Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Internet Explorer Hijacking/redirecting malware from System Restore Virus

  • This topic is locked This topic is locked
3 replies to this topic

#1 Slyrad


  • Members
  • 1 posts
  • Local time:03:00 AM

Posted 21 October 2011 - 11:23 PM

Hello Bleeping Computers!

I recently sustained a lousy phoney "System Restore" virus, which included an Internet Explorer hijacker. I've managed to remove the System Restore virus, but the Internet Explorer hijacker remains. It seems to cause Internet Explorer to run in the background, slowly taking up more and more ram (up to 900 megabytes), and occasionally it spams me a link to some file download which I always deny. It also causes some redirecting issues on Firefox, even when I've change Internet Explorer's proxy settings to make it inoperable.

Strangely, a lot of the registry entries that some of the System Restore virus removal walkthroughs listed for removal, were nowhere to be found in my registry, which I imagine has something to do with this persistent hijacking, but have left me scratching my head as I am unable to find them in my registry. Many of these missing malicious registry entries were related to Internet Explorer, but also my "Policies" folder in my Microsoft registry didn't have any sub-folders which it was supposed to, under any of the different "users" or "local machine." Anyway I just thought I'd give you a little backstory before you help me out!

Here are my DDS and GMER Logs as requested in the guide.

DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_22
Run by Conrad at 19:26:42 on 2011-10-21
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.4094.1704 [GMT -7:00]
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
C:\Program Files (x86)\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Memeo\AutoBackup\MemeoBackgroundService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe
C:\Program Files (x86)\Seagate\Seagate Dashboard\SeagateDashboardService.exe
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Program Files (x86)\Internet Explorer\IEUser.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
C:\Program Files (x86)\Ask.com\Updater\Updater.exe
C:\Program Files (x86)\Seagate\Seagate Dashboard\MemeoDashboard.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Seagate\Seagate Dashboard\HipServAgent\HipServAgent.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files (x86)\StarCraft II\StarCraft II.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Exterminate It!\ExterminateIt.exe
C:\Program Files (x86)\StarCraft II\Support\BlizzardDownloader.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer =
uURLSearchHooks: H - No File
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO: GOM Player + Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - C:\Program Files (x86)\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
TB: GOM Player + Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [<NO NAME>]
uRun: [AdobeBridge]
uRun: [Octoshape Streaming Services] "C:\Users\Conrad\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" -inv:bootrun
uRun: [KiesHelper] C:\Program Files (x86)\Samsung\Kies\KiesHelper.exe /s
uRun: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
uRun: [KiesPDLR] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
uRun: [Pando Media Booster] C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [<NO NAME>]
mRun: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
mRun: [Memeo Instant Backup] "C:\Program Files (x86)\Memeo\AutoBackup\MemeoLauncher2.exe" --silent --no_ui
mRun: [Memeo AutoSync] "C:\Program Files (x86)\Memeo\AutoSync\MemeoLauncher2.exe" --silent
mRun: [Seagate Dashboard] "C:\Program Files (x86)\Seagate\Seagate Dashboard\MemeoLauncher.exe" --silent --no_ui
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-lsf?lic=OUxTRlJFRS1WUFVaNy1HMkNNWC1SWFBXQS1QM05aSC05RDIwQy0zN1RT"&"inst=NzctNzY3MzcyNTAyLVQ1LUJBKzEtS1YzKzctWEwrMS1GUDkyKzYtQkFSOUcrMS1UQjkrMi1GTCs5LVhPMzYrMS1GOU0xMEIrMi1YTzkrMS1GOU0yKzEtVFVHKzMtRERUKzA"&"prod=55"&"ver=10.0.1382
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer =
TCP: Interfaces\{19E632EF-0DF5-4BE4-A18C-53A418667FCB} : DhcpNameServer =
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO-X64: GOM Player + Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO-X64: Ask Toolbar BHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Veoh Browser Plug-in: {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files (x86)\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
