Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Search engine redirects and new tabs opening spontaneously


  • This topic is locked This topic is locked
2 replies to this topic

#1 Mhartman

Mhartman

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:09:34 AM

Posted 15 January 2011 - 12:30 PM

I am running Windowns XP home (up-to-date). I am also using AVG Anti-Virus and Malware Bytes (both free editions and both up-to-date) but neither are helping me pinpoint what has infected my machine. Search engine results are redirected to junk ad sites. When explorer (Firefox) window is open, new tabs spontaneously open up to junk ad sites. AVG is detecting many incoming threats. Spam filter is not working. Also general slowness, and I am not able to post to this forum from infected machine. Requested logs are attached. TIA


DDS (Ver_10-12-12.02) - NTFSx86
Run by Melanie at 9:33:35.43 on Fri 01/14/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.210 [GMT -5:00]

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: a-squared Anti-Malware *Disabled/Outdated* {0F8591BB-342B-4493-91C3-4E948ED21255}

============== Running Processes ===============

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Upromise\dca-ua.exe
C:\Program Files\Upromise\UpromiseTray.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Documents and Settings\Melanie\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://srch-us9.hpwis.com/
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
mWinlogon: Userinit=userinit.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: DCA BHO: {b49699fc-1665-4414-a1cb-c4a2a4a13eec} - c:\program files\upromise\dca-bho.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Upromise TurboSaver: {edc0f17f-f4b7-47e4-b73e-887faeb376fa} - c:\program files\upromise\upromisetoolbar.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hewlett-packard\digital imaging\bin\hpdtlk02.dll
TB: Upromise TurboSaver: {06e58e5e-f8cb-4049-991e-a41c03bd419e} - c:\program files\upromise\upromisetoolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
TB: WhiteSmoke Toolbar: {52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [BackupNotify] c:\program files\hewlett-packard\digital imaging\bin\backupnotify.exe
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Upromise Update] c:\program files\upromise\dca-ua.exe
uRun: [Upromise Tray] c:\program files\upromise\UpromiseTray.exe
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRun: [ironxxxxxx.exe] c:\ironxxxxxx.exe\ironxxxxxx.exe
StartupFolder: c:\docume~1\melanie\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\melanie\startm~1\programs\startup\pmbmed~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
uPolicies-explorer: NoSMMyDocs = 1 (0x1)
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: NoSMMyDocs = 1 (0x1)
dPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {06E58E5E-F8CB-4049-991E-A41C03BD419E} - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - c:\program files\upromise\upromisetoolbar.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
LSP: SpSubLSP.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236794150609
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1237729376218
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: igfxcui - igfxsrvc.dll
Notify: OPXPGina - c:\program files\softex\omnipass\opxpgina.dll
SSODL: fehodolos - {6fc32420-227d-4d29-bc7a-d1e90d3c8712} - c:\windows\system32\pofuzema.dll
SSODL: hadabudat - {e06e6db2-e9c8-4904-b8f0-56a846ada8a2} - c:\windows\system32\pofuzema.dll
SSODL: favomalek - {86099025-cede-417e-8f6d-647a0ac7600e} - c:\windows\system32\pofuzema.dll
SSODL: bamuvidoj - {cdbba838-f74c-446c-abf1-b27642ddb07e} - c:\windows\system32\pofuzema.dll
SSODL: ganagiwod - {bb80ed20-ed83-4606-a255-1a449c01b9f5} - c:\windows\system32\pofuzema.dll
SSODL: pusupolag - {aae04400-6e7d-4114-88b9-8e47e07ba70f} - c:\windows\system32\pofuzema.dll
SSODL: fufenuwon - {ed8ad2e7-3656-417f-aeaa-aabd7a04dd7c} - c:\windows\system32\pofuzema.dll
SSODL: fonenazot - {b7f00eec-dbf3-4e35-912b-2f4c186f927d} - c:\windows\system32\pofuzema.dll
SSODL: yovugawev - {f751b075-f257-49e5-867f-5469fba7fd19} - c:\windows\system32\pofuzema.dll
STS: mujuzedij: {6fc32420-227d-4d29-bc7a-d1e90d3c8712} - c:\windows\system32\pofuzema.dll
STS: tokatiluy: {e06e6db2-e9c8-4904-b8f0-56a846ada8a2} - c:\windows\system32\pofuzema.dll
STS: tokatiluy: {86099025-cede-417e-8f6d-647a0ac7600e} - c:\windows\system32\pofuzema.dll
STS: tokatiluy: {cdbba838-f74c-446c-abf1-b27642ddb07e} - c:\windows\system32\pofuzema.dll
STS: tokatiluy: {bb80ed20-ed83-4606-a255-1a449c01b9f5} - c:\windows\system32\pofuzema.dll
STS: kupuhivus: {aae04400-6e7d-4114-88b9-8e47e07ba70f} - c:\windows\system32\pofuzema.dll
STS: kupuhivus: {ed8ad2e7-3656-417f-aeaa-aabd7a04dd7c} - c:\windows\system32\pofuzema.dll
STS: jugezatag: {b7f00eec-dbf3-4e35-912b-2f4c186f927d} - c:\windows\system32\pofuzema.dll
STS: jugezatag: {f751b075-f257-49e5-867f-5469fba7fd19} - c:\windows\system32\pofuzema.dll
LSA: Notification Packages = scecli kbconer.dll jateguso.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\melanie\applic~1\mozilla\firefox\profiles\cw4cznyf.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cbc5444&v=6.011.025.001&i=23&tp=ab&iy=b&ychte=us&lng=en-US&q=
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Upromise TurboSaver: FFToolbar@upromise - %profile%\extensions\FFToolbar@upromise
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: XULRunner: {6BFC82C1-0B4F-4C06-A8A8-7F9161366F90} - c:\documents and settings\melanie\local settings\application data\{6BFC82C1-0B4F-4C06-A8A8-7F9161366F90}
FF - Ext: AVG Security Toolbar em:version=6.011.025.001 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\avg\avg10\toolbar\firefox\avg@igeared
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 299984]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-23 6128208]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
S2 gupdate1c9a5ad74acf6ec;Google Update Service (gupdate1c9a5ad74acf6ec);c:\program files\google\update\GoogleUpdate.exe [2009-3-15 133104]
S2 mrtRate;mrtRate; [x]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2010-10-18 517448]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys --> c:\windows\system32\drivers\rcvpn.sys [?]

