Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Google links redirecting

  • This topic is locked This topic is locked
35 replies to this topic

#1 marduc


  • Members
  • 114 posts
  • Gender:Male
  • Location:Florida
  • Local time:04:53 PM

Posted 16 May 2010 - 12:34 PM

I use Firefox almost exclusively, but I also tried IE after I ran into this problem, and it seems to effect that as well. When I try to open a link in a google search it redirects the results and opens what appears to be random pages not related to my search, or the link I am trying to open, I downloaded Chrome and I cannot even get it to open up the google home page. I see others with very similar problems, but I don't want to assume that what their problem or what their fix is is going to be the same for me. Let me post my logs/info and we can go from there.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Tom at 12:25:06.84 on Sun 05/16/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2549 [GMT -4:00]

============== Running Processes ===============

C:WINDOWSsystem32svchost -k DcomLaunch
C:WINDOWSSystem32svchost.exe -k netsvcs
C:Program FilesLavasoftAd-AwareAAWService.exe
C:Program FilesJavajre6binjqs.exe
C:Program FilesCommon FilesLogiShrdLVCOMSERLVComSer.exe
C:Program FilesCommon FilesLogiShrdLVMVFMLVPrcSrv.exe
C:WINDOWSsystem32svchost.exe -k imgsvc
C:Program FilesCommon FilesLogiShrdLVCOMSERLVComSer.exe
C:Program FilesCommon FilesLogiShrdLComMgrCommunications_Helper.exe
C:Program FilesLogitechQuickCamQuickcam.exe
C:Program FilesCommon FilesJavaJava Updatejusched.exe
C:Program FilesSpybot - Search & DestroyTeaTimer.exe
C:Program FilesATI TechnologiesATI.ACECore-StaticMOM.exe
C:Program FilesCommon FilesLogishrdLQCVFXCOCIManager.exe
C:Program FilesATI TechnologiesATI.ACECore-Staticccc.exe
C:Program FilesMozilla Firefoxfirefox.exe
C:Program FilesLavasoftAd-AwareAAWTray.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:program filescommon filesmicrosoft sharedwindows liveWindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:program filesjavajre6binjp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:program filesjavajre6libdeployjqsiejqs_plugin.dll
uRun: [ctfmon.exe] c:windowssystem32ctfmon.exe
uRun: [SpybotSD TeaTimer] c:program filesspybot - search & destroyTeaTimer.exe
mRun: [LogitechCommunicationsManager] "c:program filescommon fileslogishrdlcommgrCommunications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:program fileslogitechquickcamQuickcam.exe" /hide
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [MARTUCCIEPSON Stylus CX4200 Series] c:windowssystem32spooldriversw32x863e_fatiaea.exe /p37 "martucciEPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
mRun: [EnableDCOM] N
mRun: [Six Engine] "c:program filesasusepu-4 engineFourEngine.exe" -b
mRun: [SunJavaUpdateSched] "c:program filescommon filesjavajava updatejusched.exe"
mRun: [StartCCC] "c:program filesati technologiesati.acecore-staticCLIStart.exe" MSRun
mRunServices: [Secure Driver] c:docume~1tomlocals~1tempmjf13.exe
dRunOnce: [WUAppSetup] c:program filescommon fileslogishrdWUApp32.exe -v 0x046d -p 0x08d9 -f video -m logitech -d 11.80.1048.0
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%Network Diagnosticxpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:program filesmessengermsmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: {44C7A45A-1310-42A4-AE43-7F15EA1C4CF6} =,
TCP: {9A315B95-2D2D-4CB8-B875-583CE8C08905} =,
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:windowssystem32wpdshserviceobj.dll
Hosts: www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:docume~1tomapplic~1mozillafirefoxprofilesi8rppafi.default
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:program filesgoogleupdate1.2.183.23npGoogleOneClick8.dll
FF - plugin: c:program filesmozilla firefoxpluginsnpbittorrent.dll
FF - plugin: c:program filesmozilla firefoxpluginsnpdeployJava1.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:program filesmozilla firefoxextensions{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:program filesmozilla firefoxextensions{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:program filesmozilla firefoxextensions{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - user.js: yahoo.homepage.dontask - truec:program filesmozilla firefoxgreprefsall.js - pref("ui.use_native_colors", true);
c:program filesmozilla firefoxgreprefsall.js - pref("ui.use_native_popup_windows", false);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.enable_click_image_resizing", true);
c:program filesmozilla firefoxgreprefsall.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:program filesmozilla firefoxgreprefsall.js - pref("javascript.options.mem.high_water_mark", 32);
c:program filesmozilla firefoxgreprefsall.js - pref("javascript.options.mem.gc_frequency", 1600);
c:program filesmozilla firefoxgreprefsall.js - pref("network.auth.force-generic-ntlm", false);
c:program filesmozilla firefoxgreprefsall.js - pref("svg.smil.enabled", false);
c:program filesmozilla firefoxgreprefsall.js - pref("ui.trackpoint_hack.enabled", -1);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.debug", false);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.agedWeight", 2);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.bucketSize", 1);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.maxTimeGroupings", 25);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.timeGroupingSize", 604800);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.boundaryWeight", 25);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.prefixWeight", 5);
c:program filesmozilla firefoxgreprefsall.js - pref("html5.enable", false);
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:program filesmozilla firefoxdefaultspreffirefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:program filesmozilla firefoxdefaultspreffirefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:program filesmozilla firefoxdefaultspreffirefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("lightweightThemes.update.enabled", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("browser.allTabs.previews", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("plugins.update.notifyUser", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("toolbar.customization.usesheet", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("browser.taskbar.previews.enable", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("browser.taskbar.previews.max", 20);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:windowssystem32driversLbd.sys [2010-5-16 64288]
R1 BIOS;BIOS;c:windowssystem32driversBIOS.sys [2008-9-5 13696]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:program fileslavasoftad-awareAAWService.exe [2010-2-4 1291544]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:windowssystem32driversRtNdPt5x.sys [2009-12-3 22016]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:windowssystem32driversManyCam.sys [2008-1-14 21632]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:windowssystem32driversviahduaa.sys [2009-11-20 1381632]
S2 gupdate;Google Update Service (gupdate);c:program filesgoogleupdateGoogleUpdate.exe [2010-5-16 135664]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:windowssystem32driversRTLTEAMING.SYS [2009-12-3 25984]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:windowssystem32driversRTLVLAN.SYS [2009-12-3 17408]