TB-X64: GOM Player + Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB-X64: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [(Default)]
mRun-x64: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
mRun-x64: [Memeo Instant Backup] "C:\Program Files (x86)\Memeo\AutoBackup\MemeoLauncher2.exe" --silent --no_ui
mRun-x64: [Memeo AutoSync] "C:\Program Files (x86)\Memeo\AutoSync\MemeoLauncher2.exe" --silent
mRun-x64: [Seagate Dashboard] "C:\Program Files (x86)\Seagate\Seagate Dashboard\MemeoLauncher.exe" --silent --no_ui
mRunOnce-x64: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-lsf?lic=OUxTRlJFRS1WUFVaNy1HMkNNWC1SWFBXQS1QM05aSC05RDIwQy0zN1RT"&"inst=NzctNzY3MzcyNTAyLVQ1LUJBKzEtS1YzKzctWEwrMS1GUDkyKzYtQkFSOUcrMS1UQjkrMi1GTCs5LVhPMzYrMS1GOU0xMEIrMi1YTzkrMS1GOU0yKzEtVFVHKzMtRERUKzA"&"prod=55"&"ver=10.0.1382
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
================= FIREFOX ===================
FF - ProfilePath - C:\Users\Conrad\AppData\Roaming\Mozilla\Firefox\Profiles\mt9tjfmt.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=GOM2&o=16133&locale=en_US&apn_uid=4ABAE31F-7D9B-4504-9987-14B9C0037C40&apn_ptnrs=QL&apn_sauid=CF656A25-686E-4894-A478-4AFCF8502CEF&apn_dtid=YYYYYYYYCA&q=
FF - prefs.js: network.proxy.type - 4
FF - component: C:\Users\Conrad\AppData\Roaming\Mozilla\Firefox\Profiles\mt9tjfmt.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Download Manager\npfpdlm.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Program Files (x86)\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
FF - plugin: C:\Users\Conrad\AppData\Local\Octoshape\Octoshape Streaming Services\octoprogram-L03-NMS0806110_SUA_900\npoctoshape.dll
FF - plugin: C:\Users\Conrad\AppData\Local\Octoshape\Octoshape Streaming Services\octoprogram-L03-NMS0806260_SUA_000\npoctoshape.dll
FF - plugin: C:\Users\Conrad\AppData\Local\Octoshape\Octoshape Streaming Services\octoprogram-L03-NMS0810164_SUA_000\npoctoshape.dll
FF - plugin: C:\Users\Conrad\AppData\Roaming\Facebook\npfbplugin_1_0_0.dll
FF - plugin: C:\Users\Conrad\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
FF - plugin: C:\Users\Conrad\AppData\Roaming\Mozilla\plugins\npoctoshape.dll
FF - plugin: C:\Users\Conrad\Program Files (x86)\DNA\plugins\npbtdna.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
============= SERVICES / DRIVERS ===============
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R2 aksdf;aksdf;C:\Windows\system32\DRIVERS\aksdf.sys --> C:\Windows\system32\DRIVERS\aksdf.sys [?]
R2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-16 21504]
R2 MemeoBackgroundService;MemeoBackgroundService;C:\Program Files (x86)\Memeo\AutoBackup\MemeoBackgroundService.exe [2011-5-4 25824]
R2 SeagateDashboardService;Seagate Dashboard Service;C:\Program Files (x86)\Seagate\Seagate Dashboard\SeagateDashboardService.exe [2011-6-1 14088]
R2 TabletServiceWacom;TabletServiceWacom;C:\Windows\system32\Wacom_Tablet.exe --> C:\Windows\system32\Wacom_Tablet.exe [?]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;C:\Windows\system32\DRIVERS\l160x64.sys --> C:\Windows\system32\DRIVERS\l160x64.sys [?]
R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate1c9d73580126e52;Google Update Service (gupdate1c9d73580126e52);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-5-17 133104]
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-2-28 183560]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2011-9-28 1431888]
S3 fssfltr;FssFltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-23 1493352]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-5-17 133104]
S3 NPF;NetGroup Packet Filter Driver;C:\Windows\system32\drivers\npf.sys --> C:\Windows\system32\drivers\npf.sys [?]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-9-16 19968]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);C:\Windows\system32\DRIVERS\ssadbus.sys --> C:\Windows\system32\DRIVERS\ssadbus.sys [?]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);C:\Windows\system32\DRIVERS\ssadmdfl.sys --> C:\Windows\system32\DRIVERS\ssadmdfl.sys [?]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;C:\Windows\system32\DRIVERS\ssadmdm.sys --> C:\Windows\system32\DRIVERS\ssadmdm.sys [?]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 wacmoumonitor;Wacom Mode Helper;C:\Windows\system32\DRIVERS\wacmoumonitor.sys --> C:\Windows\system32\DRIVERS\wacmoumonitor.sys [?]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;C:\Program Files\Zune\WMZuneComm.exe [2010-11-11 306416]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys --> C:\Windows\system32\DRIVERS\WSDPrint.sys [?]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2010-2-14 89920]
