Google Redirect Virus


This topic is locked. 3 replies to this topic.

#1 emilyxxh23 (Members, 1 post)

Posted 22 September 2010 - 08:14 AM

If I search for something on Google, this virus will redirect me to other malicious websites and advertisements. It won't let me see genuine results from Google.
Please can anybody help me!!!
I hope I put all the info needed below.


DDS

DDS (Ver_10-03-17.01) - NTFSx86
Run by emily at 19:20:46.99 on 21/09/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_21
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.353.1033.18.1977.926 [GMT 1:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Packard Bell\Packard Bell Recovery Management\Service\ETService.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\PACKARD BELL\SetUpMyPC\SmpSys.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\taskhost.exe
C:\Windows\explorer.exe
C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Uniblue\DriverScanner\DriverScanner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Emsisoft Anti-Malware\a2service.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\emily\Desktop\Downloads\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=1809&s=2&o=vp32&d=0610&m=easynote_mh45
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uStart Page = about:blank
mDefault_Page_URL = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=1809&s=2&o=vp32&d=0610&m=easynote_mh45
mStart Page = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=1809&s=2&o=vp32&d=0610&m=easynote_mh45
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.7.0.12\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.7.0.12\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.7.0.12\coIEPlg.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [SmpcSys] c:\program files\packard bell\setupmypc\SmpSys.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [SmpcSys] c:\program files\packard bell\setupmypc\SmpSys.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [a-squared] "c:\program files\emsisoft anti-malware\a2guard.exe" /d=60
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\microsoft office\office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\microsoft office\office14\ONBttnIE.dll/105

================= FIREFOX ===================

FF - ProfilePath - c:\users\emily\appdata\roaming\mozilla\firefox\profiles\kxa3twxk.default\
FF - prefs.js: browser.startup.homepage - hxxps://mail.google.com/mail/?shva=1#inbox
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\users\emily\appdata\roaming\mozilla\firefox\profiles\kxa3twxk.default\extensions\gb@toolbar\components\toolbarhomewmp.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\users\emily\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-9-20 218592]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1107000.00c\symds.sys [2010-9-12 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1107000.00c\symefa.sys [2010-9-12 173104]
R1 a2injectiondriver;a2injectiondriver;c:\program files\emsisoft anti-malware\a2dix86.sys [2010-9-20 41928]
R1 a2util;a-squared Malware-IDS utility driver;c:\program files\emsisoft anti-malware\a2util32.sys [2010-9-20 11776]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\bashdefs\20100901.003\BHDrvx86.sys [2010-8-31 692272]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1107000.00c\cchpx86.sys [2010-9-12 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\ipsdefs\20100920.001\IDSvix86.sys [2010-9-21 344112]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1107000.00c\ironx86.sys [2010-9-12 116784]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1107000.00c\symtdiv.sys [2010-9-12 339504]
R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\emsisoft anti-malware\a2service.exe [2010-9-20 2905416]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-14 20992]
R2 ETService;Empowering Technology Service;c:\program files\packard bell\packard bell recovery management\service\ETService.exe [2010-6-12 24576]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.7.0.12\ccsvchst.exe [2010-9-12 126392]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-9-20 366840]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-9-20 1142224]
R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-9-18 1956136]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-9-12 102448]
R3 netr73;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr73.sys [2010-2-24 494368]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe -k netsvcs [2009-7-14 20992]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 NETw5v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\drivers\NETw5v32.sys [2009-1-8 3658752]
S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-9-19 1343400]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\wpffontcache_v0400.exe --> c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [?]

