Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Browser searches hijacked - Unknown infection(s)

  • This topic is locked This topic is locked
6 replies to this topic

#1 MyKuL733


  • Members
  • 28 posts
  • Local time:09:31 PM

Posted 05 June 2010 - 02:54 AM

My browsers have recently begun to re-route my searches to other pages, for example : http://www.news-11-today.com/finance-news/...&tid=dcpvus
Other times a new tab will open with a fake alert claiming that I have been infected and need to download something.

I updated and ran Spybot and SuperAntiSpyware. I also have installed McAfee and Microsoft Security Essentials. I still see my search results being hijacked after all those programs found nothing.

When I try to run gmer.exe, my computer restarts.

My DDS.txt file is below, I attached my Attach.txt file from dds.scr

Please let me know if there is something else I need to try in order to diagnose and clean my system.

Thanks in advance

DDS (Ver_10-03-17.01) - NTFSx86
Run by Mike at 0:22:31.43 on Sat 06/05/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2144 [GMT -7:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: McAfee Host Intrusion Prevention Firewall *enabled* {2F1275E3-2F4F-43E9-944B-3F63F9BDA5F5}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor Enterprise\McSACore.exe
C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Mike\Desktop\dds.scr
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7c5c0f58-e061-457d-9033-77307f5ed00c} - No File
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
BHO: Nero Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Nero Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Alcmtr] ALCMTR.EXE
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [RemoteControl9] "c:\program files\cyberlink\powerdvd9\PDVD9Serv.exe"
mRun: [PDVD9LanguageShortcut] "c:\program files\cyberlink\powerdvd9\language\Language.exe"
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfee Host Intrusion Prevention Tray] "c:\program files\mcafee\host intrusion prevention\FireTray.exe"
StartupFolder: c:\docume~1\mike\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{51fb15f4-ad27-43bc-ad4b-dd0354fb6bbd}\Icon3E5562ED7.ico
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: siteadvisor.com\www
DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - hxxps://conference.oracle.com/imtapp/res/jar/cnsload.cab
DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - hxxps://strtc.oracle.com/imtapp/res/jar/cnsload.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://webaccess.atkearney.com/CACHE/stc/2/binaries/vpnweb.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap
Hosts: www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mike\applic~1\mozilla\firefox\profiles\urdtuzyd.default\
FF - component: c:\program files\mcafee\siteadvisor enterprise\components\McFFPlg.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmidas.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-6-3 343920]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R1 MpKslc11065ea;MpKslc11065ea;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d473c082-3313-41e9-91b4-79826e448bb9}\MpKslc11065ea.sys [2010-6-4 28752]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/12/20 14:39:06];c:\program files\cyberlink\powerdvd9\000.fcl [2009-2-28 87536]
R2 enterceptAgent;McAfee Host Intrusion Prevention Service;c:\program files\mcafee\host intrusion prevention\FireSvc.exe [2010-2-16 1498224]
R2 GEST Service;GEST Service for program management.;c:\program files\gigabyte\energysaver\GSvr.exe [2008-1-2 68136]
R2 hips;McAfee HIPSCore Service;c:\program files\mcafee\host intrusion prevention\hipscore\HIPSvc.exe [2010-6-3 35696]
R2 McAfee SiteAdvisor Enterprise Service;McAfee SiteAdvisor Enterprise Service;c:\program files\mcafee\siteadvisor enterprise\McSACore.exe [2009-8-6 222528]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\engineserver.exe [2010-3-25 22816]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-9-22 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2010-3-25 147472]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2010-3-25 66880]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-6-3 70728]
R2 MyDesktopWindows;MyDesktopService;c:\windows\orclobi\mydesktop\MyDesktopService.exe [2010-4-21 1032192]
R2 QOSMyDesktop;QOS MyDesktop;c:\windows\orclobi\mydesktop\MyDesktopQOS.exe [2009-10-13 470016]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-2-3 427192]
R3 FirehkMP;FirehkMP;c:\windows\system32\drivers\firehk.sys [2010-6-3 44680]
R3 HIPK;McAfee Inc. HIPK;c:\windows\system32\drivers\HIPK.sys [2010-6-3 107896]
R3 HIPPSK;McAfee Inc. HIPPSK;c:\windows\system32\drivers\HIPPSK.sys [2010-6-3 38680]
R3 HIPQK;McAfee Inc. HIPQK;c:\windows\system32\drivers\HIPQK.sys [2010-6-3 35584]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-6-3 91832]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]
S2 gupdate1cacb21d7bb091e;Google Update Service (gupdate1cacb21d7bb091e);c:\program files\google\update\GoogleUpdate.exe [2010-3-24 133104]
S3 Firehk;McAfee NDIS Intermediate Filter;c:\windows\system32\drivers\firehk.sys [2010-6-3 44680]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-6-3 43288]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-6-3 66600]
UnknownUnknown dsload;dsload; [x]

