Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google redirect virus


  • This topic is locked This topic is locked
38 replies to this topic

#1 CalusBlade

CalusBlade

  • Members
  • 538 posts
  • OFFLINE
  •  
  • Local time:03:40 PM

Posted 15 April 2010 - 11:01 PM

Referred from here: http://www.bleepingcomputer.com/forums/t/308890/i-dont-think-im-infected-i-sure-i-am/ ~ OB

I have a google redirect virus and was told to come here. What the problem is each time I google something and I click a link, it brings me to some other site. So let say i google Gamefaqs.com, it will show in the bottom left hand corner something like 294.gamefaqs.com and then bring me to a site that's not gamefaqs. base on my google search in my other computer, it brings me to other mal-ware, ad-ware, etc, sites.

This is the DDS:


DDS (Ver_10-03-17.01) - NTFSx86
Run by kenny at 21:32:09.77 on Thu 04/15/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.467 [GMT -4:00]

AV: StopSign Antivirus FREE TRIAL diagnostic version *On-access scanning disabled* (Updated) {3E1D4556-3240-40c8-BBED-64A8690A3FB4}
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\EarthLink TotalAccess\FastLane\IPClient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\kenny\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.earthlink.net/partner/more/msie/button/search.html
uDefault_Page_URL = hxxp://start.earthlink.net
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
uSearch Bar = hxxp://start.earthlink.net/AL/Search
mSearchAssistant = hxxp://start.earthlink.net/AL/Search
uURLSearchHooks: SrchHook Class: {44f9b173-041c-4825-a9b9-d914bd9dcbb3} - c:\program files\earthlink totalaccess\ElnIE.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: IE_PopupBlocker Class: {656ec4b7-072b-4698-b504-2a414c1f0037} - c:\program files\earthlink totalaccess\accelerator\prpl_IePopupBlocker.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: {C7768536-96F8-4001-B1A2-90EE21279187} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [E6TaskPanel] "c:\program files\earthlink totalaccess\TaskPanl.exe" -winstart
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mPolicies-system: EnableLUA = 0 (0x0)
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\program files\earthlink totalaccess\accelerator\prplsf.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242932799585
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
TCP: {319776B6-BDF7-4F87-A900-64B0B309F24F} = 207.69.188.185 207.69.188.186
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kenny\applic~1\mozilla\firefox\profiles\rz5prpn2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\kenny\application data\mozilla\firefox\profiles\rz5prpn2.default\extensions\{5601b994-0e9b-4ce2-8ab9-ad1155f2abbd}\plugins\NPNeffyPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-14 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-14 72944]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R2 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\earthlink totalaccess\wengine\wmonitor.exe [2005-1-26 65604]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-12 24652]
R3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [2004-11-1 17536]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-4-10 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100411.005\naveng.sys [2010-4-11 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100411.005\navex15.sys [2010-4-11 1324720]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 eac_notifysvc;eAcceleration Notification Service;"c:\progra~1\eaccel~1\framew~1\eac_svc.exe" --> c:\progra~1\eaccel~1\framew~1\eac_svc.exe [?]
S2 eac_productsvc;eAcceleration Product Manager Service;"c:\progra~1\eaccel~1\framew~1\eac_productsvc.exe" --> c:\progra~1\eaccel~1\framew~1\eac_productsvc.exe [?]
S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-14 7408]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
S4 sstsmonsvc;StopSign Antivirus Security Center Provider;"c:\progra~1\eaccel~1\framew~1\eac_svc.exe" --> c:\progra~1\eaccel~1\framew~1\eac_svc.exe [?]

