WindowsBBS.com

Solved google redirects to other search engines 2

Discussion in 'Malware and Virus Removal Archive' started by joemamma, 2010/06/05.

  1. 2010/06/05, joemamma (Inactive, Thread Starter)
    [Resolved] google redirects to other search engines 2

    Forgot to add the DDS file.

    Hi there, I just want to say thanks in advance for any help I get.

    It seems that when I search on Google, I am redirected to other search sites.
    I ran Shaw Secure, Spybot S&D, Registry Repair Wizard and got no results. I used a previous backup of my registry via Registry Repair Wizard, and it made things worse. I used a System Restore point to get back to previous settings. I looked on other forums and used the program UnHackMe.
    I tried updating Windows but it says there was error code 80072efe and can't update. Other times I get a message saying that the Host Process for Windows Services stopped working.

    DDS report

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by SYSTEM at 16:01:48.73 on 05/06/2010
    Internet Explorer: 7.0.6001.18000
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.2814.1386 [GMT -5:00]

    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    FW: Shaw Secure 2.0 7.00 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\WLANExt.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\nvvsvc.exe
    C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\Shaw Secure\Common\FSMA32.EXE
    C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
    C:\Program Files\Shaw Secure\Common\FSHDLL32.EXE
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Windows\SMINST\BLService.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
    C:\Program Files\Shaw Secure\ORSP Client\fsorsp.exe
    C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
    c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\config\systemprofile\Desktop\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.ca/
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=83&bd=Pavilion&pf=cnnb
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=83&bd=Pavilion&pf=cnnb
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
    BHO: Browsing Protection Class: {c6867eb7-8350-4856-877f-93cf8ae3dc9c} - c:\program files\shaw secure\nrs\iescript\baselitmus.dll
    TB: Browsing Protection Toolbar: {265eee8e-3228-44d3-aea5-f7fdf5860049} - c:\program files\shaw secure\nrs\iescript\baselitmus.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [F-Secure Manager] "c:\program files\shaw secure\common\FSM32.EXE" /splash
    mRun: [F-Secure TNB] "c:\program files\shaw secure\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
    mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRunOnce: [c:\progra~1\canon\zoombr~1\program\canonm~1.dll] c:\windows\system32\regsvr32.exe /s "c:\progra~1\canon\zoombr~1\program\CANONM~1.DLL"
    mRunOnce: [c:\progra~1\canon\camera~1\camera~1\stireg~1.dll] c:\windows\system32\regsvr32.exe /s "c:\progra~1\canon\camera~1\camera~1\STIREG~1.DLL"
    mRunOnce: [c:\progra~1\canon\zoombr~2\stireg~1.dll] c:\windows\system32\regsvr32.exe /s "c:\progra~1\canon\zoombr~2\STIREG~1.DLL"
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: E&xport to Microsoft Office Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    LSP: c:\program files\shaw secure\fsps\program\FSLSP.DLL
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
    DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} - hxxp://u3.sandisk.com/download/apps/LPInstaller.CAB
    DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\windows\system32\config\system~1\appdata\roaming\mozilla\firefox\profiles\aotoz5cw.default\
    FF - component: c:\program files\shaw secure\nrs\litmus-ff@f-secure.com\components\litmus-ff.dll

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2010-2-14 33920]
    R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\shaw secure\hips\drivers\fshs.sys [2010-2-14 68064]
    R1 FSES;F-Secure Email Scanning Driver;c:\windows\system32\drivers\fses.sys [2008-11-2 35792]
    R1 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2008-11-2 71040]
    R1 fsvista;F-Secure Vista Support Driver;c:\program files\shaw secure\anti-virus\minifilter\fsvista.sys [2008-11-2 12384]
    R2 F-Secure Gatekeeper Handler Starter;FSGKHS;c:\program files\shaw secure\anti-virus\fsgk32st.exe [2008-11-2 215648]
    R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\sminst\BLService.exe [2008-8-5 361808]
    R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\shaw secure\anti-virus\minifilter\fsgk.sys [2008-11-2 113856]
    R3 FSORSPClient;F-Secure ORSP Client;c:\program files\shaw secure\orsp client\fsorsp.exe [2010-2-14 55992]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-5-9 43040]
    S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2010-6-3 35816]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-8-11 133104]
    S3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-8-5 193840]
    S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2010-6-3 24416]
    S4 F-Secure Filter;F-Secure File System Filter;c:\program files\shaw secure\anti-virus\win2k\fsfilter.sys [2008-11-2 39776]
    S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\shaw secure\anti-virus\win2k\fsrec.sys [2008-11-2 25184]

    =============== Created Last 30 ================

    2010-06-05 18:28:48 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
    2010-06-05 18:28:31 0 d-----w- c:\program files\Panda Security
    2010-06-05 07:41:21 0 d-----w- c:\windows\system32\config\system~1\appdata\roaming\Malwarebytes
    2010-06-05 07:41:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-06-05 07:41:12 0 d-----w- c:\programdata\Malwarebytes
    2010-06-05 07:41:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-06-05 07:41:10 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-06-04 05:45:51 0 d-sh--r- C:\desktop.ini
    2010-06-04 05:45:51 0 d-sh--r- C:\comment.htt
    2010-06-04 05:45:51 0 d-sh--r- C:\autorun.inf
    2010-06-04 05:00:09 0 d-----w- c:\windows\system32\catroot2
    2010-06-04 01:08:54 0 d-----w- c:\windows\RestoreSafeDeleted
    2010-06-04 00:57:16 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
    2010-06-04 00:44:05 2 --shatr- c:\windows\winstart.bat
    2010-06-04 00:43:53 35816 ----a-w- c:\windows\system32\drivers\Partizan.sys
    2010-06-04 00:43:52 37600 ----a-w- c:\windows\system32\Partizan.exe
    2010-06-04 00:43:32 12808 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
    2010-06-04 00:43:21 0 d-----w- c:\program files\UnHackMe
    2010-06-03 16:31:17 0 ----a-w- C:\div9388.tmp
    2010-06-03 16:31:14 0 ----a-w- C:\div888F.tmp
    2010-06-03 05:19:04 0 d-----w- C:\$regrest
    2010-06-03 05:08:56 0 d-----w- c:\programdata\Hitman Pro
    2010-05-20 04:03:53 0 d-----w- c:\program files\common files\PX Storage Engine

    ==================== Find3M ====================

    2010-06-05 18:20:36 683776 ----a-w- c:\windows\system32\perfh00C.dat
    2010-06-05 18:20:36 135064 ----a-w- c:\windows\system32\perfc00C.dat
    2010-06-05 18:19:23 127444 ----a-w- c:\programdata\nvModes.dat
    2010-01-19 07:20:07 86016 ----a-w- c:\windows\inf\infstrng.dat
    2010-01-19 07:20:07 51200 ----a-w- c:\windows\inf\infpub.dat
    2010-01-19 07:20:04 86016 ----a-w- c:\windows\inf\infstor.dat
    2009-01-26 01:45:21 665600 ----a-w- c:\windows\inf\drvindex.dat
    2008-08-05 10:34:31 37390 ----a-w- c:\windows\inf\perflib\040c\perfd.dat
    2008-08-05 10:34:31 37390 ----a-w- c:\windows\inf\perflib\040c\perfc.dat
    2008-08-05 10:34:31 340236 ----a-w- c:\windows\inf\perflib\040c\perfi.dat
    2008-08-05 10:34:31 340236 ----a-w- c:\windows\inf\perflib\040c\perfh.dat
    2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2008-11-03 00:54:02 22 --sha-w- c:\windows\sminst\HPCD.sys
    2008-08-05 10:37:23 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

    ============= FINISH: 16:03:29.96 ===============



    Panda ActiveScan results

    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2010-06-05 15:41:03
    PROTECTIONS: 1
    MALWARE: 7
    SUSPECTS: 2
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    Shaw Secure 9.01 Yes Yes
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00003428 adware/memorywatcher Adware No 0 Yes No hkey_classes_root\vbrad.trayicon
    00007432 Univ Virus No 0 Yes No c:\program files\shaw secure\fsaua\content\aquawin32\1275742270\cran.cvd
    00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No c:\users\extra\appdata\roaming\microsoft\windows\cookies\extra@trafficmp[2].txt
    00167642 Cookie/Com.com TrackingCookie No 0 Yes No c:\users\prabhjit\appdata\roaming\microsoft\windows\cookies\prabhjit@com[1].txt
    00168061 Cookie/Apmebf TrackingCookie No 0 Yes No c:\users\extra\appdata\roaming\microsoft\windows\cookies\extra@apmebf[2].txt
    00172221 Cookie/Zedo TrackingCookie No 0 Yes No c:\users\extra\appdata\roaming\microsoft\windows\cookies\extra@zedo[2].txt
    00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No c:\users\extra\appdata\roaming\microsoft\windows\cookies\extra@bluestreak[2].txt
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location
    ;===================================================================================================================================================================================
    No c:\program files\shaw secure\hips\fshs.sys
    No g:\bleach 2\precracked-winrar.3.71\winrar.exe
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================


    Malwarebytes results

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 6.0.6001 Service Pack 1
    Internet Explorer 7.0.6001.18000

    05/06/2010 2:52:00 AM
    mbam-log-2010-06-05 (02-52-00).txt

    Scan type: Quick scan
    Objects scanned: 132853
    Time elapsed: 7 minute(s), 1 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
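The DDS log above is what the helper reads by eye for a first pass. As an added example, not part of this thread or of the DDS tool, here is a Python script that pulls out of an excerpt of that log the handful of indicators an analyst checks first: the EnableLUA = 0 policy (UAC switched off), the Hosts: override, the toolbar entry with no file behind it, the three hidden+system files dropped in the root of C: in the same second, and any boot-start driver whose file is only days old. The section names, the line formats and the 14-day window are assumptions read off the posted log, and every hit is a pointer, not a verdict: the S0 Partizan driver it flags was created in the same minute as the UnHackMe folder, per the Created Last 30 list.

```python
"""Triage heuristics for a DDS log (added example; section names, line
formats and the 14-day window are assumptions read off the posted log).
Every hit is something to look at, not a verdict."""
import re
from datetime import date, timedelta

# Constructed excerpt: lines copied from the posted DDS log, nothing else.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mPolicies-system: EnableLUA = 0 (0x0)
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============
R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2010-2-14 33920]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2010-6-3 35816]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2010-6-3 24416]
=============== Created Last 30 ================
2010-06-04 05:45:51 0 d-sh--r- C:\desktop.ini
2010-06-04 05:45:51 0 d-sh--r- C:\comment.htt
2010-06-04 05:45:51 0 d-sh--r- C:\autorun.inf
2010-06-04 00:44:05 2 --shatr- c:\windows\winstart.bat
2010-06-03 16:31:17 0 ----a-w- C:\div9388.tmp
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Created Last 30 line: timestamp, size, 8-char attribute field, path
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+\d+\s+(\S{8})\s+(.+)$")
# Services/drivers line: start type, service name, display name, path [date size]
SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]*);[^;]*;(.+?)\s+\[(\d{4}-\d{1,2}-\d{1,2})\s+\d+\]$")
ROOT_FILE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")  # directly under a drive root


def parse_sections(text):
    """Split a DDS log into {section name: [non-empty lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line:
            sections[current].append(line)
    return sections


def uac_disabled(hjt_lines):
    """EnableLUA = 0: UAC is off, so anything the user launches already runs as admin."""
    return any(re.match(r"mPolicies-system: EnableLUA = 0\b", ln) for ln in hjt_lines)


def hosts_overrides(hjt_lines):
    """Hosts: entries DDS reports, as (ip, hostname)."""
    return [tuple(ln.split()[1:3]) for ln in hjt_lines if ln.startswith("Hosts:")]


def dangling_entries(hjt_lines):
    """BHO/toolbar registrations whose file no longer exists."""
    return [ln for ln in hjt_lines if ln.endswith("- No File")]


def hidden_root_files(created_lines):
    """Hidden+system files created directly under a drive root, as (timestamp, path)."""
    hits = []
    for line in created_lines:
        m = CREATED_RE.match(line)
        if m:
            ts, attrs, path = m.groups()
            if "s" in attrs and "h" in attrs and ROOT_FILE_RE.match(path):
                hits.append((ts, path))
    return hits


def recent_boot_drivers(service_lines, ref_date, days=14):
    """Boot/system-start drivers (R0, R1, S0, S1) whose file is at most `days` old."""
    hits = []
    for line in service_lines:
        m = SERVICE_RE.match(line)
        if m:
            start, name, path, ymd = m.groups()
            file_date = date(*map(int, ymd.split("-")))
            if start[1] in "01" and ref_date - file_date <= timedelta(days=days):
                hits.append((start, name, path, file_date))
    return hits


def triage(text, ref_date_iso):
    """Run every check over one DDS log; ref_date_iso is the day the log was taken."""
    s = parse_sections(text)
    hjt = s.get("Pseudo HJT Report", [])
    return {
        "uac_disabled": uac_disabled(hjt),
        "hosts": hosts_overrides(hjt),
        "dangling": dangling_entries(hjt),
        "hidden_root_files": hidden_root_files(s.get("Created Last 30", [])),
        "recent_boot_drivers": recent_boot_drivers(
            s.get("SERVICES / DRIVERS", []), date.fromisoformat(ref_date_iso)),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_DDS, "2010-06-05").items():
        print(key, val)
```

Run it as a script to print the findings, or import it and pass a full log to triage(). Treat the output as a reading order, not a cleaning list; the same-second root files and the fresh boot-start driver are the items to account for first, and the thread's next step is still GMER and ComboFix.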
     
  2. 2010/06/05, broni (Moderator, Malware Analyst)
    2nd part of DDS log (Attach.txt) is missing. Please, post it.
    Then...

    Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When scan is completed, click Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.

    =============================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     


  4. 2010/06/05, joemamma (Inactive, Thread Starter)
    I forgot to mention that I split my drive into 2 partitions: C:, which has all the system files, and G:, which has my other stuff like .exe programs in case I need to install them, media, etc.
    Should I also scan the G: drive?
     
  5. 2010/06/05, broni (Moderator, Malware Analyst)
    If you're talking about GMER, then no.
     
  6. 2010/06/05, joemamma (Inactive, Thread Starter)
    Got a bit of a problem: my laptop restarted and all the Attach, GMER, ComboFix files are gone. I have to redownload and run them to get the logs again.
     
  7. 2010/06/05, broni (Moderator, Malware Analyst)
    No problem :)
    Take your time :)
     
  8. 2010/06/05, joemamma (Inactive, Thread Starter)
    Here is the Attach file for DDS.


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 10/9/2008 4:41:06 AM
    System Uptime: 6/5/2010 5:08:53 PM (0 hours ago)

    Motherboard: Wistron | | 303C
    Processor: AMD Athlon Dual-Core QL-60 | Socket A | 1900/133mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 159 GiB total, 82.508 GiB free.
    D: is FIXED (NTFS) - 9 GiB total, 1.684 GiB free.
    E: is CDROM ()
    G: is FIXED (NTFS) - 129 GiB total, 104.713 GiB free.

    ==== Disabled Device Manager Items =============

    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft ISATAP Adapter
    Device ID: ROOT\*ISATAP\0004
    Manufacturer: Microsoft
    Name: Microsoft ISATAP Adapter
    PNP Device ID: ROOT\*ISATAP\0004
    Service: tunnel

    ==== System Restore Points ===================

    RP206: 4/15/2010 8:11:41 PM - Scheduled Checkpoint
    RP207: 4/16/2010 9:29:23 PM - Language Pack Removal
    RP208: 4/18/2010 2:52:19 AM - Scheduled Checkpoint
    RP209: 4/20/2010 1:23:59 AM - Scheduled Checkpoint
    RP210: 4/21/2010 12:00:01 AM - Scheduled Checkpoint
    RP211: 4/22/2010 1:57:39 AM - Language Pack Removal
    RP212: 4/22/2010 2:05:26 PM - Scheduled Checkpoint
    RP213: 4/23/2010 2:22:27 AM - Scheduled Checkpoint
    RP214: 4/24/2010 1:00:59 AM - Scheduled Checkpoint
    RP215: 4/24/2010 11:58:16 PM - Language Pack Removal
    RP216: 4/25/2010 3:10:33 PM - Scheduled Checkpoint
    RP217: 4/28/2010 9:39:12 PM - Scheduled Checkpoint
    RP218: 4/30/2010 12:13:04 AM - Scheduled Checkpoint
    RP219: 5/2/2010 1:43:23 AM - Language Pack Removal
    RP220: 5/3/2010 11:37:19 AM - Scheduled Checkpoint
    RP221: 5/4/2010 7:32:05 PM - Scheduled Checkpoint
    RP222: 5/9/2010 5:38:20 PM - Scheduled Checkpoint
    RP223: 5/11/2010 6:22:30 PM - Scheduled Checkpoint
    RP224: 5/13/2010 9:48:14 PM - Language Pack Removal
    RP225: 5/14/2010 7:24:02 PM - Scheduled Checkpoint
    RP226: 5/15/2010 8:21:19 PM - Language Pack Removal
    RP227: 5/17/2010 11:55:21 PM - Scheduled Checkpoint
    RP228: 5/19/2010 5:40:43 PM - Scheduled Checkpoint
    RP229: 5/21/2010 8:38:14 PM - Language Pack Removal
    RP230: 5/23/2010 2:48:21 AM - Scheduled Checkpoint
    RP231: 5/24/2010 6:28:13 PM - Scheduled Checkpoint
    RP232: 5/25/2010 8:09:20 PM - Scheduled Checkpoint
    RP19: 6/3/2010 1:28:13 AM - Restore Operation

    ==== Installed Programs ======================

    2007 Microsoft Office Suite Service Pack 1 (SP1)
    Activation Assistant for the 2007 Microsoft Office suites
    ActiveCheck component for HP Active Support Library
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.2.2
    Adobe Shockwave Player
    Adobe Shockwave Player 11.5
    Apple Application Support
    Apple Software Update
    Atheros Driver Installation Program
    µTorrent
    Brother HL-2070N
    Cisco EAP-FAST Module
    Cisco LEAP Module
    Cisco PEAP Module
    Combined Community Codec Pack 2008-09-21 16:18
    Compatibility Pack for the 2007 Office system
    Conexant HD Audio
    Cortona3D Viewer
    CyberLink DVD Suite
    CyberLink YouCam
    ESU for Microsoft Vista
    F-Secure PSC Prerequisites
    GOM Player
    Google Update Helper
    HDAUDIO Soft Data Fax Modem with SmartCP
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Active Support Library
    HP Customer Experience Enhancements
    HP Doc Viewer
    HP DVD Play 3.7
    HP Easy Setup - Frontend
    HP Help and Support
    HP Product Detection
    HP Quick Launch Buttons 6.40 D3
    HP Total Care Advisor
    HP Update
    HP User Guides 0118
    HP Wireless Assistant
    HPAsset component for HP Active Support Library
    HPNetworkAssistant
    Indeo® Software
    Java(TM) 6 Update 5
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Professional Edition 2003
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    Mozilla Firefox (3.6.2)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NVIDIA Drivers
    Panda ActiveScan 2.0
    Power2Go
    PVSonyDll
    QuickTime
    Realtek USB 2.0 Card Reader
    Registry Repair Wizard
    Remote Desktop Control 2.1.0.21 Trial
    Security Update for 2007 Microsoft Office System (KB951550)
    Security Update for 2007 Microsoft Office System (KB951944)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB973704)
    Security Update for Microsoft Office Excel 2007 (KB973593)
    Security Update for Microsoft Office OneNote 2007 (KB950130)
    Security Update for Microsoft Office PowerPoint 2007 (KB957789)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB969613)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB969604)
    Shaw Secure
    Spybot - Search & Destroy
    SpywareBlaster 4.2
    Synaptics Pointing Device Driver
    UnHackMe 5.90 release
    Unlocker 1.8.5
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft Office 2007 Help for Common Features (KB957244)
    Update for Microsoft Office Excel 2007 Help (KB957242)
    Update for Microsoft Office InfoPath 2007 (KB976416)
    Update for Microsoft Office OneNote 2007 Help (KB957245)
    Update for Microsoft Office PowerPoint 2007 Help (KB957247)
    Update for Microsoft Office Word 2007 Help (KB957252)
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    WinRAR
    WinZip 12.0

    ==== Event Viewer Messages From Past Week ========

    6/3/2010 9:34:01 PM, Error: F-Secure Gatekeeper [1] -
    6/3/2010 12:40:08 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the HP Health Check Service service to connect.
    6/3/2010 12:40:08 AM, Error: Service Control Manager [7000] - The HP Health Check Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    6/3/2010 11:29:25 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Task Scheduler service to connect.
    6/3/2010 11:29:25 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Server service to connect.
    6/3/2010 11:29:25 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the IKE and AuthIP IPsec Keying Modules service to connect.
    6/3/2010 11:29:25 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Application Experience service to connect.
    6/3/2010 11:29:25 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
    6/3/2010 11:29:25 AM, Error: Service Control Manager [7000] - The Task Scheduler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    6/3/2010 11:29:25 AM, Error: Service Control Manager [7000] - The Server service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    6/3/2010 11:29:25 AM, Error: Service Control Manager [7000] - The IKE and AuthIP IPsec Keying Modules service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    6/3/2010 11:29:25 AM, Error: Service Control Manager [7000] - The Application Experience service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    6/3/2010 1:52:04 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service winmgmt with arguments " " in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
    6/3/2010 1:23:07 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the TrkWks service.
    6/3/2010 1:22:33 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the User Profile Service service to connect.
    6/3/2010 1:22:33 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Themes service to connect.
    6/3/2010 1:22:33 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the System Event Notification Service service to connect.
    6/3/2010 1:22:33 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Shell Hardware Detection service to connect.
    6/3/2010 1:22:33 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Multimedia Class Scheduler service to connect.
    6/3/2010 1:22:33 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Group Policy Client service to connect.
    6/3/2010 1:22:33 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Extensible Authentication Protocol service to connect.
    6/3/2010 1:22:33 AM, Error: Service Control Manager [7001] - The WLAN AutoConfig service depends on the Extensible Authentication Protocol service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
    6/3/2010 1:22:33 AM, Error: Service Control Manager [7001] - The Windows Image Acquisition (WIA) service depends on the Shell Hardware Detection service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
    6/3/2010 1:22:33 AM, Error: Service Control Manager [7001] - The Windows Audio service depends on the Multimedia Class Scheduler service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
    6/3/2010 1:22:33 AM, Error: Service Control Manager [7000] - The User Profile Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    6/3/2010 1:22:33 AM, Error: Service Control Manager [7000] - The Themes service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    6/3/2010 1:22:33 AM, Error: Service Control Manager [7000] - The System Event Notification Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    6/3/2010 1:22:33 AM, Error: Service Control Manager [7000] - The Multimedia Class Scheduler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    6/3/2010 1:22:33 AM, Error: Service Control Manager [7000] - The Group Policy Client service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    6/3/2010 1:22:33 AM, Error: Service Control Manager [7000] - The Extensible Authentication Protocol service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    6/2/2010 10:38:26 PM, Error: Microsoft-Windows-LanguagePackSetup [1003] - CBS error 0x800f0825 reported while operating on UI Language Pack for fr-FR
    6/2/2010 10:23:43 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    6/1/2010 11:08:39 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    6/1/2010 11:07:10 PM, Error: EventLog [6008] - The previous system shutdown at 6:27:11 AM on 01/06/2010 was unexpected.

    ==== End Of File ===========================
     
  9. 2010/06/05
    joemamma

    joemamma Inactive Thread Starter

    Joined:
    2010/06/05
    Messages:
    34
    Likes Received:
    0
    here is the gmer log

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-06-05 18:12:01
    Windows 6.0.6001 Service Pack 1
    Running: gmer.exe; Driver: C:\Users\Prabhjit\AppData\Local\Temp\fgloakog.sys


    ---- System - GMER 1.0.15 ----

    SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwCreateThread [0x90B26E8C]
    SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwLoadDriver [0x90B271BC]
    SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwMapViewOfSection [0x90B26BCC]
    SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwOpenSection [0x90B275EE]
    SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwRenameKey [0x90B2888C]
    SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwSetSystemInformation [0x90B2743E]
    SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwSuspendProcess [0x90B26A4C]
    SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwSuspendThread [0x90B26EC0]
    SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwSystemDebugControl [0x90B27042]
    SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwTerminateProcess [0x90B269A6]
    SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwTerminateThread [0x90B26B06]
    SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwWriteVirtualMemory [0x90B26F86]
    SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwCreateThreadEx [0x90B26EA6]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!KeSetTimerEx + 454 81EF8A18 4 Bytes [8C, 6E, B2, 90] {MOV WORD [ESI-0x4e], GS; NOP }
    .text ntkrnlpa.exe!KeSetTimerEx + 5B0 81EF8B74 4 Bytes [BC, 71, B2, 90]
    .text ntkrnlpa.exe!KeSetTimerEx + 5E0 81EF8BA4 4 Bytes [CC, 6B, B2, 90]
    .text ntkrnlpa.exe!KeSetTimerEx + 630 81EF8BF4 4 Bytes [EE, 75, B2, 90] {OUT DX, AL ; JNZ 0xffffffffffffffb5; NOP }
    .text ntkrnlpa.exe!KeSetTimerEx + 748 81EF8D0C 4 Bytes [8C, 88, B2, 90]
    .text ...
    .rsrc C:\Windows\system32\drivers\nvraid.sys entry point in ".rsrc" section [0x807A7014]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Windows\system32\svchost.exe[1160] ntdll.dll!NtProtectVirtualMemory 77C18968 5 Bytes JMP 0091000A
    .text C:\Windows\system32\svchost.exe[1160] ntdll.dll!NtWriteVirtualMemory 77C192A8 5 Bytes JMP 0092000A
    .text C:\Windows\system32\svchost.exe[1160] ntdll.dll!KiUserExceptionDispatcher 77C199E8 5 Bytes JMP 0090000A
    .text C:\Windows\system32\svchost.exe[1160] ole32.dll!CoCreateInstance 76FAE188 5 Bytes JMP 00F7000A
    .text C:\Windows\system32\svchost.exe[1160] USER32.dll!GetCursorPos 769E0F5E 5 Bytes JMP 0142000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[2832] ntdll.dll!NtProtectVirtualMemory 77C18968 5 Bytes JMP 000F000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[2832] ntdll.dll!NtWriteVirtualMemory 77C192A8 5 Bytes JMP 0010000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[2832] ntdll.dll!KiUserExceptionDispatcher 77C199E8 5 Bytes JMP 000E000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[2832] USER32.dll!DialogBoxIndirectParamW 769CBD25 5 Bytes JMP 6FC9076D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2832] USER32.dll!DialogBoxParamW 769E1FD5 5 Bytes JMP 6FC906F7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2832] USER32.dll!DialogBoxParamA 76A080B2 5 Bytes JMP 6FC90732 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2832] USER32.dll!DialogBoxIndirectParamA 76A083DD 5 Bytes JMP 6FC907A8 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2832] USER32.dll!MessageBoxIndirectA 76A1D471 5 Bytes JMP 6FC906B3 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2832] USER32.dll!MessageBoxIndirectW 76A1D56B 1 Byte [E9]
    .text C:\Program Files\Internet Explorer\iexplore.exe[2832] USER32.dll!MessageBoxIndirectW 76A1D56B 5 Bytes JMP 6FC9066F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2832] USER32.dll!MessageBoxExA 76A1D5D1 5 Bytes JMP 6FC90635 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2832] USER32.dll!MessageBoxExW 76A1D5F5 5 Bytes JMP 6FC905FB C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2832] ole32.dll!OleLoadFromStream 76F79726 5 Bytes JMP 6FC9096A C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Windows\Explorer.EXE[3544] ntdll.dll!NtProtectVirtualMemory 77C18968 5 Bytes JMP 006B000A
    .text C:\Windows\Explorer.EXE[3544] ntdll.dll!NtWriteVirtualMemory 77C192A8 5 Bytes JMP 006C000A
    .text C:\Windows\Explorer.EXE[3544] ntdll.dll!KiUserExceptionDispatcher 77C199E8 5 Bytes JMP 006A000A

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

    Device -> \Driver\atapi \Device\Harddisk0\DR0 85779D01

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x5C 0xA8 0x45 0x13 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x87 0x8F 0xEC 0xA8 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x3D 0xAA 0xB9 0xDF ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x5C 0xA8 0x45 0x13 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x87 0x8F 0xEC 0xA8 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x3D 0xAA 0xB9 0xDF ...
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3E4EC8F3-3D55-AB64-7CDD-8A9138A74C9B}
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3E4EC8F3-3D55-AB64-7CDD-8A9138A74C9B}@iaaaicjkliededhigk 0x6A 0x61 0x65 0x6A ...
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3E4EC8F3-3D55-AB64-7CDD-8A9138A74C9B}@haoaoaficajcdpfm 0x6A 0x61 0x65 0x6A ...
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3E4EC8F3-3D55-AB64-7CDD-8A9138A74C9B}@habfkakiagfmoccf 0x66 0x61 0x66 0x6A ...

    ---- Files - GMER 1.0.15 ----

    File C:\Windows\system32\drivers\nvraid.sys suspicious modification
    File C:\Windows\system32\drivers\atapi.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----
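Reading the GMER log above, as an added example (this is not code from the thread or from GMER): a small Python helper that separates user-mode hooks GMER attributed to a loaded module from hooks that jump into memory no module backs, and pulls out the kernel-side file and device findings. The sample lines are copied from the posted log.

```python
"""Triage helper for pasted GMER output (added example, not the thread's or GMER's code).

GMER prints one line per user-mode inline hook and, when it can map the JMP
target to a loaded module, appends that module's path (the IEFRAME.dll lines
above). A JMP with nothing after it lands in memory no loaded image backs: the
shape of injected code, whether from malware or from a security product, so each
one needs an explanation. The kernel-side 'Device ->' and 'suspicious
modification' lines for atapi are the rootkit indicator an analyst reads here.
"""
import re
from collections import defaultdict
from typing import Dict, List

# .text <process>[pid] <module>!<function> <addr> <n> Byte(s) <detail...>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?\[\d+\])\s+(?P<symbol>\S+!\S+)\s+"
    r"[0-9A-F]+\s+\d+\s+Bytes?\s+(?P<detail>.*)$"
)
# "JMP <target>" optionally followed by the module GMER attributed the target to
JMP_RE = re.compile(r"^JMP\s+[0-9A-F]+(?:\s+(?P<backing>\S.*))?$")
FILE_RE = re.compile(r"^File\s+(?P<path>\S+)\s+suspicious modification$")
DEVICE_RE = re.compile(r"^Device\s+->\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+[0-9A-F]+$")

# Constructed sample: a subset of the lines from the GMER log posted above.
SAMPLE = r"""
.text C:\Windows\system32\svchost.exe[1160] ntdll.dll!NtProtectVirtualMemory 77C18968 5 Bytes JMP 0091000A
.text C:\Windows\system32\svchost.exe[1160] ole32.dll!CoCreateInstance 76FAE188 5 Bytes JMP 00F7000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2832] ntdll.dll!NtWriteVirtualMemory 77C192A8 5 Bytes JMP 0010000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2832] USER32.dll!DialogBoxParamW 769E1FD5 5 Bytes JMP 6FC906F7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2832] USER32.dll!MessageBoxIndirectW 76A1D56B 1 Byte [E9]
.text C:\Windows\Explorer.EXE[3544] ntdll.dll!KiUserExceptionDispatcher 77C199E8 5 Bytes JMP 006A000A
Device -> \Driver\atapi \Device\Harddisk0\DR0 85779D01
File C:\Windows\system32\drivers\nvraid.sys suspicious modification
File C:\Windows\system32\drivers\atapi.sys suspicious modification
""".strip().splitlines()


def classify_hooks(lines: List[str]) -> Dict[str, Dict[str, List[str]]]:
    """Map each hooked process to its JMP hooks, split by whether GMER named
    a backing module. Partial patches without a JMP (e.g. "1 Byte [E9]") are
    skipped because there is no target to attribute."""
    result: Dict[str, Dict[str, List[str]]] = defaultdict(
        lambda: {"backed": [], "unbacked": []}
    )
    for raw in lines:
        m = HOOK_RE.match(raw.strip())
        if not m:
            continue
        j = JMP_RE.match(m.group("detail"))
        if not j:
            continue
        bucket = "backed" if j.group("backing") else "unbacked"
        result[m.group("process")][bucket].append(m.group("symbol"))
    return dict(result)


def kernel_findings(lines: List[str]) -> Dict[str, List[str]]:
    """Collect drivers GMER flagged as modified on disk and device objects
    whose dispatch was redirected (the "Device ->" lines)."""
    out: Dict[str, List[str]] = {"modified_files": [], "hooked_devices": []}
    for raw in lines:
        line = raw.strip()
        f = FILE_RE.match(line)
        if f:
            out["modified_files"].append(f.group("path"))
        d = DEVICE_RE.match(line)
        if d:
            out["hooked_devices"].append(f"{d.group('device')} via {d.group('driver')}")
    return out
```

Hooks in the "unbacked" bucket are the ones to resolve against what security software is installed before treating them as malicious; the atapi device and file findings are what the TDSSKiller step later in the thread addresses.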
     
  10. 2010/06/05
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Very good :)
    Go on...
     
  11. 2010/06/05
    joemamma

    Quick question: Combofix has been scanning for a good 20 minutes.

    All I see is a blue screen with the following written on it:

    Scanning for infected files . . .
    This typically doesn't take more than 10 minutes
    However, scan time for badly infected machines may easily double

    Is there supposed to be something else that occurs, such as showing which files are being scanned, or I'm guessing that I gotta wait for the program to do its thing?
     
  12. 2010/06/05
    broni

    You're infected with a rootkit, so it may take Combofix a while to find a healthy replacement for the infected file.
    At some point, you should start seeing:
    stage 1
    stage 2....
     
  13. 2010/06/05
    joemamma

    k thanks for the quick reply
     
  14. 2010/06/05
    broni

    :)...
     
  15. 2010/06/05
    joemamma

    I also disconnected from the internet before I ran Combofix. Was I supposed to leave it connected?
     
  16. 2010/06/05
    broni

    It doesn't matter, because Combofix will disconnect you from the net anyway for the time of scanning.
     
  17. 2010/06/05
    joemamma

    Hey, I ran Combofix, and it said that it detected root activity and the system has to restart. I clicked okay and I think my system froze. All I see is my background picture and the mouse with a blue circle. Should I restart the system by turning the power off and on?
     
  18. 2010/06/05
    broni

    Yes, go ahead and let me know what happens.
     
  19. 2010/06/05
    joemamma

    OK, I restarted the laptop and regrun reanimator came up.
    It said that it found a suspicious item (Combofix), which I ignored, and a cookie named "catchme" that was prohibited. The cookie was deleted and I came back to my account.
     
  20. 2010/06/05
    joemamma

    Also, there was no Combofix report.
     
  21. 2010/06/05
    broni

    OK, I don't know what "regrun reanimator" is, but either disable it or ignore any warnings from it. "Catchme" is legit, part of Combofix.

    Now....

    Download TDSSKiller and save it to your Desktop.
    Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
    Go to Start > Run (or you can hold down your Windows key and press R), and copy and paste the following into the text field (make sure you include the quote marks). Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    If it says "Hidden service detected", DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
    When it is done, a log file should be created on your C: drive called TDSSKiller.txt. Please copy and paste the contents of that file here.
     