=============== File Associations ===============
regfile="regedit.exe" "%1"
=============== Created Last 30 ================
2011-10-22 02:01:13 -------- d-----w- C:\Program Files (x86)\Exterminate It!
2011-10-22 01:08:20 -------- d-----w- C:\Program Files (x86)\StarCraft II
2011-10-21 19:37:28 89048 ----a-w- C:\Program Files (x86)\Mozilla Firefox\libEGL.dll
2011-10-21 19:37:28 773080 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozsqlite3.dll
2011-10-21 19:37:28 478168 ----a-w- C:\Program Files (x86)\Mozilla Firefox\libGLESv2.dll
2011-10-21 19:37:28 2106216 ----a-w- C:\Program Files (x86)\Mozilla Firefox\D3DCompiler_43.dll
2011-10-21 19:37:28 1998168 ----a-w- C:\Program Files (x86)\Mozilla Firefox\d3dx9_43.dll
2011-10-21 19:37:28 1833944 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
2011-10-21 19:37:28 15832 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozalloc.dll
2011-10-21 19:37:28 134104 ----a-w- C:\Program Files (x86)\Mozilla Firefox\components\browsercomps.dll
2011-10-21 19:29:44 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{5D9742E0-4668-45DA-8E66-FFA8456E51E8}\offreg.dll
2011-10-21 19:29:34 8570192 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{5D9742E0-4668-45DA-8E66-FFA8456E51E8}\mpengine.dll
2011-10-17 04:04:57 -------- d-----w- C:\Program Files (x86)\NaturalSoft
2011-10-16 22:30:39 388096 ----a-r- C:\Users\Conrad\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-10-16 22:30:37 -------- d-----w- C:\Program Files (x86)\Trend Micro
2011-10-13 07:59:16 -------- d-----w- C:\Users\Conrad\AppData\Local\dxhr
2011-10-13 07:58:30 -------- d-----w- C:\Users\Conrad\AppData\Local\28050
2011-10-13 07:28:02 -------- d-----w- C:\Program Files (x86)\Square Enix
2011-10-13 01:10:19 -------- d-----w- C:\DeusEx
2011-10-12 20:13:15 2764288 ----a-w- C:\Windows\System32\win32k.sys
2011-10-12 04:03:41 8570192 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-10-11 14:21:08 917840 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F45F9EFA-9132-4934-9F85-5EDF7CAA5CFD}\gapaengine.dll
2011-10-11 14:16:34 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2011-10-11 14:16:06 -------- d-----w- C:\Program Files\Microsoft Security Client
2011-10-11 14:15:25 345984 ----a-w- C:\Windows\System32\drivers\netio.sys
2011-10-11 14:10:17 -------- d-----w- C:\Windows\SysWow64\drivers\AVG
2011-10-11 14:02:15 -------- d-----w- C:\Users\Conrad\AppData\Roaming\AVG10
2011-10-11 07:24:04 -------- d-sh--w- C:\Users\Conrad\AppData\Local\7a144c55
2011-09-29 05:04:43 -------- d-----w- C:\ProgramData\boost_interprocess
2011-09-29 04:39:44 -------- d-----w- C:\Program Files\Common Files\Macrovision Shared
2011-09-23 04:18:08 -------- d-----w- C:\Program Files (x86)\World of Warcraft
2011-09-23 03:19:01 -------- d-----w- C:\Program Files (x86)\EA Sports
==================== Find3M ====================
2011-09-02 14:15:02 1383424 ----a-w- C:\Windows\System32\mshtml.tlb
2011-09-02 13:39:07 1383424 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-08-25 16:20:38 735744 ----a-w- C:\Windows\System32\UIAutomationCore.dll
2011-08-25 16:19:32 847360 ----a-w- C:\Windows\System32\oleaut32.dll
2011-08-25 16:19:32 332288 ----a-w- C:\Windows\System32\oleacc.dll
2011-08-25 16:15:04 555520 ----a-w- C:\Windows\SysWow64\UIAutomationCore.dll
2011-08-25 16:14:01 563712 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2011-08-25 16:14:01 238080 ----a-w- C:\Windows\SysWow64\oleacc.dll
2011-08-25 13:54:14 4096 ----a-w- C:\Windows\System32\oleaccrc.dll
2011-08-25 13:31:01 4096 ----a-w- C:\Windows\SysWow64\oleaccrc.dll
2011-08-16 16:17:05 1032192 ----a-w- C:\Windows\System32\wininet.dll
2011-08-16 16:15:15 834048 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-08-16 14:52:04 485376 ----a-w- C:\Windows\System32\html.iec
2011-08-16 14:20:55 389632 ----a-w- C:\Windows\SysWow64\html.iec
2011-07-29 16:08:29 375808 ----a-w- C:\Windows\System32\psisdecd.dll
2011-07-29 16:08:27 289792 ----a-w- C:\Windows\System32\psisrndr.ax
2011-07-29 16:06:52 73216 ----a-w- C:\Windows\System32\MSDvbNP.ax
2011-07-29 16:06:42 100352 ----a-w- C:\Windows\System32\Mpeg2Data.ax
2011-07-29 16:01:34 293376 ----a-w- C:\Windows\SysWow64\psisdecd.dll
2011-07-29 16:01:33 217088 ----a-w- C:\Windows\SysWow64\psisrndr.ax
2011-07-29 16:00:14 57856 ----a-w- C:\Windows\SysWow64\MSDvbNP.ax
2011-07-29 16:00:05 69632 ----a-w- C:\Windows\SysWow64\Mpeg2Data.ax
============= FINISH: 19:37:01.40 ===============


