Open Cloud Security hijack

Trying to recover my father's computer here... I bought the PRO ver of MBAM for him the last time he got infected, so I don't know why it didn't protect him from this, but I've followed the posted instructions. I can boot to safe mode, MBAM runs but then disappears. I have no WAN connection at the infected computer, but it is NOT set up for a proxy server, so I don't know what's up with that. I've run the defogger, and while it did not give me an error message, it did not prompt me to reboot when it was done. I have a DDS log:


DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK

Internet Explorer: 9.0.8112.16421

Run by Robert J Rosso Sr at 10:58:27 on 2011-09-30

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2037.1607 [GMT -4:00]


SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}


============== Running Processes ===============




C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss


C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted






============== Pseudo HJT Report ===============


mStart Page = hxxp://www.yahoo.com

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyOverride = *.local;<local>

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

uURLSearchHooks: N/A: {796b75f6-6187-47e2-8f1f-c16e059e6e19} - c:\program files\filmfanatic\bar\1.bin\paSrcAs.dll

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Toolbar BHO: {631acb68-57c3-48af-9cc5-fcec0837ffd3} - c:\progra~1\filmfa~2\bar\1.bin\pabar.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Search Assistant BHO: {d5e9b421-c309-41de-9014-800a2adcdeb0} - c:\program files\filmfanatic\bar\1.bin\paSrcAs.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

BHO: ShopAtHomeIEHelper Class: {e8daaa30-6caa-4b58-9603-8e54238219e2} - c:\program files\selectrebates\toolbar\ShopAtHomeToolbar.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: FilmFanatic: {0b84b4b4-8af8-4f1f-91fe-074a666f6425} - c:\program files\filmfanatic\bar\1.bin\pabar.dll

TB: ShopAtHome.com Toolbar: {98279c38-de4b-4bcf-93c9-8ec26069d6f4} - c:\program files\selectrebates\toolbar\ShopAtHomeToolbar.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe

uRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [Z88ffRZZ9hTwjCe8234A] c:\users\robert j rosso sr\appdata\roaming\czzppnyccauvdob\s4pppmG5sQJ.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot

mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [iYogi Support Dock] "c:\program files\iyogi support dock\iYogiSupportDock.exe"

mRun: [FilmFanatic Browser Plugin Loader] c:\progra~1\filmfa~2\bar\1.bin\pabrmon.exe

mRun: [selectRebates] c:\program files\selectrebates\SelectRebates.exe

mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OUFWRlJFRS1WMEtNQy1FOVZVVy1FVzBWQS1VVTNYTC1GRVc5Ny1PVTZF"&"inst=NzctNTYwODk2ODg2LUZMMTArMS1MSUMrOC1TUDErMS1TUDFUQisxLVNVUCs0LVNQMVM0KzEtRERUKzQyOTQ5MTg3ODUtREQxMEYrMS1TVDEwRkFQUCsxLUYxME0xMkFUKzMtRjEwTTEyQSsxLUYxME0xMkFCKzEtVTEwKzEtRjEwTTEyQVRCTisx"&"prod=90"&"ver=10.0.1410

mRunOnce: [GrpConv] grpconv -o

mRunOnce: [innoSetupRegFile.0000000001] "c:\windows\is-TU4O6.exe" /REG /REGSVRMODE

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\users\robert~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\dragon~1.lnk - c:\program files\nuance\naturallyspeaking10\program\natspeak.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpbutt~1.lnk - c:\program files\hp\button manager\BM.exe

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

LSP: mswsock.dll

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

TCP: DhcpNameServer =

TCP: Interfaces\{9DA5979C-A11D-4EE3-9723-D911AF231DA3} : DhcpNameServer =

TCP: Interfaces\{BB061B13-EC18-4E70-A718-9FD9008A964E} : DhcpNameServer =

Notify: igfxcui - igfxdev.dll

Hosts: www.spywareinfo.com


============= SERVICES / DRIVERS ===============


S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 FilmFanaticService;FilmFanaticService;c:\progra~1\filmfa~2\bar\1.bin\pabarsvc.exe [2011-7-26 42504]

S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-7-18 21504]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-3-24 136176]

S2 SupportDockService.exe;Support Dock Service;c:\program files\iyogi support dock\services\commagent\SupportDockService.exe [2011-6-13 73728]

S3 DCamUSBNovatek;USB2.0 UVC Camera;c:\windows\system32\drivers\nvtcam.sys [2010-7-14 2696960]

S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-10-11 54632]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-3-24 136176]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]


=============== Created Last 30 ================


2011-09-30 14:11:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-09-30 14:11:49 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-30 14:11:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-09-30 14:11:22 94896 ----a-w- c:\windows\system32\drivers\04298979.sys

