Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijack This Log from Possible Rootkit or


  • This topic is locked This topic is locked
2 replies to this topic

#1 paddoce

paddoce

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:09:02 PM

Posted 13 November 2011 - 01:17 PM

I see from other posts the DDS is the preferred tool. Here is a the log from a DDS scan:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Run by Cynthia Paddock at 13:56:51 on 2011-11-13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.2066 [GMT -6:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iRacing\iRacingService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\Pmxmiced.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080623
uInternet Settings,ProxyOverride = *.local
uWinlogon: Shell=c:\documents and settings\cynthia paddock\local settings\application data\41067fdd\X
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
uRun: [NVIDIA nTune] c:\program files\nvidia corporation\ntune\nTuneCmd.exe resetprofile
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [Start WingMan Profiler] c:\program files\logitech\gaming software\LWEMon.exe /noui
mRun: [PMX Daemon] ICO.EXE
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Ad-Aware Browsing Protection] "c:\documents and settings\all users\application data\ad-aware browsing protection\adawarebp.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\cynthi~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{8BE9FC8C-4574-4DD1-B5C3-3C4EEEFAA86D} : DhcpNameServer = 192.168.1.1
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\cynthia paddock\application data\mozilla\firefox\profiles\86mwd7aq.default\
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPFxViewer.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-11-13 64512]
R2 iRacingService;iRacing.com Helper Service;c:\program files\iracing\iRacingService.exe [2008-6-26 511136]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-11-3 2152152]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-10-3 2255464]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-11-3 15232]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2011-10-3 119528]
R3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [2008-6-26 18432]
R3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [2008-6-26 14336]
S2 gupdate1ca812793bc5482;Google Update Service (gupdate1ca812793bc5482);c:\program files\google\update\GoogleUpdate.exe [2009-12-19 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-12-19 133104]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
=============== Created Last 30 ================
.
2011-11-13 15:58:48 388096 ----a-r- c:\documents and settings\cynthia paddock\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-11-13 14:58:30 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-11-13 14:42:54 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-11-13 14:35:09 -------- d-----w- c:\documents and settings\cynthia paddock\local settings\application data\adaware
2011-11-13 14:35:08 -------- d-----w- c:\documents and settings\all users\application data\Ad-Aware Browsing Protection
2011-11-13 14:35:07 -------- d-----w- c:\program files\Toolbar Cleaner
2011-11-13 14:35:02 -------- d-----w- c:\program files\adawaretb
2011-11-13 14:35:02 -------- d-----w- c:\documents and settings\cynthia paddock\application data\adawaretb
2011-11-13 14:34:59 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-11-13 14:34:53 -------- d-----w- c:\program files\Lavasoft
2011-11-13 13:26:19 -------- d-----w- c:\program files\ESET
2011-11-13 12:47:35 821760 ----a-w- c:\documents and settings\all users\application data\privacy.exe
2011-11-05 16:29:13 -------- d-sh--w- C:\found.000
2011-11-05 13:29:43 -------- d-s---w- C:\ComboFix
2011-11-05 12:29:59 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2011-11-05 12:27:16 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
2011-11-05 12:25:27 105472 ------w- c:\windows\system32\dllcache\mup.sys
2011-11-05 12:21:35 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
2011-11-05 12:20:25 45568 ------w- c:\windows\system32\dllcache\wab.exe
2011-11-05 04:10:54 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-11-05 04:02:53 -------- d-sha-r- C:\cmdcons
2011-11-05 03:09:25 1563952 ----a-w- C:\asdf234.com
2011-10-31 11:55:43 -------- d-----w- c:\documents and settings\all users\application data\CanonIJSolutionMenuEX
2011-10-31 10:47:48 -------- d-----w- c:\documents and settings\all users\application data\CanonIJPLM
2011-10-30 21:21:57 -------- d-----w- c:\program files\common files\CANON
2011-10-30 21:21:49 -------- d-----w- c:\documents and settings\all users\application data\CanonIJWSpt
2011-10-30 21:19:17 83968 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\CNMPPAT.DLL
2011-10-30 21:19:17 310272 ----a-w- c:\windows\system32\CNMLMAT.DLL
2011-10-30 21:19:17 29184 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\CNMPDAT.DLL
2011-10-30 21:18:52 363008 ----a-w- c:\windows\system32\CNMNPPM.DLL
2011-10-30 21:18:52 35328 ----a-w- c:\windows\system32\CNMNPUI.DLL
2011-10-30 21:18:52 -------- d-----w- c:\windows\system32\STRING
2011-10-30 21:15:23 -------- d-----w- c:\program files\Canon
.
==================== Find3M ====================
.
2011-11-13 12:46:05 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-04 02:12:47 280276 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-10-04 02:12:47 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-10-04 02:12:45 280276 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 16:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 22:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-31 04:05:04 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-31 04:05:04 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-08-31 04:05:04 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-08-31 04:05:04 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48:54 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
.
============= FINISH: 13:57:34.87 ===============

