IE Browser Hijacker/Pop-up to Google Analytics

This topic is locked
11 replies to this topic

#1 MadMaverick

Posted 22 June 2010 - 09:34 PM

I recently started getting pop-up ads when I clicked on links using IE. The pop-ups would generally be to search.google-analytics.com but sometimes something similar. I ran Malwarebytes, Housecall, SUPERAntiSpyware, HijackThis, ComboFix, TDSSKiller, but to no avail. I also followed another forum post that seemed to be the same as my issue, yet I did not get a solution. I also pasted in the scr.bat from the other forum post found here. In addition, I believe it has something to do with one of the svchost.exe processes running in the Task Manager; it seems to run a few Windows services connected to Windows Media Player (a non-used program), specifically a service called Windows Media Player Network Sharing Service.

DDS Log

DDS (Ver_10-03-17.01) - NTFSx86
Run by Madoc at 22:14:19.93 on Tue 06/22/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2048.1325 [GMT -4:00]

SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Steam\steam.exe
C:\Windows\system32\AUDIODG.EXE
C:\Program Files\Common Files\Steam\SteamService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Madoc\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R3 AE1000;Linksys AE1000 Driver;c:\windows\system32\drivers\ae1000w7.sys [2010-4-29 841504]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 netr28u;RT2870 USB Extensible Wireless LAN Card Driver;c:\windows\system32\drivers\netr28u.sys [2009-5-25 734208]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-15 1343400]

=============== Created Last 30 ================

2010-06-21 13:24:36 0 d-----w- c:\users\madoc\appdata\roaming\SUPERAntiSpyware.com
2010-06-21 13:24:36 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-06-21 13:24:32 0 d-----w- c:\program files\SUPERAntiSpyware
2010-06-21 13:22:38 0 d-----w- c:\program files\CCleaner
2010-06-21 13:09:53 4868 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-06-20 00:00:01 0 d-----w- c:\programdata\NVIDIA
2010-06-19 23:59:32 0 d-----w- c:\program files\NVIDIA Corporation
2010-06-11 18:46:29 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-06-11 18:46:28 67584 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-11 18:46:24 977920 ----a-w- c:\windows\system32\wininet.dll
2010-06-11 18:46:16 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-11 18:46:16 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-06-06 17:50:31 0 d-----w- c:\users\madoc\appdata\roaming\Beat Hazard
2010-06-01 17:43:12 0 d-----w- c:\program files\ArmyBuilder
2010-05-26 15:50:03 2048 ----a-w- c:\windows\system32\tzres.dll

==================== Find3M ====================

2010-05-21 18:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 18:45:56 72856 ----a-w- c:\windows\system32\xliveinstallhost.exe
2010-04-27 18:45:56 187544 ----a-w- c:\windows\system32\xliveinstall.dll
2010-04-20 02:03:55 811520 ----a-w- c:\windows\system32\user32.dll
2010-04-20 02:03:55 409088 ----a-w- c:\windows\system32\systemcpl.dll
2010-04-20 02:03:55 13824 ----a-w- c:\windows\system32\slwga.dll
2010-04-12 21:29:19 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-03 22:27:00 985704 ----a-w- c:\windows\system32\nvsvc.dll
2010-04-03 22:27:00 66664 ----a-w- c:\windows\system32\nvshext.dll
2010-04-03 22:27:00 13683816 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 22:27:00 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-04-03 22:27:00 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-02 21:17:52 15426200 ----a-w- c:\windows\system32\xlive.dll
2010-04-02 21:17:52 13642904 ----a-w- c:\windows\system32\xlivefnt.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-01-22 21:19:50 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-01-22 08:19:01 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 22:14:50.85 ===============


scr.bat Log


Windows IP Configuration

Host Name . . . . . . . . . . . . : Madoc-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : hsd1.nj.comcast.net.

Wireless LAN adapter Wireless Network Connection 7:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter #3
Physical Address. . . . . . . . . : 00-25-9C-F8-43-BF
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection 6:

Connection-specific DNS Suffix . : hsd1.nj.comcast.net.
Description . . . . . . . . . . . : Linksys AE1000 #2
Physical Address. . . . . . . . . : 00-25-9C-F8-43-BE
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::a84a:d2fa:4c2b:a7c2%18(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.104(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Tuesday, June 22, 2010 2:03:02 PM
Lease Expires . . . . . . . . . . : Wednesday, June 23, 2010 2:03:07 PM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 369108380
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-AE-53-4B-00-1A-4D-43-15-D5
DNS Servers . . . . . . . . . . . : 192.168.1.1
213.109.64.53
213.109.73.74
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.hsd1.nj.comcast.net.:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : hsd1.nj.comcast.net.
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:73ba:34dc:121d:bbac:f23(Preferred)
Link-local IPv6 Address . . . . . : fe80::34dc:121d:bbac:f23%11(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
Server: UnKnown
Address: 192.168.1.1

Name: google.com
Addresses: 72.14.204.147
72.14.204.99
72.14.204.104
72.14.204.103


Pinging google.com [72.14.204.103] with 32 bytes of data:
Reply from 72.14.204.103: bytes=32 time=28ms TTL=52
Reply from 72.14.204.103: bytes=32 time=25ms TTL=52

Ping statistics for 72.14.204.103:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 25ms, Maximum = 28ms, Average = 26ms
===========================================================================
Interface List
19...00 25 9c f8 43 bf ......Microsoft Virtual WiFi Miniport Adapter #3
18...00 25 9c f8 43 be ......Linksys AE1000 #2
1...........................Software Loopback Interface 1
20...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
11...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.104 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.104 281
192.168.1.104 255.255.255.255 On-link 192.168.1.104 281
192.168.1.255 255.255.255.255 On-link 192.168.1.104 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.104 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.104 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
11 58 ::/0 On-link
1 306 ::1/128 On-link
11 58 2001::/32 On-link
11 306 2001:0:5ef5:73ba:34dc:121d:bbac:f23/128
On-link
18 281 fe80::/64 On-link
11 306 fe80::/64 On-link
11 306 fe80::34dc:121d:bbac:f23/128
On-link
18 281 fe80::a84a:d2fa:4c2b:a7c2/128
On-link
1 306 ff00::/8 On-link
11 306 ff00::/8 On-link
18 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

Edited by MadMaverick, 23 June 2010 - 02:39 AM.


#2 Farbar

Posted 28 June 2010 - 06:02 AM

Hi MadMaverick,

Welcome to Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. In case of making changes I shall assume my assistance is not needed any more.

If the issue is not resolved please update me on the current condition of your computer.

#3 MadMaverick

Posted 29 June 2010 - 01:36 PM

Hello Farbar,
I do still need assistance. The issue still remains after numerous scans and such. I will refrain from making any more modifications to the system now so it will help with the process. Thank you for your time.

#4 Farbar

Posted 29 June 2010 - 02:25 PM

Yes, it is the router-hijacking trojan DNS-changer.
  1. Please read this: Malware Silently Alters Wireless Router Settings

  2. Consult this link to find out the default username and password of your router and note them down: Router Passwords

  3. Then reset your router to its factory default settings:

    QUOTE
    "If your machine has been infected by one of these Zlob/DNSchanger Trojans, and your router settings have been altered, I would strongly recommend that you reset the router to its default configuration. Usually, this can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds)"


  4. This is the difficult part.
    First get to the router's server. To do that, open Internet Explorer, type http:\\192.168.1.1 in the address bar and click Enter. You get the log-in window.
    Fill in the password you have already found and you will get the configuration page.
    Configure the router to allow you to connect to your ISP server. In some routers it is done by a setup wizard. But you have to fill in the log-in password your ISP initially gave you.
    You can also call your ISP if you don't have your initial password.
    Don't forget to change the router's default password and set a strong password. Note down the password and keep it somewhere for future reference.

    After this, to make sure the DNS setting on the computer is not altered, proceed with the following:

  5. Go to Start -> Control Panel -> Double click on Network Connections.
    • Right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and select Properties.
    • Select the General tab.
    • Double click on Internet Protocol (TCP/IP) under General tab:
    • Check Obtain an IP address automatically and Obtain DNS server address automatically.
    • Click OK twice to save the settings.
    • Reboot.

  6. Run scr.bat once more and attach the log please.


#5 MadMaverick

Posted 29 June 2010 - 03:10 PM

Did all that was asked. Router was reset and I ran the scr.bat again.

SCR Log

Windows IP Configuration

Host Name . . . . . . . . . . . . : Madoc-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : hsd1.nj.comcast.net.

Wireless LAN adapter Wireless Network Connection 7:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter #3
Physical Address. . . . . . . . . : 00-25-9C-F8-43-BF
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection 6:

Connection-specific DNS Suffix . : hsd1.nj.comcast.net.
Description . . . . . . . . . . . : Linksys AE1000 #2
Physical Address. . . . . . . . . : 00-25-9C-F8-43-BE
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::a84a:d2fa:4c2b:a7c2%18(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.100(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Tuesday, June 29, 2010 4:02:37 PM
Lease Expires . . . . . . . . . . : Wednesday, June 30, 2010 4:02:40 PM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 369108380
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-AE-53-4B-00-1A-4D-43-15-D5
DNS Servers . . . . . . . . . . . : 192.168.1.1
68.87.64.150
68.87.75.198
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.hsd1.nj.comcast.net.:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : hsd1.nj.comcast.net.
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:2cbe:2a7:bbac:f23(Preferred)
Link-local IPv6 Address . . . . . : fe80::2cbe:2a7:bbac:f23%11(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
Server: UnKnown
Address: 192.168.1.1

Name: google.com
Addresses: 72.14.204.103
72.14.204.99
72.14.204.104
72.14.204.147


Pinging google.com [72.14.204.99] with 32 bytes of data:
Reply from 72.14.204.99: bytes=32 time=22ms TTL=52
Reply from 72.14.204.99: bytes=32 time=23ms TTL=52

Ping statistics for 72.14.204.99:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 22ms, Maximum = 23ms, Average = 22ms
===========================================================================
Interface List
19...00 25 9c f8 43 bf ......Microsoft Virtual WiFi Miniport Adapter #3
18...00 25 9c f8 43 be ......Linksys AE1000 #2
1...........................Software Loopback Interface 1
20...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
11...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.100 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.100 281
192.168.1.100 255.255.255.255 On-link 192.168.1.100 281
192.168.1.255 255.255.255.255 On-link 192.168.1.100 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.100 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.100 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
11 58 ::/0 On-link
1 306 ::1/128 On-link
11 58 2001::/32 On-link
11 306 2001:0:4137:9e76:2cbe:2a7:bbac:f23/128
On-link
18 281 fe80::/64 On-link
11 306 fe80::/64 On-link
11 306 fe80::2cbe:2a7:bbac:f23/128
On-link
18 281 fe80::a84a:d2fa:4c2b:a7c2/128
On-link
1 306 ff00::/8 On-link
11 306 ff00::/8 On-link
18 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None


#6 Farbar

Posted 29 June 2010 - 03:29 PM

Well done.
  1. Run CCleaner (make sure under the Windows tab all the boxes for Internet Explorer and Windows Explorer are checked. Under System, check Empty Recycle Bin and Temporary Files. Under the Application tab all the boxes should be checked). Then click Run Cleaner.

  2. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  3. Please run DDS and post a fresh DDS.txt to your reply. No need for the Attach.txt




#7 MadMaverick

Posted 29 June 2010 - 03:46 PM

Seems all good so far. I was wondering if you would be so kind as to tell me which log initially led you to determining that my router was hacked. Meaning, how were you able to determine the DNS servers were changed? Was it in the scr.bat log under DNS Servers? Thank you for your help, sir.


MBAM Log
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4258

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

6/29/2010 4:41:24 PM
mbam-log-2010-06-29 (16-41-24).txt

Scan type: Quick scan
Objects scanned: 126757
Time elapsed: 3 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


DDS Log

DDS (Ver_10-03-17.01) - NTFSx86
Run by Madoc at 16:43:09.68 on Tue 06/29/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2048.1404 [GMT -4:00]

SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Madoc\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R3 AE1000;Linksys AE1000 Driver;c:\windows\system32\drivers\ae1000w7.sys [2010-4-29 841504]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-12-7 38224]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 netr28u;RT2870 USB Extensible Wireless LAN Card Driver;c:\windows\system32\drivers\netr28u.sys [2009-5-25 734208]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-15 1343400]

=============== Created Last 30 ================

2010-06-27 02:21:59 0 d-sh--w- C:\$RECYCLE.BIN
2010-06-27 02:14:17 98816 ----a-w- c:\windows\sed.exe
2010-06-27 02:14:17 77312 ----a-w- c:\windows\MBR.exe
2010-06-27 02:14:17 256512 ----a-w- c:\windows\PEV.exe
2010-06-27 02:14:17 161792 ----a-w- c:\windows\SWREG.exe
2010-06-26 18:03:09 1184 ---ha-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2010-06-26 18:03:09 1184 ---ha-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2010-06-25 16:22:44 5456 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-06-23 07:52:10 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-23 07:52:10 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-23 07:52:10 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-06-23 07:52:10 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-23 07:52:10 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-06-23 07:31:30 1286456 ----a-w- c:\windows\system32\ntdll.dll
2010-06-23 07:31:28 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-06-23 07:31:27 417792 ----a-w- c:\windows\system32\msdri.dll
2010-06-23 07:31:27 204288 ----a-w- c:\windows\system32\MSNP.ax
2010-06-23 07:31:27 199680 ----a-w- c:\windows\system32\mpg2splt.ax
2010-06-23 02:41:55 0 d-----w- c:\program files\ESET
2010-06-21 13:24:36 0 d-----w- c:\users\madoc\appdata\roaming\SUPERAntiSpyware.com
2010-06-21 13:24:36 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-06-21 13:24:32 0 d-----w- c:\program files\SUPERAntiSpyware
2010-06-21 13:22:38 0 d-----w- c:\program files\CCleaner
2010-06-20 00:00:01 0 d-----w- c:\programdata\NVIDIA
2010-06-19 23:59:32 0 d-----w- c:\program files\NVIDIA Corporation
2010-06-11 18:46:29 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-06-11 18:46:28 67584 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-11 18:46:24 977920 ----a-w- c:\windows\system32\wininet.dll
2010-06-11 18:46:16 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-11 18:46:16 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-06-06 17:50:31 0 d-----w- c:\users\madoc\appdata\roaming\Beat Hazard
2010-06-01 17:43:12 0 d-----w- c:\program files\ArmyBuilder

==================== Find3M ====================

2010-05-21 18:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-27 18:45:56 72856 ----a-w- c:\windows\system32\xliveinstallhost.exe
2010-04-27 18:45:56 187544 ----a-w- c:\windows\system32\xliveinstall.dll
2010-04-23 07:13:36 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-20 02:03:55 811520 ----a-w- c:\windows\system32\user32.dll
2010-04-20 02:03:55 409088 ----a-w- c:\windows\system32\systemcpl.dll
2010-04-20 02:03:55 13824 ----a-w- c:\windows\system32\slwga.dll
2010-04-12 21:29:19 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-03 22:27:00 985704 ----a-w- c:\windows\system32\nvsvc.dll
2010-04-03 22:27:00 66664 ----a-w- c:\windows\system32\nvshext.dll
2010-04-03 22:27:00 13683816 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 22:27:00 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-04-03 22:27:00 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-02 21:17:52 15426200 ----a-w- c:\windows\system32\xlive.dll
2010-04-02 21:17:52 13642904 ----a-w- c:\windows\system32\xlivefnt.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-01-22 21:19:50 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-01-22 08:19:01 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 16:43:36.63 ===============


#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 20,776 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:58 AM

Posted 29 June 2010 - 04:00 PM

DNS hijacker:

QUOTE
213.109.64.53 to 213.109.73.74 <<== Server in Russia


You are missing one important program on that computer: An antivirus.
This is somewhat suicidal in today's digital world.
You need to install an antivirus program as soon as you can. I recommend this good free antivirus:

Avira
  • Download the installer from the softpedia.com link, as it has a secure download mirror. Install and update it.
  • In the left pane click Status. In the right pane click Scan system now.
  • After the scan has finished, let it remove what it finds and then click Report.
  • You can also get the last report by clicking on Reports in the left pane.
  • In the right window under Action double-click on the last Scan listed (you also see the corresponding Date/Time).
  • A window opens, click on Report file.
  • Copy and paste the content of the report into your reply.

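The DNS-hijack finding above, as an added defender's check (not part of the original thread and not a BleepingComputer or Farbar tool): a Python script that pulls the configured resolvers out of DDS-style NameServer lines and flags any that fall outside an allowlist of expected networks. The log lines and the allowlist are constructed assumptions for the example; the two flagged addresses are the ones quoted in the post.

```python
import ipaddress
import re

# Constructed sample lines in the style of a DDS log's TCP/IP section (not
# the original poster's log). The two addresses are the ones Farbar flagged
# in post #8 as a hijacked resolver in a Russian range.
SAMPLE_LOG = """\
TCP: DhcpNameServer = 192.168.1.1
TCP: NameServer = 213.109.64.53,213.109.73.74
TCP: Interfaces\\{EXAMPLE-GUID} : DhcpNameServer = 192.168.1.1
"""

# Resolvers the owner actually expects: the home router plus public ones.
# This allowlist is an assumption for the example; adjust it to your network.
EXPECTED_RESOLVERS = [
    ipaddress.ip_network("192.168.0.0/16"),   # RFC 1918 home router range
    ipaddress.ip_network("8.8.8.8/32"),
    ipaddress.ip_network("8.8.4.4/32"),
]

NAMESERVER_RE = re.compile(r"NameServer\s*=\s*([\d.,\s]+)")


def extract_resolvers(log_text):
    """Return the distinct IPv4 resolvers listed on NameServer lines, in order."""
    found = []
    for line in log_text.splitlines():
        m = NAMESERVER_RE.search(line)
        if not m:
            continue
        for token in re.split(r"[,\s]+", m.group(1).strip()):
            if not token:
                continue
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                continue  # skip malformed tokens instead of crashing on a noisy log
            if addr not in found:
                found.append(addr)
    return found


def unexpected_resolvers(log_text, allowlist=EXPECTED_RESOLVERS):
    """Resolvers outside every allowed network: the DNS-changer candidates."""
    return [str(a) for a in extract_resolvers(log_text)
            if not any(a in net for net in allowlist)]


if __name__ == "__main__":
    for addr in unexpected_resolvers(SAMPLE_LOG):
        print("Unexpected DNS resolver configured:", addr)
```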

#9 MadMaverick

MadMaverick
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:58 AM

Posted 29 June 2010 - 04:17 PM

Avira AntiVir Personal
Report file date: Tuesday, June 29, 2010 17:16

Scanning for 2280411 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows 7
Windows version : (plain) [6.1.7600]
Boot mode : Normally booted
Username : Madoc
Computer name : MADOC-PC

Version information:
BUILD.DAT : 10.0.0.567 32097 Bytes 4/19/2010 15:07:00
AVSCAN.EXE : 10.0.3.0 433832 Bytes 4/1/2010 17:37:38
AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 17:57:04
LUKE.DLL : 10.0.2.3 104296 Bytes 3/7/2010 23:33:04
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 04:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 14:05:36
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 00:27:49
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 22:37:42
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 21:37:42
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 16:29:03
VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 21:14:54
VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 21:15:01
VBASE007.VDF : 7.10.7.219 2048 Bytes 6/2/2010 21:15:01
VBASE008.VDF : 7.10.7.220 2048 Bytes 6/2/2010 21:15:01
VBASE009.VDF : 7.10.7.221 2048 Bytes 6/2/2010 21:15:01
VBASE010.VDF : 7.10.7.222 2048 Bytes 6/2/2010 21:15:01
VBASE011.VDF : 7.10.7.223 2048 Bytes 6/2/2010 21:15:01
VBASE012.VDF : 7.10.7.224 2048 Bytes 6/2/2010 21:15:02
VBASE013.VDF : 7.10.8.37 270336 Bytes 6/10/2010 21:15:03
VBASE014.VDF : 7.10.8.69 138752 Bytes 6/14/2010 21:15:04
VBASE015.VDF : 7.10.8.102 130560 Bytes 6/16/2010 21:15:05
VBASE016.VDF : 7.10.8.135 152064 Bytes 6/21/2010 21:15:06
VBASE017.VDF : 7.10.8.163 432128 Bytes 6/23/2010 21:15:08
VBASE018.VDF : 7.10.8.194 133632 Bytes 6/27/2010 21:15:10
VBASE019.VDF : 7.10.8.195 2048 Bytes 6/27/2010 21:15:10
VBASE020.VDF : 7.10.8.196 2048 Bytes 6/27/2010 21:15:10
VBASE021.VDF : 7.10.8.197 2048 Bytes 6/27/2010 21:15:10
VBASE022.VDF : 7.10.8.198 2048 Bytes 6/27/2010 21:15:10
VBASE023.VDF : 7.10.8.199 2048 Bytes 6/27/2010 21:15:10
VBASE024.VDF : 7.10.8.200 2048 Bytes 6/27/2010 21:15:10
VBASE025.VDF : 7.10.8.201 2048 Bytes 6/27/2010 21:15:10
VBASE026.VDF : 7.10.8.202 2048 Bytes 6/27/2010 21:15:10
VBASE027.VDF : 7.10.8.203 2048 Bytes 6/27/2010 21:15:11
VBASE028.VDF : 7.10.8.204 2048 Bytes 6/27/2010 21:15:11
VBASE029.VDF : 7.10.8.205 2048 Bytes 6/27/2010 21:15:11
VBASE030.VDF : 7.10.8.206 2048 Bytes 6/27/2010 21:15:11
VBASE031.VDF : 7.10.8.218 134144 Bytes 6/29/2010 21:15:12
Engineversion : 8.2.4.2
AEVDF.DLL : 8.1.2.0 106868 Bytes 6/29/2010 21:15:28
AESCRIPT.DLL : 8.1.3.33 1356155 Bytes 6/29/2010 21:15:27
AESCN.DLL : 8.1.6.1 127347 Bytes 6/29/2010 21:15:25
AESBX.DLL : 8.1.3.1 254324 Bytes 6/29/2010 21:15:28
AERDL.DLL : 8.1.4.6 541043 Bytes 6/29/2010 21:15:24
AEPACK.DLL : 8.2.2.5 430453 Bytes 6/29/2010 21:15:23
AEOFFICE.DLL : 8.1.1.0 201081 Bytes 6/29/2010 21:15:22
AEHEUR.DLL : 8.1.1.38 2724214 Bytes 6/29/2010 21:15:21
AEHELP.DLL : 8.1.11.6 242038 Bytes 6/29/2010 21:15:17
AEGEN.DLL : 8.1.3.12 377204 Bytes 6/29/2010 21:15:17
AEEMU.DLL : 8.1.2.0 393588 Bytes 6/29/2010 21:15:15
AECORE.DLL : 8.1.15.3 192886 Bytes 6/29/2010 21:15:15
AEBB.DLL : 8.1.1.0 53618 Bytes 6/29/2010 21:15:14
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 17:03:38
AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 17:03:35
AVREP.DLL : 10.0.0.8 62209 Bytes 2/18/2010 21:47:40
AVREG.DLL : 10.0.3.0 53096 Bytes 4/1/2010 17:35:46
AVSCPLR.DLL : 10.0.3.0 83816 Bytes 4/1/2010 17:39:51
AVARKT.DLL : 10.0.0.14 227176 Bytes 4/1/2010 17:22:13
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 14:53:30
SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 17:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 20:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 19:41:00
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 18:10:20
RCTEXT.DLL : 10.0.53.0 97128 Bytes 4/9/2010 19:14:29

Configuration settings for the scan:
Jobname.............................: Short system scan after installation
Configuration file..................: c:\program files\avira\antivir desktop\setupprf.dat
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: Intelligent file selection
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Tuesday, June 29, 2010 17:16

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avconfig.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'conhost.exe' - '1' Module(s) have been scanned
Scan process 'avshadow.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'setup.exe' - '1' Module(s) have been scanned
Scan process 'TrustedInstaller.exe' - '1' Module(s) have been scanned
Scan process 'msiexec.exe' - '1' Module(s) have been scanned
Scan process 'presetup.exe' - '1' Module(s) have been scanned
Scan process 'avira_antivir_personal_en.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'ZuneLauncher.exe' - '1' Module(s) have been scanned
Scan process 'taskhost.exe' - '1' Module(s) have been scanned
Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
Scan process 'Dwm.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'nvvsvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'nvvsvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsm.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'wininit.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:

Starting to scan executable files (registry).
The registry was scanned ( '435' files ).



End of the scan: Tuesday, June 29, 2010 17:16
Used time: 00:16 Minute(s)

The scan has been done completely.

0 Scanned directories
911 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
911 Files not concerned
3 Archives were scanned
0 Warnings
0 Notes

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 20,776 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:58 AM

Posted 29 June 2010 - 04:40 PM

It looks good.
  1. It is important to uninstall ComboFix. If you don't have ComboFix on your desktop, download a fresh one from one of these locations to your desktop:

    Link 1
    Link 2
    Link 3

    Go to Start => Run => copy and paste the next command in the field, then hit Enter:

    ComboFix /Uninstall

    This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

  2. You may delete any tool or log we used from your computer.


Recommendations:
  1. I recommend using Site Advisor for safe surfing. It is a free extension for both Internet Explorer and Firefox. When you search for a site, it gives you an indication of how safe that site is.

  2. I recommend installing this small application for safe surfing: Javacools© SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings, which will protect you from running and downloading known malicious programs.
    • Download and install it.
    • Update it manually by clicking on Updates in the left pane and then Check for Updates.
    • Then enable all the protections by clicking on Protection Status on the left pane. Then click on Enable All Protection.
    • The free version doesn't have an automatic update. Update it once every two or three weeks and enable all protection again.

Happy surfing, MadMaverick.

#11 MadMaverick

MadMaverick
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:58 AM

Posted 29 June 2010 - 04:58 PM

Thank you very much for your help, Farbar.

You have helped clear up a very irritating issue for me.

Have a great week.

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 20,776 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:58 AM

Posted 29 June 2010 - 05:11 PM

You are most welcome, MadMaverick.

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.
