Google redirect problem


  • This topic is locked
2 replies to this topic

#1 rh451

  • Members
  • 4 posts

Posted 10 December 2010 - 05:07 PM

When I click on a Google search result I am sent to random sites.
Thanks for any help you can give me with this problem.

I downloaded defogger and ran it and initially had the following error log:

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 12:06 on 10/12/2010 (All)

Checking for autostart values...
HKCU\~\Run values retrieved.
Unable to open HKLM\~\Run key (5)
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-


I switched to an administrator account (oops) and ran it and it said it ran successfully. It did not reboot my computer.

I created the following dds file:


DDS (Ver_10-12-05.01) - NTFSx86
Run by Rich at 13:31:49.68 on Fri 12/10/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.434 [GMT -8:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Outpost Firewall *enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}

============== Running Processes ===============

F:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
F:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
F:\Program Files\Avira\AntiVir Desktop\avguard.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\Program Files\Avira\AntiVir Desktop\avshadow.exe
F:\WINDOWS\system32\svchost.exe -k imgsvc
F:\WINDOWS\Explorer.EXE
F:\Program Files\Avira\AntiVir Desktop\avgnt.exe
F:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
F:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
F:\Program Files\Common Files\Java\Java Update\jusched.exe
F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
F:\WINDOWS\system32\ctfmon.exe
F:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Documents and Settings\Rich\Desktop\gmer\gmer.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Documents and Settings\Rich\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - f:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - f:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - f:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - f:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [SUPERAntiSpyware] f:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
mRun: [avgnt] "f:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "f:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "f:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [CanonSolutionMenu] f:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [SSBkgdUpdate] "f:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "f:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [WrtMon.exe] f:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [OutpostMonitor] f:\progra~1\agnitum\outpos~1\op_mon.exe /tray /noservice
mRun: [OutpostFeedBack] "f:\program files\agnitum\outpost firewall\feedback.exe" /dump:os_startup
mRun: [SunJavaUpdateSched] "f:\program files\common files\java\java update\jusched.exe"
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - f:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - f:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - f:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Notify: !SASWinLogon - f:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - f:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - f:\docume~1\rich\applic~1\mozilla\firefox\profiles\fstdpqt2.default\
FF - plugin: f:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Java Console: No Registry Reference - f:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - f:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - f:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Java Quick Starter: jqs@sun.com - f:\program files\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;f:\program files\avira\antivir desktop\avgio.sys [2010-11-14 11608]
R1 SandBox;SandBox;f:\windows\system32\drivers\SandBox.sys [2010-12-5 704384]
R1 SASDIFSV;SASDIFSV;f:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;f:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 acssrv;Agnitum Client Security Service;f:\progra~1\agnitum\outpos~1\acs.exe [2010-12-5 1195008]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;f:\program files\avira\antivir desktop\sched.exe [2010-11-14 135336]
R2 AntiVirService;Avira AntiVir Guard;f:\program files\avira\antivir desktop\avguard.exe [2010-11-14 267944]
R2 avgntflt;avgntflt;f:\windows\system32\drivers\avgntflt.sys [2010-11-14 61960]
R3 afw;Agnitum firewall driver;f:\windows\system32\drivers\afw.sys [2010-12-5 31128]
R3 afwcore;afwcore;f:\windows\system32\drivers\afwcore.sys [2010-12-5 257432]