GMER Log Confirmed Rootkit activity:


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-13 19:39:55
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Scsi\nvgts1Port3Path0Target0Lun0 Hitachi_ rev.GM4O
Running: gmer.exe; Driver: C:\DOCUME~1\CYNTHI~1\LOCALS~1\Temp\pxdyapow.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xB80F887E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xB80F8BFE]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB64E13A0, 0x8A1A15, 0xE8000020]
.PAGE1 C:\WINDOWS\system32\DRIVERS\redbook.sys unknown last section [0xA869C800, 0x100, 0xC0000040]
? C:\DOCUME~1\CYNTHI~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1592] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 106AC350 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1592] USER32.dll!SetWindowLongW 7E42C2BB 5 Bytes JMP 106AC2E2 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1592] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 1045E363 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1592] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 1045E91C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\WINDOWS\system32\svchost.exe[3328] USER32.dll!DialogBoxIndirectParamAorW 7E4249D0 5 Bytes [33, C0, C2, 18, 00] {XOR EAX, EAX; RET 0x18}
.text C:\Program Files\Mozilla Firefox\firefox.exe[3936] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01262EC0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3936] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02300001
.text C:\Program Files\Mozilla Firefox\firefox.exe[3936] WS2_32.dll!WSALookupServiceNextW 71AB3181 6 Bytes JMP 71A50F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3936] WS2_32.dll!WSALookupServiceEnd 71AB350E 6 Bytes JMP 71A20F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3936] WS2_32.dll!WSALookupServiceBeginW 71AB35EF 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3936] WS2_32.dll!send 71AB4C27 6 Bytes JMP 719F0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3936] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 71960F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3936] WS2_32.dll!recv 71AB676F 6 Bytes JMP 719C0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3936] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 71990F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3936] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 6 Bytes JMP 71930F5A

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \Fat A44A2D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) A86FF000-A870D000 (57344 bytes)
Module (noname) (*** hidden *** ) B086A000-B0873000 (36864 bytes)

---- Threads - GMER 1.0.15 ----

Thread System [4:604] B086E3E0
Thread System [4:608] B086E3E0
Thread System [4:612] 89C09330
Thread System [4:616] 89C09330