GMER - http://www.gmer.net
Rootkit scan 2011-10-21 21:02:35
Windows 6.0.6002 Service Pack 2
Running: gmer.exe

---- Files - GMER 1.0.15 ----

File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS09096.log 131072 bytes
File C:\Users\Conrad\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TAOYMW9Q\4ea234f27ff07[1].htm 7956 bytes
File C:\Users\Conrad\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TAOYMW9Q\2295581026[1].htm 6558 bytes
File C:\Users\Conrad\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TAOYMW9Q\api[1].htm 784 bytes
File C:\Users\Conrad\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VMD8F7B2\api[1].htm 784 bytes
File C:\Users\Conrad\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VMD8F7B2\like[1].htm 27357 bytes
File C:\Users\Conrad\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VMD8F7B2\salmon-express[1].htm 82843 bytes
File C:\Users\Conrad\AppData\Roaming\Microsoft\Windows\Cookies\0F0GBTT5.txt 690 bytes
File C:\Users\Conrad\AppData\Roaming\Microsoft\Windows\Cookies\13YNS8UV.txt 0 bytes
File C:\Users\Conrad\AppData\Roaming\Microsoft\Windows\Cookies\F4477WES.txt 905 bytes
File C:\Users\Conrad\AppData\Roaming\Microsoft\Windows\Cookies\CN3AOZ20.txt 170 bytes
File C:\Users\Conrad\AppData\Roaming\Microsoft\Windows\Cookies\5W3ZXWUQ.txt 7604 bytes
File C:\Users\Conrad\AppData\Roaming\Microsoft\Windows\Cookies\IFPWFWPQ.txt 87 bytes
File C:\Users\Conrad\AppData\Roaming\Microsoft\Windows\Cookies\RWW7RK3I.txt 0 bytes
File C:\Users\Conrad\AppData\Roaming\Microsoft\Windows\Cookies\R65SDCTC.txt 0 bytes

---- EOF - GMER 1.0.15 ----

Thanks for any help on this matter. I figured out how to stop Internet Explorer from running in the background, but it involves editing the proxy in the LAN settings, which has some undesirable results, such as a lot of software seems to use Internet Explorer as web access, such as software like Steam or the Blizzard Launcher, which won't run unless I revert the proxy settings.

Anyway, I would obviously prefer to resolve this issue as opposed to blocking it temporarily. Strangely I have enjoyed having my computer being infected. It's brought me a little closer to understanding how it really works!

Again thanks for any help!


Attached Files

BC AdBot (Login to Remove)


#2 gringo_pr


    Bleepin Gringo

  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:00 AM

Posted 25 October 2011 - 01:26 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Posted Image
    Download DDS and save it to your desktop


    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

information and logs:

  • In your next post I need the following

  • .logs from DDS
  • let me know of any problems you may have had


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr


    Bleepin Gringo

  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:00 AM

Posted 28 October 2011 - 12:10 PM


48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#4 gringo_pr


    Bleepin Gringo

  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:00 AM

Posted 01 November 2011 - 12:40 AM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users