
Browser Hijack (atypical)


  • This topic is locked
5 replies to this topic

#1 treehouse916


  • Members
  • 9 posts

Posted 23 May 2010 - 10:32 AM

Hello!

My wife started having some unusual browser hijacks over the last two days (she uses the latest version of Firefox). Rather than coming up with the standard fare (fake antivirus messages, ransomware, etc.) they are pop-ups for websites that are similar to ones that she searches for or visits frequently - news blogs, crafting sites etc., but they are obviously bad news. I've tried a number of different things.

1) Updated and ran malwarebytes multiple times (strangely, it keeps on believing it needs to update, every time it loads. Unsure if this is a symptom or not): sometimes this discovers and eliminates 1 or more trojan downloaders, other times it does not.

2) Updated and ran avast multiple times: again, it occasionally finds things, most of the time not. Avast's web shield also blocks about 50% of the randomly opening pop-ups.

3) Installed and ran HijackThis!: I tried this after I noticed an odd file in Startup that wasn't being spotted by malwarebytes or avast - ylzoe.exe. HijackThis could not remove it, so I FileAssassinated it through MBAM.

4) Tried a system restore, which failed. (uh oh)

5) Installed and ran Spybot S&D: like MBAM and avast, it found a couple of things and removed them.

6) Tried running Windows Update - the site is blank as if it is down.

7) Disabled all add-ons in Firefox. There was a Java extension running with known security vulnerabilities, but disabling it had no noticeable effect.

8) Before posting, I looked for other similar cases that were reported here, and noticed some similarities to rootkit infections (she's already had one, which I only got rid of by completely wiping her hard drive and starting over with a fresh build). So I ran a RootRepeal report, which found things. I will refrain from posting the log since this forum says 'no logs', and let someone direct me to where I should post it (if at all). I can also post a fresh HJ log, but it isn't finding the mystery items anymore.

Computer is running Windows XP Professional (SP 3), and the browser in question is Firefox v 3.6.3. Let me know if you need any other information. I really appreciate any help you can offer - I'm stumped!

Edited by treehouse916, 23 May 2010 - 10:34 AM.



#2 boopme

  • Global Moderator
  • 72,740 posts

Posted 23 May 2010 - 02:56 PM

Hello..
Next run ATF and SAS: If you cannot access Safe Mode, run in normal, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Atribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Now please rerun RootRepeal and post the SAS and RR logs.

#3 treehouse916

  • Topic Starter

  • Members
  • 9 posts

Posted 24 May 2010 - 07:06 PM

Thank you for your response!

I followed your directions with ATF-Cleaner and a full scan of SUPERAntiVirus - the latter didn't find anything (13-hour run-time in Safe Mode, holy crap!).

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/24/2010 at 06:08 AM

Application Version : 4.37.1000

Core Rules Database Version : 4974
Trace Rules Database Version: 2786

Scan type : Complete Scan
Total Scan Time : 13:35:33

Memory items scanned : 233
Memory threats detected : 0
Registry items scanned : 6734
Registry threats detected : 0
File items scanned : 83253
File threats detected : 0


Here is the new RootRepeal log. Some more information about this system - I have a secondary drive on it (F:), which has its own copy of Windows XP Pro installed. I also have Comodo Firewall running - I'm comfortable removing either or both and re-running RR if it will help with the process of elimination.

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2010/05/24 18:30
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xB9E35000 Size: 574976 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA6F35000 Size: 49152 File Visible: No Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xAAF49000 Size: 361344 File Visible: - Signed: -
Status: Hidden from the Windows API!

Hidden/Locked Files
-------------------
Path: C:\RootRepeal report 05-24-10 (18-30-10).txt
Status: Visible to the Windows API, but not on disk.

Path: F:\Documents and Settings\Jon\My Documents\Dc520.xlsx
Status: Locked to the Windows API!

Path: F:\Documents and Settings\Jon\My Documents\Downloads\3.5\Dc549.pdf
Status: Locked to the Windows API!

Path: F:\Documents and Settings\Jon\My Documents\Downloads\3.5\Dc595.pdf
Status: Locked to the Windows API!

Path: F:\Documents and Settings\Jon\My Documents\Downloads\3.5\Dc625.pdf
Status: Locked to the Windows API!

Path: F:\Documents and Settings\Jon\My Documents\Downloads\3.5\Dc487.pdf
Status: Locked to the Windows API!

Path: F:\Documents and Settings\Jon\My Documents\Downloads\3.5\Dc490.pdf
Status: Locked to the Windows API!

Path: F:\Documents and Settings\Jon\My Documents\Downloads\3.5\Dc495.pdf
Status: Locked to the Windows API!

Path: F:\Documents and Settings\Jon\My Documents\Downloads\3.5\Dc541.pdf
Status: Locked to the Windows API!

Path: F:\Documents and Settings\Jon\My Documents\Downloads\3.5\Dc527.pdf
Status: Locked to the Windows API!

Path: F:\Documents and Settings\Jon\My Documents\Downloads\3.5\Dc485.pdf
Status: Locked to the Windows API!

Path: F:\Documents and Settings\Jon\My Documents\Downloads\3.5\Dc522.pdf
Status: Locked to the Windows API!

Path: F:\Documents and Settings\Jon\My Documents\Downloads\3.5\Dc547.pdf
Status: Locked to the Windows API!

Path: F:\Documents and Settings\Jon\My Documents\Downloads\3.5\Dc516.pdf
Status: Locked to the Windows API!

Path: F:\Documents and Settings\Jon\My Documents\Jonathan's DnD Stuff\In the Shadow of Evil\Dc519.xlt
Status: Locked to the Windows API!

Path: F:\Documents and Settings\Jon\My Documents\Jonathan's DnD Stuff\In the Shadow of Evil\Eberron NPC Record.xlsx:Zone.Identifier
Status: Invisible to the Windows API!

Path: F:\Documents and Settings\Jon\My Documents\Jonathan's DnD Stuff\Miscellaneous\Dc557.pdf
Status: Locked to the Windows API!

SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafd9bda

#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaad35c7a

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafd91b8

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafd9840

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaad35b36

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafd909a

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafdb06a

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafdb302

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafd8c60

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaad360ea

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaad36014

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaad3570c

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafdacec

#: 105 Function Name: NtMakeTemporaryObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafd943c

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafd9a1c

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaad35c10

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaad3564c

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafd96cc

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaad356b0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaad35d30

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaad361b8

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafdb648

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaad35cf0

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafdaa88

#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafd9dc0

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafdae9a

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaad35e70

#: 249 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafd93d6

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafd95c0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS" at address 0xaadf9950

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafd8e32

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafdd360

#: 122 Function Name: NtGdiDeleteObjectApp
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafdda84

#: 227 Function Name: NtGdiMaskBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafdd494

#: 233 Function Name: NtGdiOpenDCW
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafdd944

#: 237 Function Name: NtGdiPlgBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafdd5d4

#: 292 Function Name: NtGdiStretchBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafdd708

#: 310 Function Name: NtUserBlockInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafdd1e0

#: 319 Function Name: NtUserCallHwndParamLock
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafdc432

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafdceb0

#: 389 Function Name: NtUserGetClipboardData
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafdd842

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafdcc1e

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafdcd60

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafdc902

#: 465 Function Name: NtUserMoveWindow
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafdc16a

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafdc5b4

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafdc760

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafdd000

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafdcac4

#: 509 Function Name: NtUserSetClipboardViewer
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafdd0f6

#: 529 Function Name: NtUserSetParent
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafdc2da

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafddaea

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafddd1e

==EOF==


Edited by treehouse916, 24 May 2010 - 07:06 PM.
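A small triage helper for the RootRepeal report format pasted above, added here as an example and not part of the thread, of RootRepeal, or of any of the tools mentioned. It splits the report into its sections, lists drivers reported as hidden from the Windows API, counts SSDT and Shadow SSDT hooks per hooking driver (so the many hooks from the installed Comodo and avast drivers, cmdguard.sys and aswSP.SYS, can be told apart from a lone unknown hook at a glance), and picks out locked RECYCLER entries and NTFS alternate data streams such as the Zone.Identifier stream in the log. The embedded log is a constructed, shortened excerpt in the layout of the posted report.

```python
"""Triage a RootRepeal text report (added example; not RootRepeal's own code)."""
import re
from collections import Counter

# Constructed excerpt in the layout of the report posted above (real reports run far longer).
SAMPLE_LOG = r"""ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2010/05/24 18:30
Program Version: Version 1.3.5.0

Drivers
-------------------
Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xB9E35000 Size: 574976 File Visible: - Signed: -
Status: Hidden from the Windows API!

Hidden/Locked Files
-------------------
Path: F:\RECYCLER\S-1-5-21-343818398-179605362-839522115-1003\D&DAD8~1.PDF
Status: Locked to the Windows API!

Path: F:\Documents and Settings\Jon\My Documents\Eberron NPC Record.xlsx:Zone.Identifier
Status: Invisible to the Windows API!

SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafd9bda

#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaad35c7a

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaafdd360

==EOF==
"""

HOOK_RE = re.compile(r'Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')
FUNC_RE = re.compile(r'(\d+)\s+Function Name:\s*(\S+)')
RECYCLER_RE = re.compile(r'^[A-Z]:\\RECYCLER\\S-1-5-21-[\d-]+\\', re.IGNORECASE)

def parse_report(text):
    """Return {section name: [record, ...]}; a record maps 'Key' -> 'value' for one blank-line-separated entry."""
    lines = text.splitlines()
    sections, current, record = {}, None, {}
    for i, line in enumerate(lines):
        line = line.rstrip()
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line and ":" not in line and nxt.startswith("---"):  # heading: a name underlined with dashes
            current, record = line, {}
            sections[current] = []
        elif line.startswith("---") or line == "==EOF==":
            continue
        elif not line:  # a blank line closes the current record
            if record and current:
                sections[current].append(record)
            record = {}
        elif current:  # banner lines before the first section carry no records
            key, _, value = line.partition(":")  # first colon only, so drive letters survive
            record[key.strip()] = value.strip()
    if record and current:
        sections[current].append(record)
    return sections

def hidden_drivers(sections):
    """Names of loaded drivers that RootRepeal could not see through the Windows API."""
    return [r["Name"] for r in sections.get("Drivers", []) if "Hidden" in r.get("Status", "")]

def ssdt_hooks(sections):
    """(hooking driver basename, hooked syscall) for every SSDT and Shadow SSDT entry."""
    out = []
    for name in ("SSDT", "Shadow SSDT"):
        for r in sections.get(name, []):
            m, f = HOOK_RE.search(r.get("Status", "")), FUNC_RE.match(r.get("#", ""))
            if m and f:
                out.append((m.group(1).rsplit("\\", 1)[-1].lower(), f.group(2)))
    return out

def hooks_by_module(sections):
    """Hook count per driver: a HIPS/AV driver hooking dozens of syscalls looks very different from one unknown hook."""
    return Counter(mod for mod, _ in ssdt_hooks(sections))

def locked_recycler_files(sections):
    """Locked files under a per-SID RECYCLER folder, the kind of entry the moderator singles out in the next reply."""
    return [r["Path"] for r in sections.get("Hidden/Locked Files", []) if RECYCLER_RE.match(r.get("Path", ""))]

def alternate_data_streams(sections):
    """Paths naming an NTFS alternate data stream (a second ':' after the drive letter), e.g. Zone.Identifier."""
    return [r["Path"] for r in sections.get("Hidden/Locked Files", []) if ":" in r.get("Path", "")[2:]]
```

Run it against a full report by passing the file contents to `parse_report` and feeding the result to the four triage functions.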


#4 boopme

  • Global Moderator
  • 72,740 posts

Posted 24 May 2010 - 08:41 PM

Hello, these files could be dangerous... RECYCLER\S-1-5-21-

We need a deeper look. Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.

#5 treehouse916

  • Topic Starter

  • Members
  • 9 posts

Posted 24 May 2010 - 09:42 PM

I posted in that forum.


I've gotta ask before you lock the thread - Erfworld fan, or random naming coincidence?

Thank you again for all your help, sir. :thumbsup:

#6 boopme

  • Global Moderator
  • 72,740 posts

Posted 24 May 2010 - 09:53 PM

:LOL :thumbsup: never saw that before.. No I made it up on my own. :flowers:

You will be answered soon there and cleaned of this. We need to run specialized tools that we don't use here.
Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.