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\LocalService\Cookies\S157F1WJ.txt 0 bytes
File C:\Documents and Settings\LocalService\Cookies\ODNSL1IP.txt 92 bytes
File C:\Documents and Settings\LocalService\Cookies\OG01N3SF.txt 1126 bytes
File C:\Documents and Settings\LocalService\Cookies\XNT3K2P5.txt 0 bytes
File C:\Documents and Settings\LocalService\Cookies\DKM7DLXX.txt 0 bytes
File C:\Documents and Settings\LocalService\Cookies\LEDJBGTN.txt 1125 bytes
File C:\Documents and Settings\LocalService\Cookies\P9WGBTON.txt 118 bytes
File C:\Documents and Settings\LocalService\Cookies\PA408403.txt 0 bytes
File C:\Documents and Settings\LocalService\Cookies\QIP4G1K7.txt 7050 bytes
File C:\Documents and Settings\LocalService\Cookies\9OF2239Y.txt 0 bytes
File C:\Documents and Settings\LocalService\Cookies\50UX7VVS.txt 92 bytes
File C:\Documents and Settings\LocalService\Cookies\89ABMCJ3.txt 3632 bytes
File C:\Documents and Settings\LocalService\Cookies\K2QDF2U6.txt 5165 bytes
File C:\Documents and Settings\LocalService\Cookies\I983QUTQ.txt 0 bytes
File C:\Documents and Settings\LocalService\Cookies\ZLE9W3I2.txt 502 bytes
File C:\Documents and Settings\LocalService\Cookies\N5TGRDNN.txt 584 bytes
File C:\Documents and Settings\LocalService\Cookies\NBMLKQPK.txt 734 bytes
File C:\Documents and Settings\LocalService\Cookies\HIJAVNUE.txt 103 bytes
File C:\Documents and Settings\LocalService\Cookies\0XF7JR3W.txt 1708 bytes
File C:\Documents and Settings\LocalService\Cookies\18VR68V5.txt 1227 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\19VFL4IZ\taylor-lautner-110211-1[1].jpg 6304 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\19VFL4IZ\Erin%20Heatherton-11012011-02[1].jpg 4267 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\19VFL4IZ\afr[1].php 1236 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\456V83GB\dw-kanye-01[1].jpg 5729 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U7WXA5I7\ddc[1].htm 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U7WXA5I7\json[2] 3872 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U7WXA5I7\box1-b[1].png 1035 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U7WXA5I7\butter-110611-4[1].jpg 5576 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U7WXA5I7\b[3].gif 43 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U7WXA5I7\beacon[1].txt 69 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U7WXA5I7\bar-pass-fw11-1[1].jpg 4092 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U7WXA5I7\base64[1].js 1642 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U7WXA5I7\logging_impressions[1].gif 43 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U7WXA5I7\login_status[5].php 58 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U7WXA5I7\tabs-bg[1].gif 55 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UN0Q7RSL\detect[1].act 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UN0Q7RSL\TSRq[1].gif 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UN0Q7RSL\capitol%204th.thumbnail[1].jpg 2055 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UN0Q7RSL\weather[1].js 49039 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UN0Q7RSL\top-grey[1].gif 96 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UN0Q7RSL\tracking_packaged[1].js 4343 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UN0Q7RSL\main-nav-rss[1].png 2482 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UN0Q7RSL\marisa-tomei-5[1].txt 38265 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UN0Q7RSL\dref=http%253A%252F%252Fcelebrity-gossip[1].net%252Fides-march%252Fphoto%252Fmarisa-tomei-5 817 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UN0Q7RSL\;sz=300x100;ord=8161506126237008[1] 454 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UN0Q7RSL\111211_anhq_raye_640[1].jpg 2613 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UN0Q7RSL\114635048_10[1].jpg 5428 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UN0Q7RSL\1273527718001[1].js 2595 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UN0Q7RSL\json[7] 26 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UN0Q7RSL\0311_003_B_300250_A[1].gif 34167 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UN0Q7RSL\en.e183a08d8036be20276c85bd40e31e4b[1].png 3323 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UN0Q7RSL\gossipcenter[1].htm 662 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UN0Q7RSL\iframe3[1].htm 2330 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UN0Q7RSL\ajs[4].php 3299 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UN0Q7RSL\ca[3] 6001 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UN0Q7RSL\50th%20Annual%20Congressional%20Baseball%20Game%208.thumbnail[1].jpg 2191 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UN0Q7RSL\OVE58G9MM_tmb[1].jpg 3790 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UN0Q7RSL\page[1].js 50964 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UN0Q7RSL\ros[1] 1861 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W3YZIJ2F\ros[1] 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W3YZIJ2F\ros[2] 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W3YZIJ2F\view[1].gif 35 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W3YZIJ2F\pingCAFNALN5.gif 43 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W3YZIJ2F\pingCAPI16QT.gif 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W3YZIJ2F\dref=http%253A%252F%252Fwww.gossipcenter[1].com%252Fcelebrity_rankings 817 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W3YZIJ2F\beacon[1].txt 69 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W3YZIJ2F\beacon[2].txt 69 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W3YZIJ2F\AdServerServlet[1].htm 1379 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W3YZIJ2F\517147591_c_large[1].jpg 12558 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W3YZIJ2F\spc[1].php 14024 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W3YZIJ2F\subodh[1].jpg 2769 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W3YZIJ2F\607CAIV6O1Q.js 630 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W3YZIJ2F\ddc[1].htm 11257 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W3YZIJ2F\de2447110f509fe7023bc99ffe27c0235eeb9f8a[1].jpg 876 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W3YZIJ2F\set-leaf-7c128546a0ee9871cd32a8f3e187ad6e[1].js 359949 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W3YZIJ2F\set[1].gif 43 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W3YZIJ2F\testimonials_bg[1].jpg 339 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W3YZIJ2F\banner_tutoring04[1].gif 45413 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W3YZIJ2F\bCARMSELL.gif 43 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W3YZIJ2F\yp_sprite_2[1].png 6290 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YS13GOM1\365ea1694ed239e5[1].jpg 17929 bytes
File C:\WINDOWS\$NtUninstallKB49444$\1090944989 0 bytes
File C:\WINDOWS\$NtUninstallKB49444$\1090944989\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB49444$\1090944989\L 0 bytes
File C:\WINDOWS\$NtUninstallKB49444$\1090944989\L\iahonoel 57600 bytes
File C:\WINDOWS\$NtUninstallKB49444$\1090944989\loader.tlb 2632 bytes
File C:\WINDOWS\$NtUninstallKB49444$\1090944989\U 0 bytes
File C:\WINDOWS\$NtUninstallKB49444$\1090944989\U\@00000001 45968 bytes
File C:\WINDOWS\$NtUninstallKB49444$\1090944989\U\@000000c0 3072 bytes
File C:\WINDOWS\$NtUninstallKB49444$\1090944989\U\@000000cb 3072 bytes
File C:\WINDOWS\$NtUninstallKB49444$\1090944989\U\@000000cf 1536 bytes
File C:\WINDOWS\$NtUninstallKB49444$\1090944989\U\@80000000 23040 bytes
File C:\WINDOWS\$NtUninstallKB49444$\1090944989\U\@800000c0 35840 bytes
File C:\WINDOWS\$NtUninstallKB49444$\1090944989\U\@800000cb 23040 bytes
File C:\WINDOWS\$NtUninstallKB49444$\1090944989\U\@800000cf 29184 bytes
File C:\WINDOWS\$NtUninstallKB49444$\243012790 0 bytes