=============== Created Last 30 ================

2011-01-12 15:40:41 -------- d-----w- c:\program files\Trojan Guarder
2011-01-12 15:38:18 -------- d-----w- c:\docume~1\melanie\applic~1\TrojanHunter
2011-01-12 13:43:45 -------- d-----w- c:\program files\TrojanHunter 5.3
2011-01-12 13:42:31 -------- d-----w- c:\docume~1\melanie\applic~1\whitesmoketoolbar
2011-01-11 21:12:39 -------- d-----w- c:\program files\whitesmoketoolbar
2011-01-11 21:12:34 -------- d-----w- c:\program files\Whitesmoke Translator
2011-01-11 21:10:38 -------- d-----w- c:\windows\system32\%APPDATA%
2011-01-02 14:59:42 -------- d-----w- c:\windows\system32\NtmsData
2010-12-15 22:46:04 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-15 22:45:15 45568 -c----w- c:\windows\system32\dllcache\wab.exe

==================== Find3M ====================

2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-12 23:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 21:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-06 00:34:12 832512 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:34:11 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-11-06 00:34:11 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:34:11 17408 ----a-w- c:\windows\system32\corpol.dll
2010-11-03 12:25:53 389120 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
1601-01-01 00:03:52 55296 --sha-w- c:\windows\system32\hotoniwu.dll.tmp
1601-01-01 00:03:52 55296 --sha-w- c:\windows\system32\semuyodo.dll.tmp
1601-01-01 00:03:52 55296 --sha-w- c:\windows\system32\zimoluji.dll.tmp

=================== ROOTKIT ====================
I am running AVG Anti-virus and Malware bytes (both free editions, both up-to-date) and neither program is able to detect whatever the infection is. Any search engine results redirect to random ad pages. When using Firefox new tabs will open to random ad pages. General slowness in all processes. Attached are the requested logs.



Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3160021A rev.3.06 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82260555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x822667b0]; MOV EAX, [0x8226682c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x82295AB8]
3 CLASSPNP[0xF84DFFD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\0000005e[0x82297F18]
5 ACPI[0xF8456620] -> nt!IofCallDriver[0x804E13B9] -> [0x82294D98]
\Driver\atapi[0x8228A030] -> IRP_MJ_CREATE -> 0x82260555
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; CLD ; REP MOVSB ; JMP FAR 0x7a0:0x52; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST3160021A______________________________3.06____#4a3530535a465658202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8226039B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 9:36:11.96 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:34 AM

Posted 19 January 2011 - 08:58 PM

Hello Mhartman ,

Posted Image

Sorry for the delay. :( If you still need help, please post a new DDS/HijackThis log and I'll be happy to look at it. :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:34 AM

Posted 12 February 2011 - 02:59 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users