=============== Created Last 30 ================

2010-04-16 01:23:17 0 ----a-w- c:\documents and settings\kenny\defogger_reenable
2010-04-14 02:53:49 0 d-----w- c:\program files\ESET
2010-04-13 02:42:39 0 d--h--w- c:\windows\PIF
2010-04-11 17:44:11 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-04-11 17:44:11 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-04-11 17:43:59 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-04-11 17:43:59 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-04-11 17:43:18 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-04-11 17:43:18 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-04-11 16:38:35 0 d-----w- c:\windows\system32\wbem\Repository
2010-04-11 03:13:15 3532120 ----a-w- c:\windows\system32\GameMon.des
2010-04-11 00:58:55 0 d-----w- c:\program files\Gpotato
2010-04-10 19:22:54 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-04-10 19:22:54 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-04-10 18:02:43 0 d-----w- c:\program files\MSXML 4.0
2010-04-10 17:58:45 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-28 19:17:16 604 ----a-w- c:\windows\Vtw.INI
2010-03-28 19:03:29 0 d-----w- c:\program files\Total War
2010-03-28 19:03:10 306688 ----a-w- c:\windows\IsUninst.exe
2010-03-27 22:35:18 82432 ----a-w- c:\windows\system32\msxml4r.dll
2010-03-27 22:35:18 44544 ----a-w- c:\windows\system32\msxml4a.dll
2010-03-27 22:27:45 0 d-----w- c:\program files\Activision
2010-03-27 22:26:38 604 ----a-w- c:\windows\Edofma.INI

==================== Find3M ====================

2010-03-30 04:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-26 05:43:57 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43:54 81920 ------w- c:\windows\system32\ieencode.dll

============= FINISH: 21:33:06.86 ===============

Attached Files


Edited by Orange Blossom, 17 April 2010 - 11:16 PM.


BC AdBot (Login to Remove)

 


#2 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:04:40 PM

Posted 19 April 2010 - 11:15 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 CalusBlade

CalusBlade
  • Topic Starter

  • Members
  • 538 posts
  • OFFLINE
  •  
  • Local time:03:40 PM

Posted 20 April 2010 - 06:36 AM


DDS (Ver_10-03-17.01) - NTFSx86
Run by kenny at 18:48:24.96 on Mon 04/19/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.440 [GMT -4:00]

AV: StopSign Antivirus FREE TRIAL diagnostic version *On-access scanning disabled* (Updated) {3E1D4556-3240-40c8-BBED-64A8690A3FB4}
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\EarthLink TotalAccess\FastLane\IPClient.exe
C:\Program Files\EarthLink TotalAccess\Accelerator\ElinkAcc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\kenny\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com
uSearch Page = hxxp://www.earthlink.net/partner/more/msie/button/search.html
uDefault_Page_URL = hxxp://start.earthlink.net
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
uSearch Bar = hxxp://start.earthlink.net/AL/Search
mSearchAssistant = hxxp://start.earthlink.net/AL/Search
uURLSearchHooks: SrchHook Class: {44f9b173-041c-4825-a9b9-d914bd9dcbb3} - c:\program files\earthlink totalaccess\ElnIE.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: IE_PopupBlocker Class: {656ec4b7-072b-4698-b504-2a414c1f0037} - c:\program files\earthlink totalaccess\accelerator\prpl_IePopupBlocker.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: {C7768536-96F8-4001-B1A2-90EE21279187} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [E6TaskPanel] "c:\program files\earthlink totalaccess\TaskPanl.exe" -winstart
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mPolicies-system: EnableLUA = 0 (0x0)
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Refresh Pa&ge with Full Quality - c:\program files\earthlink totalaccess\accelerator\\pac-page.html
IE: Refresh Pi&cture with Full Quality - c:\program files\earthlink totalaccess\accelerator\\pac-image.html
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\program files\earthlink totalaccess\accelerator\prplsf.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242932799585
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
TCP: {319776B6-BDF7-4F87-A900-64B0B309F24F} = 207.69.188.185 207.69.188.186
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kenny\applic~1\mozilla\firefox\profiles\rz5prpn2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\kenny\application data\mozilla\firefox\profiles\rz5prpn2.default\extensions\{5601b994-0e9b-4ce2-8ab9-ad1155f2abbd}\plugins\NPNeffyPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-14 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-14 72944]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R2 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\earthlink totalaccess\wengine\wmonitor.exe [2005-1-26 65604]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-12 24652]
R3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [2004-11-1 17536]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-4-10 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100418.002\naveng.sys [2010-4-18 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100418.002\navex15.sys [2010-4-18 1324720]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 eac_notifysvc;eAcceleration Notification Service;"c:\progra~1\eaccel~1\framew~1\eac_svc.exe" --> c:\progra~1\eaccel~1\framew~1\eac_svc.exe [?]
S2 eac_productsvc;eAcceleration Product Manager Service;"c:\progra~1\eaccel~1\framew~1\eac_productsvc.exe" --> c:\progra~1\eaccel~1\framew~1\eac_productsvc.exe [?]
S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-14 7408]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
S4 sstsmonsvc;StopSign Antivirus Security Center Provider;"c:\progra~1\eaccel~1\framew~1\eac_svc.exe" --> c:\progra~1\eaccel~1\framew~1\eac_svc.exe [?]

