
Google Redirect virus


57 replies to this topic

#1 nomara

nomara

  • Members
  • 32 posts

Posted 08 May 2010 - 10:42 PM

Hello, I have been having a problem with my browser redirecting my Google searches to unknown websites. It has been going on for about a week now, and it is making it very hard to do research for my classes. I did do a scan with Malwarebytes and it did remove some infections on my computer, but the redirecting problem still exists.

When I get redirected, the link has this at the beginning: 64.111.196.114, and this at the end: Dtdss.sys.

Here are my Ark and Attach logs:

Attached File  Ark.txt   2.49KB   10 downloads
Attached File  Attach.txt   6.78KB   6 downloads

And my DDS log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Angel at 19:28:20.78 on Sat 05/08/2010
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2939.1410 [GMT -7:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\system32\spool\DRIVERS\W32X86\3\lxebserv.exe
C:\Windows\system32\lxebcoms.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Toshiba\SmartFaceV\SmartFaceVWatchSrv.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe
C:\Program Files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lexmark Pro200-S500 Series\lxebmon.exe
C:\Program Files\Lexmark Pro200-S500 Series\ezprint.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Angel\Program Files\DNA\btdna.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Sprint Instinct Applications\MEMonitor.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Angel\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = Preserve
mStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Aim6]
uRun: [BitTorrent DNA] "c:\users\angel\program files\dna\btdna.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [PCMAgent] "c:\program files\cyberlink\powercinema for toshiba\PCMAgent.exe"
mRun: [CLMLServer] "c:\program files\cyberlink\powercinema for toshiba\kernel\clml\CLMLSvc.exe"
mRun: [Skytel] Skytel.exe
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [lxebmon.exe] "c:\program files\lexmark pro200-s500 series\lxebmon.exe"
mRun: [EzPrint] "c:\program files\lexmark pro200-s500 series\ezprint.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\users\angel\appdata\roaming\micros~1\windows\startm~1\programs\startup\sprint~1.lnk - c:\windows\RM.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\runreg~1.lnk - c:\program files\wificonnector\NintendoWFCReg.exe
uPolicies-explorer: HideClock = 0 (0x0)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\angel\appdata\roaming\mozilla\firefox\profiles\brna7bfy.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - MySpace.com
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://searchservice.myspace.com/index.cfm?fuseaction=sitesearch.results&type=Web&orig=IMC-FFDS&qry=
FF - component: c:\users\angel\appdata\roaming\mozilla\firefox\profiles\brna7bfy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nphssb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\angel\appdata\local\yahoo!\browserplus\2.7.1\plugins\npybrowserplus_2.7.1.dll
FF - plugin: c:\users\angel\program files\dna\plugins\npbtdna.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0015-0000-0018-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-4-24 207280]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-4-24 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-4-24 59664]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-4-24 233136]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2008-7-10 40960]
R2 lxeb_device;lxeb_device;c:\windows\system32\lxebcoms.exe -service --> c:\windows\system32\lxebcoms.exe -service [?]
R2 lxebCATSCustConnectService;lxebCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxebserv.exe [2009-12-10 98984]
R2 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2008-8-14 46392]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-8-14 7168]
R3 NETw5v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\drivers\NETw5v32.sys [2008-4-28 3658752]
R3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\toshiba\smartfacev\SmartFaceVWatchSrv.exe [2008-4-24 73728]
S2 gupdate1ca8b82cc90b607;Google Update Service (gupdate1ca8b82cc90b607);c:\program files\google\update\GoogleUpdate.exe [2010-1-2 133104]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2010-4-24 70408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-4-24 365280]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-4-24 1141712]
S3 SVRPEDRV;SVRPEDRV;c:\windows\system32\sysprep\PEDRV.SYS [2008-8-20 9216]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-4-24 33552]
S3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-1-20 16896]

=============== Created Last 30 ================

2010-05-08 01:44:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-08 01:44:20 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-04 04:36:11 0 d-----w- c:\program files\iPod
2010-05-04 04:36:09 0 d-----w- c:\program files\iTunes
2010-05-04 04:30:34 0 d-----w- c:\program files\Bonjour
2010-05-03 21:50:48 0 d-----w- c:\users\angel\appdata\roaming\Malwarebytes
2010-05-03 21:45:38 0 d-----w- c:\programdata\Malwarebytes
2010-05-03 21:45:32 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-03 20:43:30 0 d-----w- C:\ComboFix
2010-05-03 06:25:44 0 d-----w- c:\programdata\FrontLine Registry Cleaner
2010-05-03 06:25:39 0 d-----w- c:\program files\Frontline Registry Cleaner
2010-05-02 17:34:38 0 d-sh--w- C:\found.000
2010-05-01 17:31:14 0 d-----w- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2010-04-25 09:01:23 0 d-----w- C:\4cc56b107dab2af3bdc9b7f77c
2010-04-24 23:07:18 59664 --s---w- c:\windows\system32\drivers\TfSysMon.sys
2010-04-24 23:07:18 51984 --s---w- c:\windows\system32\drivers\TfFsMon.sys
2010-04-24 23:07:18 33552 --s---w- c:\windows\system32\drivers\TfNetMon.sys
2010-04-24 23:05:30 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-04-24 23:05:30 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-04-24 23:05:30 100136 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2010-04-24 23:05:26 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-04-24 23:05:25 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-04-24 23:05:25 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-04-24 23:05:25 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-04-24 23:05:21 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-04-24 23:05:21 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-24 23:05:15 0 d-----w- c:\users\angel\appdata\roaming\PC Tools
2010-04-24 23:05:15 0 d-----w- c:\programdata\PC Tools
2010-04-24 23:05:15 0 d-----w- c:\program files\Spyware Doctor
2010-04-24 23:05:15 0 d-----w- c:\program files\common files\PC Tools
2010-04-24 23:02:06 0 d-----w- c:\users\angel\appdata\roaming\GetRightToGo
2010-04-23 14:58:43 134 ----a-w- c:\users\angel\Connect To - Shortcut.lnk
2010-04-23 04:24:30 240 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-04-23 03:45:14 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-04-23 03:45:14 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-23 03:01:22 598016 ---ha-w- C:\SZKGFS.dat
2010-04-21 08:32:30 0 d-----w- c:\programdata\SITEguard
2010-04-21 08:31:03 0 d-----w- c:\program files\common files\iS3
2010-04-21 08:31:02 0 d-----w- c:\programdata\STOPzilla!
2010-04-21 06:11:01 240640 ----a-w- c:\programdata\bitsigd32.dll
2010-04-21 05:11:03 240640 ----a-w- c:\programdata\bootstr32.dll
2010-04-20 22:10:57 240640 ----a-w- c:\programdata\dmcompos32.dll
2010-04-20 18:55:51 240640 ----a-w- c:\programdata\FM2032.dll
2010-04-20 17:55:49 240640 ----a-w- c:\programdata\fdWSD32.dll
2010-04-20 14:29:49 240640 ----a-w- c:\programdata\dpnlobby32.dll
2010-04-20 09:34:18 240640 ----a-w- c:\programdata\DC26532.dll
2010-04-20 08:34:15 240640 ----a-w- c:\programdata\d3dxof32.dll
2010-04-20 07:34:13 240640 ----a-w- c:\programdata\d3d932.dll
2010-04-20 06:34:12 240640 ----a-w- c:\programdata\d3d10_1core32.dll
2010-04-20 05:34:11 240640 ----a-w- c:\programdata\d3d10level932.dll
2010-04-20 03:34:06 240640 ----a-w- c:\programdata\cryptsvc32.dll
2010-04-20 02:34:03 240640 ----a-w- c:\programdata\corpol32.dll
2010-04-20 01:34:16 240640 ----a-w- c:\programdata\dbgeng32.dll
2010-04-20 00:34:08 240640 ----a-w- c:\programdata\CSVer32.dll
2010-04-19 13:53:59 240640 ----a-w- c:\programdata\gdi3232.dll
2010-04-19 08:40:25 240640 ----a-w- c:\programdata\DivX32.dll
2010-04-19 07:40:23 240640 ----a-w- c:\programdata\dimsroam32.dll
2010-04-19 06:40:28 240640 ----a-w- c:\programdata\dmdskres32.dll
2010-04-19 05:40:20 240640 ----a-w- c:\programdata\DfsShlEx32.dll
2010-04-19 03:40:17 240640 ----a-w- c:\programdata\deskperf32.dll
2010-04-19 02:40:15 240640 ----a-w- c:\programdata\deimg40132.dll
2010-04-19 00:40:16 240640 ----a-w- c:\programdata\deploytk32.dll
2010-04-19 00:10:42 0 d-----w- c:\program files\WinDirStat
2010-04-18 23:40:08 240640 ----a-w- c:\programdata\d3dramp32.dll
2010-04-18 22:01:23 240640 ----a-w- c:\programdata\cfgbkend32.dll
2010-04-18 21:01:32 240640 ----a-w- c:\programdata\comdlg3232.dll
2010-04-18 20:01:58 240640 ----a-w- c:\programdata\devmgr32.dll
2010-04-18 19:55:58 240640 ----a-w- c:\programdata\getuname32.dll
2010-04-18 19:43:29 240640 ----a-w- c:\programdata\dnshc32.dll
2010-04-18 19:38:58 240640 ----a-w- c:\programdata\EpPicPrt32.dll
2010-04-18 17:38:39 240640 ----a-w- c:\programdata\dpnet32.dll
2010-04-12 06:36:46 0 d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

==================== Find3M ====================

2010-05-04 04:31:24 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-04 04:31:24 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-05-01 17:30:22 86016 ----a-w- c:\windows\inf\infstor.dat
2010-04-08 20:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 20:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-05 20:43:24 72080 ----a-w- c:\users\angel\g2mdlhlpx.exe
2010-03-28 14:00:23 203776 --sh--w- c:\programdata\unrar.exe
2010-03-28 11:35:08 2229 ----a-w- c:\windows\system32\cd78.vbs
2010-02-24 17:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2009-11-17 17:35:10 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-22 05:42:58 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-08-22 18:58:40 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-12-11 04:57:14 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009121020091211\index.dat
2009-10-15 23:30:51 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-12-24 01:44:17 13 --sh--r- c:\windows\system32\drivers\fbd.sys
2008-12-24 01:44:15 4 --sh--r- c:\windows\system32\drivers\taishop.sys

============= FINISH: 19:29:57.20 ===============

Help would be very much appreciated



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 10 May 2010 - 06:38 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there. The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic, and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

m0le is a proud member of UNITE

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 15 May 2010 - 06:16 PM

This topic has been closed.

If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 18 May 2010 - 12:57 PM

Reopened at user's request

----------------------------------------------

Please post new DDS and Gmer logs. Thanks

#5 nomara

nomara
  • Topic Starter
  • Members
  • 32 posts

Posted 19 May 2010 - 06:55 PM

Okay, thanks. Here are the logs:

Attached File  ark.txt   2.36KB   6 downloads
Attached File  Attach.txt   13.13KB   6 downloads

DDS (Ver_10-03-17.01) - NTFSx86
Run by Angel at 16:45:07.20 on Wed 05/19/2010
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2939.1081 [GMT -7:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\system32\spool\DRIVERS\W32X86\3\lxebserv.exe
C:\Windows\system32\lxebcoms.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Toshiba\SmartFaceV\SmartFaceVWatchSrv.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe
C:\Program Files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lexmark Pro200-S500 Series\lxebmon.exe
C:\Program Files\Lexmark Pro200-S500 Series\ezprint.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Angel\Program Files\DNA\btdna.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Sprint Instinct Applications\MEMonitor.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Angel\Desktop\gmer\gmer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Angel\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = Preserve
mStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Aim6]
uRun: [BitTorrent DNA] "c:\users\angel\program files\dna\btdna.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [PCMAgent] "c:\program files\cyberlink\powercinema for toshiba\PCMAgent.exe"
mRun: [CLMLServer] "c:\program files\cyberlink\powercinema for toshiba\kernel\clml\CLMLSvc.exe"
mRun: [Skytel] Skytel.exe
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [lxebmon.exe] "c:\program files\lexmark pro200-s500 series\lxebmon.exe"
mRun: [EzPrint] "c:\program files\lexmark pro200-s500 series\ezprint.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\users\angel\appdata\roaming\micros~1\windows\startm~1\programs\startup\sprint~1.lnk - c:\windows\RM.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\runreg~1.lnk - c:\program files\wificonnector\NintendoWFCReg.exe
uPolicies-explorer: HideClock = 0 (0x0)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\angel\appdata\roaming\mozilla\firefox\profiles\brna7bfy.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - MySpace.com
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://searchservice.myspace.com/index.cfm?fuseaction=sitesearch.results&type=Web&orig=IMC-FFDS&qry=
FF - component: c:\users\angel\appdata\roaming\mozilla\firefox\profiles\brna7bfy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nphssb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\angel\appdata\local\yahoo!\browserplus\2.7.1\plugins\npybrowserplus_2.7.1.dll
FF - plugin: c:\users\angel\program files\dna\plugins\npbtdna.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0015-0000-0018-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-4-24 207280]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-4-24 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-4-24 59664]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-4-24 233136]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2008-7-10 40960]
R2 lxeb_device;lxeb_device;c:\windows\system32\lxebcoms.exe -service --> c:\windows\system32\lxebcoms.exe -service [?]
R2 lxebCATSCustConnectService;lxebCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxebserv.exe [2009-12-10 98984]
R2 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2008-8-14 46392]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-8-14 7168]
R3 NETw5v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\drivers\NETw5v32.sys [2008-4-28 3658752]
R3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\toshiba\smartfacev\SmartFaceVWatchSrv.exe [2008-4-24 73728]
S2 gupdate1ca8b82cc90b607;Google Update Service (gupdate1ca8b82cc90b607);c:\program files\google\update\GoogleUpdate.exe [2010-1-2 133104]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 mr97310c;CIF Dual-Mode Camera;c:\windows\system32\drivers\mr97310c.sys [2008-3-27 116992]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2010-4-24 70408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-4-24 365280]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-4-24 1141712]
S3 SVRPEDRV;SVRPEDRV;c:\windows\system32\sysprep\PEDRV.SYS [2008-8-20 9216]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-4-24 33552]
S3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-1-20 16896]

=============== Created Last 30 ================

2010-05-11 23:05:43 327735955 ----a-w- c:\windows\MEMORY.DMP
2010-05-11 00:56:15 0 d-----w- c:\users\angel\appdata\roaming\Data Protection
2010-05-08 01:44:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-08 01:44:20 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-04 04:36:11 0 d-----w- c:\program files\iPod
2010-05-04 04:36:09 0 d-----w- c:\program files\iTunes
2010-05-04 04:30:34 0 d-----w- c:\program files\Bonjour
2010-05-03 21:50:48 0 d-----w- c:\users\angel\appdata\roaming\Malwarebytes
2010-05-03 21:45:38 0 d-----w- c:\programdata\Malwarebytes
2010-05-03 21:45:32 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-03 20:43:30 0 d-----w- C:\ComboFix
2010-05-03 06:25:44 0 d-----w- c:\programdata\FrontLine Registry Cleaner
2010-05-03 06:25:39 0 d-----w- c:\program files\Frontline Registry Cleaner
2010-05-02 17:34:38 0 d-sh--w- C:\found.000
2010-05-01 17:31:14 0 d-----w- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2010-04-25 09:01:23 0 d-----w- C:\4cc56b107dab2af3bdc9b7f77c
2010-04-24 23:07:18 59664 --s---w- c:\windows\system32\drivers\TfSysMon.sys
2010-04-24 23:07:18 51984 --s---w- c:\windows\system32\drivers\TfFsMon.sys
2010-04-24 23:07:18 33552 --s---w- c:\windows\system32\drivers\TfNetMon.sys
2010-04-24 23:05:30 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-04-24 23:05:30 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-04-24 23:05:30 100136 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2010-04-24 23:05:26 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-04-24 23:05:25 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-04-24 23:05:25 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-04-24 23:05:25 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-04-24 23:05:21 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-04-24 23:05:21 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-24 23:05:15 0 d-----w- c:\users\angel\appdata\roaming\PC Tools
2010-04-24 23:05:15 0 d-----w- c:\programdata\PC Tools
2010-04-24 23:05:15 0 d-----w- c:\program files\Spyware Doctor
2010-04-24 23:05:15 0 d-----w- c:\program files\common files\PC Tools
2010-04-24 23:02:06 0 d-----w- c:\users\angel\appdata\roaming\GetRightToGo
2010-04-23 14:58:43 134 ----a-w- c:\users\angel\Connect To - Shortcut.lnk
2010-04-23 04:24:30 240 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-04-23 03:45:14 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-04-23 03:45:14 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-23 03:01:22 598016 ---ha-w- C:\SZKGFS.dat
2010-04-21 08:32:30 0 d-----w- c:\programdata\SITEguard
2010-04-21 08:31:03 0 d-----w- c:\program files\common files\iS3
2010-04-21 08:31:02 0 d-----w- c:\programdata\STOPzilla!
2010-04-21 06:11:01 240640 ----a-w- c:\programdata\bitsigd32.dll
2010-04-21 05:11:03 240640 ----a-w- c:\programdata\bootstr32.dll
2010-04-20 22:10:57 240640 ----a-w- c:\programdata\dmcompos32.dll
2010-04-20 18:55:51 240640 ----a-w- c:\programdata\FM2032.dll
2010-04-20 17:55:49 240640 ----a-w- c:\programdata\fdWSD32.dll
2010-04-20 14:29:49 240640 ----a-w- c:\programdata\dpnlobby32.dll
2010-04-20 09:34:18 240640 ----a-w- c:\programdata\DC26532.dll
2010-04-20 08:34:15 240640 ----a-w- c:\programdata\d3dxof32.dll
2010-04-20 07:34:13 240640 ----a-w- c:\programdata\d3d932.dll
2010-04-20 06:34:12 240640 ----a-w- c:\programdata\d3d10_1core32.dll
2010-04-20 05:34:11 240640 ----a-w- c:\programdata\d3d10level932.dll
2010-04-20 03:34:06 240640 ----a-w- c:\programdata\cryptsvc32.dll
2010-04-20 02:34:03 240640 ----a-w- c:\programdata\corpol32.dll
2010-04-20 01:34:16 240640 ----a-w- c:\programdata\dbgeng32.dll
2010-04-20 00:34:08 240640 ----a-w- c:\programdata\CSVer32.dll

==================== Find3M ====================

2010-05-11 08:37:37 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-11 08:37:36 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-05-11 08:37:34 86016 ----a-w- c:\windows\inf\infstor.dat
2010-05-06 17:36:38 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-19 13:53:59 240640 ----a-w- c:\programdata\gdi3232.dll
2010-04-19 08:40:25 240640 ----a-w- c:\programdata\DivX32.dll
2010-04-19 07:40:23 240640 ----a-w- c:\programdata\dimsroam32.dll
2010-04-19 06:40:28 240640 ----a-w- c:\programdata\dmdskres32.dll
2010-04-19 05:40:20 240640 ----a-w- c:\programdata\DfsShlEx32.dll
2010-04-19 03:40:17 240640 ----a-w- c:\programdata\deskperf32.dll
2010-04-19 02:40:15 240640 ----a-w- c:\programdata\deimg40132.dll
2010-04-19 00:40:16 240640 ----a-w- c:\programdata\deploytk32.dll
2010-04-18 23:40:08 240640 ----a-w- c:\programdata\d3dramp32.dll
2010-04-18 22:01:23 240640 ----a-w- c:\programdata\cfgbkend32.dll
2010-04-18 21:01:32 240640 ----a-w- c:\programdata\comdlg3232.dll
2010-04-18 20:01:58 240640 ----a-w- c:\programdata\devmgr32.dll
2010-04-18 19:55:58 240640 ----a-w- c:\programdata\getuname32.dll
2010-04-18 19:43:29 240640 ----a-w- c:\programdata\dnshc32.dll
2010-04-18 19:38:58 240640 ----a-w- c:\programdata\EpPicPrt32.dll
2010-04-18 17:38:39 240640 ----a-w- c:\programdata\dpnet32.dll
2010-04-08 20:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 20:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-05 20:43:24 72080 ----a-w- c:\users\angel\g2mdlhlpx.exe
2010-03-28 14:00:23 203776 --sh--w- c:\programdata\unrar.exe
2010-03-28 11:35:08 2229 ----a-w- c:\windows\system32\cd78.vbs
2009-11-17 17:35:10 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-22 05:42:58 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-08-22 18:58:40 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-12-11 04:57:14 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009121020091211\index.dat
2009-10-15 23:30:51 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-12-24 01:44:17 13 --sh--r- c:\windows\system32\drivers\fbd.sys
2008-12-24 01:44:15 4 --sh--r- c:\windows\system32\drivers\taishop.sys

============= FINISH: 16:45:56.17 ===============

Also, for some reason, three .exe files have appeared on my desktop: spam001.exe, spam003.exe and troj000.exe. I have no idea where they came from or if they have anything to do with the problem.
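The c:\programdata DLLs in the log above (all 240640 bytes, names that echo real system DLLs with a "32" suffix, dropped roughly once an hour between 18 and 21 April) are the kind of pattern a triage script can pull out of a DDS listing automatically rather than by eye. The Python below is an added example, not part of this thread or of the DDS tool: it parses the "Created Last 30" / "Find3M" file lines, groups same-size files per directory, counts look-alike names and measures how regular the creation cadence is. The line regex, the cluster size and the cadence tolerance are assumptions chosen for this log; SAMPLE_LOG is a handful of lines copied from the listing above plus a few benign entries from the same log.

```python
r"""Triage a DDS "Created Last 30" / "Find3M" listing for dropper clusters.

Added example; not part of this thread or of the DDS tool.  It pulls out
the pattern visible in the log above: many files of one size in one
directory, named like real system DLLs plus a "32" suffix, created at a
regular cadence.  MIN_CLUSTER and CADENCE_TOLERANCE_S are assumptions
chosen for that log; SAMPLE_LOG is a handful of lines copied from it.
"""
import re
from collections import defaultdict
from datetime import datetime

# One DDS file line: "YYYY-MM-DD HH:MM:SS <size> <attr flags> <path>"
DDS_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) +(\d+) +(\S+) +(.+)$"
)
LOOKALIKE_DLL = re.compile(r"[a-z0-9_]+32\.dll")

MIN_CLUSTER = 4            # assumption: fewer same-size files is noise
CADENCE_TOLERANCE_S = 120  # assumption: gaps within 2 min of the median

SAMPLE_LOG = r"""
=============== Created Last 30 ================
2010-05-08 01:44:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-08 01:44:20 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-24 23:05:30 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-04-20 09:34:18 240640 ----a-w- c:\programdata\DC26532.dll
2010-04-20 08:34:15 240640 ----a-w- c:\programdata\d3dxof32.dll
2010-04-20 07:34:13 240640 ----a-w- c:\programdata\d3d932.dll
2010-04-20 06:34:12 240640 ----a-w- c:\programdata\d3d10_1core32.dll
2010-04-20 05:34:11 240640 ----a-w- c:\programdata\d3d10level932.dll
2010-04-20 03:34:06 240640 ----a-w- c:\programdata\cryptsvc32.dll
2010-04-20 02:34:03 240640 ----a-w- c:\programdata\corpol32.dll
2010-04-20 01:34:16 240640 ----a-w- c:\programdata\dbgeng32.dll
2010-04-20 00:34:08 240640 ----a-w- c:\programdata\CSVer32.dll
==================== Find3M ====================
2010-03-28 14:00:23 203776 --sh--w- c:\programdata\unrar.exe
"""


def parse_dds_lines(text):
    """Return (created, size, attrs, path) tuples for the file lines;
    section headers and anything else are skipped."""
    entries = []
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if not m:
            continue
        created = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        entries.append((created, int(m.group(2)), m.group(3), m.group(4).lower()))
    return entries


def is_lookalike_dll(path):
    """cryptsvc32.dll, d3d932.dll, ...: a stem plus '32' before .dll, the
    naming the droppers in this log use to blend in with system DLLs."""
    return LOOKALIKE_DLL.fullmatch(path.rsplit("\\", 1)[-1]) is not None


def find_dropper_clusters(entries):
    """Group files by (directory, size); for each group big enough,
    report how many names are look-alikes and how regular the creation
    cadence is (median gap, and how many gaps sit within tolerance)."""
    groups = defaultdict(list)
    for created, size, _attrs, path in entries:
        groups[(path.rsplit("\\", 1)[0], size)].append((created, path))

    clusters = []
    for (directory, size), members in groups.items():
        if len(members) < MIN_CLUSTER:
            continue
        members.sort()
        gaps = sorted(
            (members[i + 1][0] - members[i][0]).total_seconds()
            for i in range(len(members) - 1)
        )
        median_gap = gaps[len(gaps) // 2]
        clusters.append({
            "directory": directory,
            "size": size,
            "count": len(members),
            "lookalike_names": sum(1 for _, p in members if is_lookalike_dll(p)),
            "median_gap_s": median_gap,
            "regular_gaps": sum(1 for g in gaps if abs(g - median_gap) <= CADENCE_TOLERANCE_S),
            "paths": [p for _, p in members],
        })
    clusters.sort(key=lambda c: (-c["lookalike_names"], -c["count"]))
    return clusters


if __name__ == "__main__":
    for c in find_dropper_clusters(parse_dds_lines(SAMPLE_LOG)):
        print(f"{c['directory']}: {c['count']} x {c['size']} bytes, "
              f"{c['lookalike_names']} look-alike names, "
              f"median gap {c['median_gap_s']:.0f}s ({c['regular_gaps']} regular)")
        for p in c["paths"]:
            print("   ", p)
```

On the sample it reports one cluster in c:\programdata: nine files of 240640 bytes, all nine with look-alike names, median gap about an hour with seven of the eight gaps within tolerance. The mbam and PC Tools drivers fall below MIN_CLUSTER and are not reported. Paste the full "Created Last 30" and "Find3M" sections into SAMPLE_LOG to run it over the whole listing.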

#6 m0le (Malware Response Team, London, UK)

Posted 19 May 2010 - 07:09 PM

Something's definitely going on.


The logs aren't showing the way though so please run Combofix

Please download ComboFix from one of these locations. IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all-inclusive.)
  • Double-click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#7 nomara (Topic Starter)

Posted 20 May 2010 - 03:08 AM

I can't run combofix for some reason. Every time it loads and scans my computer, but after about 5 minutes my computer freezes and I have to restart it.

#8 m0le (Malware Response Team, London, UK)

Posted 20 May 2010 - 01:00 PM

Okay, please run the Rkill program first

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • Please post the resulting log in your next reply.

Now try running Combofix again

#9 nomara (Topic Starter)

Posted 21 May 2010 - 07:24 AM

Here is the Rkill log

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Angel on 05/20/2010 at 21:17:08.


Processes terminated by Rkill or while it was running:


C:\Users\Angel\Program Files\DNA\btdna.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Angel\Desktop\rkill.scr

I tried to run ComboFix again and it ran for about 3 hours with still no log; then I left it overnight to see if it would make a log, but when I got up this morning my computer was shut down. Also, it seems whenever I run ComboFix it tells me that one of my files is corrupted and that I need to run a disk check, and even after I do a disk check it still won't run.

#10 m0le (Malware Response Team, London, UK)

Posted 21 May 2010 - 04:01 PM

In order to resolve your problem we will need to download a program called OTLPE. This program is quite large, at 292MB, so it will take a while to download. In order to get this program set up properly, please print out these instructions so you can follow them when you are at the computer we will be working on.

First

Please download ISOBurner; this will allow you to burn the OTLPE ISO to a CD and make it bootable. Just install the program; from there on it is fairly automatic. Instructions

Second
  • Download OTLPE.iso and burn it to a CD using ISOBurner. NOTE: This file is 292MB in size, so it may take some time to download.
  • When downloaded, double-click it and this will then open ISOBurner to burn the file to CD
  • Reboot your system using the boot CD you just created.

    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to Use Safelist
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.


#11 nomara (Topic Starter)

Posted 22 May 2010 - 05:59 PM

Now it seems like I have another problem. It seems that Antispyware Soft has installed itself onto my computer and it is preventing me from burning the file to the cd. It tells me that the application cannot be executed. The file isoburnner.exe is infected. Then it asks me if I want to activate the antivirus software.

#12 m0le (Malware Response Team, London, UK)

Posted 22 May 2010 - 06:11 PM

Sorry, yes, there's no way the malware will be letting you do that. You should burn this program to a CD using a clean machine.

Then run it on the infected machine.

#13 nomara (Topic Starter)

Posted 22 May 2010 - 06:20 PM

Okay, then I will just have to wait until Monday so that I can borrow my friend's computer.

#14 nomara (Topic Starter)

Posted 22 May 2010 - 07:48 PM

Here is the OTL file. I can't copy and paste, so I attached it (attached file: OTL.Txt, 109.85KB).

#15 m0le (Malware Response Team, London, UK)

Posted 22 May 2010 - 08:24 PM

Run OTLPE and paste this into the Custom Scans/Fixes box and click Run Fix

CODE
:OTL
FF - HKLM\software\mozilla\Firefox\Extensions\\m3ffxtbr@mywebsearch.com: C:\Program Files\MyWebSearch\bar\2.bin File not found
[2009/10/16 16:14:30 | 000,009,949 | ---- | M] () -- C:\Users\Angel\AppData\Roaming\Mozilla\Firefox\Profiles\brna7bfy.default\searchplugins\mywebsearch.xml
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O4 - HKU\Angel_ON_C..\Run: [ykowljja] C:\Users\Angel\AppData\Local\aishlsjre\hhbxrmwtssd.exe ()
:Files
C:\Program Files\MyWebSearch
C:\Users\Angel\AppData\Local\aishlsjre
C:\Users\Angel\Desktop\troj000.exe
C:\Users\Angel\Desktop\spam003.exe
C:\Users\Angel\Desktop\spam001.exe
C:\Users\Angel\AppData\Local\c7vdif
C:\Users\Angel\AppData\Local\53YQ5yXeP
C:\Users\Angel\AppData\Local\118F261KX
C:\Users\Angel\AppData\Local\760y

:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
""=""%1" %*"

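The :reg section of that fix puts HKLM\SOFTWARE\Classes\exefile\shell\open\command back to "%1" %*, the stock Windows value that simply runs the clicked file (%1) with its arguments (%*). Rogue antivirus products of the kind described in post #11 commonly replace that value so their own binary is launched in front of every .exe, which is how a program the user double-clicks comes to be reported as "infected". The Python below is an added example, not part of this thread, of OTL or of Windows: a checker that classifies any value of that key (stock or hijacked, and if hijacked which program is interposed and whether the real target still gets through) and, on Windows, reads the live value with the standard-library winreg module. The sample strings are constructed and the rogue path in them is made up.

```python
r"""Classify the .exe file-association command and spot a hijack.

Added example; not code from this thread, from OTL or from Windows.
The stock value of HKLM\SOFTWARE\Classes\exefile\shell\open\command is
"%1" %*: run the clicked file (%1) with its arguments (%*).  Anything
in front of %1 is an interposed program that sees every .exe launch.
Sample strings in SAMPLES are constructed; the rogue path is made up.
"""
import re
import sys

EXE_COMMAND_KEY = r"SOFTWARE\Classes\exefile\shell\open\command"
STOCK_EXE_COMMAND = '"%1" %*'

# Forms Windows treats as the plain default: optional quotes around %1,
# optional trailing %* argument placeholder.
_DEFAULT_FORMS = re.compile(r'^"?%1"?( %\*)?$')

# First token of a command line: a quoted path or a bare word.
_FIRST_TOKEN = re.compile(r'"([^"]+)"|(\S+)')

SAMPLES = {  # constructed for this example
    "stock": STOCK_EXE_COMMAND,
    "stock_unquoted": "%1 %*",
    "rogue": r'"C:\Users\Angel\AppData\Local\rogue\rogue.exe" /START "%1" %*',
    "rogue_drops_args": r'C:\ProgramData\x.exe "%1"',
}


def normalise(cmd):
    """Collapse whitespace so quoting/spacing variants compare equal."""
    return re.sub(r"\s+", " ", cmd.strip())


def is_default_exe_command(cmd):
    """True if the command just launches the target with its arguments."""
    return _DEFAULT_FORMS.match(normalise(cmd)) is not None


def hijack_summary(cmd):
    """None for a stock value; otherwise which program is interposed and
    whether the real target (%1) and its arguments (%*) still get through."""
    cmd_n = normalise(cmd)
    if is_default_exe_command(cmd_n):
        return None
    m = _FIRST_TOKEN.match(cmd_n)
    interposed = (m.group(1) or m.group(2)) if m else ""
    return {
        "interposed": interposed,
        "passes_target": "%1" in cmd_n,
        "passes_args": "%*" in cmd_n,
    }


def read_exe_command():
    """Live (Default) value of the key on Windows; None on other platforms."""
    if not sys.platform.startswith("win"):
        return None
    import winreg  # standard library, Windows only
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, EXE_COMMAND_KEY) as key:
        value, _kind = winreg.QueryValueEx(key, "")
    return value


def check_samples():
    """Map each sample name to its hijack summary (None == clean)."""
    return {name: hijack_summary(cmd) for name, cmd in SAMPLES.items()}


if __name__ == "__main__":
    live = read_exe_command()
    print("live value:", live if live is not None else "(not Windows)")
    if live is not None and not is_default_exe_command(live):
        print("HIJACKED:", hijack_summary(live))
    for name, result in check_samples().items():
        print(f"{name}: {'clean' if result is None else result}")
```

Run it from an elevated prompt on the infected machine (or against a registry hive loaded offline, as OTLPE does) to see the value before and after the fix. A hijacked value that still passes %1 explains the symptom in post #11: the rogue runs first, decides whether the real target is allowed, and can print its fake "infected" warning instead of launching it.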