=============== Created Last 30 ================

2010-12-09 16:46:18 -------- d-----w- f:\windows\system32\XPSViewer
2010-12-09 16:45:47 89088 ----a-w- f:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-12-09 16:45:31 89088 -c----w- f:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-12-09 16:45:31 597504 -c----w- f:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-12-09 16:45:31 597504 ------w- f:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-12-09 16:45:31 575488 -c----w- f:\windows\system32\dllcache\xpsshhdr.dll
2010-12-09 16:45:31 575488 ------w- f:\windows\system32\xpsshhdr.dll
2010-12-09 16:45:31 117760 ------w- f:\windows\system32\prntvpt.dll
2010-12-09 16:45:30 1676288 -c----w- f:\windows\system32\dllcache\xpssvcs.dll
2010-12-09 16:45:30 1676288 ------w- f:\windows\system32\xpssvcs.dll
2010-12-06 02:11:39 73728 ----a-w- f:\windows\system32\javacpl.cpl
2010-12-06 02:11:39 472808 ----a-w- f:\windows\system32\deployJava1.dll
2010-12-06 02:11:39 472808 ----a-w- f:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-12-06 01:54:58 -------- d-----w- f:\program files\SpywareBlaster
2010-12-05 22:16:08 -------- d-----w- f:\docume~1\rich\locals~1\applic~1\Identities
2010-12-05 22:01:10 704384 ----a-w- f:\windows\system32\drivers\SandBox.sys
2010-12-05 22:01:03 257432 ----a-w- f:\windows\system32\drivers\afwcore.sys
2010-12-05 21:59:44 31128 ----a-w- f:\windows\system32\drivers\afw.sys
2010-12-05 21:59:34 -------- d-----w- f:\program files\Agnitum
2010-12-05 21:58:51 -------- d-----w- f:\docume~1\alluse~1\applic~1\Agnitum
2010-12-05 20:31:30 -------- d-----w- F:\MGtools
2010-12-05 20:02:43 -------- d-sha-r- F:\cmdcons
2010-12-05 20:00:26 98816 ----a-w- f:\windows\sed.exe
2010-12-05 20:00:26 89088 ----a-w- f:\windows\MBR.exe
2010-12-05 20:00:26 256512 ----a-w- f:\windows\PEV.exe
2010-12-05 20:00:26 161792 ----a-w- f:\windows\SWREG.exe
2010-12-05 19:43:21 -------- d-----w- f:\docume~1\rich\applic~1\SUPERAntiSpyware.com
2010-12-05 19:43:21 -------- d-----w- f:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-12-05 19:43:10 -------- d-----w- f:\program files\SUPERAntiSpyware
2010-12-05 18:39:37 -------- d-----w- f:\windows\pss
2010-12-05 18:17:31 -------- d-----w- f:\program files\CCleaner
2010-12-05 17:59:12 -------- d-----w- f:\docume~1\rich\applic~1\ElevatedDiagnostics
2010-12-05 02:19:53 -------- d-----w- f:\docume~1\rich\applic~1\Malwarebytes
2010-12-04 20:29:39 -------- d-----w- f:\docume~1\rich\applic~1\Avira
2010-12-03 06:21:26 -------- d-----w- f:\program files\MSXML 4.0
2010-12-02 07:20:15 -------- d-----w- f:\program files\Spybot - Search & Destroy
2010-12-02 07:20:15 -------- d-----w- f:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-12-02 02:16:06 -------- d-----w- f:\docume~1\rich\locals~1\applic~1\Scansoft
2010-12-02 01:53:52 11776 ----a-w- f:\windows\system32\pmsbfn32.dll
2010-12-02 01:53:38 -------- d-----w- f:\program files\common files\NewSoft
2010-12-02 01:53:11 -------- d-----w- f:\program files\common files\PDFView
2010-12-02 01:53:10 -------- d-----w- f:\windows\system32\Color
2010-12-02 01:53:10 -------- d-----w- f:\program files\NewSoft
2010-12-02 01:52:37 32768 ----a-w- f:\program files\common files\installshield\professional\runtime\Objectps.dll
2010-12-02 01:52:37 274432 ----a-w- f:\program files\common files\installshield\professional\runtime\11\00\intel32\iscript.dll
2010-12-02 01:52:37 184320 ----a-w- f:\program files\common files\installshield\professional\runtime\11\00\intel32\iuser.dll
2010-12-02 01:52:36 753664 ----a-w- f:\program files\common files\installshield\professional\runtime\11\00\intel32\iKernel.dll
2010-12-02 01:52:36 69714 ----a-w- f:\program files\common files\installshield\professional\runtime\11\00\intel32\ctor.dll
2010-12-02 01:52:36 5632 ----a-w- f:\program files\common files\installshield\professional\runtime\11\00\intel32\DotNetInstaller.exe
2010-12-02 01:52:36 200836 ----a-w- f:\program files\common files\installshield\professional\runtime\11\00\intel32\iGdi.dll
2010-12-02 01:52:35 331908 ----a-w- f:\program files\common files\installshield\professional\runtime\11\00\intel32\setup.dll
2010-12-02 01:51:21 -------- d-----w- f:\program files\common files\ScanSoft Shared
2010-12-02 01:51:03 -------- d-----w- f:\program files\ScanSoft
2010-12-02 01:44:46 212480 ----a-w- f:\windows\PCDLIB32.DLL
2010-12-02 01:44:25 77824 ----a-w- f:\program files\common files\installshield\engine\6\intel 32\ctor.dll
