suggestions and turned off internet. I think it made it through this time. Here is the log. I will try to do a better job monitoring topic. Thank you and again I apologize. Here is GMER log.

GMER - http://www.gmer.net
Rootkit scan 2010-04-03 22:52:01
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Mike\LOCALS~1\Temp\kflyapob.sys

---- System - GMER 1.0.15 ----

SSDT 83B4F630 ZwAssignProcessToJobObject
SSDT sptd.sys ZwCreateKey [0xBA7B10B0]
SSDT sptd.sys ZwEnumerateKey [0xBA7B684C]
SSDT sptd.sys ZwEnumerateValueKey [0xBA7B6BEC]
SSDT sptd.sys ZwOpenKey [0xBA7B1090]
SSDT 83B4EA60 ZwOpenProcess
SSDT 83B4EE80 ZwOpenThread
SSDT sptd.sys ZwQueryKey [0xBA7B6CC4]
SSDT sptd.sys ZwQueryValueKey [0xBA7B6B44]
SSDT sptd.sys ZwSetValueKey [0xBA7B6D56]
SSDT 83B4F460 ZwSuspendProcess
SSDT 83B4F280 ZwSuspendThread
SSDT 83B4EC90 ZwTerminateProcess
SSDT 83B4F0B0 ZwTerminateThread

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 234 804E2890 4 Bytes JMP DEF583B4
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
init C:\WINDOWS\system32\drivers\tiumflt.sys entry point in "init" section [0xBACC8E00]
.text USBPORT.SYS!DllUnload BA28D8AC 5 Bytes JMP 841561B8
init C:\WINDOWS\system32\drivers\tiumfwl.sys entry point in "init" section [0xBAB82F00]
init C:\WINDOWS\System32\Drivers\WOB.SYS entry point in "init" section [0xBAC8D1A0]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[320] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]

---- Threads - GMER 1.0.15 ----

Thread System [4:524] 83B4D790

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 1165204336
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -490158429

---- EOF - GMER 1.0.15 ----

Edited by Orange Blossom, 13 April 2010 - 07:06 PM.

#11 Budapest


    Bleepin' Cynic

  • Moderator
  • 23,579 posts
  • Gender:Male
  • Local time:10:08 AM

Posted 13 April 2010 - 08:47 PM

Topic reopened and posts merged.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#12 CheleCity

  • Topic Starter

  • Members
  • 39 posts
  • Local time:08:08 PM

Posted 13 April 2010 - 10:11 PM

Thank you.

#13 Farbar


    Just Curious

  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:08 AM

Posted 14 April 2010 - 12:59 AM

Hi CheleCity,

Seems you opened a new topic but continued the old topic with GMER log. That created confusion. The old topic was closed as I saw there was a pattern of lack of continuity in the cleaning process. That means getting involved in a long process of cleaning that sometimes gets nowhere.

Please start a new topic as a new topic with all the fresh logs required here:
Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Another helper should pick up the log in due time.

This thread will now be closed.

Edited by farbar, 14 April 2010 - 04:58 AM.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users