=============== Created Last 30 ================

2010-09-21 18:18:24 0 ----a-w- c:\users\emily\defogger_reenable
2010-09-20 17:33:50 0 d-----w- c:\program files\Emsisoft Anti-Malware
2010-09-20 16:38:06 0 d-----w- c:\windows\system32\appmgmt
2010-09-20 14:43:36 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-09-20 14:43:36 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-09-20 14:43:36 100136 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2010-09-20 14:43:11 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-09-20 14:43:11 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-09-20 14:43:11 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-09-20 14:43:11 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-09-20 14:42:46 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-09-20 14:42:46 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-09-20 14:42:19 0 d-----w- c:\users\emily\appdata\roaming\PC Tools
2010-09-20 14:42:19 0 d-----w- c:\programdata\PC Tools
2010-09-20 14:42:19 0 d-----w- c:\program files\Spyware Doctor
2010-09-20 14:42:19 0 d-----w- c:\program files\common files\PC Tools
2010-09-19 09:15:53 0 d-----w- c:\windows\system32\Wat
2010-09-19 09:14:38 257024 ----a-w- c:\windows\system32\msv1_0.dll
2010-09-19 09:07:17 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-09-18 16:09:04 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-09-18 16:07:56 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2010-09-18 15:57:02 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-09-18 15:57:00 70656 ----a-w- c:\windows\system32\fontsub.dll
2010-09-18 15:57:00 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-09-18 15:56:59 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-09-18 15:55:48 132608 ----a-w- c:\windows\system32\cabview.dll
2010-09-18 15:12:52 0 d-----w- c:\users\emily\appdata\roaming\TeamViewer
2010-09-18 15:12:35 0 d-----w- c:\program files\TeamViewer
2010-09-18 09:53:39 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-09-18 09:53:39 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-09-18 09:53:39 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-09-18 09:53:39 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-09-18 09:53:39 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-09-18 09:46:58 20 --sh--w- c:\users\emily\ntuser.ini
2010-09-18 09:46:46 9 --sh--r- C:\wedaolu
2010-09-18 09:46:46 206312 --sh--r- C:\PRAZU
2010-09-18 09:45:47 0 d-sh--w- C:\Recovery
2010-09-18 02:34:54 0 d-----w- c:\windows\Panther
2010-09-18 02:19:11 0 d--h--w- C:\$WINDOWS.~Q
2010-09-18 02:10:27 0 d--h--w- C:\$INPLACE.~TR
2010-09-17 18:40:00 0 d-----w- c:\windows\system32\wbem\Performance
2010-09-17 18:19:47 21924 ----a-w- c:\windows\system32\emptyregdb.dat
2010-09-17 17:43:04 761168 ----a-w- c:\windows\system32\PerfStringBackup.INI
2010-09-17 17:42:34 0 d-----w- c:\windows\system32\URTTEMP
2010-09-17 17:42:12 0 d-sh--w- c:\windows\Installer
2010-09-17 17:40:48 0 d-----w- c:\windows\system32\RTCOM
2010-09-17 17:40:37 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2010-09-17 17:40:32 0 d-----w- c:\program files\Synaptics
2010-09-17 17:40:19 13232 ---ha-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2010-09-17 17:40:19 13232 ---ha-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2010-09-17 17:40:18 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-09-17 12:48:56 0 d-----w- c:\programdata\DriverScanner
2010-09-17 12:48:27 0 dc-h--w- c:\programdata\{D5ABFFAD-D592-4F98-B02B-587125B4801F}
2010-09-17 12:43:58 0 dc-h--w- c:\programdata\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2010-09-17 12:31:46 0 d-----w- c:\users\emily\appdata\roaming\uniblue
2010-09-17 12:30:55 0 d-----w- c:\program files\Uniblue
2010-09-17 12:30:36 0 dc-h--w- c:\programdata\{51019853-129C-4EDE-9030-D5FD7BBD9AD0}
2010-09-16 16:48:16 0 d-----w- c:\users\emily\appdata\roaming\FinalTorrent
2010-09-16 16:46:55 212240 ----a-w- c:\windows\system32\Richtx32.ocx
2010-09-16 14:35:39 1890 ----a-w- c:\windows\diagwrn.xml
2010-09-16 14:35:39 1890 ----a-w- c:\windows\diagerr.xml
2010-09-13 23:18:42 0 d-----w- c:\users\emily\appdata\roaming\URSoft
2010-09-11 19:57:00 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-09-11 19:57:00 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-09-11 19:57:00 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-09-11 19:56:45 0 d-----w- c:\program files\Symantec
2010-09-11 19:56:45 0 d-----w- c:\program files\common files\Symantec Shared
2010-09-11 19:55:48 0 d-----w- c:\program files\Norton Internet Security
2010-09-11 19:55:08 0 d-----w- c:\programdata\NortonInstaller
2010-09-10 22:38:47 0 d-----w- c:\users\emily\appdata\roaming\Malwarebytes
2010-09-10 22:38:19 0 d-----w- c:\programdata\Malwarebytes
2010-09-06 21:36:52 0 d-sh--w- c:\programdata\SysWoW32
2010-08-27 19:00:42 0 d-----w- c:\program files\Bonjour
2010-08-26 12:28:58 0 d-----w- c:\programdata\DriveHQ

==================== Find3M ====================

2010-08-21 05:32:37 316928 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-29 06:30:49 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-07-29 06:30:34 82944 ----a-w- c:\windows\system32\iccvid.dll
2010-07-17 04:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-15 22:02:26 87608 ----a-w- c:\users\emily\appdata\roaming\inst.exe
2010-07-15 22:02:26 47360 ----a-w- c:\users\emily\appdata\roaming\pcouffin.sys
2010-07-10 10:22:58 1486848 ----a-w- c:\windows\bsdsetup.dll
2010-06-30 06:25:31 978432 ----a-w- c:\windows\system32\wininet.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-01-16 21:42:58 1784424 ----a-w- c:\program files\DSFP-3.21.exe
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 19:22:50.02 ===============



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-22 13:46:13
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\emily\AppData\Local\Temp\kglcapod.sys