=============== Created Last 30 ================

2010-04-18 21:42:50 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-04-18 21:42:50 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-04-16 01:23:17 0 ----a-w- c:\documents and settings\kenny\defogger_reenable
2010-04-14 02:53:49 0 d-----w- c:\program files\ESET
2010-04-13 02:42:39 0 d--h--w- c:\windows\PIF
2010-04-11 17:44:11 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-04-11 17:44:11 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-04-11 17:43:59 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-04-11 17:43:59 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-04-11 17:43:18 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-04-11 17:43:18 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-04-11 16:38:35 0 d-----w- c:\windows\system32\wbem\Repository
2010-04-11 03:13:15 3532120 ----a-w- c:\windows\system32\GameMon.des
2010-04-11 00:58:55 0 d-----w- c:\program files\Gpotato
2010-04-10 19:22:54 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-04-10 19:22:54 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-04-10 18:02:43 0 d-----w- c:\program files\MSXML 4.0
2010-04-10 17:58:45 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-28 19:17:16 604 ----a-w- c:\windows\Vtw.INI
2010-03-28 19:03:29 0 d-----w- c:\program files\Total War
2010-03-28 19:03:10 306688 ----a-w- c:\windows\IsUninst.exe
2010-03-27 22:35:18 82432 ----a-w- c:\windows\system32\msxml4r.dll
2010-03-27 22:35:18 44544 ----a-w- c:\windows\system32\msxml4a.dll
2010-03-27 22:27:45 0 d-----w- c:\program files\Activision
2010-03-27 22:26:38 604 ----a-w- c:\windows\Edofma.INI

==================== Find3M ====================

2010-03-30 04:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-26 05:43:57 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43:54 81920 ------w- c:\windows\system32\ieencode.dll

============= FINISH: 18:49:52.65 ===============

I'll do the A/V later today

Attached Files



#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:10:40 PM

Posted 20 April 2010 - 04:18 PM

Hi,

you have been infected by a nasty rootkit. It is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you decide to clean, then please run ComboFix and post the log in your next reply:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable isable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 CalusBlade

CalusBlade
  • Topic Starter

  • Members
  • 538 posts
  • OFFLINE
  •  
  • Local time:03:40 PM

Posted 20 April 2010 - 08:53 PM

ComboFix 10-04-19.08 - kenny 04/20/2010 21:24:09.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.575 [GMT -4:00]
Running from: c:\documents and settings\kenny\Desktop\ComboFix.exe
AV: StopSign Antivirus FREE TRIAL diagnostic version *On-access scanning disabled* (Updated) {3E1D4556-3240-40c8-BBED-64A8690A3FB4}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_IAS


((((((((((((((((((((((((( Files Created from 2010-03-21 to 2010-04-21 )))))))))))))))))))))))))))))))
.

2010-04-18 21:42 . 2008-04-13 18:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-04-18 21:42 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-04-14 02:53 . 2010-04-14 02:53 -------- d-----w- c:\program files\ESET
2010-04-13 02:42 . 2010-04-13 02:42 -------- d--h--w- c:\windows\PIF
2010-04-11 18:23 . 2010-04-11 18:23 182272 --sha-w- c:\documents and settings\kenny\Local Settings\Application Data\2664644969.dll
2010-04-11 18:22 . 2010-04-11 18:22 21984 ----a-w- c:\documents and settings\kenny\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-11 17:44 . 2008-04-13 18:40 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-04-11 17:44 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-04-11 17:43 . 2008-04-13 18:41 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-04-11 17:43 . 2008-04-13 18:41 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-04-11 17:43 . 2008-04-13 18:40 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-04-11 17:43 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-04-11 16:38 . 2010-04-11 16:38 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-11 00:58 . 2010-04-11 00:58 -------- d-----w- c:\program files\Gpotato
2010-04-10 19:22 . 2008-04-13 18:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-04-10 19:22 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-04-10 18:02 . 2010-04-10 18:02 -------- d-----w- c:\program files\MSXML 4.0
2010-04-10 17:58 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-28 19:03 . 2010-03-28 19:03 -------- d-----w- c:\program files\Total War
2010-03-28 19:03 . 1998-10-29 20:45 306688 ----a-w- c:\windows\IsUninst.exe
2010-03-27 22:35 . 2003-04-18 23:29 82432 ----a-w- c:\windows\system32\msxml4r.dll
2010-03-27 22:35 . 2003-04-18 23:29 44544 ----a-w- c:\windows\system32\msxml4a.dll
2010-03-27 22:27 . 2010-03-27 22:27 -------- d-----w- c:\program files\Activision