---- EOF - GMER 1.0.15 ----




I believe I have a rootkit virus causing redirects with other stuff. Thanks in advance for your help. Here is the Hijack Log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:12:17 PM, on 11/13/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iRacing\iRacingService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\Pmxmiced.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\trend micro\HiJackThis\HiJackThis.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080623
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080623
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Ad-Aware Security Toolbar - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Ad-Aware Security Toolbar - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll
O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
O4 - HKLM\..\Run: [PMX Daemon] ICO.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Aware Browsing Protection] "C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe"
O4 - HKCU\..\Run: [NVIDIA nTune] C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe resetprofile
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-21-2548797056-1955435431-60165-1010\..\Run: [NVIDIA nTune] C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe resetprofile (User 'UpdatusUser')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1ca812793bc5482) (gupdate1ca812793bc5482) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: iRacing.com Helper Service (iRacingService) - iRacing.com Motorsport Simulations, LLC
Bedford, MA 01730 - C:\Program Files\iRacing\iRacingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 7242 bytes

Edited by paddoce, 13 November 2011 - 08:40 PM.


BC AdBot (Login to Remove)

 


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,744 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:02 PM

Posted 18 November 2011 - 01:20 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Posted Image In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/427715 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Posted Image If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,744 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:02 PM

Posted 23 November 2011 - 01:25 PM

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users