=============== Created Last 30 ================

2010-05-16 16:19:21 176 ----a-w- c:documents and settingstomdefogger_reenable
2010-05-16 15:52:11 15880 ----a-w- c:windowssystem32lsdelete.exe
2010-05-16 15:43:07 411368 ----a-w- c:windowssystem32deployJava1.dll
2010-05-16 15:14:46 15944 ----a-w- c:windowssystem32driverbleepmanpro35.sys
2010-05-16 15:14:30 0 d-----w- c:docume~1alluse~1applic~1Hitman Pro
2010-05-16 15:14:28 0 d-----w- c:program filebleepman Pro 3.5
2010-05-16 15:02:54 64288 ----a-w- c:windowssystem32driversLbd.sys
2010-05-16 15:02:52 95024 ----a-w- c:windowssystem32driversSBREDrv.sys
2010-05-16 14:55:01 0 dc-h--w- c:docume~1alluse~1applic~1{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-16 14:54:50 0 d-----w- c:program filesLavasoft
2010-05-16 14:41:36 0 d-----w- c:docume~1tomapplic~1Malwarebytes
2010-05-16 14:41:27 38224 ----a-w- c:windowssystem32driversmbamswissarmy.sys
2010-05-16 14:41:26 20952 ----a-w- c:windowssystem32driversmbam.sys
2010-05-16 14:41:26 0 d-----w- c:program filesMalwarebytes' Anti-Malware
2010-05-16 14:41:26 0 d-----w- c:docume~1alluse~1applic~1Malwarebytes
2010-05-15 23:21:19 0 d-----w- c:docume~1alluse~1applic~1Artist Colony
2010-05-15 20:50:10 0 d-----w- c:docume~1alluse~1applic~1Buried In Time
2010-05-11 17:30:31 38400 ----a-w- c:windowssystem32atiapfxx.blb
2010-05-11 17:30:31 143360 ----a-w- c:windowssystem32atiapfxx.exe
2010-05-06 10:23:42 0 d-----w- c:docume~1tomapplic~1Ubisoft
2010-04-27 23:38:47 0 d-----w- c:docume~1alluse~1applic~1Muzzy Lane Software
2010-04-21 02:32:02 0 d-----w- c:docume~1tomapplic~1AltSpace Group
2010-04-21 02:32:02 0 d-----w- c:docume~1alluse~1applic~1AltSpace Group

