
Browser redirects from google search and "Survey" links (server2.mediajmp.com)


2 replies to this topic

#1 farhans

  • Members
  • 2 posts
Posted 23 May 2010 - 04:29 PM

Sorry about copying the thread title from another user, but I am having exactly the same problem! (as this thread: http://www.bleepingcomputer.com/forums/topic285720.html)

I have tried malwarebytes and ad-aware several times but nothing.

While I am browsing, a new tab would open randomly asking me to fill in surveys, and it is usually from server2.mediajmp.com.

DDS Report:


DDS (Ver_10-03-17.01) - NTFSx86
Run by tom at 21:32:18.78 on 23/05/2010
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.1790.538 [GMT 1:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\rundll32.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Acer\Empowering Technology\SysMonitor.exe
C:\Program Files\Acer\Empowering Technology\Framework.Launcher.exe
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Program Files\TP-LINK\QSS\jswtrayutil.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
C:\Program Files\TP-LINK\QSS\HwBtnSvc.exe
C:\Program Files\TP-LINK\QSS\HwBtnDetector.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\bin32\nSvcAppFlt.exe
C:\Program Files\bin32\nSvcIp.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehRecvr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWWSC.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Windows\explorer.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWWSC.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Windows\system32\defrag.exe
C:\Windows\system32\DfrgNtfs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\FlashGet\flashget.exe
C:\Users\tom\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/webhp?hl=en
uInternet Settings,ProxyOverride = <local>;*.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: RoboForm BHO: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\program files\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
BHO: Partner BHO Class: {83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} - c:\programdata\partner\partner.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\program files\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Google Update] "c:\users\tom\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [{AE241805-B904-668D-5DA9-C61B02C5780F}] c:\users\tom\appdata\roaming\pymu\amwai.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Acer Empowering Technology Monitor] c:\program files\acer\empowering technology\SysMonitor.exe
mRun: [EmpoweringTechnology] c:\program files\acer\empowering technology\Framework.Launcher.exe boot
mRun: [eDataSecurity Loader] c:\program files\acer\empowering technology\edatasecurity\x86\eDSloader.exe
mRun: [PCMMediaSharing] c:\program files\acer arcade live\acer homemedia connect\kernel\dms\PCMMediaSharing.exe
mRun: [WarReg_PopUp] c:\program files\acer\wr_popup\WarReg_PopUp.exe
mRun: [jswtrayutil] "c:\program files\tp-link\qss\jswtrayutil.exe"
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: %SYSTEMROOT%\system32\nvLsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\tom\appdata\roaming\mozilla\firefox\profiles\xsd8jh6o.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/webhp?hl=en
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\tom\appdata\local\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-5-21 64288]
R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2010-4-15 20384]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-6 68168]
R2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\acer arcade live\acer homemedia connect\kernel\dms\CLMSServer.exe [2008-4-30 269448]
R2 ETService;Empowering Technology Service;c:\program files\acer\empowering technology\service\ETService.exe [2008-4-30 24576]
R2 JSWHwBtn;JSW Hardware Button Service;c:\program files\tp-link\qss\HwBtnSvc.exe [2010-4-15 16384]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1314704]
R3 arusb_lh;TP-LINK TL-WN821N 11N Wireless device driver;c:\windows\system32\drivers\arusb_lh.sys [2010-4-15 437760]
R3 MSHUSBVideo;NX6000/NX3000/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [2007-4-12 34136]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-4-30 43552]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-21 136176]
S3 hcw95bda;Hauppauge MOD7700 Tuner Driver;c:\windows\system32\drivers\hcw95bda.sys [2010-4-30 573440]
S3 hcw95rc;Hauppauge MOD7700 IR Driver;c:\windows\system32\drivers\hcw95rc.sys [2010-4-30 15616]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\tp-link\qss\jswpsapi.exe [2010-4-15 954368]
S4 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\newtech infosystems\nti backup now 5\client\Agentsvc.exe [2008-3-3 16384]
S4 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-4-26 45056]
S4 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-4-26 131072]

=============== Created Last 30 ================

2010-05-23 17:03:42 64112 ----a-w- c:\windows\ATC___LH.TTF
2010-05-23 16:21:29 0 d-----w- c:\windows\font
2010-05-23 14:58:48 0 d-----w- c:\program files\Bonjour
2010-05-23 14:56:33 0 ----a-w- c:\users\tom\appdata\roaming\wklnhst.dat
2010-05-23 14:53:54 0 d-----w- c:\program files\common files\Macrovision Shared
2010-05-23 14:09:48 0 d-----w- c:\programdata\FLEXnet
2010-05-23 11:39:23 0 d-----w- c:\program files\Messenger Plus! Live
2010-05-22 13:30:32 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-05-22 13:30:23 0 d-----w- c:\users\tom\appdata\roaming\SUPERAntiSpyware.com
2010-05-22 13:30:23 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-22 13:29:47 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-05-21 22:28:18 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-05-21 21:52:32 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-21 21:52:27 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-21 21:50:11 0 dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-21 21:49:50 0 d-----w- c:\programdata\Lavasoft
2010-05-21 21:49:50 0 d-----w- c:\program files\Lavasoft
2010-05-21 15:26:38 0 d-----w- c:\program files\Trend Micro
2010-05-15 09:44:09 0 d-----w- C:\Downloads
2010-05-15 09:43:08 0 d-----w- c:\users\tom\appdata\roaming\FlashGet
2010-05-15 09:43:02 0 d-----w- c:\program files\FlashGet
2010-05-15 01:32:03 0 d-----w- c:\program files\common files\DVDVideoSoft
2010-05-14 21:27:58 411480 ----a-w- c:\windows\system32\tsccvid.dll
2010-05-14 21:27:57 0 d-----w- c:\windows\system32\QuickTime
2010-05-14 21:27:30 0 d-----w- c:\program files\common files\TechSmith Shared
2010-05-14 21:27:28 0 d-----w- c:\programdata\TechSmith
2010-05-14 20:24:52 0 d-----w- c:\program files\Vstplugins
2010-05-14 20:24:50 0 d-----w- c:\programdata\Sony
2010-05-14 20:24:47 0 d-----w- c:\program files\Sony
2010-05-14 20:24:18 0 d-----w- c:\program files\Sony Setup
2010-05-13 21:52:34 0 d-sh--w- c:\users\tom\appdata\roaming\lowsec
2010-05-13 21:30:50 574 ----a-w- c:\users\tom\trvfwsy.exe
2010-05-13 21:25:19 61952 ----a-w- c:\windows\system32\msihost.exe
2010-05-13 21:25:17 0 ----a-w- c:\users\tom\juyyrlbl.exe
2010-05-13 18:43:08 0 d-----w- c:\users\tom\appdata\roaming\Malwarebytes
2010-05-13 18:42:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-13 18:42:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-13 18:42:53 0 d-----w- c:\programdata\Malwarebytes
2010-05-13 18:42:53 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-11 10:48:38 0 d-----w- c:\program files\Combined Community Codec Pack
2010-05-08 17:29:06 38 ----a-w- c:\windows\avisplitter.ini
2010-05-08 17:29:06 165376 ----a-w- c:\windows\system32\unrar.dll
2010-05-08 17:29:05 881664 ----a-w- c:\windows\system32\xvidcore.dll
2010-05-08 17:29:05 839680 ----a-w- c:\windows\system32\lameACM.acm
2010-05-08 17:29:05 414 ----a-w- c:\windows\system32\lame_acm.xml
2010-05-08 17:29:05 217088 ----a-w- c:\windows\system32\yv12vfw.dll
2010-05-08 17:29:05 205824 ----a-w- c:\windows\system32\xvidvfw.dll
2010-05-08 17:29:05 151552 ----a-w- c:\windows\system32\ac3acm.acm
2010-05-08 17:29:03 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-05-08 17:29:03 547 ----a-w- c:\windows\system32\ff_vfw.dll.manifest
2010-05-08 17:29:02 0 d-----w- c:\program files\K-Lite Codec Pack
2010-05-06 23:04:47 0 d-----w- c:\program files\Photoshop
2010-05-03 22:00:04 0 d-----w- c:\programdata\RoboForm
2010-05-03 21:59:48 0 d-----w- c:\program files\Siber Systems
2010-05-01 09:14:37 0 d-----w- c:\program files\JDownloader
2010-05-01 09:14:32 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-30 23:13:12 0 d-----w- c:\program files\VideoLAN
2010-04-30 19:49:16 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-04-30 01:45:57 36921 ------w- c:\windows\system32\hcwutl32_priv.dll
2010-04-30 01:45:20 35344 ----a-w- c:\windows\Irremote.ini
2010-04-30 01:45:18 0 d-----w- c:\program files\WinTV
2010-04-30 01:44:40 831554 ----a-w- c:\windows\system32\hcwtvwnd.dll
2010-04-30 01:44:30 10647 ----a-w- c:\windows\HCWPNP.INI
2010-04-30 01:43:05 573440 ----a-w- c:\windows\system32\drivers\hcw95bda.sys
2010-04-30 01:43:05 15616 ----a-w- c:\windows\system32\hcw95rc.sys
2010-04-30 01:43:05 15616 ----a-w- c:\windows\system32\drivers\hcw95rc.sys
2010-04-30 01:43:01 0 d-----w- C:\Hauppauge
2010-04-30 01:31:45 0 d-----w- C:\tmf
2010-04-29 00:48:40 0 d-----w- c:\program files\Microsoft LifeCam
2010-04-29 00:48:02 68888 ----a-w- c:\windows\system32\xinput1_3.dll
2010-04-29 00:48:02 62744 ----a-w- c:\windows\system32\xinput1_2.dll
2010-04-29 00:48:02 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2010-04-29 00:48:02 237848 ----a-w- c:\windows\system32\xactengine2_4.dll
2010-04-29 00:48:02 236824 ----a-w- c:\windows\system32\xactengine2_3.dll
2010-04-29 00:48:02 15128 ----a-w- c:\windows\system32\x3daudio1_1.dll
2010-04-29 00:47:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2010-04-27 20:10:17 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2010-04-26 22:04:42 353592 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
2010-04-25 19:22:47 0 d-----w- c:\program files\SopCast
2010-04-25 19:02:10 0 d-----w- c:\programdata\WinZip
2010-04-25 08:22:05 0 d-----w- c:\program files\BitLord
2010-04-25 06:04:07 209715200 ----a-w- C:\Home.Alone.1990.HD.720p.DD5.1-Sting2324.part14.rar
2010-04-25 04:47:03 209715200 ----a-w- C:\Home.Alone.1990.HD.720p.DD5.1-Sting2324.part13.rar
2010-04-25 03:40:12 209715200 ----a-w- C:\Home.Alone.1990.HD.720p.DD5.1-Sting2324.part12.rar
2010-04-24 21:42:10 209715200 ----a-w- C:\Home.Alone.1990.HD.720p.DD5.1-Sting2324.part11.rar
2010-04-24 20:26:41 209715200 ----a-w- C:\Home.Alone.1990.HD.720p.DD5.1-Sting2324.part10.rar
2010-04-24 06:40:03 209715200 ----a-w- C:\Home.Alone.1990.HD.720p.DD5.1-Sting2324.part09.rar

==================== Find3M ====================

2010-05-23 17:00:39 64112 ----a-w- c:\windows\fonts\ATC___LH_0.TTF
2010-05-23 17:00:39 64112 ----a-w- c:\windows\fonts\ATC___LH.TTF
2010-04-30 01:44:09 86016 ----a-w- c:\windows\inf\infstrng.dat
2010-04-30 01:44:09 51200 ----a-w- c:\windows\inf\infpub.dat
2010-04-30 01:43:55 86016 ----a-w- c:\windows\inf\infstor.dat
2010-04-09 20:48:18 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-03-08 17:59:18 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-03-04 18:08:30 110648 ----a-w- c:\windows\system32\hcwi2c32.dll
2010-03-04 18:07:16 323640 ----a-w- c:\windows\system32\hcwpnp32.dll
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2006-10-11 07:35:33 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-02-17 00:51:26 16384 --sha-w- c:\windows\temp\cookies\index.dat
2010-02-17 00:51:26 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2010-02-17 00:51:26 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 21:33:22.10 ===============

Edited by farhans, 23 May 2010 - 04:44 PM.
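The DDS log above is read by hand by the forum's helpers, but the "Pseudo HJT" section is regular enough to pre-screen with a script. The following is an added example, not part of the original post and not part of the DDS tool: it parses Run-key, BHO, policy and Firefox-proxy lines and attaches triage heuristics that are commonly used when reading such logs (a Run value named with a bare GUID, an autorun that executes from the user profile or ProgramData, an orphaned BHO, UAC disabled by policy). The sample lines are constructed from entries visible in the log above, and a finding is a reason to look closer, not a verdict on the file.

```python
"""Heuristic triage of DDS 'Pseudo HJT' autorun lines.

Added example, not part of the original post or of the DDS tool. The sample
lines are constructed from the entries visible in the log above; the scoring
rules are common triage heuristics, not a verdict on any one file.
"""
import re

# Constructed sample: a subset of the Pseudo HJT section from the post.
SAMPLE_LOG = r"""
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Partner BHO Class: {83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} - c:\programdata\partner\partner.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [{AE241805-B904-668D-5DA9-C61B02C5780F}] c:\users\tom\appdata\roaming\pymu\amwai.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mPolicies-system: EnableLUA = 0 (0x0)
FF - prefs.js: network.proxy.type - 4
"""

GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
BHO_RE = re.compile(r"^BHO: (?:(?P<desc>.*?): )?(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
# Locations where a legitimate autorun is unusual; all comparisons are lower-case.
PROFILE_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\programdata\\")
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\")


def first_exe(cmd):
    """Return the executable path from a Run value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ")[0]


def score_line(line):
    """Return a list of (severity, reason) findings for one DDS line."""
    findings = []
    m = RUN_RE.match(line)
    if m:
        name, exe = m.group("name"), first_exe(m.group("cmd")).lower()
        if GUID_RE.match(name):
            findings.append(("high", "Run value named with a bare GUID"))
        if any(d in exe for d in PROFILE_DIRS):
            findings.append(("high", "autorun executes from a user-profile/ProgramData path"))
        elif not exe.startswith(SYSTEM_DIRS) and "\\" not in exe:
            findings.append(("low", "bare filename, resolved via PATH"))
    m = BHO_RE.match(line)
    if m:
        if m.group("path") == "No File":
            findings.append(("low", "orphaned BHO registration"))
        elif "\\programdata\\" in m.group("path").lower():
            findings.append(("medium", "BHO loaded from ProgramData"))
    if line.startswith("mPolicies-system: EnableLUA = 0"):
        findings.append(("medium", "UAC disabled via policy"))
    if line.startswith("FF - prefs.js: network.proxy.type - 4"):
        findings.append(("info", "Firefox set to auto-detect proxy (WPAD)"))
    return findings


def triage(text):
    """Return {line: findings} for every line that produced at least one finding."""
    report = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            hits = score_line(line)
            if hits:
                report[line] = hits
    return report


if __name__ == "__main__":
    for line, hits in triage(SAMPLE_LOG).items():
        print(line)
        for severity, reason in hits:
            print(f"    [{severity}] {reason}")
```

Run it against a full DDS log by replacing SAMPLE_LOG with the file contents; lines that produce no finding (the Messenger autorun in the sample, for instance) are simply omitted from the report, which keeps the output short enough to read before asking for a second opinion.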



#2 farhans

  • Topic Starter
  • Members
  • 2 posts

Posted 23 May 2010 - 04:41 PM

Whenever I try to scan using gmer I always get the blue screen.

However, I noticed when I start gmer up and before I run scan, I get 4 entries:



And now, just as I was typing this, a new tab opened and I was redirected to: http://optiar.com/

Edited by farhans, 23 May 2010 - 04:50 PM.


#3 kahdah

  • Security Colleague
  • 11,138 posts
  • Location:Florida

Posted 23 May 2010 - 04:54 PM

Hello farhans

Welcome to BleepingComputer
========================
One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capability to allow a hacker to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.