2010-12-02 01:44:25 32768 ----a-w- f:\program files\common files\installshield\engine\6\intel 32\objectps.dll
2010-12-02 01:44:25 225280 ------w- f:\program files\common files\installshield\iscript\iscript.dll
2010-12-02 01:44:25 176128 ----a-w- f:\program files\common files\installshield\engine\6\intel 32\iuser.dll
2010-12-02 01:44:22 614532 ----a-w- f:\program files\common files\installshield\engine\6\intel 32\IKernel.exe
2010-12-02 01:44:14 -------- d-----w- f:\program files\common files\CANON
2010-12-02 01:42:20 -------- d-----w- f:\program files\Canon
2010-12-01 23:47:49 -------- d-sh--w- f:\documents and settings\rich\IECompatCache
2010-12-01 23:47:09 -------- d-sh--w- f:\documents and settings\rich\PrivacIE
2010-11-20 01:49:36 -------- d-----w- f:\program files\Microsoft ActiveSync
2010-11-20 01:48:52 -------- d-----w- f:\windows\SHELLNEW
2010-11-18 03:18:29 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys
2010-11-18 03:18:25 20952 ----a-w- f:\windows\system32\drivers\mbam.sys
2010-11-18 03:18:25 -------- d-----w- f:\program files\Malwarebytes' Anti-Malware
2010-11-18 03:18:25 -------- d-----w- f:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-17 20:14:34 -------- d-----w- f:\docume~1\rich\locals~1\applic~1\Adobe
2010-11-17 04:06:10 -------- d-----w- f:\docume~1\rich\locals~1\applic~1\Mozilla
2010-11-17 03:37:48 -------- d-----w- f:\windows\system32\Adobe
2010-11-17 03:32:50 327168 ----a-w- f:\windows\IsUninst.exe
2010-11-17 03:23:47 298496 ----a-w- f:\windows\uninst.exe
2010-11-17 02:34:23 28552 ----a-w- f:\windows\system32\spool\prtprocs\w32x86\mdippr.dll
2010-11-17 02:34:23 28040 ----a-w- f:\windows\system32\mdimon.dll
2010-11-17 02:21:33 13312 -c----w- f:\windows\system32\dllcache\iecompat.dll
2010-11-17 02:21:18 -------- d-----w- f:\windows\ie8updates
2010-11-17 02:20:56 743424 -c----w- f:\windows\system32\dllcache\iedvtool.dll
2010-11-17 02:20:56 602112 -c----w- f:\windows\system32\dllcache\msfeeds.dll
2010-11-17 02:20:56 55296 -c----w- f:\windows\system32\dllcache\msfeedsbs.dll
2010-11-17 02:20:56 247808 -c----w- f:\windows\system32\dllcache\ieproxy.dll
2010-11-17 02:20:56 1986560 -c----w- f:\windows\system32\dllcache\iertutil.dll
2010-11-17 02:20:56 12800 -c----w- f:\windows\system32\dllcache\xpshims.dll
2010-11-17 02:20:56 11080192 -c----w- f:\windows\system32\dllcache\ieframe.dll
2010-11-17 02:19:49 -------- dc-h--w- f:\windows\ie8
2010-11-16 22:13:09 12928 -c--a-w- f:\windows\system32\dllcache\dot4prt.sys
2010-11-16 22:13:09 12928 ----a-w- f:\windows\system32\drivers\Dot4Prt.sys
2010-11-16 22:13:03 324608 -c--a-w- f:\windows\system32\dllcache\hpojwia.dll
2010-11-16 22:13:03 324608 ----a-w- f:\windows\system32\hpojwia.dll
2010-11-16 22:13:00 8704 -c--a-w- f:\windows\system32\dllcache\dot4scan.sys
2010-11-16 22:13:00 8704 ----a-w- f:\windows\system32\drivers\Dot4scan.sys
2010-11-16 22:12:54 23808 -c--a-w- f:\windows\system32\dllcache\dot4usb.sys
2010-11-16 22:12:54 23808 ----a-w- f:\windows\system32\drivers\Dot4usb.sys
2010-11-16 22:12:53 206976 -c--a-w- f:\windows\system32\dllcache\dot4.sys
2010-11-16 22:12:53 206976 ----a-w- f:\windows\system32\drivers\Dot4.sys
2010-11-16 18:58:31 272128 -c----w- f:\windows\system32\dllcache\bthport.sys
2010-11-16 18:58:31 272128 ------w- f:\windows\system32\drivers\bthport.sys
2010-11-16 18:57:28 455680 -c----w- f:\windows\system32\dllcache\mrxsmb.sys
2010-11-16 18:47:03 2146304 -c----w- f:\windows\system32\dllcache\ntkrnlmp.exe
2010-11-16 18:47:02 2189952 -c----w- f:\windows\system32\dllcache\ntoskrnl.exe
2010-11-16 18:47:02 2024448 -c----w- f:\windows\system32\dllcache\ntkrpamp.exe
2010-11-16 18:47:01 2066816 -c----w- f:\windows\system32\dllcache\ntkrnlpa.exe
2010-11-16 18:38:45 5120 ----a-w- f:\windows\system32\xpsp4res.dll
2010-11-15 11:00:20 -------- d-----w- f:\windows\system32\PreInstall
2010-11-15 11:00:19 26144 ----a-w- f:\windows\system32\spupdsvc.exe
2010-11-15 11:00:18 -------- d--h--w- f:\windows\$hf_mig$
2010-11-14 22:08:10 -------- d-----w- f:\windows\system32\NtmsData
2010-11-14 22:02:29 61960 ----a-w- f:\windows\system32\drivers\avgntflt.sys
2010-11-14 22:02:28 -------- d-----w- f:\program files\Avira
2010-11-14 22:02:28 -------- d-----w- f:\docume~1\alluse~1\applic~1\Avira
2010-11-14 21:14:38 -------- d-----w- f:\windows\system32\SoftwareDistribution
2010-11-14 01:21:07 26368 -c--a-w- f:\windows\system32\dllcache\usbstor.sys