=============== Created Last 30 ================

2010-06-05 01:11:49 40428 ----a-w- c:\windows\system32\api_hook_list.dat
2010-06-04 06:08:13 60344 ----a-w- c:\windows\system32\HcApi.dll
2010-06-04 06:08:13 225144 ----a-w- c:\windows\system32\HcSql.dll
2010-06-04 06:08:13 20256 ----a-w- c:\windows\system32\HcSvc.dll
2010-06-04 06:08:13 136512 ----a-w- c:\windows\system32\KevlarSigs.dll
2010-06-04 06:08:10 40328 ----a-w- c:\windows\system32\HIPIS0e011b3.dll
2010-06-04 06:07:42 44448 ----a-w- c:\windows\system32\hipqa.dll
2010-06-04 06:07:42 38680 ----a-w- c:\windows\system32\drivers\HIPPSK.sys
2010-06-04 06:07:42 35584 ----a-w- c:\windows\system32\drivers\HIPQK.sys
2010-06-04 06:07:42 25912 ----a-w- c:\windows\system32\mfehida.dll
2010-06-04 06:07:41 107896 ----a-w- c:\windows\system32\drivers\HIPK.sys
2010-06-04 06:07:18 44680 ----a-w- c:\windows\system32\drivers\firehk.sys
2010-06-04 06:07:06 0 d-----w- c:\program files\common files\McAfee Inc
2010-06-04 06:04:03 66600 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-06-04 06:04:02 75704 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-06-04 06:04:02 43288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-06-04 06:04:01 91832 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-06-04 06:04:01 64208 ----a-w- c:\windows\system32\drivers\mfetdik.sys
2010-06-04 06:04:00 70728 ----a-w- c:\windows\system32\mfevtps.exe
2010-06-04 06:04:00 343920 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-06-04 06:03:43 0 d-----w- c:\program files\common files\McAfee
2010-06-04 03:21:48 0 d-----w- c:\program files\Microsoft Security Essentials
2010-06-04 02:09:05 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-29 06:05:59 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2010-05-29 06:05:59 8192 ----a-w- c:\windows\system32\wshirda.dll
2010-05-29 06:05:59 28160 -c--a-w- c:\windows\system32\dllcache\irmon.dll
2010-05-29 06:05:59 28160 ----a-w- c:\windows\system32\irmon.dll
2010-05-29 06:05:58 151552 -c--a-w- c:\windows\system32\dllcache\irftp.exe
2010-05-29 06:05:58 151552 ----a-w- c:\windows\system32\irftp.exe

==================== Find3M ====================

2010-06-05 01:11:47 17488 ----a-w- c:\windows\gdrv.sys
2010-04-21 09:17:48 87608 ----a-w- c:\docume~1\mike\applic~1\inst.exe
2010-04-21 09:17:48 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-04-21 09:17:48 47360 ----a-w- c:\docume~1\mike\applic~1\pcouffin.sys
2010-03-13 09:36:50 32550 ----a-w- c:\windows\king-uninstall.exe
2010-03-11 06:03:01 78183 ----a-w- c:\windows\War3Unin.dat
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll

============= FINISH: 0:23:39.17 ===============

Attached Files

BC AdBot (Login to Remove)


#2 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:02:31 AM

Posted 05 June 2010 - 01:52 PM

Good evening. smile.gif

Download TDSSKiller.zip from Kaspersky from here and save it to your Desktop - this is important.
  • You will then need to extract the file(s) from the zipped folder.

