AOL and Amazon Phishing scam and DDS and GMER logs


#1 Zilliano
Posted 23 January 2011 - 09:53 PM

Hey,

I'm working on a PC for a client, and for the life of me I can't figure this one out. Whenever they attempt to log in to AOL, it redirects them to a page stating "We are now updating our security system. To verify your person in our system please enter information requested below" That also asks for their credit card information and ATM pin number, exactly like the problem listed here.

Malware Bytes and SuperAntiSpyware come up clean, and I've run CCleaner, which appeared to fix it the first time, but it suddenly came back at random and now CCleaner doesn't seem to remove it.

Here's the DDS.scr log:


DDS (Ver_10-12-12.02) - NTFSx86
Run by Ed at 20:17:17.03 on Sun 01/23/2011
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.324 [GMT -6:00]

AV: ESET NOD32 Antivirus 4.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: CA Personal Firewall *Enabled*
FW: AVG Firewall *Disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpqbam08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Ed\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.murdercreek.com/
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_BHO.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [hpqSRMon] c:\program files\hewlett-packard\digital imaging\bin\hpqSRMon.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Conime] %windir%\system32\conime.exe
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
StartupFolder: c:\docume~1\ed\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\HOTSYNC.EXE
StartupFolder: c:\docume~1\ed\startm~1\programs\startup\pmbmed~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ymetray.lnk - c:\program files\yahoo!\yahoo! music jukebox\ymetray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: aim.com\www
Trusted Zone: aol.com\www
Trusted Zone: musicmatch.com\online
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} - hxxp://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - hxxp://inst.c-wss.com/vwhpro/EN/install/gtdownlr.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: UmxSbxExw.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ed\applic~1\mozilla\firefox\profiles\yenqgc76.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z003&form=ZGAADF&q=
FF - prefs.js: network.proxy.ftp - 192.168.1.254
FF - prefs.js: network.proxy.http_port - 5555
FF - prefs.js: network.proxy.ssl_port - 1
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-2-6 106208]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-2-6 93336]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-2-6 727720]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\ekdiscovery.exe [2010-5-17 308592]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
S2 avgfws;AVG Firewall;"c:\program files\avg\avg10\avgfws.exe" --> c:\program files\avg\avg10\avgfws.exe [?]
S2 AVGIDSAgent;AVGIDSAgent;"c:\program files\avg\avg10\identity protection\agent\bin\avgidsagent.exe" --> c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [?]
S2 avgwd;AVG WatchDog;"c:\program files\avg\avg10\avgwdsvc.exe" --> c:\program files\avg\avg10\avgwdsvc.exe [?]
S2 McciServiceHost;McciServiceHost;"c:\program files\common files\motive\mcciservicehost.exe" --> c:\program files\common files\motive\McciServiceHost.exe [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]

=============== Created Last 30 ================

2011-01-24 00:16:06 -------- d-----w- c:\docume~1\ed\locals~1\applic~1\ESET
2011-01-23 23:41:17 -------- d-----w- c:\program files\CCleaner
2011-01-23 21:58:18 -------- d-----w- c:\program files\UlisesSoft
2011-01-23 21:46:15 -------- d-----w- c:\program files\ESET
2011-01-23 21:08:59 -------- d--h--w- c:\windows\PIF
2011-01-22 13:37:17 -------- d-----w- c:\docume~1\ed\locals~1\applic~1\AVG Security Toolbar
2011-01-22 02:53:17 -------- d--h--w- C:\$AVG
2011-01-22 02:25:45 -------- d-----w- c:\docume~1\ed\applic~1\AVG10
2011-01-22 02:23:18 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2011-01-22 01:45:08 -------- d-----w- c:\windows\system32\drivers\AVG
2011-01-22 01:45:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2011-01-22 01:44:14 -------- d-----w- c:\program files\AVG
2011-01-22 01:26:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-01-21 04:42:53 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-01-21 04:42:53 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-21 04:39:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\kds_kodak
2011-01-19 05:39:30 81920 -c--a-w- c:\windows\system32\dllcache\ieencode.dll
2011-01-19 05:39:30 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-01-19 03:50:38 336 ----a-w- c:\program files\temp995.bat
2010-12-26 00:49:54 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2010-12-26 00:49:54 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
2010-12-25 08:07:17 -------- d-----w- c:\windows\system32\XPSViewer
2010-12-25 08:06:45 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-12-25 08:06:25 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-12-25 08:06:25 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-12-25 08:06:25 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-12-25 08:06:25 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-12-25 08:06:25 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-12-25 08:06:25 117760 ------w- c:\windows\system32\prntvpt.dll
2010-12-25 08:06:24 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-12-25 08:06:24 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-12-25 08:06:24 -------- d-----w- C:\99701e2a56fcfee82781

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-05 05:05:36 667136 ----a-w- c:\windows\system32\wininet.dll
2010-11-05 05:05:36 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-11-03 12:59:07 369664 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 20:18:35.51 ===============



And here's the GMER log:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-23 20:52:32
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD1600JB-00REA0 rev.20.00K20
Running: hyjn8bt3.exe; Driver: C:\DOCUME~1\Ed\LOCALS~1\Temp\pxdoypod.sys


---- System - GMER 1.0.15 ----

SSDT 868BDC90 ZwAssignProcessToJobObject
SSDT 868BE200 ZwDebugActiveProcess
SSDT 868BE2F0 ZwDuplicateObject
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xEDEA16C0]
SSDT 868BD800 ZwOpenThread
SSDT 868BDFD0 ZwProtectVirtualMemory
SSDT 868BE0E0 ZwQueueApcThread
SSDT 868BDEC0 ZwSetContextThread
SSDT 868BDD90 ZwSetInformationThread
SSDT 868BADA0 ZwSetSecurityObject
SSDT 868BDB90 ZwSuspendProcess
SSDT 868BDA80 ZwSuspendThread
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xEDEA1770]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xEDEA1810]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xEDEA18B0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 450 804E2ABC 8 Bytes JMP EA1810ED
? C:\DOCUME~1\Ed\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[196] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[196] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 051E9DD9
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[196] WS2_32.dll!send 71AB4C27 5 Bytes JMP 051E9976
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[196] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 051E9C8B
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[196] WS2_32.dll!recv 71AB676F 5 Bytes JMP 051E9A57
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[196] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 051E9B2A
.text C:\WINDOWS\system32\wuauclt.exe[312] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 02FB9DD9
.text C:\WINDOWS\system32\wuauclt.exe[312] WS2_32.dll!send 71AB4C27 5 Bytes JMP 02FB9976
.text C:\WINDOWS\system32\wuauclt.exe[312] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 02FB9C8B
.text C:\WINDOWS\system32\wuauclt.exe[312] WS2_32.dll!recv 71AB676F 5 Bytes JMP 02FB9A57
.text C:\WINDOWS\system32\wuauclt.exe[312] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 02FB9B2A
.text C:\WINDOWS\system32\winlogon.exe[484] Secur32.dll!LsaLogonUser 77FE33F1 5 Bytes JMP 01462946
.text C:\WINDOWS\system32\DllHost.exe[524] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00FD9DD9
.text C:\WINDOWS\system32\DllHost.exe[524] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00FD9976
.text C:\WINDOWS\system32\DllHost.exe[524] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00FD9C8B
.text C:\WINDOWS\system32\DllHost.exe[524] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00FD9A57
.text C:\WINDOWS\system32\DllHost.exe[524] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00FD9B2A
.text C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe[592] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 006B9DD9
.text C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe[592] WS2_32.dll!send 71AB4C27 5 Bytes JMP 006B9976
.text C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe[592] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 006B9C8B
.text C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe[592] WS2_32.dll!recv 71AB676F 5 Bytes JMP 006B9A57
.text C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe[592] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 006B9B2A
.text C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe[1084] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 037C9DD9
.text C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe[1084] WS2_32.dll!send 71AB4C27 5 Bytes JMP 037C9976
.text C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe[1084] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 037C9C8B
.text C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe[1084] WS2_32.dll!recv 71AB676F 5 Bytes JMP 037C9A57
.text C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe[1084] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 037C9B2A
.text C:\WINDOWS\Explorer.EXE[1328] USER32.dll!DisplayExitWindowsWarnings 7E459F91 5 Bytes JMP 01572758
.text C:\WINDOWS\Explorer.EXE[1328] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C49DD9
.text C:\WINDOWS\Explorer.EXE[1328] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C49976
.text C:\WINDOWS\Explorer.EXE[1328] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00C49C8B
.text C:\WINDOWS\Explorer.EXE[1328] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00C49A57
.text C:\WINDOWS\Explorer.EXE[1328] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00C49B2A
.text C:\WINDOWS\BCMSMMSG.exe[1584] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D19DD9
.text C:\WINDOWS\BCMSMMSG.exe[1584] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D19976
.text C:\WINDOWS\BCMSMMSG.exe[1584] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00D19C8B
.text C:\WINDOWS\BCMSMMSG.exe[1584] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00D19A57
.text C:\WINDOWS\BCMSMMSG.exe[1584] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00D19B2A
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[1796] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00DD9DD9
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[1796] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00DD9976
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[1796] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00DD9C8B
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[1796] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00DD9A57
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[1796] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00DD9B2A
.text C:\Program Files\palmOne\HOTSYNC.EXE[1880] MSVCRT.dll!??2@YAPAXI@Z 77C29CC5 5 Bytes JMP 0A93C080 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[1880] MSVCRT.dll!??3@YAXPAX@Z 77C29CDD 5 Bytes JMP 0A93C0E0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[1880] MSVCRT.dll!?set_new_handler@@YAP6AXXZP6AXXZ@Z 77C29D9F 5 Bytes JMP 0A93C110 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[1880] MSVCRT.dll!_aligned_offset_malloc 77C29DAF 5 Bytes JMP 0A93BFE0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[1880] MSVCRT.dll!_aligned_free 77C29E33 5 Bytes JMP 0A93C0E0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[1880] MSVCRT.dll!_aligned_malloc 77C29E52 5 Bytes JMP 0A93BFC0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[1880] MSVCRT.dll!_aligned_offset_realloc 77C29E6E 5 Bytes JMP 0A93C020 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[1880] MSVCRT.dll!_aligned_realloc 77C29FC6 5 Bytes JMP 0A93C000 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[1880] MSVCRT.dll!_expand 77C29FE5 5 Bytes JMP 0A93BFA0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[1880] MSVCRT.dll!_heapadd 77C2BC9F 5 Bytes JMP 0A93C160 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[1880] MSVCRT.dll!_heapchk 77C2BCB3 5 Bytes JMP 0A93C170 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[1880] MSVCRT.dll!_heapset + 1 77C2BD83 4 Bytes JMP 0A93C191 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[1880] MSVCRT.dll!_heapmin 77C2BD8C 5 Bytes JMP 0A93C260 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[1880] MSVCRT.dll!_heapused 77C2BE3A 5 Bytes JMP 0A93C230 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[1880] MSVCRT.dll!_heapwalk 77C2BE4D 5 Bytes JMP 0A93C1A0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[1880] MSVCRT.dll!_msize 77C2BF6C 5 Bytes JMP 0A93BEB0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[1880] MSVCRT.dll!calloc 77C2C0C3 5 Bytes JMP 0A93BE50 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[1880] MSVCRT.dll!free 77C2C21B 5 Bytes JMP 0A93C0E0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[1880] MSVCRT.dll!malloc 77C2C407 5 Bytes JMP 0A93BE10 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[1880] MSVCRT.dll!realloc 77C2C437 5 Bytes JMP 0A93BE90 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgpc01.exe[1932] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00EA9DD9
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgpc01.exe[1932] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00EA9976
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgpc01.exe[1932] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00EA9C8B
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgpc01.exe[1932] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00EA9A57
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgpc01.exe[1932] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00EA9B2A
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2104] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01219DD9
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2104] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01219976
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2104] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01219C8B
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2104] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01219A57
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2104] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01219B2A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2304] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Canon\CAL\CALMAIN.exe[2736] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00DE9DD9
.text C:\Program Files\Canon\CAL\CALMAIN.exe[2736] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00DE9976
.text C:\Program Files\Canon\CAL\CALMAIN.exe[2736] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00DE9C8B
.text C:\Program Files\Canon\CAL\CALMAIN.exe[2736] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00DE9A57
.text C:\Program Files\Canon\CAL\CALMAIN.exe[2736] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00DE9B2A
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2796] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01DA9DD9
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2796] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01DA9976
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2796] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01DA9C8B
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2796] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01DA9A57
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2796] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01DA9B2A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2988] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10402342 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe[3068] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00DC9DD9
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe[3068] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00DC9976
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe[3068] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00DC9C8B
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe[3068] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00DC9A57
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe[3068] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00DC9B2A
.text C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpqbam08.exe[3188] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E29DD9
.text C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpqbam08.exe[3188] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E29976
.text C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpqbam08.exe[3188] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E29C8B
.text C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpqbam08.exe[3188] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E29A57
.text C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpqbam08.exe[3188] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E29B2A
.text C:\WINDOWS\System32\alg.exe[4076] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00B59DD9
.text C:\WINDOWS\System32\alg.exe[4076] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00B59976
.text C:\WINDOWS\System32\alg.exe[4076] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00B59C8B
.text C:\WINDOWS\System32\alg.exe[4076] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00B59A57
.text C:\WINDOWS\System32\alg.exe[4076] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00B59B2A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

---- EOF - GMER 1.0.15 ----

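When a login page is being redirected, one of the first things to check in a DDS log like the one above is whether the browser has been pointed at a proxy: here both the IE/WinINet entry (`uInternet Settings,ProxyServer = http=127.0.0.1:5555`) and the Firefox prefs name port 5555 on the local machine, which means a process on the PC itself sits between the browser and the web. As an added example (not from the thread and not part of the DDS tool), a small Python checker that pulls the proxy lines out of a DDS log and flags a loopback proxy; the excerpt it runs on is constructed from the log above.

```python
import ipaddress
import re

# Constructed excerpt modelled on the "Pseudo HJT Report" and "FIREFOX"
# sections of the DDS log in the post above (all other lines omitted).
SAMPLE_DDS = """\
uStart Page = hxxp://www.murdercreek.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
FF - prefs.js: network.proxy.ftp - 192.168.1.254
FF - prefs.js: network.proxy.http_port - 5555
FF - prefs.js: network.proxy.ssl_port - 1
FF - prefs.js: network.proxy.type - 0
"""

# DDS prefixes the current user's settings with "u" and the machine-wide
# (HKLM) settings with "m"; both matter for a redirect.
IE_PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$")
IE_OVERRIDE_RE = re.compile(r"^[um]Internet Settings,ProxyOverride\s*=\s*(.+)$")
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (network\.proxy\.\S+) - (.+)$")


def parse_ie_proxy(value):
    """Parse a WinINet ProxyServer value into {scheme: (host, port)}.

    The value is either "host:port" (one proxy for every scheme, keyed "*")
    or a ';'-separated list of "scheme=host:port" entries, as in the log.
    """
    proxies = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        scheme, _, hostport = entry.rpartition("=")
        host, sep, port = hostport.rpartition(":")
        if not sep:                      # bare host, no port given
            host, port = hostport, ""
        proxies[scheme or "*"] = (host, int(port) if port.isdigit() else None)
    return proxies


def is_loopback(host):
    """True for 'localhost', 127.0.0.0/8 and ::1."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def analyse_proxy_settings(dds_text):
    """Return (severity, message) findings for the proxy lines of a DDS log."""
    findings = []
    ff_prefs = {}
    for raw in dds_text.splitlines():
        line = raw.strip()
        m = IE_PROXY_RE.match(line)
        if m:
            for scheme, (host, port) in parse_ie_proxy(m.group(1)).items():
                where = f"{host}:{port}" if port else host
                if is_loopback(host):
                    findings.append(("high", f"IE/WinINet {scheme} traffic goes through "
                                             f"loopback proxy {where}: a local process "
                                             "sits between the browser and the web"))
                else:
                    findings.append(("info", f"IE/WinINet {scheme} proxy is {where}"))
            continue
        m = IE_OVERRIDE_RE.match(line)
        if m:
            findings.append(("info", f"ProxyOverride = {m.group(1)}: only these "
                                     "addresses bypass the proxy"))
            continue
        m = FF_PREF_RE.match(line)
        if m:
            ff_prefs[m.group(1)] = m.group(2)
    # Firefox: network.proxy.type 0 means "no proxy", so stored manual settings
    # are present but inactive; type 1 means the manual settings are in force.
    ptype = ff_prefs.get("network.proxy.type")
    http_port = ff_prefs.get("network.proxy.http_port")
    if http_port:
        sev = "high" if ptype == "1" else "info"
        findings.append((sev, f"Firefox manual HTTP proxy port {http_port} stored "
                              f"(network.proxy.type={ptype})"))
    return findings


def has_loopback_proxy(dds_text):
    """Convenience check: does any finding have severity 'high'?"""
    return any(sev == "high" for sev, _ in analyse_proxy_settings(dds_text))


if __name__ == "__main__":
    for sev, msg in analyse_proxy_settings(SAMPLE_DDS):
        print(f"[{sev}] {msg}")
```

On a real machine the same settings live under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings` and in the Firefox profile's `prefs.js`, so the lines DDS prints can be checked against those directly.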
#2 gringo_pr
Posted 30 January 2011 - 03:04 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.


We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.


In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK

Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

  • Please disable any anti-malware program that will block scripts from running before running DDS.
  • Double-Click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply





Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest, then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

"Just click on Cancel, then Accept."


information and logs:

  • In your next post I need the following:
    • logs from DDS
    • log from RKUnHooker
    • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr
Posted 02 February 2011 - 12:54 PM

Hello

three day bump

It has been three days since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo
#4 gringo_pr
Posted 05 February 2011 - 01:44 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.