2011-09-30 12:46:45 709968 ----a-w- c:\windows\is-TU4O6.exe

2011-09-30 12:26:12 -------- d-----w- c:\users\robert j rosso sr\appdata\roaming\ztzP0ycA1v2n4

2011-09-30 12:26:12 -------- d-----w- c:\users\robert j rosso sr\appdata\roaming\RmH5sQJ7dKgZhXj

2011-09-30 12:14:14 48016 --sha-w- c:\windows\system32\c_34746.nl_

2011-09-28 21:03:11 -------- d-----w- c:\users\robert j rosso sr\appdata\roaming\z6dWK7fRLg

2011-09-28 21:03:11 -------- d-----w- c:\users\robert j rosso sr\appdata\roaming\QUCekIBrNx0v2pG

2011-09-28 19:39:22 2456064 ----a-w- c:\users\robert j rosso sr\appdata\roaming\wmplayer.exe

2011-09-28 19:39:12 -------- d-----w- c:\users\robert j rosso sr\appdata\roaming\IEwe0Dd9hXjV

2011-09-28 19:39:10 -------- d-----w- c:\users\robert j rosso sr\appdata\roaming\gGaW9YkO0Sb4mJ

2011-09-28 17:25:11 -------- d-----w- c:\users\robert j rosso sr\appdata\roaming\WqVlNcib3467

2011-09-28 17:25:06 -------- d-----w- c:\users\robert j rosso sr\appdata\roaming\ZF5dEBrzv3GO

2011-09-28 14:43:16 -------- d-----w- c:\users\robert j rosso sr\appdata\roaming\e2onF4pmHsJdKg

2011-09-28 14:43:15 -------- d-----w- c:\users\robert j rosso sr\appdata\roaming\LqUVlOBtx0c1v3m

2011-09-28 14:01:22 -------- d-----w- c:\users\robert j rosso sr\appdata\roaming\guv2F3pnGaWVzN

2011-09-28 14:01:21 -------- d-----w- c:\users\robert j rosso sr\appdata\roaming\e2obF3p5aJdXjCB

2011-09-28 11:10:25 -------- d-----w- c:\users\robert j rosso sr\appdata\roaming\UBtzPNA1uDoFpGs

2011-09-28 11:10:25 -------- d-----w- c:\users\robert j rosso sr\appdata\roaming\FnF4pm7dE8RhXUe

2011-09-28 11:05:38 -------- d-----w- c:\users\robert j rosso sr\appdata\roaming\ptzPNycA1v2b

2011-09-28 11:05:38 -------- d-----w- c:\users\robert j rosso sr\appdata\roaming\DJ7dEK8gR9YwUI

2011-09-27 23:46:13 2456064 ----a-w- c:\users\robert j rosso sr\appdata\roaming\java.exe

2011-09-27 23:31:32 2456064 ----a-w- c:\users\robert j rosso sr\appdata\roaming\iexplore.exe

2011-09-27 23:26:12 -------- d-----w- c:\users\robert j rosso sr\appdata\roaming\yvD2onF4pHsJdK

2011-09-27 23:26:12 -------- d-----w- c:\users\robert j rosso sr\appdata\roaming\CgRZ9hYXwUe

2011-09-27 23:19:44 -------- d-----w- c:\users\robert j rosso sr\appdata\roaming\HDDD33pnG4a

2011-09-27 23:19:44 -------- d-----w- c:\users\robert j rosso sr\appdata\roaming\CIVVrrzONtxAuc2

2011-09-27 23:19:36 -------- d-----w- c:\users\robert j rosso sr\appdata\roaming\ZQQQJ77dEK8RZ9Y

2011-09-27 23:19:36 -------- d-----w- c:\users\robert j rosso sr\appdata\roaming\CzzPPNyccAuvDob


==================== Find3M ====================


2011-09-30 13:29:10 72192 ----a-w- c:\windows\system32\drivers\tdx.sys

2011-07-24 19:43:03 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-22 02:54:43 1797632 ----a-w- c:\windows\system32\jscript9.dll

2011-07-22 02:48:26 1126912 ----a-w- c:\windows\system32\wininet.dll

2011-07-22 02:44:36 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2011-07-11 13:25:35 2048 ----a-w- c:\windows\system32\tzres.dll

2011-07-06 15:31:47 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys


============= FINISH: 10:59:50.68 ===============

I have the other DDS log file attached, but when I try to run the GMER rootkit scanner, it starts up and then disappears, like MBAM does, so I don't get the opportunity to save the log. I'm doing this all from safe mode, Vista Home.

- Sarge

Semper Fi




Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, PayPal, eBay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps.

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you, then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

Please post back to let me know how you wish to proceed.


  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