  • To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...
    In the Extraction Wizard window that opens, click on Next> and in the next window that appears, click on Next> again.
    In the final window, click on Finish

  • Close all open programs as a reboot may be required.
  • Go to Start > Run, copy and paste the following into the text box and hit OK:

    "%userprofile%\desktop\tdsskiller\TDSSKiller.exe" -l report.txt

  • A Command Window will open and the tool will scan and produce a log called report.txt that can be found in the TDSSKiller folder that you unzipped.
  • If the tool prompts for a reboot, please allow it to do so; if it fails to reboot after prompting, reboot manually
Please post the contents of the log, report.txt, in your next reply.

So long, and thanks for all the fish.



#3 MyKuL733

  • Topic Starter

  • Members
  • 28 posts
  • Local time:09:31 PM

Posted 05 June 2010 - 02:28 PM

I ran the utility, and the end result was :
Registry objects infected / cured/ cured on reboot: 0 / 0 / 0
File objects infected / cured / cured on reboot: 1 / 0 / 1

I could not find the log file after allowing the computer to reboot, so I ran the utility again. (Sorry I think I screwed this up). It looks like the log file was actually written to "C:\Documents and Settings\{Current User}" and I overwrote that first scan with the second, clean one. I attached it here anyway, but I don't think I can recover the information in that original log.

Please advise, thanks for your help.

Attached Files

#4 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:02:31 AM

Posted 05 June 2010 - 08:58 PM

It probably doesn't matter, but if your keyboard drops off tomorrow , don't blame me! crazy.gif

Download Malwarebytes' Anti-Malware from here and save it to your Desktop - unless you already have it, in which case skip to the "updating" bit below.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Ensure a checkmark is placed next to both Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware and then click Finish.
  • If an update is found, it will download and install the latest version - you'll need to clear it with your firewall.
  • Once the program has loaded, select Perform full scan and then Scan.
  • When the scan has finished, click OK and then Show Results to view the results - no surprise there!
  • If MBAM finds anything, check the box(es) and click Remove Selected.
  • Please note - Leave unchecked any boxes that have \System Volume Information\ in the filepath. These pose no immediate risk to your PC unless you use System Restore and will be dealt with later.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Let me have the MBAM log, a fresh DDS log AND a description of how your PC is behaving.

So long, and thanks for all the fish.



#5 MyKuL733

  • Topic Starter

  • Members
  • 28 posts
  • Local time:09:31 PM

Posted 05 June 2010 - 11:26 PM

I attached the log files (MBAM did not find any threats). I have not observed any of my searches being hijacked since running TDSSKiller, which is certainly encouraging.

Should I try to run gmer.exe again (it previously caused my computer to restart every time I tried)?

Attached Files

#6 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:02:31 AM

Posted 06 June 2010 - 05:46 PM

Good evening. smile.gif

Give GMER a try and see what happens:

Go here and click the Download EXE button at the top and save the file to your Desktop - the file is randomly named to try to sidestep the actions of certain malicious files.
Double click the file to begin:
  • If you get a pop-up regarding rootkit activity and are asked if you want to scan, click No.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for
    • Sections
    • IAT/EAT
    • Show All
    • All drives except your main one, which is usually C:\.
  • Click the Scan button on the right and OK any pop-up that you may see regarding rootkit activity.
  • When the scan has completed, (you'll have time for a snack and a cuppa!), click the Save... button and again save the log with any name to a handy location.
Post the contents of the log(s) into your next reply. The Preview option on the forum may show the whole log(s) being posted, but they sometimes get cut down when the actual post is made, so please check the post once it is completed.

So long, and thanks for all the fish.



#7 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:02:31 AM

Posted 14 June 2010 - 01:43 PM

As there has been no response for some time this thread is now closed.

So long, and thanks for all the fish.



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users