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-21 01:37 . 2004-01-12 06:47 -------- d-----w- c:\program files\Symantec AntiVirus
2010-04-21 01:33 . 2009-05-25 03:07 117760 ----a-w- c:\documents and settings\kenny\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-21 00:49 . 2008-07-03 00:46 -------- d-----w- c:\program files\EarthLink TotalAccess
2010-04-21 00:37 . 2006-01-10 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-20 23:14 . 2009-06-18 19:22 -------- d-----w- c:\program files\SpeedFan
2010-04-18 20:43 . 2008-08-04 20:28 -------- d-----w- c:\program files\FlashGet
2010-04-11 21:27 . 2009-05-21 18:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-11 21:27 . 2009-05-27 16:24 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-11 20:48 . 2008-12-12 22:42 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore
2010-04-11 00:13 . 2009-04-13 15:52 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-04-09 02:30 . 2009-08-28 21:42 -------- d-----w- c:\documents and settings\kenny\Application Data\LimeWire
2010-03-31 02:52 . 2009-09-12 21:33 -------- d-----w- c:\program files\Wonderland Online
2010-03-30 04:46 . 2009-05-21 18:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2009-05-21 18:01 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-06 04:10 . 2010-03-06 04:10 -------- d-----w- c:\program files\LimeWire
2010-03-05 17:49 . 2010-03-05 17:25 -------- d-----w- c:\documents and settings\kenny\Application Data\Apple Computer
2010-03-05 17:24 . 2010-03-05 17:23 -------- d-----w- c:\program files\iTunes
2010-03-05 17:24 . 2010-03-05 17:23 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-03-05 17:23 . 2010-03-05 17:23 -------- d-----w- c:\program files\iPod
2010-03-05 17:23 . 2010-03-05 17:20 -------- d-----w- c:\program files\Common Files\Apple
2010-03-05 17:23 . 2010-03-05 17:23 -------- d-----w- c:\program files\Bonjour
2010-03-05 17:23 . 2010-03-05 17:22 -------- d-----w- c:\program files\QuickTime
2010-03-05 17:22 . 2010-03-05 17:21 -------- d-----w- c:\program files\Apple Software Update
2010-03-05 17:20 . 2010-03-05 17:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-03-05 15:48 . 2004-01-12 06:56 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-02 17:01 . 2010-03-02 16:59 -------- d-----w- c:\program files\G-Collections
2010-02-26 05:43 . 2001-08-23 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43 . 2006-01-10 15:25 81920 ------w- c:\windows\system32\ieencode.dll
2010-02-15 23:41 . 2010-02-15 23:41 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-01 17:32 . 2010-01-15 17:03 52224 ----a-w- c:\documents and settings\kenny\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"E6TaskPanel"="c:\program files\EarthLink TotalAccess\TaskPanl.exe" [2005-09-01 942080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 28672]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-03-17 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-03-17 569344]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
2005-09-01 19:24 942080 ----a-w- c:\program files\EarthLink TotalAccess\TaskPanl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 23:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"sstsmonsvc"=2 (0x2)
"ImapiService"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"=
"E6TaskPanel"="c:\program files\EarthLink TotalAccess\TaskPanl.exe" -winstart

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AllAlertsDisabled"=dword:00000001
"TermService"=dword:00000001
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\KRU\\Shattered Galaxy\\SG.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\RUNSAS.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\EarthLink TotalAccess\\MailClnt.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
"58635:TCP"= 58635:TCP:Pando Media Booster
"58635:UDP"= 58635:UDP:Pando Media Booster
"58948:TCP"= 58948:TCP:Pando Media Booster
"58948:UDP"= 58948:UDP:Pando Media Booster
"58822:TCP"= 58822:TCP:Pando Media Booster
"58822:UDP"= 58822:UDP:Pando Media Booster
"17344:TCP"= 17344:TCP:spport
"8704:TCP"= 8704:TCP:spport