==================== Find3M ====================

2010-09-18 20:23:26 974848 ----a-w- f:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- f:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- f:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- f:\windows\system32\mfc40u.dll

============= FINISH: 13:32:55.25 ===============

I created the following with GMER:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-10 13:29:24
Windows 5.1.2600 Service Pack 3 Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c ST3160815A rev.3.AAD
Running: gmer.exe; Driver: F:\DOCUME~1\Rich\LOCALS~1\Temp\pxldypod.sys


---- System - GMER 1.0.15 ----

SSDT \??\F:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwAssignProcessToJobObject [0xF5735A60]
SSDT \??\F:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwClose [0xF571ABF0]
SSDT \??\F:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwConnectPort [0xF5737920]
SSDT \??\F:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateFile [0xF5716F60]
SSDT F7B3E22E ZwCreateKey
SSDT \??\F:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateProcess [0xF572E2B0]
SSDT \??\F:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateProcessEx [0xF572EBB0]
SSDT \??\F:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateSection [0xF5715D10]
SSDT \??\F:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateSymbolicLinkObject [0xF5721E40]
SSDT F7B3E224 ZwCreateThread
SSDT \??\F:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwDebugActiveProcess [0xF573AF30]
SSDT \??\F:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwDeleteFile [0xF5720B20]
SSDT F7B3E233 ZwDeleteKey
SSDT F7B3E23D ZwDeleteValueKey
SSDT \??\F:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwLoadDriver [0xF572BBB0]
SSDT F7B3E242 ZwLoadKey
SSDT \??\F:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwMakeTemporaryObject [0xF57216B0]
SSDT \??\F:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenFile [0xF5719C10]
SSDT \??\F:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenKey [0xF5722FC0]
SSDT F7B3E210 ZwOpenProcess
SSDT \??\F:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenSection [0xF5716580]
SSDT F7B3E215 ZwOpenThread
SSDT \??\F:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwProtectVirtualMemory [0xF5736DA0]
SSDT \??\F:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryDirectoryFile [0xF571B8A0]
SSDT \??\F:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryKey [0xF5725750]
SSDT \??\F:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryValueKey [0xF5725FA0]
SSDT \??\F:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueueApcThread [0xF5734ED0]
SSDT \??\F:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRenameKey [0xF5729590]
SSDT F7B3E24C ZwReplaceKey
SSDT \??\F:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRequestPort [0xF5739A50]
SSDT \??\F:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRequestWaitReplyPort [0xF5739D70]
SSDT F7B3E247 ZwRestoreKey
SSDT \??\F:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSaveKey [0xF5727C80]
SSDT \??\F:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSaveKeyEx [0xF57284D0]
SSDT \??\F:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSecureConnectPort [0xF5738480]
SSDT \??\F:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetContextThread [0xF5734440]
SSDT \??\F:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetInformationDebugObject [0xF573B520]
SSDT \??\F:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetInformationFile [0xF571CBF0]
SSDT \??\F:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetSystemInformation [0xF572B1C0]
SSDT F7B3E238 ZwSetValueKey
SSDT \??\F:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSuspendProcess [0xF5733190]
SSDT \??\F:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSuspendThread [0xF5733AC0]
SSDT \??\F:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSystemDebugControl [0xF573A770]
SSDT \??\F:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF57F2620]
SSDT \??\F:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwTerminateThread [0xF5732620]
SSDT \??\F:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwUnloadDriver [0xF572C530]
SSDT \??\F:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwWriteVirtualMemory [0xF57362B0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 440 804E2AAC 12 Bytes [90, 31, 73, F5, C0, 3A, 73, ...] {NOP ; XOR [EBX-0xb], ESI; SAR BYTE [EDX], 0x73; CMC ; JO 0xffffffffffffffb1; JAE 0x1}

