#1
Hi, I seem to have a problem with my PC. Every time I click a link on Google I am redirected to other sites, some of which refuse to close, and I have to open Task Manager to close the page. I use Windows XP and I am currently using Firefox as my main browser, but I tried using Internet Explorer and had the same problem; I also tried using Yahoo and again had the same problem. AVG and Spybot cannot update and my computer is running really slowly. I downloaded Malwarebytes and it found 17 infections and got rid of them all; however, I am still having the same problems.

I have just had two warnings flash up on avast warning me a trojan has been detected. I have moved them both to the chest.

first warning - file name - C:/system Volume Information\-restore {5FED904E-6E1E-4B49-8681}
second warning - file name - D:\Documents and Settings\tony.tee\local settings\tempory inter
malware name - JS:fakeAV-V (trj)

Below are my logs for HijackThis, Malwarebytes and SUPERAntiSpyware. Thank you for any help in advance, I am going out of my mind with worry.

HijackThis log -

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:51:39, on 20/08/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\sySTEM32\SvchoSt.ExE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Apps\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Apps\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\juice.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sky.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-bi...e=6&key=SEARCH
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sky.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.sky.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://messenger.msn.com/flash/?mkt=...rsion=9,0,28,0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PC Pitstop Optimize2 Reminder] C:\Program Files\PCPitstop\Optimize2\Reminder.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Apps\Softex\OmniPass\Omniserv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 9460 bytes

Malwarebytes log -

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 2

20/08/2009 17:00:42
mbam-log-2009-08-20 (17-00-42).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 242192
Time elapsed: 50 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c3221010-0ad7-4c09-b17b-edcffda4b7f9} (Trojan.Banker) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c3221010-0ad7-4c09-b17b-edcffda4b7f9} (Trojan.Banker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3221010-0ad7-4c09-b17b-edcffda4b7f9} (Trojan.Banker) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\herjek.config (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSlxwp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wscmp.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS68b3.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
D:\Documents and Settings\tony.tee\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\inform.dat (Malware.Trace) -> Quarantined and deleted successfully.

SUPERAntiSpyware log -

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/20/2009 at 11:31 PM

Application Version : 4.27.1002

Core Rules Database Version : 4065
Trace Rules Database Version: 2005

Scan type : Complete Scan
Total Scan Time : 01:25:24

Memory items scanned : 615
Memory threats detected : 0
Registry items scanned : 7313
Registry threats detected : 0
File items scanned : 109156
File threats detected : 3

Adware.Tracking Cookie
D:\Documents and Settings\tony.tee\Cookies\tony@admarketplace[1].txt
D:\Documents and Settings\tony.tee\Cookies\tony@bridge1.admarketplace[1].txt

Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\TDSSMTVD.DAT

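A HijackThis log like the one above is a list of running processes and autostart/browser-hook registrations, and reading a few hundred such lines by eye is error-prone. The script below is an added example (the editor's, not posted by anyone in this thread and not part of HijackThis): it parses lines in that format and flags three things that deserve a second look: the same executable listed under two spellings of one path, registrations whose file is gone ("(no file)", "(file missing)"), and O23 services HijackThis prints as "Unknown owner". The embedded sample is a constructed subset of the log above; the heuristics are the editor's, and a hit means "check this", not "this is malware".

```python
"""Triage a HijackThis log: parse it and flag entries worth a second look."""
import re
from collections import defaultdict

# Constructed sample in the shape of the HijackThis log posted above: a few
# "Running processes" paths and a few O-entries copied from it.  Not the
# complete log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\sySTEM32\SvchoSt.ExE
C:\WINDOWS\Explorer.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")   # "O2 - BHO: ... - {CLSID} - path"

def parse_hjt(text):
    """Split a HijackThis log into process paths and R/O entries.

    An entry is a dict with its code ("O2"), the " - " separated fields, and
    the last field, which is where HijackThis prints the file or URL.
    (A path that itself contains " - ", e.g. "Spybot - Search & Destroy",
    gets split too; that is tolerable for triage.)
    """
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            fields = [f.strip() for f in m.group(2).split(" - ")]
            entries.append({"code": m.group(1), "fields": fields, "path": fields[-1]})
        elif in_procs:
            processes.append(line)
    return {"processes": processes, "entries": entries}

def triage(parsed):
    """Return (reason, item) pairs; a hit means 'look at this', not 'malware'."""
    findings = []
    # 1. One binary listed under two spellings.  A process is reported with
    #    the spelling it was launched with, so a second spelling means
    #    something other than the usual launcher (SCM, Explorer, a Run key)
    #    started that copy.
    by_lower = defaultdict(set)
    for p in parsed["processes"]:
        by_lower[p.lower()].add(p)
    for spellings in by_lower.values():
        if len(spellings) > 1:
            findings.append(("inconsistent casing", sorted(spellings)))
    for e in parsed["entries"]:
        # 2. Registrations whose file is gone: usually leftovers, but also
        #    what an incomplete removal looks like.
        if "(no file)" in e["path"] or "(file missing)" in e["path"]:
            findings.append(("orphaned entry", e["code"] + " " + e["fields"][0]))
        # 3. Services whose binary has no company name in its version info;
        #    HijackThis prints these as "Unknown owner".
        if e["code"] == "O23" and "Unknown owner" in e["fields"]:
            findings.append(("service with unknown owner", e["path"]))
    return findings

if __name__ == "__main__":
    for reason, item in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{reason:28} {item}")
```

Run against the full log above, the casing check is the one to start with: the mixed-case svchost.exe entry in the process list is the kind of thing a quick read skips over, and it is exactly the entry a reviewer would want to locate on disk and hash.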
#2
You can just reformat your computer, and then buy virus protection software and install it. Trust me. It's really worth spending 50 bucks on virus protection.

#3
@katee82

Download GooredFix from one of the locations below and save it to your desktop.

Download Mirror #1
Download Mirror #2

* Ensure all Firefox windows are closed.
* To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
* When prompted to run the scan, click Yes.
* GooredFix will check for infections, and then a log will appear. Post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

----------

RootRepeal - Rootkit Detector

* Download the following tool: RootRepeal - Rootkit Detector
* Direct download link is here: RootRepeal.zip
* Close all programs and temporarily disable your anti-virus, firewall and any anti-malware real-time protection before performing a scan.
* Click this link to see a list of such programs and how to disable them.
* Extract the program file to a new folder such as C:\RootRepeal
* Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
* Select ALL of the checkboxes and then click OK and it will start scanning your system.
* If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
* When done, click on Save Report.
* Save it to the same location where you ran it from, such as C:\RootRepeal
* Save it as rootrepeal.txt
* Open that log, select all and copy/paste it back in your next reply please.
* Close RootRepeal.

#4
Hi, thanks for getting back to me. I have run both scans; below are my logs.

GooredFix -

GooredFix by jpshortstuff (12.07.09)
Log created at 11:15 on 24/08/2009 (tony)
Firefox version 3.0.13 (en-GB)

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [13:06 08/01/2007]
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [17:06 18/07/2008]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [10:58 22/04/2009]
{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} [07:41 11/06/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [10:58 22/04/2009]

-=E.O.F=-

RootRepeal -

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/08/24 11:24
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB6E08000  Size: 98304  File Visible: No  Signed: -  Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBADF0000  Size: 8192  File Visible: No  Signed: -  Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB55D5000  Size: 49152  File Visible: No  Signed: -  Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\RootRepeal\settings.dat
Status: Visible to the Windows API, but not on disk.

Path: d:\documents and settings\tony.tee\local settings\temp\etilqs_fpndedbz8kuh5btchmif
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: d:\documents and settings\tony.tee\local settings\temp\etilqs_htxteknheh8mbdbcv2e9
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: D:\Documents and Settings\tony.tee\Local Settings\Application Data\Microsoft\Messenger\katee.coe@btinternet.com\SharingMetadata\vegetasilva@hotmail.co.uk\DFSR\Staging\CS{1A7D0FFB-26CA-7C4B-13D8-B95ECD7F5520}\14\137-{E~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: D:\Documents and Settings\tony.tee\Local Settings\Application Data\Microsoft\Messenger\katee.coe@btinternet.com\SharingMetadata\vegetasilva@hotmail.co.uk\DFSR\Staging\CS{1A7D0FFB-26CA-7C4B-13D8-B95ECD7F5520}\71\76-{E8F8D2CB-C223-4C16-87A1-F65EB7E6B9D8}-v71-{E8F8D2CB-C223-4C16-87A1-F65EB7E6B9D8}-v76-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: D:\Documents and Settings\tony.tee\Local Settings\Application Data\Microsoft\Messenger\katee.coe@btinternet.com\SharingMetadata\vegetasilva@hotmail.co.uk\DFSR\Staging\CS{1A7D0FFB-26CA-7C4B-13D8-B95ECD7F5520}\85\90-{E8F8D2CB-C223-4C16-87A1-F65EB7E6B9D8}-v85-{E8F8D2CB-C223-4C16-87A1-F65EB7E6B9D8}-v90-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: D:\Documents and Settings\tony.tee\Local Settings\Application Data\Microsoft\Messenger\teekutz@hotmail.co.uk\SharingMetadata\smiggy3@hotmail.com\DFSR\Staging\CS{0421BF8C-2D32-C9B0-8785-F709C90921D9}\11\11-{57~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: D:\Documents and Settings\tony.tee\Local Settings\Application Data\Microsoft\Messenger\teekutz@hotmail.co.uk\SharingMetadata\smiggy3@hotmail.com\DFSR\Staging\CS{0421BF8C-2D32-C9B0-8785-F709C90921D9}\12\12-{57~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: D:\Documents and Settings\tony.tee\Local Settings\Application Data\Microsoft\Messenger\teekutz@hotmail.co.uk\SharingMetadata\smiggy3@hotmail.com\DFSR\Staging\CS{0421BF8C-2D32-C9B0-8785-F709C90921D9}\14\764-{5~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: D:\Documents and Settings\tony.tee\Local Settings\Application Data\Microsoft\Messenger\teekutz@hotmail.co.uk\SharingMetadata\smiggy3@hotmail.com\DFSR\Staging\CS{0421BF8C-2D32-C9B0-8785-F709C90921D9}\19\768-{5~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: D:\Documents and Settings\tony.tee\Local Settings\Application Data\Microsoft\Messenger\teekutz@hotmail.co.uk\SharingMetadata\smiggy3@hotmail.com\DFSR\Staging\CS{0421BF8C-2D32-C9B0-8785-F709C90921D9}\20\773-{5~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: D:\Documents and Settings\tony.tee\Local Settings\Application Data\Microsoft\Messenger\teekutz@hotmail.co.uk\SharingMetadata\smiggy3@hotmail.com\DFSR\Staging\CS{0421BF8C-2D32-C9B0-8785-F709C90921D9}\22\774-{5~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: D:\Documents and Settings\tony.tee\Local Settings\Application Data\Microsoft\Messenger\teekutz@hotmail.co.uk\SharingMetadata\smiggy3@hotmail.com\DFSR\Staging\CS{0421BF8C-2D32-C9B0-8785-F709C90921D9}\23\775-{5~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: D:\Documents and Settings\tony.tee\Local Settings\Application Data\Microsoft\Messenger\teekutz@hotmail.co.uk\SharingMetadata\smiggy3@hotmail.com\DFSR\Staging\CS{0421BF8C-2D32-C9B0-8785-F709C90921D9}\60\761-{7~2.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 025  Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb6eac6b8

#: 041  Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb6eac574

#: 065  Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb6eaca52

#: 068  Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb6eac14c

#: 119  Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb6eac64e

#: 122  Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb6eac08c

#: 128  Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb6eac0f0

#: 177  Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb6eac76e

#: 204  Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb6eac72e

#: 247  Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb6eac8ae

==EOF==

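The RootRepeal report above has two sections that matter for a rootkit check: the SSDT list, which names the driver behind every hooked system call, and Hidden/Locked Files, where the raw disk read disagrees with what the Windows API reports. The script below is an added example (the editor's, not part of this thread and not RootRepeal's code): it parses those two sections and flags any hook placed by a driver outside an allow-list, plus any file RootRepeal marks as invisible to the Windows API. The allow-list holds only aswSP.SYS, avast's self-protection driver (avast is installed per the HijackThis log) and the only hooking module in the posted report. The embedded sample copies two hooks and two Path records from the report and adds one hook by a made-up hypothetical.sys so the flagging branch runs.

```python
"""Triage the SSDT and Hidden/Locked Files sections of a RootRepeal report."""
import re
from collections import defaultdict

# Constructed sample in RootRepeal's own record layout.  The two aswSP.SYS
# hooks and the two Path records are copied from the report posted above;
# the hook by hypothetical.sys is invented so the flagging branch is exercised.
SAMPLE_REPORT = r"""
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: d:\documents and settings\tony.tee\local settings\temp\etilqs_fpndedbz8kuh5btchmif
Status: Allocation size mismatch (API: 4096, Raw: 0)

SSDT
-------------------
#: 025    Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb6eac6b8

#: 122    Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb6eac08c

#: 177    Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\hypothetical.sys" at address 0xb5000000
"""

# Drivers expected to hook the SSDT on this machine.  aswSP.SYS is avast's
# self-protection driver and is the only hooking module in the posted report.
KNOWN_HOOKERS = {"aswsp.sys"}

HOOK_RE = re.compile(
    r'#:\s*(\d+)\s+Function Name:\s*(\w+)\s+Status:\s*Hooked by\s+"([^"]+)"\s+at address\s+(0x[0-9a-fA-F]+)'
)
# "Path:" at line start (so "Image Path:" in the Drivers section is skipped),
# followed by its "Status:" line.
FILE_RE = re.compile(r"^Path:\s*(.+?)\s*$\s*^Status:\s*(.+?)\s*$", re.MULTILINE)

def parse_hooks(text):
    """Return (index, function, hooking module, address) for each SSDT hook."""
    return [(int(i), fn, mod, addr) for i, fn, mod, addr in HOOK_RE.findall(text)]

def parse_hidden(text):
    """Return (path, status) for each record in Hidden/Locked Files."""
    return FILE_RE.findall(text)

def triage(text, known=KNOWN_HOOKERS):
    """Flag hooks from unlisted drivers and files hidden from the Windows API."""
    findings = []
    by_module = defaultdict(list)
    for _, fn, mod, _ in parse_hooks(text):
        by_module[mod].append(fn)
    for mod, fns in by_module.items():
        if mod.rsplit("\\", 1)[-1].lower() not in known:
            findings.append(("ssdt hook by unlisted driver", mod, sorted(fns)))
    for path, status in parse_hidden(text):
        # "Invisible to the Windows API" is the status that points at active
        # concealment.  A locked hibernation file, or a temp file whose size
        # changed between the API and raw reads, is ordinary noise.
        if status.startswith("Invisible"):
            findings.append(("file hidden from the windows api", path, status))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print(*finding)
```

On the posted report every hook belongs to aswSP.SYS and no file is invisible to the API, so this script would print nothing; the Messenger DFSR staging files and the etilqs_ temp files are files in transit at scan time, not hidden objects. A hook from a driver you cannot account for, or a path marked invisible, is what would justify the ComboFix step that follows.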
#5
Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

Note: It is important that it is saved directly to your Desktop.

* Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.
* Temporarily disable your antivirus and any antispyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
* Double click combofix.exe & follow the prompts.
* Vista users: Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it).
* When finished, ComboFix will produce a log for you. Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix.

#6
I can't seem to post my log; when I try, it says that there are too many characters.

#7
Upload the file to File Dropper:

* Click Upload.
* Locate the file and double click it.
* Copy the link under Share This Link: and post it back here.

#8
#9
Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad. It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:

KillAll::
Driver::
ddnsfilter
DnsFilter
Folder::
c:\program files\DDnsFilter
File::
c:\windows\system32\drivers\DnsFilter.sys
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"ddnsfilter"=-

4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it will produce a log for you. Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze.

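The code box above is a ComboFix script (a CFScript): each line ending in "::" opens a section, the lines under Driver::, Folder:: and File:: name the things to remove, and the Registry:: section uses .reg syntax, where a line of the form "name"=- deletes that value under the preceding [key]. The script below is an added example (the editor's, not posted in this thread and not ComboFix's own code): a parser that turns the posted script into the list of actions it requests, so a script can be reviewed line by line before it is dropped onto ComboFix.exe. The action wording is the editor's reading of each section; that KillAll:: makes ComboFix terminate running processes before applying the rest is an assumption and is marked as such in the code.

```python
"""Parse a ComboFix CFScript into the actions it asks ComboFix to take."""
import re

# The script from the post above, verbatim.
CFSCRIPT = r"""
KillAll::
Driver::
ddnsfilter
DnsFilter
Folder::
c:\program files\DDnsFilter
File::
c:\windows\system32\drivers\DnsFilter.sys
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"ddnsfilter"=-
"""

SECTION_RE = re.compile(r"^(\w+)::$")           # e.g. "Driver::"
REG_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")      # .reg key line; a leading "-" deletes the key
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')  # .reg value line; data "-" deletes the value

def parse_cfscript(text):
    """Group the script's non-blank lines under their '::' section headers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"line outside any section: {line!r}")
        else:
            sections[current].append(line)
    return sections

def plan(sections):
    """Translate the sections into (action, target) pairs for review."""
    actions = []
    if "KillAll" in sections:
        # Assumption: KillAll:: makes ComboFix terminate running processes
        # before it applies the rest of the script.
        actions.append(("terminate running processes first", ""))
    for name in sections.get("Driver", []):
        actions.append(("stop and delete driver/service", name))
    for path in sections.get("Folder", []):
        actions.append(("delete folder", path))
    for path in sections.get("File", []):
        actions.append(("delete file", path))
    key = None
    for line in sections.get("Registry", []):
        km = REG_KEY_RE.match(line)
        if km:
            minus, key = km.groups()
            if minus:
                actions.append(("delete registry key", key))
            continue
        vm = REG_VALUE_RE.match(line)
        if vm is None or key is None:
            raise ValueError(f"unexpected registry line: {line!r}")
        name, data = vm.groups()
        if data == "-":
            actions.append(("delete registry value", key + "\\" + name))
        else:
            actions.append(("set registry value", key + "\\" + name + "=" + data))
    return actions

if __name__ == "__main__":
    for action, target in plan(parse_cfscript(CFSCRIPT)):
        print(f"{action:36} {target}")
```

Read this way, the posted script does four related things: it removes a driver and a service both named for DnsFilter, deletes the folder and .sys file behind them, closes the firewall exception the infection opened for TCP port 8085, and removes a "ddnsfilter" entry from the Svchost groups key, which is where a service DLL is registered to be loaded inside svchost.exe. A reviewer should expect every target in the plan to correspond to something actually found on the machine (here, in the ComboFix log the helper was sent) before handing the script to ComboFix.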