Firefox search auto re-direct


  • This topic is locked
3 replies to this topic

#1 alphonsostar

  • Members
  • 2 posts

Posted 23 April 2010 - 11:39 AM

I have a malware issue on my computer. When I start the Firefox browser and type a search in the search bar, it automatically redirects me to "www.cars4all.biz".
I have no problems running IE.
I have run ATF Cleaner, SAS and Dr.Web CureIt as suggested on another post. So far no luck in fixing the malware program.
So, I followed the instructions and have run DDS and GMER, and the results are attached.
Please help me!


DDS (Ver_10-03-17.01) - NTFSx86
Run by Chuck at 11:50:26.95 on Fri 04/23/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_15
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3071.1588 [GMT -4:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
c:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\wbem\wmiprvse.exe
c:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
c:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\dell\DBRM\Reminder\DbrmTrayicon.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Corel\Suite8\Programs\WPWIN8.EXE
C:\QUICKENW\qw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\EarthLink TotalAccess\MailClnt.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe
C:\Corel\Suite8\Programs\PFPPOP80.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\notepad.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\notepad.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Chuck\Desktop\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.earthlink.net/partner/more/msie/button/search.html
uStart Page = hxxp://start.earthlink.net
uSearch Bar = hxxp://start.earthlink.net/AL/Search
mSearchAssistant = hxxp://start.earthlink.net/AL/Search
uURLSearchHooks: SrchHook Class: {44f9b173-041c-4825-a9b9-d914bd9dcbb3} - c:\program files\earthlink totalaccess\ElnIE.dll
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [OE] "c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe"
uRun: [E6TaskPanel] "c:\program files\earthlink totalaccess\TaskPanl.exe" -winstart
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [DBRMTray] c:\dell\dbrm\reminder\DbrmTrayIcon.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [DBRMTray] c:\dell\dbrm\reminder\TrayApp.exe
StartupFolder: c:\users\chuck\appdata\roaming\micros~1\windows\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\coreld~1.lnk - c:\corel\suite8\programs\DAD8.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Open with WordPerfect - c:\program files\wordperfect office x3\programs\WPLauncher.hta
IE: Refresh Pa&ge with Full Quality - c:\program files\earthlink totalaccess\accelerator\\pac-page.html
IE: Refresh Pi&cture with Full Quality - c:\program files\earthlink totalaccess\accelerator\\pac-image.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162576602862
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134512507156
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37985.323900463
DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} - hxxp://www.microsoft.com/security/controls/SassCln.CAB
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxps://www-secure.symantec.com/techsupp/activedata/SymAData.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - hxxps://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - %SystemRoot%\system32\wpdshserviceobj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\chuck\appdata\roaming\mozilla\firefox\profiles\9q6gn5am.default\
FF - prefs.js: browser.startup.homepage - hxxp://start.earthlink.net/
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\wat\npWatWeb.dll
FF - HiddenExtension: XUL Cache: {49DA20A3-B9F9-41D8-8D38-C79CBA090D28} - c:\users\charles_2\appdata\local\{49DA20A3-B9F9-41D8-8D38-C79CBA090D28}
FF - HiddenExtension: XUL Cache: {BDC9827A-A0D7-4A1E-8C7B-296747BBA7B6} - c:\users\chuck\appdata\local\{BDC9827A-A0D7-4A1E-8C7B-296747BBA7B6}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\drivers\tmlwf.sys [2009-7-21 142352]
R2 AERTFilters;Andrea RT Filters Service;c:\program files\realtek\audio\hda\AERTSrv.exe [2010-3-2 81920]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
R2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt60.sys [2010-3-2 27648]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-7-21 50192]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2010-4-20 36368]
R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\drivers\tmwfp.sys [2009-7-21 235024]
R3 NmPar;PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [2010-1-12 81920]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2010-3-2 66592]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-3-2 167936]
R3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2010-3-10 488768]
R3 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2010-3-10 648456]
S2 N360;Norton 360;"c:\program files\norton 360\norton 360\engine\4.0.0.127\ccsvchst.exe" /s "n360" /m "c:\program files\norton 360\norton 360\engine\4.0.0.127\dimaster.dll" /prefetch:1 --> c:\program files\norton 360\norton 360\engine\4.0.0.127\ccSvcHst.exe [?]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 CpPwdSvc;CopyPwd Service;c:\program files\laplink\pcmover\x32\cppwdsvc.exe [2009-9-16 46384]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-1-17 102448]
S3 JeppDrive;JeppDrive Service;c:\windows\system32\drivers\JeppDrive.sys [2010-4-20 24344]
S3 RTTEAMPT;Realtek Teaming Protocol Driver (NDIS 6.2);c:\windows\system32\drivers\RtTeam60.sys [2010-3-2 35328]
S3 RTVLANPT;Realtek Vlan Protocol Driver (NDIS 6.2);c:\windows\system32\drivers\RtVlan60.sys [2010-3-2 19968]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TEAM;Realtek Virtual Miniport Driver for Teaming (NDIS 6.2);c:\windows\system32\drivers\RtTeam60.sys [2010-3-2 35328]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-17 1343400]

=============== Created Last 30 ================

2010-04-23 15:41:59 0 ----a-w- c:\users\chuck\defogger_reenable
2010-04-22 15:48:38 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-04-22 15:48:30 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-22 15:48:29 0 d-----w- c:\users\chuck\appdata\roaming\SUPERAntiSpyware.com
2010-04-22 14:04:59 0 d-----w- c:\users\chuck\appdata\roaming\Malwarebytes
2010-04-22 14:04:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-22 14:04:50 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-22 14:04:50 0 d-----w- c:\programdata\Malwarebytes
2010-04-22 14:04:49 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-21 15:25:49 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-04-21 15:00:44 0 d-----w- c:\program files\NortonInstaller
2010-04-21 14:00:45 0 d-----w- c:\programdata\Sun
2010-04-20 16:02:51 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_JeppDrive_01005.Wdf
2010-04-20 16:02:01 0 d-----w- c:\users\chuck\Jeppesen
2010-04-20 16:02:00 31 ----a-w- c:\windows\JSUMUpdater.ini
2010-04-20 16:00:32 24344 ----a-w- c:\windows\system32\drivers\JeppDrive.sys
2010-04-20 16:00:32 1419232 ----a-w- c:\windows\system32\wdfcoinstaller01005.dll
2010-04-20 16:00:30 0 d-----w- c:\programdata\Jeppesen
2010-04-20 12:26:11 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2010-04-20 12:26:11 230928 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2010-04-20 12:26:11 1322680 ----a-w- c:\windows\system32\drivers\vsapint.sys
2010-04-14 15:22:51 0 d-----w- c:\program files\Citrix
2010-04-14 15:22:37 103784 ----a-w- c:\users\chuck\GoToAssistDownloadHelper.exe
2010-04-14 09:44:54 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 09:44:54 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 09:44:51 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 09:44:49 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 09:44:49 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 09:44:49 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 09:44:28 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 09:44:28 132608 ----a-w- c:\windows\system32\cabview.dll
2010-04-13 09:18:06 977920 ----a-w- c:\windows\system32\wininet.dll
2010-03-26 16:04:04 45344 ----a-w- c:\windows\system32\drivers\CoachVid.sys
2010-03-26 16:04:04 10752 ----a-w- c:\windows\system32\drivers\CoachAud.sys
2010-03-25 15:17:28 0 d-----w- c:\users\chuck\appdata\roaming\ZoomBrowser EX
2010-03-25 14:17:49 0 d-----w- c:\programdata\ZoomBrowser
2010-03-25 14:16:50 0 d-----w- c:\program files\common files\Canon

==================== Find3M ====================

2010-03-11 10:24:11 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-03-10 09:48:03 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01005.Wdf
2010-03-03 03:46:52 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys
2010-03-03 03:46:50 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2010-03-03 03:46:50 507568 ----a-w- c:\windows\system32\winload.exe
2010-03-03 03:46:50 442920 ----a-w- c:\windows\system32\winresume.exe
2010-03-03 03:46:50 34816 ----a-w- c:\windows\system32\msasn1.dll
2010-03-03 03:46:50 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-03-03 03:46:50 257024 ----a-w- c:\windows\system32\msv1_0.dll
2010-03-03 03:46:50 1320960 ----a-w- c:\windows\system32\CertEnroll.dll
2010-03-03 03:46:50 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2010-03-03 03:46:49 86528 ----a-w- c:\windows\system32\isoburn.exe
2010-03-03 03:46:49 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-03-03 03:45:06 23874 ----a-w- c:\windows\system32\drivers\1028_Dell_VOS_220S.mrk
2010-03-03 02:04:06 55072 ----a-w- c:\windows\system32\jureg.exe
2010-03-03 02:04:06 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-03 02:04:06 386872 ----a-w- c:\windows\system32\jucheck.exe
2010-03-03 02:04:06 149280 ----a-w- c:\windows\system32\jusched.exe
2010-02-28 22:26:09 96338632 ----a-w- C:\SYM_REGISTRY_BACKUP.reg
2010-02-02 07:45:54 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-01 15:11:26 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-01-07 02:08:37 16384 --sha-w- c:\windows\serviceprofiles\networkservice\ietldcache\index.dat
2009-08-10 18:32:36 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 11:50:46.35 ===============


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-23 12:08:47
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\Chuck\AppData\Local\Temp\uglcqpog.sys


---- System - GMER 1.0.15 ----

SSDT 88479FA0 ZwCreateKey
SSDT 884791E0 ZwCreateProcess
SSDT 884794A0 ZwCreateProcessEx
SSDT 8847AE00 ZwCreateThread
SSDT 8847AFA0 ZwCreateThreadEx
SSDT 88479760 ZwCreateUserProcess
SSDT 8847A520 ZwDeleteKey
SSDT 8847A7E0 ZwDeleteValueKey
SSDT 8847B140 ZwLoadDriver
SSDT 88479A20 ZwOpenProcess
SSDT 8847A260 ZwSetValueKey
SSDT 88479CE0 ZwTerminateProcess
SSDT 8847AC60 ZwWriteVirtualMemory

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83031AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83031104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830313F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8301A2D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83019898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830311DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83031958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830316F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83031F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830321A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82C4A599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C6EF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 308 82C76818 4 Bytes [A0, 9F, 47, 88]
.text ntkrnlpa.exe!RtlSidHashLookup + 32C 82C7683C 8 Bytes [E0, 91, 47, 88, A0, 94, 47, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 34C 82C7685C 8 Bytes [00, AE, 47, 88, A0, AF, 47, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 364 82C76874 4 Bytes [60, 97, 47, 88]
.text ntkrnlpa.exe!RtlSidHashLookup + 38C 82C7689C 4 Bytes [20, A5, 47, 88]
.text ...
.text peauth.sys 96279C9D 28 Bytes [DE, 29, 04, 16, 27, 4C, 76, ...]
.text peauth.sys 96279CC1 28 Bytes [DE, 29, 04, 16, 27, 4C, 76, ...]
PAGE peauth.sys 9627FB9B 9 Bytes [0E, 85, 8D, B7, 9B, F5, 1B, ...] {PUSH CS; TEST [EBP+0x1bf59bb7], ECX; JNO 0x2f}
PAGE peauth.sys 9627FBA9 58 Bytes [EB, B8, F7, 51, FA, 4F, 7A, ...]
PAGE peauth.sys 9627FBEC 111 Bytes [67, 0A, 80, F0, 16, A2, B6, ...]
PAGE ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[5100] USER32.dll!CreateDialogParamW 77619BFF 5 Bytes JMP 6B8EC548 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5100] USER32.dll!EnableWindow 7761A72E 5 Bytes JMP 6B8EC4C3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5100] USER32.dll!GetAsyncKeyState 7761C09A 5 Bytes JMP 6B8AD6C9 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5100] USER32.dll!UnhookWindowsHookEx 7761CC7B 5 Bytes JMP 6B9A82FA C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5100] USER32.dll!CallNextHookEx 7761CC8F 5 Bytes JMP 6B989D00 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5100] USER32.dll!CreateWindowExW 77620E51 5 Bytes JMP 6B9980F7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5100] USER32.dll!SetWindowsHookExW 7762210A 5 Bytes JMP 6B9445DB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5100] USER32.dll!GetKeyState 77624FDA 5 Bytes JMP 6B8ED73A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5100] USER32.dll!IsDialogMessageW 77626F06 5 Bytes JMP 6B8B425C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5100] USER32.dll!CreateDialogParamA 77633E79 5 Bytes JMP 6BABFE19 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5100] USER32.dll!IsDialogMessage 7763407A 5 Bytes JMP 6BABF6BA C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5100] USER32.dll!CreateDialogIndirectParamA 77639110 5 Bytes JMP 6BABFE50 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5100] USER32.dll!CreateDialogIndirectParamW 776408AD 5 Bytes JMP 6BABFE87 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5100] USER32.dll!DialogBoxIndirectParamW 77644AA7 5 Bytes JMP 6BABF218 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5100] USER32.dll!EndDialog 7764555C 5 Bytes JMP 6B8B5AC1 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5100] USER32.dll!DialogBoxParamW 7764564A 5 Bytes JMP 6B8B4B7F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5100] USER32.dll!SetKeyboardState 77646B52 5 Bytes JMP 6BABFA1F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5100] USER32.dll!SendInput 77647055 5 Bytes JMP 6BAC05E8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5100] USER32.dll!SetCursorPos 7765C1D8 5 Bytes JMP 6BAC0640 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5100] USER32.dll!DialogBoxParamA 7765CF6A 5 Bytes JMP 6BABF1B5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5100] USER32.dll!DialogBoxIndirectParamA 7765D29C 5 Bytes JMP 6BABF27B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004e halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Edited by alphonsostar, 23 April 2010 - 12:10 PM.
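An added triage helper, not part of the original post or of GMER itself, that parses user-mode hook lines in the format GMER printed above and separates hooks that jump into a Windows-directory module GMER attributes to a trusted vendor from entries that need a manual look (unknown vendor, module outside Windows, or an inline byte patch with no symbolic target). The sample lines and the trusted-vendor set are constructed for this example; the third sample line is a hypothetical entry with a placeholder path and vendor.

```python
import re
# Constructed sample lines modelled on GMER 1.0.15 user-mode hook output; the third line
# is a hypothetical entry (placeholder path and vendor) so that the "review" path runs.
SAMPLE_LOG = r"""
.text C:\Program Files\Internet Explorer\iexplore.exe[5100] USER32.dll!MessageBoxExA 7766EA29 5 Bytes JMP 6BABF07D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5100] SHELL32.dll!SHChangeNotification_Lock + 45BA 7665B3B0 4 Bytes [11, 36, 4F, 6F] {ADC [ESI], ESI; DEC EDI; OUTSD }
.text C:\Program Files\Mozilla Firefox\firefox.exe[2044] WS2_32.dll!send 75D76F01 5 Bytes JMP 10001A20 C:\Users\EXAMPLE\AppData\Local\Temp\example.dll (Example/Unknown Vendor)
"""

HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<func>\S+!\S+(?: \+ [0-9A-Fa-f]+)?)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+) Bytes\s+(?P<rest>.*)$")
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]+)\s+(?P<module>.+?)\s+\((?P<desc>.*)\)\s*$")
# Vendors GMER named for every hooking module in the posted log; adjust per machine.
TRUSTED_VENDORS = {"Microsoft Corporation", "Trend Micro Inc."}

def parse_hook(line):
    """Parse one '.text ...' hook line into a dict; return None for any other line."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    hook = {k: m.group(k) for k in ("proc", "pid", "func", "addr", "size")}
    rest = m.group("rest")
    j = JMP_RE.match(rest)
    if j:  # "JMP <target> <module path> (<description/vendor>)"
        hook.update(kind="jmp", target=j.group("target"), module=j.group("module"),
                    vendor=j.group("desc").rsplit("/", 1)[-1].strip())
    else:  # raw bytes with no symbolic target, e.g. "[11, 36, 4F, 6F] {...}"
        p = re.match(r"^\[([^\]]*)\]", rest)
        hook.update(kind="patch", bytes=p.group(1) if p else rest, module=None, vendor=None)
    return hook

def classify(hook):
    """'expected' = JMP into a module under C:\\Windows whose vendor GMER names as trusted;
    all else (unknown vendor, odd path, inline patch) is 'review'. The vendor string comes
    from the file's version resource, not a signature check, so it is only a triage hint."""
    if (hook["kind"] == "jmp" and hook["vendor"] in TRUSTED_VENDORS
            and hook["module"].lower().startswith("c:\\windows\\")):
        return "expected"
    return "review"

def triage(log_text):
    """Group hooks by PID: count of expected hooks plus a list of entries to look at."""
    report = {}
    for line in log_text.splitlines():
        hook = parse_hook(line)
        if hook is None:
            continue
        entry = report.setdefault(hook["pid"], {"proc": hook["proc"], "expected": 0, "review": []})
        if classify(hook) == "expected":
            entry["expected"] += 1
        else:
            entry["review"].append(f'{hook["func"]} -> {hook["module"] or "inline patch " + hook["bytes"]}')
    return report
```

Run `triage(open("gmer.log").read())` against a real log to get, per process, how many hooks look like ordinary vendor hooks and which ones to inspect by hand.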


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:08 AM

Posted 23 April 2010 - 11:56 AM

Hello alphonsostar,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1.
Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

2.
Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

3.
    1. Please download OTL from one of the following mirrors:
  • This is THE Mirror
    2. Save it to your desktop.
    3. Double click on the icon on your desktop.
    4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT

    5. Push the Quick Scan button.
    6. Two reports will open, copy and paste them in a reply here:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized


Things to include in your next reply:
Gooredfix.txt
MBAM log
OTL.txt
Extra.txt
Still having redirects?

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 alphonsostar

alphonsostar
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:07:08 AM

Posted 23 April 2010 - 01:00 PM

Dear Fireman4it. You are my hero. Running those processes fixed the problem. THANKS!

#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:08 AM

Posted 23 April 2010 - 05:13 PM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send a Private Message to any one of the moderating team members or myself. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

