
adwordsredirect infection with google


  • This topic is locked
33 replies to this topic

#1 adamdivine

adamdivine

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:12:46 AM

Posted 23 April 2010 - 12:51 PM

Hi, I seem to have an infection that is defying my usual methods for removal. I have run CCleaner, Malwarebytes and SUPERAntiSpyware. They found a few things, but none of them helped with my problem. When I search in Google, the search takes longer than usual and returns normal-looking results. If I click on any of the results, however, I get the "check your connection" screen from IE. The address bar has a URL beginning with www.adwordsredirect.... I can still search via Yahoo or the like, but I would like to get rid of this infection before it gets worse. Thanks for any help that is provided.


DDS (Ver_10-03-17.01) - NTFSx86
Run by customer at 11:16:52.62 on Fri 04/23/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.265 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEKA.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\customer\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: Games Bar 1 Toolbar: {bc04b34e-5dd8-465a-a5e0-86f7c11bc009} - c:\program files\games_bar_1\tbGame.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: WsftpBrowserHelper Class: {601ed020-fb6c-11d3-87d8-0050da59922b} - c:\program files\ws_ftp pro\wsbho2k0.dll
BHO: Games Bar 1 Toolbar: {bc04b34e-5dd8-465a-a5e0-86f7c11bc009} - c:\program files\games_bar_1\tbGame.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Games Bar 1 Toolbar: {bc04b34e-5dd8-465a-a5e0-86f7c11bc009} - c:\program files\games_bar_1\tbGame.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EPSON WorkForce 600] c:\windows\system32\spool\drivers\w32x86\3\e_fatieka.exe /fu "c:\windows\temp\E_S7F.tmp" /EF "HKCU"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\customer\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: &Search
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: tovoyejir - {f482dc18-fc4d-4a31-aa01-98e56ebf2537} - c:\windows\system32\fumupofo.dll
STS: jugezatag: {f482dc18-fc4d-4a31-aa01-98e56ebf2537} - c:\windows\system32\fumupofo.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli tudehote.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-12 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-9-12 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-9-12 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-9-12 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-9-12 297752]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2007-8-2 87936]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 CoachVid;CoachVid;c:\windows\system32\drivers\CoachVid.sys [2010-1-14 45344]

============== File Associations ===============

.scr=AutoCADLTScriptFile

=============== Created Last 30 ================

2010-04-23 15:06:13 0 ----a-w- c:\documents and settings\customer\defogger_reenable
2010-04-19 14:40:50 0 d-----w- c:\docume~1\customer\applic~1\E-centives
2010-04-19 14:37:39 230824 ----a-r- c:\windows\system32\cpnprt2.cid
2010-04-19 14:37:37 0 d-----w- c:\windows\Cache
2010-04-19 14:37:34 0 d-----w- c:\program files\Coupons
2010-04-18 16:11:35 0 d-----w- c:\docume~1\customer\applic~1\Unity
2010-04-17 11:40:08 0 d-----w- c:\program files\Conduit
2010-04-17 11:40:07 0 d-----w- c:\program files\Games_Bar_1
2010-03-31 00:53:35 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-03-31 00:53:24 0 d-----w- c:\program files\SUPERAntiSpyware
2010-03-31 00:53:24 0 d-----w- c:\docume~1\customer\applic~1\SUPERAntiSpyware.com
2010-03-31 00:51:49 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-03-30 16:15:12 0 d-----w- c:\docume~1\customer\applic~1\OpenOffice.org
2010-03-30 15:26:43 0 d-----w- c:\program files\JRE
2010-03-30 15:26:14 0 d-----w- c:\program files\OpenOffice.org 3
2010-03-30 00:35:19 0 d-----w- c:\program files\CCleaner

==================== Find3M ====================

2010-03-30 04:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 08:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 13:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-10 17:18:49 108920 ----a-w- c:\documents and settings\customer\g2ax_customer_downloadhelper_win32_x86.exe

============= FINISH: 11:17:31.68 ===============


Attached Files
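Added example, not part of the poster's log or of the DDS tool: a small Python triage script run over the "Pseudo HJT Report" lines above. It pulls out what a responder would look at first in that section: the browser proxy set to 127.0.0.1:5555 (every HTTP request from IE is handed to a listener on the machine itself, which fits the redirect the poster describes, although the log alone does not say which process owns the port), SSODL/STS/LSA entries whose module names look machine-generated, one CLSID registered in more than one loader location, and "No File" orphans. The name heuristic, the small allowlist and the sample input (lines copied from the log above) are assumptions of the example, and the heuristic is a triage aid that can produce false positives.

```python
"""Triage a DDS "Pseudo HJT Report" for the redirect indicators seen in this thread.
Added example; the name heuristic and the allowlist below are assumptions."""
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS log posted in this thread.
SAMPLE = r"""
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: tovoyejir - {f482dc18-fc4d-4a31-aa01-98e56ebf2537} - c:\windows\system32\fumupofo.dll
STS: jugezatag: {f482dc18-fc4d-4a31-aa01-98e56ebf2537} - c:\windows\system32\fumupofo.dll
LSA: Notification Packages = scecli tudehote.dll
"""

LOADER_KEYS = {"SSODL", "STS", "SEH", "Notify", "LSA"}   # loaded by explorer/winlogon/lsass
KNOWN_GOOD = {"scecli", "wpdshserviceobj"}               # assumed allowlist, extend locally
VOWELS = set("aeiou")
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
MODULE_RE = re.compile(r'[^\s"]+\.(?:dll|exe|sys)\b', re.I)
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    where: str      # report line (or CLSID) the finding refers to
    reason: str


def looks_generated(name: str) -> bool:
    """Heuristic for pronounceable random DLL names (fumupofo, tudehote): ASCII letters
    only, 6-10 chars, 40-60% vowels, no run of three consonants. Not proof of anything."""
    n = name.lower()
    if n in KNOWN_GOOD or not n.isascii() or not n.isalpha() or not 6 <= len(n) <= 10:
        return False
    vowel_ratio = sum(c in VOWELS for c in n) / len(n)
    return 0.4 <= vowel_ratio <= 0.6 and re.search(r"[^aeiou]{3}", n) is None


def parse_proxy(value: str) -> list[tuple[str, str, int | None]]:
    """'http=127.0.0.1:5555;https=gw:8080' or bare 'host:port' -> (scheme, host, port)."""
    out = []
    for item in filter(None, (s.strip() for s in value.split(";"))):
        scheme, _, hostport = item.rpartition("=")        # scheme is "" when absent
        host, sep, port = hostport.rpartition(":")
        if not sep:                                       # no port given
            host, port = hostport, ""
        out.append((scheme or "*", host.strip("[]"), int(port) if port.isdigit() else None))
    return out


def is_loopback(host: str) -> bool:
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def candidate_names(key: str, line: str) -> list[str]:
    """Display name plus the stem of every module referenced on an autostart line."""
    if key == "LSA":  # "LSA: Notification Packages = scecli tudehote.dll"
        return [tok.rsplit(".", 1)[0] for tok in line.partition("=")[2].split()]
    names = []
    m = re.match(r"^\w+: (\S+?)[:\s]", line)
    if m:
        names.append(m.group(1))
    for path in MODULE_RE.findall(line):
        names.append(path.rsplit("\\", 1)[-1].rsplit(".", 1)[0])
    return names


def triage(report: str) -> list[Finding]:
    findings: list[Finding] = []
    clsid_keys: dict[str, set[str]] = {}
    for line in (l.strip() for l in report.splitlines()):
        if not line:
            continue
        m = PROXY_RE.match(line)
        if m:  # browser proxy pointing at the machine itself is the classic redirect hook
            for scheme, host, port in parse_proxy(m.group(1)):
                if is_loopback(host):
                    findings.append(Finding("high", line, f"{scheme} requests are routed through "
                                            f"a listener on this machine ({host}:{port}); find the owning process"))
            continue
        key = line.split(":", 1)[0]
        if line.endswith("No File"):
            findings.append(Finding("medium", line, "autostart entry whose module is missing (orphan)"))
        if key in LOADER_KEYS:
            odd = list(dict.fromkeys(n for n in candidate_names(key, line) if looks_generated(n)))
            if odd:
                findings.append(Finding("high", line, f"{key} entry references a module with a "
                                        f"machine-generated-looking name: {', '.join(odd)}"))
            for clsid in CLSID_RE.findall(line):
                clsid_keys.setdefault(clsid.lower(), set()).add(key)
    for clsid, keys in clsid_keys.items():
        if len(keys) > 1:  # one COM object wired into several loader locations
            findings.append(Finding("medium", clsid, f"one CLSID registered in {len(keys)} "
                                    f"loader locations: {', '.join(sorted(keys))}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f.severity}] {f.reason}\n    {f.where}")
```

On the live machine the proxy finding is confirmed with `netstat -ano | findstr :5555` and matching the PID in Task Manager; the value DDS reports as uInternet Settings,ProxyServer is the `ProxyServer` value under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, which `reg query` will show.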





#2 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:09:46 PM

Posted 28 April 2010 - 01:10 PM

Hello and welcome to Bleeping Computer.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying, the forum is very busy. If you still need help, please post a fresh DDS and Attach Log

MalWare Removal University Master

Member of ASAP


#3 adamdivine

adamdivine
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:12:46 AM

Posted 29 April 2010 - 12:19 PM

Here are the fresh logs. DDS is shown below, attach.txt is added as an attachment. Thanks.


DDS (Ver_10-03-17.01) - NTFSx86
Run by customer at 13:13:59.29 on Thu 04/29/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.274 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEKA.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\customer\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: Games Bar 1 Toolbar: {bc04b34e-5dd8-465a-a5e0-86f7c11bc009} - c:\program files\games_bar_1\tbGame.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: WsftpBrowserHelper Class: {601ed020-fb6c-11d3-87d8-0050da59922b} - c:\program files\ws_ftp pro\wsbho2k0.dll
BHO: Games Bar 1 Toolbar: {bc04b34e-5dd8-465a-a5e0-86f7c11bc009} - c:\program files\games_bar_1\tbGame.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Games Bar 1 Toolbar: {bc04b34e-5dd8-465a-a5e0-86f7c11bc009} - c:\program files\games_bar_1\tbGame.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EPSON WorkForce 600] c:\windows\system32\spool\drivers\w32x86\3\e_fatieka.exe /fu "c:\windows\temp\E_S7F.tmp" /EF "HKCU"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\customer\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: &Search
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: tovoyejir - {f482dc18-fc4d-4a31-aa01-98e56ebf2537} - c:\windows\system32\fumupofo.dll
STS: jugezatag: {f482dc18-fc4d-4a31-aa01-98e56ebf2537} - c:\windows\system32\fumupofo.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli tudehote.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-12 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-9-12 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-9-12 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-9-12 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-9-12 297752]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2007-8-2 87936]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 CoachVid;CoachVid;c:\windows\system32\drivers\CoachVid.sys [2010-1-14 45344]

============== File Associations ===============

.scr=AutoCADLTScriptFile

=============== Created Last 30 ================

2010-04-23 15:06:13 0 ----a-w- c:\documents and settings\customer\defogger_reenable
2010-04-19 14:40:50 0 d-----w- c:\docume~1\customer\applic~1\E-centives
2010-04-19 14:37:39 230824 ----a-r- c:\windows\system32\cpnprt2.cid
2010-04-19 14:37:37 0 d-----w- c:\windows\Cache
2010-04-19 14:37:34 0 d-----w- c:\program files\Coupons
2010-04-18 16:11:35 0 d-----w- c:\docume~1\customer\applic~1\Unity
2010-04-17 11:40:08 0 d-----w- c:\program files\Conduit
2010-04-17 11:40:07 0 d-----w- c:\program files\Games_Bar_1
2010-03-31 00:53:35 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-03-31 00:53:24 0 d-----w- c:\program files\SUPERAntiSpyware
2010-03-31 00:53:24 0 d-----w- c:\docume~1\customer\applic~1\SUPERAntiSpyware.com
2010-03-31 00:51:49 0 d-----w- c:\program files\common files\Wise Installation Wizard

==================== Find3M ====================

2010-03-30 04:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 08:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-17 13:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-10 17:18:49 108920 ----a-w- c:\documents and settings\customer\g2ax_customer_downloadhelper_win32_x86.exe

============= FINISH: 13:14:40.01 ===============

Attached Files



#4 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:09:46 PM

Posted 29 April 2010 - 01:28 PM

Thanks for the logs.

I'd like to get a fresh GMER Log from you. Go ahead and delete GMER.exe off of your computer, then follow the instructions below. And no need to attach the GMER Log, just post it normally.


Step # 1: Download and Run Gmer

Please download gmer.zip from Gmer and save it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.


If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.

If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure that the 'Sections' button is ticked and the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !

Please post the results from the GMER scan in your reply.

MalWare Removal University Master

Member of ASAP


#5 adamdivine

adamdivine
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:12:46 AM

Posted 29 April 2010 - 07:23 PM

I got a blue screen the first time I tried to run GMER. I will try it again now.

#6 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:09:46 PM

Posted 29 April 2010 - 11:42 PM

Ok, let me know what happens.

MalWare Removal University Master

Member of ASAP


#7 adamdivine

adamdivine
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:12:46 AM

Posted 30 April 2010 - 06:59 AM

OK, it finally finished. Here is the log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-30 05:01:46
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\customer\LOCALS~1\Temp\pwdoykoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEDB37320]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[160] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 07B22862
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[160] WS2_32.dll!send 71AB4C27 5 Bytes JMP 07B226EE
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[160] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 07B227E0
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[160] WS2_32.dll!recv 71AB676F 5 Bytes JMP 07B22726
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[160] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 07B2275E
.text C:\Program Files\Messenger\msmsgs.exe[268] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00BF2862
.text C:\Program Files\Messenger\msmsgs.exe[268] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00BF26EE
.text C:\Program Files\Messenger\msmsgs.exe[268] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00BF27E0
.text C:\Program Files\Messenger\msmsgs.exe[268] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00BF2726
.text C:\Program Files\Messenger\msmsgs.exe[268] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00BF275E
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[432] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00FF2862
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[432] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00FF26EE
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[432] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00FF27E0
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[432] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00FF2726
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[432] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00FF275E
.text C:\WINDOWS\System32\bcmwltry.exe[500] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01442862
.text C:\WINDOWS\System32\bcmwltry.exe[500] WS2_32.dll!send 71AB4C27 5 Bytes JMP 014426EE
.text C:\WINDOWS\System32\bcmwltry.exe[500] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 014427E0
.text C:\WINDOWS\System32\bcmwltry.exe[500] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01442726
.text C:\WINDOWS\System32\bcmwltry.exe[500] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0144275E
.text C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe[1388] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00CA2862
.text C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe[1388] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00CA26EE
.text C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe[1388] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00CA27E0
.text C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe[1388] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00CA2726
.text C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe[1388] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00CA275E
.text C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe[1400] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 07252862
.text C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe[1400] WS2_32.dll!send 71AB4C27 5 Bytes JMP 072526EE
.text C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe[1400] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 072527E0
.text C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe[1400] WS2_32.dll!recv 71AB676F 5 Bytes JMP 07252726
.text C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe[1400] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0725275E
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1516] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 06A82862
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1516] WS2_32.dll!send 71AB4C27 5 Bytes JMP 06A826EE
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1516] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 06A827E0
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1516] WS2_32.dll!recv 71AB676F 5 Bytes JMP 06A82726
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1516] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 06A8275E
.text C:\WINDOWS\system32\Ati2evxx.exe[1552] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00F22862
.text C:\WINDOWS\system32\Ati2evxx.exe[1552] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00F226EE
.text C:\WINDOWS\system32\Ati2evxx.exe[1552] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00F227E0
.text C:\WINDOWS\system32\Ati2evxx.exe[1552] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00F22726
.text C:\WINDOWS\system32\Ati2evxx.exe[1552] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00F2275E
.text C:\WINDOWS\Explorer.EXE[1636] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01D72862
.text C:\WINDOWS\Explorer.EXE[1636] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01D726EE
.text C:\WINDOWS\Explorer.EXE[1636] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01D727E0
.text C:\WINDOWS\Explorer.EXE[1636] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01D72726
.text C:\WINDOWS\Explorer.EXE[1636] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01D7275E
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEKA.EXE[1760] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D82862
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEKA.EXE[1760] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D826EE
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEKA.EXE[1760] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00D827E0
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEKA.EXE[1760] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00D82726
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEKA.EXE[1760] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00D8275E
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1868] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 06CC2862
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1868] WS2_32.dll!send 71AB4C27 5 Bytes JMP 06CC26EE
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1868] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 06CC27E0
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1868] WS2_32.dll!recv 71AB676F 5 Bytes JMP 06CC2726
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1868] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 06CC275E
.text C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe[1928] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 06AC2862
.text C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe[1928] WS2_32.dll!send 71AB4C27 5 Bytes JMP 06AC26EE
.text C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe[1928] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 06AC27E0
.text C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe[1928] WS2_32.dll!recv 71AB676F 5 Bytes JMP 06AC2726
.text C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe[1928] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 06AC275E
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[2080] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 02D02862
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[2080] WS2_32.dll!send 71AB4C27 5 Bytes JMP 02D026EE
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[2080] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 02D027E0
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[2080] WS2_32.dll!recv 71AB676F 5 Bytes JMP 02D02726
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[2080] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 02D0275E
.text C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe[2092] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01D52862
.text C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe[2092] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01D526EE
.text C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe[2092] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01D527E0
.text C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe[2092] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01D52726
.text C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe[2092] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01D5275E
.text C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[2180] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 06A82862
.text C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[2180] WS2_32.dll!send 71AB4C27 5 Bytes JMP 06A826EE
.text C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[2180] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 06A827E0
.text C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[2180] WS2_32.dll!recv 71AB676F 5 Bytes JMP 06A82726
.text C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[2180] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 06A8275E
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2212] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 06D72862
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2212] WS2_32.dll!send 71AB4C27 5 Bytes JMP 06D726EE
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2212] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 06D727E0
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2212] WS2_32.dll!recv 71AB676F 5 Bytes JMP 06D72726
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2212] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 06D7275E
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[2280] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01B82862
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[2280] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01B826EE
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[2280] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01B827E0
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[2280] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01B82726
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[2280] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01B8275E
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[2320] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01252862
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[2320] WS2_32.dll!send 71AB4C27 5 Bytes JMP 012526EE
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[2320] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 012527E0
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[2320] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01252726
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[2320] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0125275E
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[2400] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00F42862
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[2400] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00F426EE
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[2400] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00F427E0
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[2400] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00F42726
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[2400] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00F4275E
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2824] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00ED2862
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2824] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00ED26EE
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2824] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00ED27E0
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2824] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00ED2726
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2824] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00ED275E
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[2948] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 02702862
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[2948] WS2_32.dll!send 71AB4C27 5 Bytes JMP 027026EE
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[2948] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 027027E0
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[2948] WS2_32.dll!recv 71AB676F 5 Bytes JMP 02702726
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[2948] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0270275E
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[2996] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 012C2862
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[2996] WS2_32.dll!send 71AB4C27 5 Bytes JMP 012C26EE
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[2996] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 012C27E0
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[2996] WS2_32.dll!recv 71AB676F 5 Bytes JMP 012C2726
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[2996] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 012C275E
.text C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe[3016] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 02782862
.text C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe[3016] WS2_32.dll!send 71AB4C27 5 Bytes JMP 027826EE
.text C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe[3016] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 027827E0
.text C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe[3016] WS2_32.dll!recv 71AB676F 5 Bytes JMP 02782726
.text C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe[3016] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0278275E
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3044] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E42862
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3044] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E426EE
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3044] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E427E0
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3044] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E42726
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3044] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E4275E
.text C:\WINDOWS\System32\alg.exe[3412] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C22862
.text C:\WINDOWS\System32\alg.exe[3412] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C226EE
.text C:\WINDOWS\System32\alg.exe[3412] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00C227E0
.text C:\WINDOWS\System32\alg.exe[3412] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00C22726
.text C:\WINDOWS\System32\alg.exe[3412] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00C2275E
.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[3444] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 07F72862
.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[3444] WS2_32.dll!send 71AB4C27 5 Bytes JMP 07F726EE
.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[3444] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 07F727E0
.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[3444] WS2_32.dll!recv 71AB676F 5 Bytes JMP 07F72726
.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[3444] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 07F7275E
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[4036] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01182862
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[4036] WS2_32.dll!send 71AB4C27 5 Bytes JMP 011826EE
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[4036] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 011827E0
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[4036] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01182726
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[4036] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0118275E
.text C:\WINDOWS\system32\msdtc.exe[4680] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00DE2862
.text C:\WINDOWS\system32\msdtc.exe[4680] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00DE26EE
.text C:\WINDOWS\system32\msdtc.exe[4680] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00DE27E0
.text C:\WINDOWS\system32\msdtc.exe[4680] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00DE2726
.text C:\WINDOWS\system32\msdtc.exe[4680] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00DE275E
.text C:\WINDOWS\System32\vssvc.exe[5196] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00CE2862
.text C:\WINDOWS\System32\vssvc.exe[5196] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00CE26EE
.text C:\WINDOWS\System32\vssvc.exe[5196] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00CE27E0
.text C:\WINDOWS\System32\vssvc.exe[5196] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00CE2726
.text C:\WINDOWS\System32\vssvc.exe[5196] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00CE275E
.text C:\WINDOWS\system32\dllhost.exe[5684] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00F62862
.text C:\WINDOWS\system32\dllhost.exe[5684] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00F626EE
.text C:\WINDOWS\system32\dllhost.exe[5684] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00F627E0
.text C:\WINDOWS\system32\dllhost.exe[5684] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00F62726
.text C:\WINDOWS\system32\dllhost.exe[5684] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00F6275E

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 870DDC98
Device \Driver\atapi \Device\Ide\IdePort0 870DDC98
Device \Driver\atapi \Device\Ide\IdePort1 870DDC98
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 870DDC98

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- EOF - GMER 1.0.15 ----
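
The GMER log above reports the same five Winsock exports (closesocket, send, recv, WSARecv, WSASend) patched with a 5-byte JMP in every user-mode process, and the JMP targets in each process share one 64 KiB base with identical low-order offsets (…2862, …26EE, …27E0, …2726, …275E). The following script is an added triage example, not part of the thread, and parses that line format to make the pattern explicit; the SAMPLE_LOG is a constructed subset of the thread's own hook lines. The regex and the base/offset split are this example's assumptions about GMER's output, not a documented GMER format.

```python
import re
from collections import defaultdict

# Constructed subset of the WS2_32 hook lines from the GMER log in this thread
# (three processes are enough to show the pattern; the full log has many more).
SAMPLE_LOG = r"""
.text C:\WINDOWS\Explorer.EXE[1636] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01D72862
.text C:\WINDOWS\Explorer.EXE[1636] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01D726EE
.text C:\WINDOWS\Explorer.EXE[1636] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01D727E0
.text C:\WINDOWS\Explorer.EXE[1636] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01D72726
.text C:\WINDOWS\Explorer.EXE[1636] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01D7275E
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[2320] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01252862
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[2320] WS2_32.dll!send 71AB4C27 5 Bytes JMP 012526EE
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[2320] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 012527E0
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[2320] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01252726
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[2320] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0125275E
.text C:\WINDOWS\System32\alg.exe[3412] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C22862
.text C:\WINDOWS\System32\alg.exe[3412] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C226EE
.text C:\WINDOWS\System32\alg.exe[3412] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00C227E0
.text C:\WINDOWS\System32\alg.exe[3412] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00C22726
.text C:\WINDOWS\System32\alg.exe[3412] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00C2275E
"""

# One GMER inline-hook line: ".text <image>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target>"
# (pattern assumed from the lines above, not taken from GMER documentation).
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)\s*$"
)

def parse_hooks(log_text):
    """Return one dict per reported inline hook; non-matching lines are skipped."""
    hooks = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["pid"], d["size"] = int(d["pid"]), int(d["size"])
            d["addr"], d["target"] = int(d["addr"], 16), int(d["target"], 16)
            hooks.append(d)
    return hooks

def injected_region(hooks_for_pid, base_mask=0xFFFF0000):
    """Split each JMP target into a 64 KiB-aligned base and a 16-bit offset.
    If every hook in a process lands in the same base, the handlers live in
    one blob of memory that the hook installer mapped into that process."""
    bases = {h["target"] & base_mask for h in hooks_for_pid}
    offsets = {h["func"]: h["target"] & 0xFFFF for h in hooks_for_pid}
    return sorted(bases), offsets

def analyse(log_text):
    """Per-process hook summary plus a cross-process verdict: identical
    per-API offsets in every process mean the same code was injected
    everywhere, at whatever address happened to be free in each process."""
    by_pid = defaultdict(list)
    for h in parse_hooks(log_text):
        by_pid[(h["pid"], h["proc"])].append(h)
    processes, offset_sets = {}, set()
    for (pid, proc), hs in sorted(by_pid.items()):
        bases, offsets = injected_region(hs)
        processes[pid] = {"proc": proc, "bases": bases, "offsets": offsets,
                          "single_base": len(bases) == 1}
        offset_sets.add(frozenset(offsets.items()))
    return {
        "processes": processes,
        "hooked_apis": sorted({h["func"] for hs in by_pid.values() for h in hs}),
        "same_code_everywhere": len(offset_sets) == 1
                                and all(p["single_base"] for p in processes.values()),
    }

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for pid, p in result["processes"].items():
        print(f"pid {pid:<5} {p['proc']}: handlers at base "
              + ", ".join(f"{b:08X}" for b in p["bases"]))
    print("hooked APIs:", ", ".join(result["hooked_apis"]))
    print("same injected code in every process:", result["same_code_everywhere"])
```

Run it over the full log rather than the subset and every process reports `single_base` with the same offset map; that, together with targets in low private memory (00C2…, 0125…, 01D7…) rather than inside WS2_32.dll's own 71AB… range, is what distinguishes a system-wide socket interceptor from a vendor product hooking only its own process.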


#8 km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 30 April 2010 - 02:18 PM

Step # 1 Download and Run mbr.exe

Please download mbr.exe by GMER to your Desktop.

Next, click Start-->Run
Once the Run box is open, type "mbr -f"

Once mbr.exe is done running, post back the resulting log in your next post.

MalWare Removal University Master

Member of ASAP


#9 adamdivine

  • Topic Starter
  • Members
  • 19 posts

Posted 30 April 2010 - 09:38 PM

I downloaded mbr.exe to the desktop. When I tried to use Start - Run - mbr -f, I got an error box saying that the program cannot be found. I then tried to just double-click mbr.exe off of the desktop, and this is what the log said:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x86efd388
NDIS: Intel® PRO/Wireless 2200BG Network Connection -> SendCompleteHandler -> 0x863168f0
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
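
The mbr.exe output above reports three on-disk artefacts: a copy of the MBR in one sector, "malicious code" a few sectors later, and a PE file a little further on, all far beyond the partitions. The script below is an added example, not part of the thread or of GMER's tool, that scans a raw disk image for two of those artefacts with plain heuristics: a sector carrying the same partition table as sector 0 but different boot code (a stashed copy of the original MBR), and MZ headers in sectors outside every partition. The image it scans is constructed inline; the sector numbers, partition layout and the NTFS/MZ bytes are this example's assumptions.

```python
import hashlib
import struct

SECTOR = 512

def _fill(tag, n):
    """Deterministic filler so the constructed image is reproducible."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(f"{tag}:{i}".encode()).digest()
        i += 1
    return out[:n]

def make_partition_table(start_lba, size_sectors):
    """One bootable NTFS (type 0x07) entry; CHS fields left zero."""
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", start_lba, size_sectors)
    return entry + b"\x00" * 48

def build_sample_image(n_sectors=200):
    """Constructed 100 KiB disk image: infected MBR in sector 0, the original
    MBR stashed in unpartitioned space, and a PE file dropped near it."""
    ptable = make_partition_table(63, 58)                     # LBA 63..120
    original_mbr = _fill("original-bootcode", 446) + ptable + b"\x55\xAA"
    infected_mbr = _fill("rootkit-loader", 446) + ptable + b"\x55\xAA"
    img = bytearray(n_sectors * SECTOR)
    img[0:SECTOR] = infected_mbr
    img[63 * SECTOR:63 * SECTOR + 11] = b"\xEB\x52\x90NTFS    "  # volume boot record
    img[70 * SECTOR:70 * SECTOR + 2] = b"MZ"        # ordinary executable stored on the volume
    img[140 * SECTOR:141 * SECTOR] = original_mbr    # hidden copy of the clean MBR
    img[165 * SECTOR:165 * SECTOR + 2] = b"MZ"       # PE written outside any partition
    return bytes(img)

def parse_partitions(mbr):
    """(first_lba, last_lba) for each non-empty entry of the MBR partition table."""
    parts = []
    for i in range(4):
        start, size = struct.unpack_from("<II", mbr, 446 + 16 * i + 8)
        if size:
            parts.append((start, start + size - 1))
    return parts

def in_partition(lba, parts):
    return any(lo <= lba <= hi for lo, hi in parts)

def scan_image(img, sector_size=SECTOR):
    """Look for what an MBR rootkit leaves behind on disk:
    - a sector that ends in 55AA and carries the same partition table as
      sector 0 but different boot code (the backed-up original MBR), and
    - sectors that start with an MZ header but lie outside every partition
      (payload hidden in unpartitioned space)."""
    mbr = img[:sector_size]
    parts = parse_partitions(mbr)
    findings = {"partitions": parts, "mbr_copies": [], "pe_outside_partitions": []}
    for lba in range(1, len(img) // sector_size):
        s = img[lba * sector_size:(lba + 1) * sector_size]
        if s[510:512] == b"\x55\xAA" and s[446:510] == mbr[446:510] and s[:446] != mbr[:446]:
            findings["mbr_copies"].append(lba)
        if s[:2] == b"MZ" and not in_partition(lba, parts):
            findings["pe_outside_partitions"].append(lba)
    return findings

if __name__ == "__main__":
    f = scan_image(build_sample_image())
    print("partitions (first, last LBA):", f["partitions"])
    for lba in f["mbr_copies"]:
        print(f"copy of MBR has been found in sector 0x{lba:08X}")
    for lba in f["pe_outside_partitions"]:
        print(f"PE file found in sector at 0x{lba:08X}")
```

Feed it an image acquired offline, not sectors read from the running system: the same mbr.exe log shows a hook on \Driver\atapi, and the whole point of that hook is to hand back a clean-looking sector 0 to anything reading the disk from inside the infected OS, which is why the tool reads the MBR through both a user and a kernel path before comparing them.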


#10 km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 01 May 2010 - 12:24 PM

Did you put quotes around mbr -f?

If you didn't, try running mbr -f again.

click Start-->Run
Once the Run box is open, type "mbr -f"

Once mbr.exe is done running, post back the resulting log in your next post.

Edited by km2357, 01 May 2010 - 12:24 PM.



#11 adamdivine

  • Topic Starter
  • Members
  • 19 posts

Posted 01 May 2010 - 09:29 PM

It doesn't matter if I use quotes or not. I get a message saying it can't find the program and to make sure I typed the path correctly.

#12 km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 01 May 2010 - 10:02 PM
Posted 01 May 2010 - 10:02 PM

Ok, let's try this.

First, copy/move mbr.exe off of the Desktop and into the C:\Windows\System32 folder.

Once the file has been moved/copied, try doing click Start-->Run
Once the Run box is open, type "mbr -f"

Once mbr.exe is done running, post back the resulting log in your next post.



#13 adamdivine

  • Topic Starter
  • Members
  • 19 posts

Posted 02 May 2010 - 06:35 AM

I don't know what I am doing wrong. I moved the file into the system32 folder. If I type "mbr -f" with the quotes, then Windows says it can't find the file. If I type mbr -f without the quotes, then a DOS box pops up for a second, but nothing else happens. No log results appear. Sorry for the problems, I must be doing something wrong.

#14 km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 02 May 2010 - 12:23 PM

Hmm, that's strange. That should have worked. Let's check something:

Click Start then Run, once the Run box opens up, type cmd and press enter.

Once the DOS prompt window opens, type echo %path% in it and press enter. Copy down what it says and then type in exit to close the window.

Post in your next reply what you wrote down after typing in echo %path%



#15 adamdivine

  • Topic Starter
  • Members
  • 19 posts

Posted 03 May 2010 - 06:38 AM

Sorry for the delay in replying; it seems that the redirect started affecting your website along with Google. I could get to any other website except for BleepingComputer. I ran a scan with Super AntiSpyware and it found some tracking cookies. After it removed the files, I was able to reboot and get back to this site. Anyway, here are the results:

C:\Program Files\Common Files\Acrsoft\Bin;C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\SYSTEM32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Bitvise Tunnelier;C:\Program Files\Quicktime\QT System\
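
The PATH above lists C:\WINDOWS\System32 but not the user's Desktop, and a Windows command line treats a leading double quote as the start of the program name, so the three attempts reported in this thread behave differently for mechanical reasons. The script below is an added example, not from the thread, that models the Start > Run lookup (bare name, then each PATHEXT variant, in the working directory and then each PATH entry) and reproduces all three outcomes plus the quoted-full-path form that works from the Desktop. It uses the thread's PATH string verbatim; the profile name "customer" (from the DDS header), the Desktop location, the Run box's working directory and the PATHEXT order are assumptions, and App Paths registry lookups are deliberately left out.

```python
import ntpath  # Windows path rules, available on every platform

# PATH exactly as it came back from "echo %path%" in this thread.
PATH_FROM_THREAD = (
    r"C:\Program Files\Common Files\Acrsoft\Bin;C:\WINDOWS\System32;C:\WINDOWS;"
    r"C:\WINDOWS\SYSTEM32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;"
    r"C:\Program Files\Bitvise Tunnelier;C:\Program Files\Quicktime\QT System" "\\"
)

# Assumptions (not from the thread): XP profile named "customer" as in the DDS
# header, the Run box starting in that profile directory, default PATHEXT order.
CWD = r"C:\Documents and Settings\customer"
PATHEXT = (".COM", ".EXE", ".BAT", ".CMD")
MBR_ON_DESKTOP = {ntpath.join(CWD, "Desktop", "mbr.exe")}
MBR_IN_SYSTEM32 = {r"C:\WINDOWS\System32\mbr.exe"}

def split_command(cmdline):
    """First token of a Windows command line. A leading double quote makes
    everything up to the closing quote the program name, spaces included,
    so '"mbr -f"' names a program called 'mbr -f' with no arguments."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end == -1:
            return cmdline[1:], ""
        return cmdline[1:end], cmdline[end + 1:].strip()
    head, _, tail = cmdline.partition(" ")
    return head, tail.strip()

def resolve(cmdline, path_env, present_files, cwd=CWD):
    """Model of how Start > Run finds a program: the bare name and then each
    PATHEXT variant, first in cwd and then in every PATH directory. App Paths
    registry entries and shell verbs are ignored (simplification)."""
    program, args = split_command(cmdline)
    by_lower = {p.lower(): p for p in present_files}      # NTFS names are case-insensitive
    if ntpath.splitext(program)[1]:
        candidates = [program]
    else:
        candidates = [program] + [program + ext for ext in PATHEXT]
    if "\\" in program or ntpath.isabs(program):
        dirs = [""]                                       # explicit path: no search
    else:
        dirs = [cwd] + [d for d in path_env.split(";") if d]
    for d in dirs:
        for c in candidates:
            full = ntpath.join(d, c) if d else c
            hit = by_lower.get(full.lower())
            if hit:
                return hit, args
    return None, args

if __name__ == "__main__":
    # Desktop is not on PATH: (None, '-f')
    print(resolve("mbr -f", PATH_FROM_THREAD, MBR_ON_DESKTOP))
    # Quotes make the program name 'mbr -f': (None, '')
    print(resolve('"mbr -f"', PATH_FROM_THREAD, MBR_IN_SYSTEM32))
    # Copied into System32 and unquoted: ('C:\\WINDOWS\\System32\\mbr.exe', '-f')
    print(resolve("mbr -f", PATH_FROM_THREAD, MBR_IN_SYSTEM32))
    # Quoting only the path works straight from the Desktop
    print(resolve('"' + ntpath.join(CWD, "Desktop", "mbr.exe") + '" -f',
                  PATH_FROM_THREAD, MBR_ON_DESKTOP))
```

The model also explains why the unquoted System32 attempt "flashed a DOS box": the lookup succeeded and a console program ran to completion with no window left open, so the next thing to check is the log file the tool writes, not the PATH.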