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/14/2009 2:22 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 2:22 PM 72944]
R2 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe [1/26/2005 11:47 AM 65604]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/12/2008 6:42 PM 24652]
R3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [11/1/2004 2:16 PM 17536]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [4/10/2010 5:46 PM 102448]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 eac_notifysvc;eAcceleration Notification Service;"c:\progra~1\EACCEL~1\FRAMEW~1\eac_svc.exe" --> c:\progra~1\EACCEL~1\FRAMEW~1\eac_svc.exe [?]
S2 eac_productsvc;eAcceleration Product Manager Service;"c:\progra~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe" --> c:\progra~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe [?]
S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 2:22 PM 7408]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]
S4 sstsmonsvc;StopSign Antivirus Security Center Provider;"c:\progra~1\EACCEL~1\FRAMEW~1\eac_svc.exe" --> c:\progra~1\EACCEL~1\FRAMEW~1\eac_svc.exe [?]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Refresh Pa&ge with Full Quality - c:\program files\EarthLink TotalAccess\Accelerator\\pac-page.html
IE: Refresh Pi&cture with Full Quality - c:\program files\EarthLink TotalAccess\Accelerator\\pac-image.html
LSP: c:\program files\EarthLink TotalAccess\Accelerator\prplsf.dll
FF - ProfilePath - c:\documents and settings\kenny\Application Data\Mozilla\Firefox\Profiles\rz5prpn2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\kenny\Application Data\Mozilla\Firefox\Profiles\rz5prpn2.default\extensions\{5601B994-0E9B-4ce2-8AB9-AD1155F2ABBD}\plugins\NPNeffyPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
URLSearchHooks-~03402f96-3dc7-4285-bc50-9e81fefafe43} - (no file)
URLSearchHooks-~54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
URLSearchHooks-~EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
MSConfigStartUp-ewrgetuj - c:\docume~1\kenny\LOCALS~1\Temp\geurge.exe
MSConfigStartUp-WEK9EMDHI9 - c:\windows\Vgizua.exe
MSConfigStartUp-YVIBBBHA8C - c:\docume~1\kenny\LOCALS~1\Temp\Vmx.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-20 21:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x867648C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7873f28
\Driver\ACPI -> ACPI.sys @ 0xf77e6cb8
\Driver\atapi -> atapi.sys @ 0xf7783b3a
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compa -> SendCompleteHandler -> NDIS.sys @ 0xf768eb0a
PacketIndicateHandler -> NDIS.sys @ 0xf767ba0d
SendHandler -> NDIS.sys @ 0xf768fb40
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(516)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\documents and settings\kenny\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
c:\documents and settings\kenny\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

- - - - - - - > 'lsass.exe'(572)
c:\program files\EarthLink TotalAccess\Accelerator\prplsf.dll

- - - - - - - > 'explorer.exe'(1948)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-04-20 21:46:06 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-21 01:45

Pre-Run: 19,978,588,160 bytes free
Post-Run: 19,867,537,408 bytes free

- - End Of File - - 5B7BDC7014374942BC6114E06AB394C8

I'm gonna try to clean it. If worse comes to worse I won't do my banking anymore in this computer. Also, I do have another computer but I am not sure if it is infected or not. how do I find out?

Edited by CalusBlade, 20 April 2010 - 09:23 PM.


#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:10:40 PM

Posted 21 April 2010 - 05:45 AM

Hi,

are you still getting redirected?

Open notepad and copy/paste the text in the quotebox below into it:

CODE
http://www.bleepingcomputer.com/forums/t/310122/google-redirect-virus/
registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\drivers\\svchost.exe"=-
collect::
c:\documents and settings\kenny\Local Settings\Application Data\2664644969.dll
c:\windows\system32\diskchk.sys
driver::
diskchk


Save this as CFScript.txt





Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#7 CalusBlade

CalusBlade
  • Topic Starter

  • Members
  • 538 posts
  • OFFLINE
  •  
  • Local time:03:40 PM

Posted 21 April 2010 - 11:27 AM

ComboFix 10-04-19.08 - kenny 04/21/2010 11:54:10.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.138 [GMT -4:00]
Running from: c:\documents and settings\kenny\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\kenny\Desktop\CFScript.txt
AV: StopSign Antivirus FREE TRIAL diagnostic version *On-access scanning disabled* (Updated) {3E1D4556-3240-40c8-BBED-64A8690A3FB4}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

file zipped: c:\documents and settings\kenny\Local Settings\Application Data\2664644969.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\kenny\Local Settings\Application Data\2664644969.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DISKCHK
-------\Service_diskchk


((((((((((((((((((((((((( Files Created from 2010-03-21 to 2010-04-21 )))))))))))))))))))))))))))))))
.