---- System - GMER 1.0.15 ----

SSDT 86003088 ZwAlertResumeThread
SSDT 85FF4AC0 ZwAlertThread
SSDT 86015830 ZwAllocateVirtualMemory
SSDT 85F3CC00 ZwAlpcConnectPort
SSDT 860135C8 ZwAssignProcessToJobObject
SSDT 86017128 ZwCreateMutant
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0x88C792D6]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0x88C794C8]
SSDT 85F528D0 ZwCreateSymbolicLinkObject
SSDT 85FD4768 ZwCreateThread
SSDT 85F52918 ZwCreateThreadEx
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateUserProcess [0x88C796D0]
SSDT 8601B048 ZwDebugActiveProcess
SSDT 86011450 ZwDuplicateObject
SSDT 8601C118 ZwFreeVirtualMemory
SSDT 860103A0 ZwImpersonateAnonymousToken
SSDT 86024B78 ZwImpersonateThread
SSDT 85E94880 ZwLoadDriver
SSDT 85FD76D0 ZwMapViewOfSection
SSDT 85E6B4E8 ZwOpenEvent
SSDT 8600A790 ZwOpenProcess
SSDT 86016758 ZwOpenProcessToken
SSDT 85F46EE8 ZwOpenSection
SSDT 8600AF60 ZwOpenThread
SSDT 86021650 ZwProtectVirtualMemory
SSDT 85FCFD70 ZwResumeThread
SSDT 85FFF7E8 ZwSetContextThread
SSDT 85FF4148 ZwSetInformationProcess
SSDT 85F46EB0 ZwSetSystemInformation
SSDT 860243C0 ZwSuspendProcess
SSDT 8601FCD0 ZwSuspendThread
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0x88C78F44]
SSDT 8600F1F8 ZwTerminateThread
SSDT 85FE4E18 ZwUnmapViewOfSection
SSDT 8601B9E0 ZwWriteVirtualMemory

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E27AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E27104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E273F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E0F634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E0F898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E271DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E27958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E276F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E27F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E281A8