==================== Find3M ====================

2010-04-07 02:42:04 4687872 ----a-w- c:windowssystem32driversati2mtag.sys
2010-04-07 02:02:28 45056 ----a-w- c:windowssystem32aticalrt.dll
2010-04-07 02:02:16 45056 ----a-w- c:windowssystem32aticalcl.dll
2010-04-07 02:01:28 311296 ----a-w- c:windowssystem32atiiiexx.dll
2010-04-07 02:00:26 3981312 ----a-w- c:windowssystem32aticaldd.dll
2010-04-07 01:52:16 14356480 ----a-w- c:windowssystem32atioglxx.dll
2010-04-07 01:46:42 446464 ----a-w- c:windowssystem32ATIDEMGX.dll
2010-04-07 01:45:46 300544 ----a-w- c:windowssystem32ati2dvag.dll
2010-04-07 01:41:38 3620288 ----a-w- c:windowssystem32ati3duag.dll
2010-04-07 01:31:00 208896 ----a-w- c:windowssystem32atipdlxx.dll
2010-04-07 01:30:44 155648 ----a-w- c:windowssystem32Oemdspif.dll
2010-04-07 01:30:32 26112 ----a-w- c:windowssystem32Ati2mdxx.exe
2010-04-07 01:30:24 43520 ----a-w- c:windowssystem32ati2edxx.dll
2010-04-07 01:30:10 159744 ----a-w- c:windowssystem32ati2evxx.dll
2010-04-07 01:28:56 602112 ----a-w- c:windowssystem32ati2evxx.exe
2010-04-07 01:28:06 2220928 ----a-w- c:windowssystem32ativvaxx.dll
2010-04-07 01:27:40 887724 ----a-w- c:windowssystem32ativva6x.dat
2010-04-07 01:27:34 53248 ----a-w- c:windowssystem32ATIDDC.DLL
2010-04-07 01:23:14 585728 ----a-w- c:windowssystem32atikvmag.dll
2010-04-07 01:21:52 393216 ----a-w- c:windowssystem32atiok3x2.dll
2010-04-07 01:21:20 184320 ----a-w- c:windowssystem32atiadlxx.dll
2010-04-07 01:20:54 17408 ----a-w- c:windowssystem32atitvo32.dll
2010-04-07 01:15:22 638976 ----a-w- c:windowssystem32ati2cqag.dll
2010-04-07 01:15:20 53248 ----a-w- c:windowssystem32driversati2erec.dll
2010-04-07 01:14:06 65024 ----a-w- c:windowssystem32atimpc32.dll
2010-04-07 01:14:06 65024 ----a-w- c:windowssystem32amdpcom32.dll
2010-03-17 15:06:30 202234 ----a-w- c:windowssystem32atiicdxx.dat
2008-09-05 23:08:55 16384 --sha-w- c:windowssystem32configsystemprofilecookiesindex.dat
2008-09-05 23:08:55 32768 --sha-w- c:windowssystem32configsystemprofilelocal settingshistoryhistory.ie5index.dat
2008-09-05 23:08:52 32768 --sha-w- c:windowssystem32configsystemprofilelocal settingshistoryhistory.ie5mshist012008090520080906index.dat
2008-09-05 23:08:55 32768 --sha-w- c:windowssystem32configsystemprofilelocal settingstemporary internet filescontent.ie5index.dat

============= FINISH: 12:26:17.89 ===============

I have GMER scanning currently when that is done I will post that as well.

here is the GMER log:

GMER - http://www.gmer.net
Rootkit scan 2010-05-16 14:40:26
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:DOCUME~1TomLOCALS~1Tempkwrcrpoc.sys

---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xBA0F887E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xBA0F8BFE]

