google redirect & firewall trapping dwm.exe phoning out


  • This topic is locked
2 replies to this topic

#1 huge1


  • Members
  • 4 posts

Posted 04 December 2010 - 07:09 PM

I recently upgraded from Vista to Windows 7 Pro, and moved to a new 1TB hard drive. About a week ago I clearly was infected with some sort of redirect malware, with the common symptom of having links on a google search result page send me to the wrong URL. I didn't notice any other behavior at that time. I followed the instructions at another malware removal site - installed Ad-Aware, superantispyware, ran several scans. The scans found some objects, mostly what looked like ad-ware. I let the software remove or quarantine everything, and the problem seemed to go away.

Today I've had three things happen that seem strange. One is that the old redirect bug is clearly back. When I run a google search and then click on one of the links, I sometimes but not always get redirected to the wrong site, always a shopping site with something at the top listing my search terms in some way.

The second strange behavior is that my firewall (ESET Smart Security, latest version, updated) has detected ...\AppData\Roaming\dwm.exe trying to phone out to server2.thaidhost.com (96.9.169.85). I don't think I've seen dwm.exe trapped by my firewall before - an online search suggests that other people have run into it happening, but I can't get a strong sense of whether or not this is definitely malware. My gut tells me that it is, but I'm not sure.

The third thing, and maybe this is nothing, is that when I try to open the http://www.lavasoftsupport.com/ page, I get a page stating:

IPS Driver Error
There appears to be an error with the database.
You can try to refresh the page by clicking here

Maybe lavasoft is legitimately down, but I mention it in case it seems significant.


I will now post the contents of the DDS.TXT file I generated as part of the preparation guide, and I will attach Attach.txt, as instructed in the guide. I have a 64-bit system so I did not run GMER.

I notice at the top of DDS.txt that it lists SpyBot as "disabled/outdated" - I don't know what that means as I just recently downloaded it and installed it.

I look forward to any advice or suggestions anyone can provide, and I will try to be patient waiting for a reply. Thanks for the assistance!

-Laurence

DDS (Ver_10-12-05.01) - NTFS_AMD64
Run by Laurence at 15:40:32.54 on Sat 12/04/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_18
Microsoft® Windows 7 Fire™ 2010 6.1.7600.0.1252.1.1033.18.6143.2837 [GMT -8:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Dokan\DokanLibrary\mounter.exe
C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe
C:\ProgramData\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Subsonic\subsonic-service.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Windows\System32\spool\drivers\x64\3\E_FATIBOA.EXE
C:\Program Files (x86)\Phone Disk\PhoneDisk.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Users\Laurence\AppData\Local\PhotoRocket\bin\PhotoRocket.exe
C:\Program Files (x86)\Subsonic\subsonic-agent.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\itunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Opera\opera.exe
C:\Windows\explorer.exe
C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\MediaMonkey\MediaMonkey.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
c:\Poker Application\Absolute Poker\test.exe
C:\Users\Laurence\AppData\Roaming\dwm.exe
C:\Users\Laurence\AppData\Local\PhotoRocket\bin\AutoUpdate.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Public\Downloads\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:55151
uWinlogon: Shell=explorer.exe,C:\Users\Laurence\AppData\Roaming\dwm.exe
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [EPSON Stylus Photo R380 Series] C:\Windows\system32\spool\DRIVERS\x64\3\E_FATIBOA.EXE /FU "C:\Windows\TEMP\E_S591C.tmp" /EF "HKCU"
uRun: [Phone Disk] C:\Program Files (x86)\Phone Disk\PhoneDisk.exe
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
uRun: [PhotoRocket] "C:\Users\Laurence\AppData\Local\PhotoRocket\bin\PhotoRocket.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [svchost] C:\Users\Laurence\AppData\Roaming\Microsoft\conhost.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\Subsonic.lnk - C:\Program Files (x86)\Subsonic\subsonic-agent.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: Share via PhotoRocket - C:\Users\Laurence\AppData\Local\PhotoRocket\bin\iexplore.htm
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files (x86)\Bodog Poker\BPGame.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun-x64: [Welcome Center] C:\Windows\system32\rundll32.exe C:\Windows\system32\OobeFldr.dll,ShowWelcomeCenter LaunchedBy_StartMenuShortcut
mRun-x64: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun-x64: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
IE-X64: {1FBA04EE-3024-11d2-8F1F-0000F87ABD16} - C:\Users\Laurence\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
STS-X64: Windows DreamScene: {E31004D1-A431-41B8-826F-E902F9D95C81} - %SystemRoot%\System32\DreamScene.dll
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL
Hosts: 74.208.10.249 gs.apple.com

================= FIREFOX ===================

FF - ProfilePath - C:\Users\Laurence\AppData\Roaming\Mozilla\Firefox\Profiles\09rn40nj.default\
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: C:\Program Files\DivX\DivX Web Player\npdivx32.dll
FF - plugin: c:\Program Files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: C:\Program Files\Microsoft Silverlight\2.0.40115.0\npctrl.dll
FF - plugin: C:\Program Files\Microsoft Silverlight\npctrl.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\np_gp.dll
FF - plugin: C:\Windows\system32\Wat\npWatWeb.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Extension: Autofill Forms: autofillForms@blueimp.net - C:\Users\Laurence\AppData\Roaming\Mozilla\Firefox\Profiles\09rn40nj.default\extensions\autofillForms@blueimp.net
FF - Extension: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - C:\Users\Laurence\AppData\Roaming\Mozilla\Firefox\Profiles\09rn40nj.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Extension: ThumbStrips: ilab@intuit - C:\Users\Laurence\AppData\Roaming\Mozilla\Firefox\Profiles\09rn40nj.default\extensions\ilab@intuit
FF - Extension: Xmarks: foxmarks@kei.com - C:\Users\Laurence\AppData\Roaming\Mozilla\Firefox\Profiles\09rn40nj.default\extensions\foxmarks@kei.com
FF - Extension: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - C:\Users\Laurence\AppData\Roaming\Mozilla\Firefox\Profiles\09rn40nj.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Extension: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - C:\Users\Laurence\AppData\Roaming\Mozilla\Firefox\Profiles\09rn40nj.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Extension: Firefox Showcase: {89506680-e3f4-484c-a2c0-ed711d481eda} - C:\Users\Laurence\AppData\Roaming\Mozilla\Firefox\Profiles\09rn40nj.default\extensions\{89506680-e3f4-484c-a2c0-ed711d481eda}
FF - Extension: FEBE: {4BBDD651-70CF-4821-84F8-2B918CF89CA3} - C:\Users\Laurence\AppData\Roaming\Mozilla\Firefox\Profiles\09rn40nj.default\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
FF - Extension: CLEO: CLEO@guid.customsoftwareconsult.com - C:\Users\Laurence\AppData\Roaming\Mozilla\Firefox\Profiles\09rn40nj.default\extensions\CLEO@guid.customsoftwareconsult.com
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - C:\Users\Laurence\AppData\Roaming\Mozilla\Firefox\Profiles\09rn40nj.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Handfire: handfire@thehandconverter.com - C:\Users\Laurence\AppData\Roaming\Mozilla\Firefox\Profiles\09rn40nj.default\extensions\handfire@thehandconverter.com
FF - Extension: YouTube mp3: info@youtube-mp3.org - C:\Users\Laurence\AppData\Roaming\Mozilla\Firefox\Profiles\09rn40nj.default\extensions\info@youtube-mp3.org
FF - Extension: FoxySpider: {75df891f-e299-4725-b14f-7d52f086dea2} - C:\Users\Laurence\AppData\Roaming\Mozilla\Firefox\Profiles\09rn40nj.default\extensions\{75df891f-e299-4725-b14f-7d52f086dea2}
FF - Extension: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - C:\Users\Laurence\AppData\Roaming\Mozilla\Firefox\Profiles\09rn40nj.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Extension: PhotoRocket: photorocket@photorocket.com - C:\Users\Laurence\AppData\Local\PhotoRocket\bin\firefox

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;C:\Windows\System32\drivers\Lbd.sys [2010-11-27 69152]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2010-2-17 14920]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2010-2-17 12360]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2010-6-29 128752]
R2 cpuz134;cpuz134;C:\Windows\System32\drivers\cpuz134_x64.sys [2010-11-15 21480]
R2 Dokan;Dokan;C:\Windows\System32\drivers\dokan.sys [2010-7-5 106888]
R2 DokanMounter;DokanMounter;C:\Program Files (x86)\Dokan\DokanLibrary\mounter.exe [2010-7-5 11776]
R2 eamonm;eamonm;C:\Windows\System32\drivers\eamonm.sys [2010-9-3 170104]
R2 ekrn;ESET Service;C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe [2010-11-4 810144]
R2 epfwwfp;epfwwfp;C:\Windows\System32\drivers\epfwwfp.sys [2010-7-29 50624]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2010-9-22 1375992]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2010-11-27 1153368]
R3 EuDisk;EASEUS Disk Enumerator;C:\Windows\System32\drivers\EuDisk.sys [2010-11-25 137608]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;C:\Program Files (x86)\Lavasoft\Ad-Aware\kernexplorer64.sys [2010-9-22 17440]
R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2010-6-23 344680]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-11-22 136176]
S3 epmntdrv;epmntdrv;C:\Windows\System32\epmntdrv.sys [2010-11-26 16776]
S3 EUDSKACS;EUDSKACS;C:\Windows\SysWOW64\drivers\eudskacs.sys [2010-11-25 17800]
S3 EuGdiDrv;EuGdiDrv;C:\Windows\System32\EuGdiDrv.sys [2010-11-26 9096]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\microsoft office\Office14\GROOVE.EXE [2010-3-25 30969208]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2010-9-28 51712]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-11-23 1255736]

=============== Created Last 30 ================

2010-12-04 20:55:56 135168 ----a-w- C:\Users\Laurence\AppData\Roaming\dwm.exe
2010-12-04 20:50:07 125952 ----a-w- C:\Users\Laurence\AppData\Roaming\Microsoft\conhost.exe
2010-12-04 20:42:42 -------- d-----w- C:\Users\Laurence\AppData\Roaming\Absolute Poker
2010-12-04 02:43:12 -------- d-----w- C:\Users\Laurence\AppData\Local\MediaMonkey
2010-12-04 02:43:11 -------- d-----w- C:\Program Files (x86)\MediaMonkey
2010-12-04 01:40:49 -------- d-----w- C:\$WINDOWS.~LS
2010-12-04 01:13:33 -------- d-----w- C:\PROGRA~3\NVIDIA Corporation
2010-12-04 01:13:30 -------- d-----w- C:\Program Files\NVIDIA Corporation
2010-12-02 22:21:46 614400 ----a-w- C:\Windows\AutoKMS.exe
2010-12-02 22:17:08 -------- d-----w- C:\Program Files (x86)\Microsoft Synchronization Services
2010-12-02 22:16:48 -------- d-----w- C:\Windows\PCHEALTH
2010-12-02 22:16:48 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2010-12-02 22:14:58 -------- d-----w- C:\Program Files (x86)\Microsoft Visual Studio 8
2010-12-02 22:14:22 -------- d-----w- C:\Program Files (x86)\Microsoft Analysis Services
2010-12-02 22:14:13 -------- d-----w- C:\Users\Laurence\AppData\Local\Microsoft Help
2010-11-28 14:06:15 374 ---ha-w- C:\aaw7boot.cmd
2010-11-27 21:40:43 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2010-11-27 21:40:43 -------- d-----w- C:\PROGRA~3\Spybot - Search & Destroy
2010-11-27 19:37:02 69152 ----a-w- C:\Windows\System32\drivers\Lbd.sys
2010-11-27 19:37:01 49752 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
2010-11-27 19:25:16 -------- dc-h--w- C:\PROGRA~3\{E961CE1B-C3EA-4882-9F67-F859B555D097}
2010-11-27 19:25:14 -------- d-----w- C:\Program Files (x86)\Lavasoft
2010-11-27 06:55:26 -------- d-----w- C:\Windows\System32\appmgmt
2010-11-27 02:06:04 -------- d-----w- C:\Program Files (x86)\Enigma Software Group
2010-11-27 02:05:51 -------- d-----w- C:\Windows\3636C9237AD64DE3978A09609AEE8ECF.TMP
2010-11-26 20:42:03 -------- d-----w- C:\Users\Laurence\AppData\Local\NeoSmart_Technologies
2010-11-26 20:41:09 -------- d-----w- C:\Program Files (x86)\NeoSmart Technologies
2010-11-26 20:05:54 9096 ----a-w- C:\Windows\System32\EuGdiDrv.sys
2010-11-26 20:05:54 86408 ----a-w- C:\Windows\SysWow64\setupempdrv03.exe
2010-11-26 20:05:54 8456 ----a-w- C:\Windows\SysWow64\EuGdiDrv.sys
2010-11-26 20:05:54 2807936 ----a-w- C:\Windows\System32\BootMan.exe
2010-11-26 20:05:54 2217088 ----a-w- C:\Windows\SysWow64\BootMan.exe
2010-11-26 20:05:54 16776 ----a-w- C:\Windows\System32\epmntdrv.sys
2010-11-26 20:05:54 14848 ----a-w- C:\Windows\SysWow64\EuEpmGdi.dll
2010-11-26 20:05:54 14216 ----a-w- C:\Windows\SysWow64\epmntdrv.sys
2010-11-26 20:05:54 11264 ----a-w- C:\Windows\System32\EuEpmGdi.dll
2010-11-26 20:05:54 100232 ----a-w- C:\Windows\System32\setupempdrvx64.exe
2010-11-26 10:37:03 -------- d-----w- C:\Program Files (x86)\Seagate
2010-11-26 10:35:12 -------- d-----w- C:\Program Files (x86)\Common Files\Wise Installation Wizard
2010-11-25 19:18:23 26504 ----a-w- C:\Windows\SysWow64\drivers\eufs.sys
2010-11-25 19:17:48 30600 ----a-w- C:\Windows\SysWow64\drivers\eubakup.sys
2010-11-25 19:17:48 17800 ----a-w- C:\Windows\SysWow64\drivers\eudskacs.sys
2010-11-25 19:17:46 137608 ----a-w- C:\Windows\System32\drivers\EuDisk.sys
2010-11-25 19:17:39 -------- d-----w- C:\Program Files (x86)\EASEUS
2010-11-24 21:25:41 -------- d-----w- C:\Windows\System32\RT 7 Lite
2010-11-24 21:25:41 -------- d-----w- C:\Program Files\Rockers Team
2010-11-24 16:56:19 311808 ----a-w- C:\Windows\System32\msv1_0.dll
2010-11-24 16:56:19 257024 ----a-w- C:\Windows\SysWow64\msv1_0.dll
2010-11-24 16:50:32 99176 ----a-w- C:\Windows\SysWow64\PresentationHostProxy.dll
2010-11-24 16:50:32 49472 ----a-w- C:\Windows\SysWow64\netfxperf.dll
2010-11-24 16:50:32 48960 ----a-w- C:\Windows\System32\netfxperf.dll
2010-11-24 16:50:32 444752 ----a-w- C:\Windows\System32\mscoree.dll
2010-11-24 16:50:32 320352 ----a-w- C:\Windows\System32\PresentationHost.exe
2010-11-24 16:50:32 297808 ----a-w- C:\Windows\SysWow64\mscoree.dll
2010-11-24 16:50:32 295264 ----a-w- C:\Windows\SysWow64\PresentationHost.exe
2010-11-24 16:50:32 1942856 ----a-w- C:\Windows\System32\dfshim.dll
2010-11-24 16:50:32 1130824 ----a-w- C:\Windows\SysWow64\dfshim.dll
2010-11-24 16:50:32 109912 ----a-w- C:\Windows\System32\PresentationHostProxy.dll
2010-11-24 16:41:44 243712 ----a-w- C:\Windows\System32\drivers\ks.sys
2010-11-24 16:37:57 861184 ----a-w- C:\Windows\System32\oleaut32.dll
2010-11-24 16:29:48 3123712 ----a-w- C:\Windows\System32\win32k.sys
2010-11-24 16:14:30 -------- d-----w- C:\Users\Laurence\AppData\Roaming\ESET
2010-11-24 16:14:30 -------- d-----w- C:\Users\Laurence\AppData\Local\ESET
2010-11-24 16:13:24 -------- d-----w- C:\Program Files\ESET
2010-11-24 15:25:01 -------- d-----w- C:\Users\Laurence\AppData\Roaming\SUPERAntiSpyware.com
2010-11-24 15:25:01 -------- d-----w- C:\PROGRA~3\SUPERAntiSpyware.com
2010-11-24 15:24:56 -------- d-----w- C:\PROGRA~3\!SASCORE
2010-11-24 15:24:54 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2010-11-24 14:39:34 -------- d-----w- C:\Users\Laurence\AppData\Roaming\Malwarebytes
2010-11-24 14:39:26 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2010-11-24 14:39:25 24664 ----a-w- C:\Windows\System32\drivers\mbam.sys
2010-11-24 14:39:25 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2010-11-24 14:39:25 -------- d-----w- C:\PROGRA~3\Malwarebytes
2010-11-24 05:36:28 -------- d-----w- C:\Windows\SysWow64\Wat
2010-11-24 05:36:28 -------- d-----w- C:\Windows\System32\Wat
2010-11-23 21:01:09 -------- d-----w- C:\Users\Laurence\AppData\Local\Macroplant,_LLC
2010-11-23 21:00:38 -------- d-----w- C:\Program Files (x86)\Dokan
2010-11-23 21:00:14 -------- d-----w- C:\Program Files (x86)\Phone Disk
2010-11-22 20:30:21 -------- d-----w- C:\Program Files (x86)\WinSCP
2010-11-22 20:23:34 -------- d-----w- C:\Users\Laurence\AppData\Local\OpenCandy
2010-11-22 20:23:33 -------- d-----w- C:\Users\Laurence\AppData\Roaming\OpenCandy
2010-11-22 06:06:03 -------- d-----w- C:\Users\Laurence\.shsh
2010-11-21 10:44:23 -------- d-----w- C:\Program Files (x86)\Bodog Poker
2010-11-20 09:56:26 -------- d-----w- C:\Users\Laurence\AppData\Local\PhotoRocket
2010-11-20 09:56:26 -------- d-----w- C:\Users\Laurence\AppData\Local\Google
2010-11-19 20:29:12 -------- d-----w- C:\subsonic
2010-11-19 20:29:11 -------- d-----w- C:\Program Files (x86)\Subsonic
2010-11-19 20:28:40 411368 ----a-w- C:\Windows\SysWow64\deploytk.dll
2010-11-19 20:28:40 411368 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\npdeploytk.dll
2010-11-19 00:29:50 -------- d-----w- C:\Users\Laurence\AppData\Local\Apple
2010-11-19 00:29:34 -------- d-----w- C:\Program Files\Bonjour
2010-11-19 00:29:34 -------- d-----w- C:\Program Files (x86)\Bonjour
2010-11-18 01:14:25 -------- d-----w- C:\PROGRA~3\EPSON
2010-11-18 01:13:18 -------- d-----w- C:\Program Files\EPSON
2010-11-18 01:06:34 -------- d-----w- C:\Users\Laurence\AppData\Local\ElevatedDiagnostics
2010-11-17 23:09:37 -------- d-----w- C:\Users\Laurence\AppData\Roaming\Foxit Software
2010-11-17 09:14:35 -------- d-----w- C:\Program Files (x86)\uTorrent
2010-11-16 23:31:10 -------- d-----w- C:\Users\Laurence\AppData\Local\Thunderbird
2010-11-16 23:16:40 66520 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\npnul32.dll
2010-11-16 23:16:40 25048 ----a-w- C:\Program Files (x86)\Mozilla Firefox\components\browserdirprovider.dll
2010-11-16 23:16:40 140248 ----a-w- C:\Program Files (x86)\Mozilla Firefox\components\brwsrcmp.dll
2010-11-16 23:16:39 719832 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozcpp19.dll
2010-11-16 23:16:39 16856 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
2010-11-16 20:41:36 -------- d-----w- C:\Users\Laurence\AppData\Local\Mozilla
2010-11-16 20:40:39 -------- d-----w- C:\Users\Laurence\AppData\Local\Opera
2010-11-16 20:39:16 -------- d-----w- C:\Users\Laurence\AppData\Roaming\uTorrent
2010-11-16 00:52:23 -------- d-----w- C:\FEBE backup from vista
2010-11-15 20:04:34 -------- d-----w- C:\Program Files (x86)\Microsoft
2010-11-15 12:39:46 -------- d-----w- C:\Program Files (x86)\wireshark
2010-11-15 12:39:46 -------- d-----w- C:\Program Files (x86)\tuneup utilities 2009
2010-11-15 12:39:44 -------- d-----w- C:\Program Files (x86)\russwright
2010-11-15 12:38:58 -------- d-----w- C:\Program Files (x86)\itunes
2010-11-15 12:38:57 -------- d-----w- C:\perl
2010-11-15 10:00:16 21480 ----a-w- C:\Windows\System32\drivers\cpuz134_x64.sys
2010-11-15 10:00:15 -------- d-----w- C:\Program Files\CPUID
2010-11-15 10:00:11 -------- d-----w- C:\Program Files (x86)\Ask.com
2010-11-15 09:47:58 77656 ----a-w- C:\Windows\System32\XAPOFX1_5.dll
2010-11-15 09:46:48 -------- d-----w- C:\Program Files (x86)\VideoLAN
2010-11-15 09:46:34 -------- d-----w- C:\Program Files (x86)\Foxit Software
2010-11-15 09:46:16 -------- d-sh--w- C:\Windows\Installer
2010-11-15 09:39:30 -------- d-sh--w- C:\Recovery
2010-11-15 09:23:02 -------- d-----w- C:\Windows\Panther
2010-11-15 09:22:48 -------- d-sh--w- C:\Boot
2010-11-13 23:09:55 -------- d-----w- C:\!KillBox
2010-11-10 15:01:52 949760 ----a-w- C:\Windows\Rgtwk.exe
2010-11-10 15:00:53 484319 ----a-w- C:\Windows\Fullglass.exe

==================== Find3M ====================

2010-11-10 08:01:50 935936 ----a-w- C:\Windows\System32\timedate.cpl
2010-11-10 07:56:00 1084928 ----a-w- C:\Windows\System32\OobeFldr.dll
2010-11-10 07:55:21 12730368 ----a-w- C:\Windows\System32\spwizimg.dll
2010-11-10 07:46:18 3108352 ----a-w- C:\Windows\System32\networkexplorer.dll
2010-11-10 07:45:12 66229248 ----a-w- C:\Windows\System32\imageres.dll
2010-11-10 07:44:45 1880064 ----a-w- C:\Windows\System32\ExplorerFrame.dll
2010-11-10 07:35:12 899072 ----a-w- C:\Windows\SysWow64\timedate.cpl
2010-11-10 07:33:17 12730368 ----a-w- C:\Windows\SysWow64\spwizimg.dll
2010-11-10 07:26:49 1046016 ----a-w- C:\Windows\SysWow64\OobeFldr.dll
2010-11-10 07:26:11 3097088 ----a-w- C:\Windows\SysWow64\networkexplorer.dll
2010-11-10 07:17:19 66229248 ----a-w- C:\Windows\SysWow64\imageres.dll
2010-11-10 07:01:12 1511424 ----a-w- C:\Windows\SysWow64\ExplorerFrame.dll
2010-10-29 09:44:40 1736608 ----a-w- C:\Windows\System32\ntdll.dll
2010-10-29 09:44:40 1289528 ----a-w- C:\Windows\SysWow64\ntdll.dll
2010-10-29 09:44:10 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2010-10-29 09:44:10 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2010-10-29 09:44:10 153160 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2010-10-29 09:44:10 1446912 ----a-w- C:\Windows\System32\lsasrv.dll
2010-10-29 09:43:23 14336 ----a-w- C:\Windows\System32\drivers\sffp_sd.sys
2010-10-29 09:43:04 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2010-10-29 09:43:04 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2010-10-29 09:43:04 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2010-10-29 09:43:04 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2010-10-29 09:43:04 243200 ----a-w- C:\Windows\System32\wow64.dll
2010-10-29 09:43:04 2048 ----a-w- C:\Windows\SysWow64\user.exe
2010-10-29 09:43:04 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2010-10-07 20:36:16 96544 ----a-w- C:\Windows\System32\dnssd.dll
2010-10-07 20:36:16 69408 ----a-w- C:\Windows\System32\jdns_sd.dll
2010-10-07 20:36:16 237856 ----a-w- C:\Windows\System32\dnssdX.dll
2010-10-07 20:36:16 119584 ----a-w- C:\Windows\System32\dns-sd.exe
2010-10-07 20:23:02 91424 ----a-w- C:\Windows\SysWow64\dnssd.dll
2010-10-07 20:23:02 75040 ----a-w- C:\Windows\SysWow64\jdns_sd.dll
2010-10-07 20:23:02 197920 ----a-w- C:\Windows\SysWow64\dnssdX.dll
2010-10-07 20:23:02 107808 ----a-w- C:\Windows\SysWow64\dns-sd.exe
2010-09-28 23:44:52 51712 ----a-w- C:\Windows\System32\drivers\usbaapl64.sys
2010-09-28 23:44:52 4184352 ----a-w- C:\Windows\System32\usbaaplrc.dll
2010-09-10 05:35:44 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2010-09-10 05:35:43 347648 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
2010-09-08 19:17:46 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
2010-09-08 19:17:46 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
2010-09-08 05:36:17 1192960 ----a-w- C:\Windows\System32\wininet.dll
2010-09-08 05:34:34 57856 ----a-w- C:\Windows\System32\licmgr10.dll
2010-09-08 04:30:04 978432 ----a-w- C:\Windows\SysWow64\wininet.dll
2010-09-08 04:28:15 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2010-09-08 04:16:38 482816 ----a-w- C:\Windows\System32\html.iec
2010-09-08 03:35:30 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2010-09-08 03:22:31 386048 ----a-w- C:\Windows\SysWow64\html.iec
2010-09-08 02:48:16 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb

============= FINISH: 15:40:55.66 ===============

UPDATE: While I was typing that post, I left my firewall (ESET) popup message on the screen so I could type the correct contents in my post. After I finished the post, I hit "Deny" on the popup window, and then hit "Deny" on a couple more windows that followed (I've decided to go into paranoid mode and deny everything that I'm not very confident of).

I got a warning from SuperAntiSpyware saying "Potentially Harmful Software Has Been Detected", identified as "Trojan.Agent/Gen-Backdoor.Process", with the blocked item listed as ...\APPDATA\LOCAL\TEMP\CSRSS.EXE. It lists a threat level of 5 on a scale of 1-10. I clicked "Scan Now". On the window that came up I clicked "Manage Quarantine" just to see if something had just been put into quarantine, but there is nothing since the last time I ran AV scans almost two weeks ago. Listed under quarantine are a few Trojan.Agent files, but nothing called "Gen-Backdoor".

I have decided to let SuperAntiSpyware run a scan - since it is actively telling me that it has detected something. I realize that I am instructed on this forum to wait to perform other action until I get a reply, but it seems like a bad idea not to allow S.A.S. to run when it seems to have the scent of a bug.

If you want to close this thread and have me post again after I've run the scan, let me know ... either way I will post with the results...

thanks
-L

OK, I've now got so much weird/scary behavior that I think I'm just going to back up my drive, reinstall Windows and then be extremely careful about bringing stuff back on to the system, perhaps using Sandboxie this time around and adding things back in layers.

I would still love to hear it if anyone sees something obvious in the logs I've posted, and I should still have a bootable (infected) partition to work with if there's something to explore. But it's probably not worth a lot of someone's time to go over my logs with a fine tooth comb.

I'll report on my progress or if I figure out what got me into trouble.

thanks...

EDIT: Posts merged ~BP

Edited by Budapest, 05 December 2010 - 04:34 PM.
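A triage script for the kind of indicators visible in the log above, added here as an example (it is not part of the original post or of the DDS tool). The sample lines are excerpted from the report posted above; the list of system-binary names and system directories is my own assumption of what to check.

```python
"""Triage helper for a DDS-style log.

Added example for this thread; not part of the original post and not
part of the DDS tool. It walks "Running Processes" and "Pseudo HJT
Report" lines and flags the indicators a responder would look at first.
"""
import re
from pathlib import PureWindowsPath

# Assumption: these Windows binary names are only legitimate inside the
# directories below. The same file name under a user profile (like the
# AppData\Roaming\dwm.exe and conhost.exe in the log) is a masquerade.
SYSTEM_BINARIES = {
    "dwm.exe", "conhost.exe", "csrss.exe", "svchost.exe", "lsass.exe",
    "winlogon.exe", "explorer.exe", "taskhost.exe", "wininit.exe",
}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}

# Pulls every "X:\...\something.exe" path out of a log line.
EXE_RE = re.compile(r"[a-z]:\\.*?\.exe", re.IGNORECASE)


def masquerading_paths(line):
    """Return each .exe path on the line whose file name is a system
    binary name but whose directory is not a Windows system directory."""
    hits = []
    for path in EXE_RE.findall(line):
        p = PureWindowsPath(path)
        if (p.name.lower() in SYSTEM_BINARIES
                and str(p.parent).lower() not in SYSTEM_DIRS):
            hits.append(path)
    return hits


def triage(log_text):
    """Scan a DDS log and return (indicator, evidence) pairs in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # 1. A ProxyServer pointing at the local host (http=127.0.0.1:55151
        #    in the log) routes browser traffic through a process on the
        #    machine, which is one way search-result links get rewritten.
        if "ProxyServer" in line and re.search(r"127\.0\.0\.1|localhost", line):
            findings.append(("local-proxy", line))
        # 2. Winlogon Shell should be "explorer.exe" and nothing else;
        #    extra comma-separated entries are started at every logon.
        m = re.search(r"Winlogon: Shell=(.+)$", line)
        if m:
            extra = [s for s in m.group(1).split(",")
                     if s.strip().lower() != "explorer.exe"]
            if extra:
                findings.append(("shell-hijack", line))
        # 3. EnableLUA = 0 means UAC is off: whatever the user runs is admin.
        if re.search(r"EnableLUA\s*=\s*0\b", line):
            findings.append(("uac-disabled", line))
        # 4. System binary names living outside the system directories.
        for path in masquerading_paths(line):
            findings.append(("masquerade", path))
        # 5. Hosts-file overrides: not always malicious, always worth a look.
        if line.startswith("Hosts:"):
            findings.append(("hosts-override", line))
    return findings


def indicator_counts(log_text):
    """Count findings per indicator type; handy for a quick summary."""
    counts = {}
    for kind, _ in triage(log_text):
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Sample input: lines excerpted from the DDS log posted above, plus the
# legitimate Dwm.exe and Explorer.EXE entries to show they are not flagged.
SAMPLE_LOG = r"""
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Users\Laurence\AppData\Roaming\dwm.exe
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:55151
uWinlogon: Shell=explorer.exe,C:\Users\Laurence\AppData\Roaming\dwm.exe
mRun: [svchost] C:\Users\Laurence\AppData\Roaming\Microsoft\conhost.exe
mPolicies-system: EnableLUA = 0 (0x0)
Hosts: 74.208.10.249 gs.apple.com
"""

if __name__ == "__main__":
    for kind, evidence in triage(SAMPLE_LOG):
        print(f"{kind:15} {evidence}")
    print(indicator_counts(SAMPLE_LOG))
```

Run it against a full DDS.txt by passing the file contents to `triage()`; the legitimate `C:\Windows\system32\Dwm.exe` from the process list is left alone while the copy under AppData is flagged.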


#2 Blind Faith


  • Malware Response Team
  • 4,101 posts

Posted 11 December 2010 - 07:43 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Elle

If I haven't replied in 48 hours, please feel free to send me a PM.


#3 thcbytes


  • Malware Response Team
  • 14,790 posts

Posted 18 December 2010 - 08:20 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Proud member - Unified Network of Instructors and Trained Eliminators