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2100] USER32.dll!mouse_event 75908146 6 Bytes JMP 719D0F5A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2100] USER32.dll!TrackPopupMenu 75914B3B 5 Bytes JMP 63DDDDE0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2100] USER32.dll!SendInput 75917055 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2100] USER32.dll!SendInput + 4 75917059 2 Bytes [96, 71]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2100] USER32.dll!keybd_event 7593EC9B 6 Bytes JMP 719A0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3772] ntdll.dll!NtCreateFile 76EC4A30 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3772] ntdll.dll!NtCreateFile + 4 76EC4A34 2 Bytes [72, 71] {JB 0x73}
.text C:\Program Files\Mozilla Firefox\firefox.exe[3772] ntdll.dll!NtDeleteValueKey 76EC4CB0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3772] ntdll.dll!NtDeleteValueKey + 4 76EC4CB4 2 Bytes [78, 71] {JS 0x73}
.text C:\Program Files\Mozilla Firefox\firefox.exe[3772] ntdll.dll!NtOpenFile 76EC5140 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3772] ntdll.dll!NtOpenFile + 4 76EC5144 2 Bytes [6F, 71]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3772] ntdll.dll!NtOpenProcess 76EC51F0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3772] ntdll.dll!NtOpenProcess + 4 76EC51F4 2 Bytes [75, 71] {JNZ 0x73}
.text C:\Program Files\Mozilla Firefox\firefox.exe[3772] ntdll.dll!NtSetValueKey 76EC5C70 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3772] ntdll.dll!NtSetValueKey + 4 76EC5C74 2 Bytes [7B, 71] {JNP 0x73}
.text C:\Program Files\Mozilla Firefox\firefox.exe[3772] ntdll.dll!LdrLoadDll 76EDF625 5 Bytes JMP 019F003A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3772] ADVAPI32.dll!CreateServiceW 76FEDBC1 6 Bytes JMP 71850F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3772] ADVAPI32.dll!CreateServiceA 77002120 6 Bytes JMP 71880F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3772] WS2_32.dll!connect 75A648BE 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3772] WS2_32.dll!WSALookupServiceNextW 75A64C59 6 Bytes JMP 71A30F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3772] WS2_32.dll!WSALookupServiceEnd 75A65198 6 Bytes JMP 71A00F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3772] WS2_32.dll!WSALookupServiceBeginW 75A6561A 6 Bytes JMP 71A60F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3772] WS2_32.dll!listen 75A6A6EA 6 Bytes JMP 71A90F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3772] USER32.dll!SendMessageA 758ECC28 6 Bytes JMP 71940F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3772] USER32.dll!PostMessageA 758ED656 6 Bytes JMP 718E0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3772] USER32.dll!PostMessageW 758F6225 6 Bytes JMP 718B0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3772] USER32.dll!SendMessageW 758F764C 6 Bytes JMP 71910F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3772] USER32.dll!mouse_event 75908146 6 Bytes JMP 719D0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3772] USER32.dll!SendInput 75917055 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3772] USER32.dll!SendInput + 4 75917059 2 Bytes [96, 71]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3772] USER32.dll!keybd_event 7593EC9B 6 Bytes JMP 719A0F5A
.text C:\Users\emily\Desktop\gmer.exe[5588] ntdll.dll!NtCreateFile 76EC4A30 3 Bytes [FF, 25, 1E]
.text C:\Users\emily\Desktop\gmer.exe[5588] ntdll.dll!NtCreateFile + 4 76EC4A34 2 Bytes [87, 71]
.text C:\Users\emily\Desktop\gmer.exe[5588] ntdll.dll!NtDeleteValueKey 76EC4CB0 3 Bytes [FF, 25, 1E]
.text C:\Users\emily\Desktop\gmer.exe[5588] ntdll.dll!NtDeleteValueKey + 4 76EC4CB4 2 Bytes [8D, 71]
.text C:\Users\emily\Desktop\gmer.exe[5588] ntdll.dll!NtOpenFile 76EC5140 3 Bytes [FF, 25, 1E]
.text C:\Users\emily\Desktop\gmer.exe[5588] ntdll.dll!NtOpenFile + 4 76EC5144 2 Bytes [84, 71]
.text C:\Users\emily\Desktop\gmer.exe[5588] ntdll.dll!NtOpenProcess 76EC51F0 3 Bytes [FF, 25, 1E]
.text C:\Users\emily\Desktop\gmer.exe[5588] ntdll.dll!NtOpenProcess + 4 76EC51F4 2 Bytes [8A, 71]
.text C:\Users\emily\Desktop\gmer.exe[5588] ntdll.dll!NtSetValueKey 76EC5C70 3 Bytes [FF, 25, 1E]
.text C:\Users\emily\Desktop\gmer.exe[5588] ntdll.dll!NtSetValueKey + 4 76EC5C74 2 Bytes [90, 71]
.text C:\Users\emily\Desktop\gmer.exe[5588] USER32.dll!SendMessageA 758ECC28 6 Bytes JMP 71A30F5A
.text C:\Users\emily\Desktop\gmer.exe[5588] USER32.dll!PostMessageA 758ED656 6 Bytes JMP 719D0F5A
.text C:\Users\emily\Desktop\gmer.exe[5588] USER32.dll!PostMessageW 758F6225 6 Bytes JMP 719A0F5A
.text C:\Users\emily\Desktop\gmer.exe[5588] USER32.dll!SendMessageW 758F764C 6 Bytes JMP 71A00F5A
.text C:\Users\emily\Desktop\gmer.exe[5588] USER32.dll!mouse_event 75908146 6 Bytes JMP 71AC0F5A
.text C:\Users\emily\Desktop\gmer.exe[5588] USER32.dll!SendInput 75917055 3 Bytes [FF, 25, 1E]
.text C:\Users\emily\Desktop\gmer.exe[5588] USER32.dll!SendInput + 4 75917059 2 Bytes [A5, 71]
.text C:\Users\emily\Desktop\gmer.exe[5588] USER32.dll!keybd_event 7593EC9B 6 Bytes JMP 71A90F5A
.text C:\Users\emily\Desktop\gmer.exe[5588] ADVAPI32.dll!CreateServiceW 76FEDBC1 6 Bytes JMP 71940F5A
.text C:\Users\emily\Desktop\gmer.exe[5588] ADVAPI32.dll!CreateServiceA 77002120 6 Bytes JMP 71970F5A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000050 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:1796] DA848F2E

---- EOF - GMER 1.0.15 ----




#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 27 September 2010 - 11:21 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
  1. Do not run any other tool until instructed to do so!
  2. Please do not attach logs or put them in code boxes.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having as these can help also.
  5. Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine; if it does, click OK
    Do not re-enable these drivers until otherwise instructed.

Download DDS:
    Please download DDS by sUBs from one of the links below and save it to your desktop:



    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.
    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you to save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker
  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


Information and logs:
    In your next post I need the following:
      1. Logs from DDS
      2. Log from RKUnHooker
      3. Let me know of any problems you may have had

Gringo


I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 01 October 2010 - 01:04 AM

Hello

Three-day bump

It has been three days since my last post.
  • Do you still need help with this?
  • Do you need more time?
  • Are you having problems following my instructions?
  • If after 48 hrs you have not replied to this thread, then it will have to be closed!

Gringo


#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 04 October 2010 - 02:44 AM

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

The fixes and advice in this thread are for this machine only.
Do not apply the instructions from this thread to your own machine.
Please start a new thread describing your issue and someone will be along to assist you.


With Regards,
Gringo