---- User code sections - GMER 1.0.15 ----

.text F:\Program Files\Internet Explorer\iexplore.exe[1552] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154F5 F:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text F:\Program Files\Internet Explorer\iexplore.exe[1552] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 F:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text F:\Program Files\Internet Explorer\iexplore.exe[1552] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5027 F:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text F:\Program Files\Internet Explorer\iexplore.exe[1552] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F59 F:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text F:\Program Files\Internet Explorer\iexplore.exe[1552] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4FC4 F:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text F:\Program Files\Internet Explorer\iexplore.exe[1552] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4E2A F:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text F:\Program Files\Internet Explorer\iexplore.exe[1552] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E8C F:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text F:\Program Files\Internet Explorer\iexplore.exe[1552] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E508A F:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text F:\Program Files\Internet Explorer\iexplore.exe[1552] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EEE F:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text F:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe[1756] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 00522570 F:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe (Agnitum Outpost Service/Agnitum Ltd.)
.text F:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[1920] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0059EB4C F:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
.text F:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[1920] kernel32.dll!LoadResource 7C80A055 5 Bytes JMP 0059E828 F:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
.text F:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[1920] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 0059EA88 F:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
.text F:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[1920] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 0059EB20 F:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
.text F:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[1920] USER32.dll!EnableWindow 7E429849 5 Bytes JMP 0116944C F:\PROGRA~1\Agnitum\OUTPOS~1\op_cmn.dll (Outpost Common Controls Library/Agnitum Ltd.)
.text F:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[1920] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 0059EAF4 F:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
.text F:\Program Files\Internet Explorer\iexplore.exe[2672] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154F5 F:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text F:\Program Files\Internet Explorer\iexplore.exe[2672] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9ACD F:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text F:\Program Files\Internet Explorer\iexplore.exe[2672] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD12D F:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text F:\Program Files\Internet Explorer\iexplore.exe[2672] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 F:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text F:\Program Files\Internet Explorer\iexplore.exe[2672] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254656 F:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text F:\Program Files\Internet Explorer\iexplore.exe[2672] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5027 F:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text F:\Program Files\Internet Explorer\iexplore.exe[2672] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F59 F:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text F:\Program Files\Internet Explorer\iexplore.exe[2672] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4FC4 F:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text F:\Program Files\Internet Explorer\iexplore.exe[2672] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4E2A F:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text F:\Program Files\Internet Explorer\iexplore.exe[2672] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E8C F:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text F:\Program Files\Internet Explorer\iexplore.exe[2672] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E508A F:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text F:\Program Files\Internet Explorer\iexplore.exe[2672] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EEE F:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text F:\Program Files\Internet Explorer\iexplore.exe[2672] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDB80 F:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text F:\Program Files\Internet Explorer\iexplore.exe[2672] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E538F F:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\Tcpip \Device\Tcp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\Tcpip \Device\Udp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\Tcpip \Device\RawIp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\Tcpip \Device\IPMULTICAST afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

---- EOF - GMER 1.0.15 ----

Also, I ran ComboFix, though I find I should not have done so... twice. Some people.... Anyway, here is a copy of the first log and quarantine:

ComboFix 10-12-07.06 - Rich 12/08/2010 18:43:33.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.521 [GMT -8:00]
Running from: f:\documents and settings\Rich\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Outpost Firewall *enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
.