---- Kernel code sections - GMER 1.0.15 ----

.text C:WINDOWSsystem32DRIVERSati2mtag.sys section is writeable [0xB510F000, 0x235F87, 0xE8000020]
.rsrc C:WINDOWSsystem32DRIVERSwmiacpi.sys entry point in ".rsrc" section [0xBA58DC94]
.text C:WINDOWSsystem32DRIVERSatksgt.sys section is writeable [0xA052B300, 0x3B6D8, 0xE8000020]
.text C:WINDOWSsystem32DRIVERSlirsgt.sys section is writeable [0xBA490300, 0x1BEE, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:WINDOWSSystem32svchost.exe[1180] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:WINDOWSSystem32svchost.exe[1180] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:WINDOWSSystem32svchost.exe[1180] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C
.text C:WINDOWSSystem32svchost.exe[1180] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00DF000A
.text C:WINDOWSExplorer.EXE[1948] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:WINDOWSExplorer.EXE[1948] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C5000A
.text C:WINDOWSExplorer.EXE[1948] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:Program FilesMozilla Firefoxfirefox.exe[3916] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0128000A
.text C:Program FilesMozilla Firefoxfirefox.exe[3916] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0129000A
.text C:Program FilesMozilla Firefoxfirefox.exe[3916] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0127000C

---- Registry - GMER 1.0.15 ----

Reg HKLMSYSTEMCurrentControlSetServicessptdCfg0D79C293C1ED61418462E24595C90D04
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg0D79C293C1ED61418462E24595C90D04@p0 C:Program FilesAlcohol SoftAlcohol 120
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg0D79C293C1ED61418462E24595C90D04@h0 2
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg0D79C293C1ED61418462E24595C90D04@ujdew 0x87 0xC5 0x67 0xB7 ...
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg0D79C293C1ED61418462E24595C90D0400000001
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg0D79C293C1ED61418462E24595C90D0400000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:Program FilesDAEMON Tools Lite
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x28 0xFD 0x53 0x5B ...
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC00000001
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC00000001@hdf12 0xEF 0xFE 0x19 0xFB ...
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC00000001gdq0
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC00000001gdq0@hdf12 0x60 0x37 0xEC 0x2D ...
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC00000001gdq1
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC00000001gdq1@hdf12 0x90 0x20 0xFD 0xA7 ...
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg19659239224E364682FA4BAF72C53EA4
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg19659239224E364682FA4BAF72C53EA4@khjeh 0x35 0xBA 0x8D 0x3A ...
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg19659239224E364682FA4BAF72C53EA400000001
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg19659239224E364682FA4BAF72C53EA400000001@khjeh 0x49 0x3B 0xE0 0xE7 ...
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg19659239224E364682FA4BAF72C53EA4000000010Jf40
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg19659239224E364682FA4BAF72C53EA4000000010Jf40@khjeh 0xC4 0x85 0xAD 0x9E ...
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg19659239224E364682FA4BAF72C53EA4000000010Jf41
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg19659239224E364682FA4BAF72C53EA4000000010Jf41@khjeh 0x5B 0x0A 0x7C 0x4A ...
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg19659239224E364682FA4BAF72C53EA4000000010Jf42
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg19659239224E364682FA4BAF72C53EA4000000010Jf42@khjeh 0x68 0xA5 0x59 0x25 ...
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg19659239224E364682FA4BAF72C53EA4000000010Jf43
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg19659239224E364682FA4BAF72C53EA4000000010Jf43@khjeh 0x68 0xA5 0x59 0x25 ...
Reg HKLMSYSTEMControlSet003ServicessptdCfg0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLMSYSTEMControlSet003ServicessptdCfg0D79C293C1ED61418462E24595C90D04@p0 C:Program FilesAlcohol SoftAlcohol 120
Reg HKLMSYSTEMControlSet003ServicessptdCfg0D79C293C1ED61418462E24595C90D04@h0 2
Reg HKLMSYSTEMControlSet003ServicessptdCfg0D79C293C1ED61418462E24595C90D04@ujdew 0x87 0xC5 0x67 0xB7 ...
Reg HKLMSYSTEMControlSet003ServicessptdCfg0D79C293C1ED61418462E24595C90D0400000001 (not active ControlSet)
Reg HKLMSYSTEMControlSet003ServicessptdCfg0D79C293C1ED61418462E24595C90D0400000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLMSYSTEMControlSet003ServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLMSYSTEMControlSet003ServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:Program FilesDAEMON Tools Lite
Reg HKLMSYSTEMControlSet003ServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLMSYSTEMControlSet003ServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x28 0xFD 0x53 0x5B ...
Reg HKLMSYSTEMControlSet003ServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC00000001 (not active ControlSet)
Reg HKLMSYSTEMControlSet003ServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLMSYSTEMControlSet003ServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC00000001@hdf12 0xEF 0xFE 0x19 0xFB ...
Reg HKLMSYSTEMControlSet003ServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC00000001gdq0 (not active ControlSet)
Reg HKLMSYSTEMControlSet003ServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC00000001gdq0@hdf12 0x60 0x37 0xEC 0x2D ...
Reg HKLMSYSTEMControlSet003ServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC00000001gdq1 (not active ControlSet)
Reg HKLMSYSTEMControlSet003ServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC00000001gdq1@hdf12 0x90 0x20 0xFD 0xA7 ...
Reg HKLMSYSTEMControlSet003ServicessptdCfg19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLMSYSTEMControlSet003ServicessptdCfg19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLMSYSTEMControlSet003ServicessptdCfg19659239224E364682FA4BAF72C53EA4@khjeh 0x35 0xBA 0x8D 0x3A ...
Reg HKLMSYSTEMControlSet003ServicessptdCfg19659239224E364682FA4BAF72C53EA400000001 (not active ControlSet)
Reg HKLMSYSTEMControlSet003ServicessptdCfg19659239224E364682FA4BAF72C53EA400000001@khjeh 0x49 0x3B 0xE0 0xE7 ...
Reg HKLMSYSTEMControlSet003ServicessptdCfg19659239224E364682FA4BAF72C53EA4000000010Jf40 (not active ControlSet)
Reg HKLMSYSTEMControlSet003ServicessptdCfg19659239224E364682FA4BAF72C53EA4000000010Jf40@khjeh 0xC4 0x85 0xAD 0x9E ...
Reg HKLMSYSTEMControlSet003ServicessptdCfg19659239224E364682FA4BAF72C53EA4000000010Jf41 (not active ControlSet)
Reg HKLMSYSTEMControlSet003ServicessptdCfg19659239224E364682FA4BAF72C53EA4000000010Jf41@khjeh 0x5B 0x0A 0x7C 0x4A ...
Reg HKLMSYSTEMControlSet003ServicessptdCfg19659239224E364682FA4BAF72C53EA4000000010Jf42 (not active ControlSet)
Reg HKLMSYSTEMControlSet003ServicessptdCfg19659239224E364682FA4BAF72C53EA4000000010Jf42@khjeh 0x68 0xA5 0x59 0x25 ...
Reg HKLMSYSTEMControlSet003ServicessptdCfg19659239224E364682FA4BAF72C53EA4000000010Jf43 (not active ControlSet)
Reg HKLMSYSTEMControlSet003ServicessptdCfg19659239224E364682FA4BAF72C53EA4000000010Jf43@khjeh 0x68 0xA5 0x59 0x25 ...

---- Files - GMER 1.0.15 ----

File C:RECYCLERS-1-5-21-1275210071-1177238915-725345543-1004Dc2522e4210b0459beaeaeed94e4bb6664c27b16b94ab1 10072 bytes
File C:RECYCLERS-1-5-21-1275210071-1177238915-725345543-1004Dc2522e423380383fa7255d76059d9c743ffa6989de9f1 33306 bytes
File C:RECYCLERS-1-5-21-1275210071-1177238915-725345543-1004Dc2522e42507cdaec255adf3141e0fc20828dee2345977 3331 bytes
File C:RECYCLERS-1-5-21-1275210071-1177238915-725345543-1004Dc2522e425230595f3510e3eef21363fcf091fc0751fba 10309 bytes
File C:RECYCLERS-1-5-21-1275210071-1177238915-725345543-1004Dc2522e4262cd631e49f6de7aff0e716d5113ddc4d3a5d 3328 bytes
File C:RECYCLERS-1-5-21-1275210071-1177238915-725345543-1004Dc2522e42745d1e9066a7bc8256fd75a1d221296ca66ab 4184 bytes
File C:RECYCLERS-1-5-21-1275210071-1177238915-725345543-1004Dc2522e4293d4551614d2f825b44c9f9b07f7bf5e38f10 12616 bytes
File C:RECYCLERS-1-5-21-1275210071-1177238915-725345543-1004Dc2522e429b5a4b2eee1e8706f6846628c6f7301b930c6 27357 bytes
File C:RECYCLERS-1-5-21-1275210071-1177238915-725345543-1004Dc2522e42a41ac40bc5ca7ef851d1b6e23801d33d2d476 9051 bytes
File C:RECYCLERS-1-5-21-1275210071-1177238915-725345543-1004Dc2522e42abefb5e15bcf2caeee097d4ed48f47b9257d7 34093 bytes
File C:RECYCLERS-1-5-21-1275210071-1177238915-725345543-1004Dc2522e42b2be5c050fce9457fc1cab777880292bc3c0c 7941 bytes
File C:RECYCLERS-1-5-21-1275210071-1177238915-725345543-1004Dc2522e42bb24ea2b1a1674d29b26aacda79078551e01b 14353 bytes
File C:RECYCLERS-1-5-21-1275210071-1177238915-725345543-1004Dc2522e42c368870ff01283765e332c047e5a820461a76 37879 bytes
File C:RECYCLERS-1-5-21-1275210071-1177238915-725345543-1004Dc2522e42d0595d7bc206548e4f9cc188921950804a484 7717 bytes
File C:RECYCLERS-1-5-21-1275210071-1177238915-725345543-1004Dc2522e42f14436bb0445d2db9abd8d7e896cab0589e95 12854 bytes
File C:WINDOWSsystem32DRIVERSwmiacpi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Edited by Budapest, 17 May 2010 - 12:17 AM.
Posts merged ~BP

BC AdBot (Login to Remove)


#2 Farbar


    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:53 PM

Posted 17 May 2010 - 05:54 AM

Hi marduc,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.
  1. You have the program Spybot S&D (Teatimer option) running on your machine. We need to disable TeaTimer so it does not interfere with the fixes we are about to do. This will only take a few seconds.
    1. First disable TeaTimer:
      • Run Spybot-S&D
      • Go to the Mode menu, and make sure Advanced Mode is selected
      • On the left hand side, choose Tools -> Resident
      • Uncheck Resident TeaTimer and OK any prompts
      • Restart your computer.
      Instruction is also here: How to disable TeaTimer during HijackThis Cleanup
      Note:If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
    2. Then download ResetTeaTimer.exe to your desktop.
      • Doubleclick ResetTeaTimer.exe and let it run.
    Note: The Teatimer should be kept disabled until I give you the clean sign.

  2. Please uninstall both Daemon Tools and Alchol 120 as they interfere with our tools and lead to false positive. You may install them again when we are done.

  3. Reboot at least once after uninstalling the above tools.

  4. Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).

  5. Download http://download.bleepingcomputer.com/farbar/TDLfix.exe and save it to your desktop.
    • Close all the open windows.
    • Double-click TDLfix.exe to run the tool.
    • Type (or copy the following and right-click to paste) in the command window and press Enter:


      A log file will open, please post the content of it to your reply.

#3 marduc

  • Topic Starter

  • Members
  • 114 posts
  • Gender:Male
  • Location:Florida
  • Local time:04:53 PM

Posted 17 May 2010 - 06:26 AM

First off, hi and thank you for your time!!

OK, I have most of these steps done, I was unable to uninstall Alcohol 120%, it returned a pop up message that said "setup unable to validate install", it also is not in the "add remove programs list" is there another way to go about getting rid of it?

I am also now hanging on uninstalling Daemon tools.

Edited by marduc, 17 May 2010 - 06:27 AM.

#4 Farbar


    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:53 PM

Posted 17 May 2010 - 06:40 AM

You should look for the uninstaller inside the Program Files directory of the software.

#5 marduc

  • Topic Starter

  • Members
  • 114 posts
  • Gender:Male
  • Location:Florida
  • Local time:04:53 PM

Posted 17 May 2010 - 06:47 AM

I had initially tried uninstalling alcohol using the installer in the program folder, and I have tried a second and a third time, same pop up message. I am at their website looking up how to uninstall manually.

daemon tools lite is still hanging on its uninstall, i had canceled, and attempted that again as well

#6 Farbar


    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:53 PM

Posted 17 May 2010 - 06:51 AM

Okey, please do the following:

Go to Start => Run, copy and paste the following and click OK:

sc config sptd start= disabled

Then reboot the computer and proceed with the rest of the first post.

Edited by farbar, 17 May 2010 - 06:52 AM.

#7 marduc

  • Topic Starter

  • Members
  • 114 posts
  • Gender:Male
  • Location:Florida
  • Local time:04:53 PM

Posted 17 May 2010 - 07:01 AM

Alright, I did not do what you had said, I was already looking for a way to uninstall both Alcohol and Deamon prior to your last post, and since Daemon was freezing on uninstall I updated it to the latest version, and then uninstalled, it went smooth.. then afterwards on a hunch I attempted to uninstall Alcohol, it uninstalled with no problems as well.

I am going to reboot, do you still want me to follow the step in your previous post (sc config sptd start= disabled)? should we confirm that these programs have been successfully uninstalled, or should I just continue and run MBR.exe?

#8 Farbar


    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:53 PM

Posted 17 May 2010 - 07:05 AM

Well done. No harm in doing the last post to make sure.

#9 marduc

  • Topic Starter

  • Members
  • 114 posts
  • Gender:Male
  • Location:Florida
  • Local time:04:53 PM

Posted 17 May 2010 - 07:12 AM

Here is the log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AB0FCEC]<<
kernel: MBR read successfully
user & kernel MBR OK

When I ran it I got the generic microsoft "this program crashed on you" message so I do not know if it completed.

#10 Farbar


    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:53 PM

Posted 17 May 2010 - 07:48 AM

The log is what we needed to see.
  1. Double-click to run TDLfix.exe.
    • Type the following in the open command window, close all other open windows and press Enter:


    • The tool immediately reboots the computer and runs after the boot briefly.
    • Tell me if it rebooted and ran to completion.

  2. After the tool rebooted and finished, run it again, type mbr and press Enter. Please post the log it creates.

#11 marduc

  • Topic Starter

  • Members
  • 114 posts
  • Gender:Male
  • Location:Florida
  • Local time:04:53 PM

Posted 17 May 2010 - 07:52 AM

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK

#12 marduc

  • Topic Starter

  • Members
  • 114 posts
  • Gender:Male
  • Location:Florida
  • Local time:04:53 PM

Posted 17 May 2010 - 07:55 AM

I forgot to tell you that it did reboot and run to completion when I entered wmiacpi. It crashed again with MBR, but we got the log

#13 Farbar


    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:53 PM

Posted 17 May 2010 - 08:01 AM

The rootkit is taken care of. thumbup2.gif
  1. You have the latest version of Java (Java 6 Update 18) and it is good. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
    Go to the "Add or Remove Programs" and uninstall the following by clicking on the following entries and selecting "remove":

    Java™ 6 Update 7

  2. Run CCleaner (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked). Then click run cleaner.

  3. Run a quick scan of an updated Malwarebytes and post the log if it found anything.

  4. Tell me how is your computer running now.

#14 marduc

  • Topic Starter

  • Members
  • 114 posts
  • Gender:Male
  • Location:Florida
  • Local time:04:53 PM

Posted 17 May 2010 - 08:05 AM

YAY in the rootkit, but I think I have more... new things are going on that started this morning.

I am getting pop ups that appear to be related to IE (which I do not use) occurring spontaneously, phishing filter pop up.. privacy option pop up, and other things.

I am uninstalling java as directed now.

#15 marduc

  • Topic Starter

  • Members
  • 114 posts
  • Gender:Male
  • Location:Florida
  • Local time:04:53 PM

Posted 17 May 2010 - 08:23 AM

ok malwarebytes is done. here is the log:

Malwarebytes' Anti-Malware 1.46

Database version: 4108

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

5/17/2010 9:21:30 AM
mbam-log-2010-05-17 (09-21-30).txt

Scan type: Quick scan
Objects scanned: 126047
Time elapsed: 5 minute(s), 58 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
C:\Documents and Settings\All Users\Application Data\2BiKn0Sp.exe (Backdoor.Sinowal) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Application Data\2BiKn0Sp.exe (Backdoor.Sinowal) -> No action taken.
C:\Documents and Settings\Tom\Local Settings\Temp\hki201.exe (Backdoor.Sinowal) -> No action taken.

Edit: should I have malwarebytes clean this up or should we go another route?

Edited by marduc, 17 May 2010 - 08:25 AM.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users