2010-04-18 21:42 . 2008-04-13 18:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-04-18 21:42 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-04-14 02:53 . 2010-04-14 02:53 -------- d-----w- c:\program files\ESET
2010-04-13 02:42 . 2010-04-13 02:42 -------- d--h--w- c:\windows\PIF
2010-04-11 18:22 . 2010-04-11 18:22 21984 ----a-w- c:\documents and settings\kenny\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-11 17:44 . 2008-04-13 18:40 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-04-11 17:44 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-04-11 17:43 . 2008-04-13 18:41 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-04-11 17:43 . 2008-04-13 18:41 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-04-11 17:43 . 2008-04-13 18:40 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-04-11 17:43 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-04-11 16:38 . 2010-04-11 16:38 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-11 00:58 . 2010-04-11 00:58 -------- d-----w- c:\program files\Gpotato
2010-04-10 19:22 . 2008-04-13 18:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-04-10 19:22 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-04-10 18:02 . 2010-04-10 18:02 -------- d-----w- c:\program files\MSXML 4.0
2010-04-10 17:58 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-28 19:03 . 2010-03-28 19:03 -------- d-----w- c:\program files\Total War
2010-03-28 19:03 . 1998-10-29 20:45 306688 ----a-w- c:\windows\IsUninst.exe
2010-03-27 22:35 . 2003-04-18 23:29 82432 ----a-w- c:\windows\system32\msxml4r.dll
2010-03-27 22:35 . 2003-04-18 23:29 44544 ----a-w- c:\windows\system32\msxml4a.dll
2010-03-27 22:27 . 2010-03-27 22:27 -------- d-----w- c:\program files\Activision

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-21 16:08 . 2004-01-12 06:47 -------- d-----w- c:\program files\Symantec AntiVirus
2010-04-21 16:04 . 2009-05-25 03:07 117760 ----a-w- c:\documents and settings\kenny\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-21 15:03 . 2008-07-03 00:46 -------- d-----w- c:\program files\EarthLink TotalAccess
2010-04-21 00:37 . 2006-01-10 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-20 23:14 . 2009-06-18 19:22 -------- d-----w- c:\program files\SpeedFan
2010-04-18 20:43 . 2008-08-04 20:28 -------- d-----w- c:\program files\FlashGet
2010-04-11 21:27 . 2009-05-21 18:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-11 21:27 . 2009-05-27 16:24 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-11 20:48 . 2008-12-12 22:42 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore
2010-04-11 00:13 . 2009-04-13 15:52 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-04-09 02:30 . 2009-08-28 21:42 -------- d-----w- c:\documents and settings\kenny\Application Data\LimeWire
2010-03-31 02:52 . 2009-09-12 21:33 -------- d-----w- c:\program files\Wonderland Online
2010-03-30 04:46 . 2009-05-21 18:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2009-05-21 18:01 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-06 04:10 . 2010-03-06 04:10 -------- d-----w- c:\program files\LimeWire
2010-03-05 17:49 . 2010-03-05 17:25 -------- d-----w- c:\documents and settings\kenny\Application Data\Apple Computer
2010-03-05 17:24 . 2010-03-05 17:23 -------- d-----w- c:\program files\iTunes
2010-03-05 17:24 . 2010-03-05 17:23 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-03-05 17:23 . 2010-03-05 17:23 -------- d-----w- c:\program files\iPod
2010-03-05 17:23 . 2010-03-05 17:20 -------- d-----w- c:\program files\Common Files\Apple
2010-03-05 17:23 . 2010-03-05 17:23 -------- d-----w- c:\program files\Bonjour
2010-03-05 17:23 . 2010-03-05 17:22 -------- d-----w- c:\program files\QuickTime
2010-03-05 17:22 . 2010-03-05 17:21 -------- d-----w- c:\program files\Apple Software Update
2010-03-05 17:20 . 2010-03-05 17:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-03-05 15:48 . 2004-01-12 06:56 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-02 17:01 . 2010-03-02 16:59 -------- d-----w- c:\program files\G-Collections
2010-02-26 05:43 . 2001-08-23 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43 . 2006-01-10 15:25 81920 ------w- c:\windows\system32\ieencode.dll
2010-02-15 23:41 . 2010-02-15 23:41 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-01 17:32 . 2010-01-15 17:03 52224 ----a-w- c:\documents and settings\kenny\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"E6TaskPanel"="c:\program files\EarthLink TotalAccess\TaskPanl.exe" [2005-09-01 942080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 28672]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-03-17 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-03-17 569344]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
2005-09-01 19:24 942080 ----a-w- c:\program files\EarthLink TotalAccess\TaskPanl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 23:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"sstsmonsvc"=2 (0x2)
"ImapiService"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"=
"E6TaskPanel"="c:\program files\EarthLink TotalAccess\TaskPanl.exe" -winstart

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AllAlertsDisabled"=dword:00000001
"TermService"=dword:00000001
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\KRU\\Shattered Galaxy\\SG.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\RUNSAS.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\EarthLink TotalAccess\\MailClnt.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
"58635:TCP"= 58635:TCP:Pando Media Booster
"58635:UDP"= 58635:UDP:Pando Media Booster
"58948:TCP"= 58948:TCP:Pando Media Booster
"58948:UDP"= 58948:UDP:Pando Media Booster
"58822:TCP"= 58822:TCP:Pando Media Booster
"58822:UDP"= 58822:UDP:Pando Media Booster
"17344:TCP"= 17344:TCP:spport
"8704:TCP"= 8704:TCP:spport

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/14/2009 2:22 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 2:22 PM 72944]
R2 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe [1/26/2005 11:47 AM 65604]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/12/2008 6:42 PM 24652]
R3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [11/1/2004 2:16 PM 17536]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [4/10/2010 5:46 PM 102448]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 eac_notifysvc;eAcceleration Notification Service;"c:\progra~1\EACCEL~1\FRAMEW~1\eac_svc.exe" --> c:\progra~1\EACCEL~1\FRAMEW~1\eac_svc.exe [?]
S2 eac_productsvc;eAcceleration Product Manager Service;"c:\progra~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe" --> c:\progra~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 2:22 PM 7408]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]
S4 sstsmonsvc;StopSign Antivirus Security Center Provider;"c:\progra~1\EACCEL~1\FRAMEW~1\eac_svc.exe" --> c:\progra~1\EACCEL~1\FRAMEW~1\eac_svc.exe [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Refresh Pa&ge with Full Quality - c:\program files\EarthLink TotalAccess\Accelerator\\pac-page.html
IE: Refresh Pi&cture with Full Quality - c:\program files\EarthLink TotalAccess\Accelerator\\pac-image.html
LSP: c:\program files\EarthLink TotalAccess\Accelerator\prplsf.dll
FF - ProfilePath - c:\documents and settings\kenny\Application Data\Mozilla\Firefox\Profiles\rz5prpn2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\kenny\Application Data\Mozilla\Firefox\Profiles\rz5prpn2.default\extensions\{5601B994-0E9B-4ce2-8AB9-AD1155F2ABBD}\plugins\NPNeffyPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-21 12:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x822F98C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf857af28
\Driver\ACPI -> ACPI.sys @ 0xf84edcb8
\Driver\atapi -> atapi.sys @ 0xf848ab3a
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compa -> SendCompleteHandler -> NDIS.sys @ 0xf8395b0a
PacketIndicateHandler -> NDIS.sys @ 0xf8382a0d
SendHandler -> NDIS.sys @ 0xf8396b40
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(524)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\documents and settings\kenny\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
c:\documents and settings\kenny\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

- - - - - - - > 'lsass.exe'(580)
c:\program files\EarthLink TotalAccess\Accelerator\prplsf.dll

- - - - - - - > 'explorer.exe'(4064)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-04-21 12:19:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-21 16:19
ComboFix2.txt 2010-04-21 01:46

Pre-Run: 19,870,326,784 bytes free
Post-Run: 19,843,493,888 bytes free

- - End Of File - - E43B5950CC854B0F3FC32C498EF420A8


Redirects are still going on. Also how do I double check if my other computer has mal-ware, viruses, spy-ware, etc. . . I don't remember what I used that computer for. Also is there a guild for reformat just in case there isn't a known way of fixing it?

Edited by CalusBlade, 21 April 2010 - 11:37 AM.


#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:10:40 PM

Posted 24 April 2010 - 02:36 AM

Hi,

I'm sorry for the delay.
Could you please do the following:

Next, please download maxlook, saving the file to your desktop.
Double click maxlook.exe to run it. Note - you must run it only once!
As instructed when the tool runs, restart the computer and logon to the Recovery Console.
Execute the following bolded command at the x:\windows> prompt <--- the red x represents your operating system drive letter, usually C

batch look.bat




You will see 1 file copied many times then return to the x:\windows> prompt.
Type Exit to restart your computer then logon in normal mode.

Once you have rebooted:
  • Click on start
  • select Run...
  • enter "%userprofile%\Desktop\maxlook.exe" -sig and hit enter
  • a blue window will open. Please make sure that you are connected to the internet while the blue window is open.
  • Once it is finished a log file will open. Please save that log and post the content in your next reply.
If you do not have the run-command in your Start menu:
Please right click on your taskbar, select Properties, select the Start Menu tab, click on Customize and tick the Display Run checkbox and click OK.


I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either StopSign or Symantec.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#9 CalusBlade

CalusBlade
  • Topic Starter

  • Members
  • 538 posts
  • OFFLINE
  •  
  • Local time:03:40 PM

Posted 24 April 2010 - 09:24 AM

Run from C:\Documents and Settings\kenny\Desktop\maxlook.exe on Sat 04/24/2010 at 10:23:13.36

No infected file found


As for stopsign, it has been removed but for some reason its still floating around.

Edited by CalusBlade, 24 April 2010 - 09:28 AM.


#10 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:10:40 PM

Posted 24 April 2010 - 09:33 AM

Hi,

could you please run the command:
  • Click on start
  • select Run...
  • enter "%userprofile%\Desktop\maxlook.exe" -sig and hit enter
  • a blue window will open. Please make sure that you are connected to the internet while the blue window is open.
  • Once it is finished a log file will open. Please save that log and post the content in your next reply.
If you do not have the run-command in your Start menu:
Please right click on your taskbar, select Properties, select the Start Menu tab, click on Customize and tick the Display Run checkbox and click OK.


I had the impression that they might just be leftovers, we will take care of that next step.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#11 CalusBlade

CalusBlade
  • Topic Starter

  • Members
  • 538 posts
  • OFFLINE
  •  
  • Local time:03:40 PM

Posted 24 April 2010 - 10:07 AM

Run from C:\Documents and Settings\kenny\Desktop\maxlook.exe on Sat 04/24/2010 at 11:06:51.40

No infected file found


Same as before

O.K, i just used a program called hitman pro and it found it. after I finish up some work I'm gonna reboot and see if it got rid of it. This program was recommended by a friend of mine. I'll update as soon as I can.

It was a atapi.sys located at windows/system32/drivers

Edited by CalusBlade, 24 April 2010 - 10:58 AM.


#12 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:10:40 PM

Posted 24 April 2010 - 11:20 AM

Hi,

feel free to try, but from experience this won't work. Let me know how things work out.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#13 CalusBlade

CalusBlade
  • Topic Starter

  • Members
  • 538 posts
  • OFFLINE
  •  
  • Local time:03:40 PM

Posted 24 April 2010 - 11:56 AM

redirects seem to be gone now. Thanks for helping me.

#14 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:10:40 PM

Posted 24 April 2010 - 02:32 PM

Hi,

you must be one of the lucky few then. smile.gif HitmanPro does not reliably see all parts of the infection.

Could you please run a new scan with gmer and post the log in your next reply.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#15 CalusBlade

CalusBlade
  • Topic Starter

  • Members
  • 538 posts
  • OFFLINE
  •  
  • Local time:03:40 PM

Posted 03 May 2010 - 10:54 PM

Ummmm I ran it on safe mode and I think it killed my norton :/

This one is regular mode after the safe mode scan

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-03 23:52:32
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\kenny\LOCALS~1\Temp\pxtdqpow.sys


---- System - GMER 1.0.15 ----

SSDT 86634218 ZwConnectPort
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xF106F350]
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF106F580]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users