((((((((((((((((((((((((( Files Created from 2010-11-09 to 2010-12-09 )))))))))))))))))))))))))))))))
.

2010-12-05 20:31 . 2010-12-05 21:34 -------- d-----w- F:\MGtools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-05 21:34 . 2010-12-05 20:31 109185 ----a-w- F:\MGlogs.zip
2010-09-18 20:23 . 2008-04-14 12:00 974848 ----a-w- f:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-14 12:00 974848 ----a-w- f:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 12:00 954368 ----a-w- f:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2008-04-14 12:00 953856 ----a-w- f:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2008-04-14 12:00 916480 ----a-w- f:\windows\system32\wininet.dll
2010-09-10 05:58 . 2008-04-14 12:00 43520 ------w- f:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2008-04-14 12:00 1469440 ------w- f:\windows\system32\inetcpl.cpl
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="f:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-11-22 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="f:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-03 281768]
"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="f:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"CanonSolutionMenu"="f:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"SSBkgdUpdate"="f:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="f:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"WrtMon.exe"="f:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"OutpostMonitor"="f:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-04-15 2374464]
"OutpostFeedBack"="f:\program files\Agnitum\Outpost Firewall\feedback.exe" [2009-04-15 428032]
"SunJavaUpdateSched"="f:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

f:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - f:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-11-16 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "f:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- f:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\WINDOWS\\system32\\sessmgr.exe"=

R1 SandBox;SandBox;f:\windows\system32\drivers\SandBox.sys [12/5/2010 2:01 PM 704384]
R1 SASDIFSV;SASDIFSV;f:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;f:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 10:41 AM 67656]
R2 acssrv;Agnitum Client Security Service;f:\progra~1\Agnitum\OUTPOS~1\acs.exe [12/5/2010 1:59 PM 1195008]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;f:\program files\Avira\AntiVir Desktop\sched.exe [11/14/2010 2:02 PM 135336]
R3 afw;Agnitum firewall driver;f:\windows\system32\drivers\afw.sys [12/5/2010 1:59 PM 31128]
R3 afwcore;afwcore;f:\windows\system32\drivers\afwcore.sys [12/5/2010 2:01 PM 257432]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - f:\documents and settings\Rich\Application Data\Mozilla\Firefox\Profiles\fstdpqt2.default\
FF - plugin: f:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - f:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - f:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Java Quick Starter: jqs@sun.com - f:\program files\Java\jre6\lib\deploy\jqs\ff
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-08 18:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
f:\program files\SUPERAntiSpyware\SASWINLO.DLL
f:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2728)
f:\windows\system32\WININET.dll
f:\program files\ScanSoft\OmniPageSE4\OpHookSE4.dll
f:\windows\system32\ieframe.dll
f:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
f:\program files\Avira\AntiVir Desktop\avguard.exe
f:\program files\Java\jre6\bin\jqs.exe
f:\program files\Avira\AntiVir Desktop\avshadow.exe
f:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
f:\windows\system32\spool\drivers\w32x86\3\WrtProc.exe
.
**************************************************************************
.
Completion time: 2010-12-08 18:55:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-09 02:55
ComboFix2.txt 2010-12-05 20:23

Pre-Run: 60,744,523,776 bytes free
Post-Run: 60,735,500,288 bytes free

- - End Of File - - 421589BB9F6845D3C9EADDDBAFEEC5E3

2010-12-05 20:19:45 . 2010-12-09 02:47:27 4,915 ----a-w- F:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-12-05 20:00:19 . 2010-12-09 02:42:35 255 ----a-w- F:\Qoobox\Quarantine\catchme.log
2010-11-15 03:24:31 . 2007-01-10 19:03:19 6,624,784 ----a-w- F:\Qoobox\Quarantine\F\Documents and Settings\All Users\Documents\setup.exe.vir

#2 rh451

  • Topic Starter
  • Members
  • 4 posts

Posted 12 December 2010 - 04:25 PM

Never mind. I fixed it.

It actually wasn't that hard. Who would have thought, since I usually solve problems with large prying/striking tools and water and, if that doesn't work, more water.

More evidence that a billion monkeys typing for a billion years could have written the bible.

I don't recommend such prying, striking and water applying tactics to others though. I am highly experienced at apelike problem solving.

#3 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 12 December 2010 - 08:54 PM

Thanks for letting me know :thumbup2:

-----------------------------------------------

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE