
Google redirect - DDS file attached


This topic is locked
2 replies to this topic

#1 HatTrickMick

HatTrickMick

  • Members
  • 2 posts
  • OFFLINE
  • Local time:01:48 AM

Posted 02 May 2009 - 05:40 PM

About a week ago I rather stupidly attempted to download a file from a site that I had not visited before. This apparently left my computer rather badly infected, as evidenced by the bogus Spyware Protect 2009 messages that almost immediately popped up. After surfing I recognized the need to download and run some important applications.

In the past week I've downloaded and run Malwarebytes' Anti-Malware, SUPERAntiSpyware, Spybot Search & Destroy, and Ad-Aware Anniversary Edition. After repeated scanning and removal of suspect files I seemed to be rid of most of the symptoms of the infection. The remaining symptoms were that clicking on Google search results would take me to random web sites, and I would occasionally encounter a blue screen on reboot (which I was doing quite frequently given my malware scanning). I noticed that each time I ran Malwarebytes' product it would find a trojan - identified as lmppcsetup.exe. This was not being removed despite an indication to the contrary.

After another search online I downloaded and ran ComboFix... this did delete the file in question, along with some other files. This seems to have remedied the last remaining symptoms of the infection. Now I'm left wondering whether it's really safe for me to go back to using my computer for all of the important tasks I usually use it for - banking, shopping, etc. - or whether it may still be compromised in some way (just without any noticeable symptoms).

Please, please can you help in determining whether my PC is clean? Thanks in advance for any help you can offer.

DDS.txt file contents:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 14:56:23.20 on Sat 05/02/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1108 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\xampp\apache\bin\apache.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
svchost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\xampp\mysql\bin\mysqld.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\xampp\apache\bin\apache.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TivoTransfer] "c:\program files\common files\tivo shared\transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
uRun: [TivoNotify] "c:\program files\tivo\desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
uRun: [TivoServer] "c:\program files\tivo\desktop\TiVoServer.exe" /service /registry /auto:TivoServer
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [CTHelper] CTHELPER.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [CamMonitor] c:\program files\hewlett-packard\digital imaging\unload\hpqcmon.exe
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hposol08.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: aol.com\free
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} - hxxp://www.bebo.com/files/BeboUploader.5.1.4.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-28 64160]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-9-28 201320]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-2-17 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [2008-12-9 24636]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 953168]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-9-28 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-9-28 144704]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\PfModNT.sys [2007-8-9 15840]
R2 portD;ABS PortIO Service;c:\windows\system32\drivers\portd2k.sys [2008-11-30 7372]
R2 TivoBeacon2;TiVo Beacon;c:\program files\common files\tivo shared\beacon\TiVoBeacon.exe [2007-9-25 867328]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-9-28 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-9-28 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-9-28 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-9-28 40488]
S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-9-28 33832]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]

=============== Created Last 30 ================

2009-05-02 13:56 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-05-02 11:28 <DIR> a-dshr-- C:\cmdcons
2009-05-02 11:28 161,792 a------- c:\windows\SWREG.exe
2009-05-02 11:28 98,816 a------- c:\windows\sed.exe
2009-05-02 08:31 <DIR> --dsh--- c:\documents and settings\owner\PrivacIE
2009-05-02 02:43 <DIR> --dsh--- c:\documents and settings\owner\IETldCache
2009-05-02 02:40 <DIR> --d----- c:\windows\ie8updates
2009-05-02 02:39 105,984 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-05-02 02:39 <DIR> -cd-h--- c:\windows\ie8
2009-05-02 02:32 <DIR> --d----- c:\windows\system32\XPSViewer
2009-05-02 02:32 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-05-02 02:32 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-05-02 02:32 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-05-02 02:32 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-05-02 02:32 <DIR> --d----- C:\23708c8176d45c8a0c46b37d
2009-05-02 02:32 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-05-02 02:32 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-05-02 02:32 117,760 -------- c:\windows\system32\prntvpt.dll
2009-05-02 02:09 <DIR> --d----- C:\b9e8e846cd6a12e9d5b9
2009-04-28 21:24 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-28 21:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-28 21:13 15,688 a------- c:\windows\system32\lsdelete.exe
2009-04-28 20:44 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-04-28 20:41 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-28 20:41 <DIR> --d----- c:\program files\Lavasoft
2009-04-27 19:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-27 19:03 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-27 19:03 <DIR> --d----- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2009-04-27 17:59 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-04-27 17:59 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-27 17:59 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-27 17:59 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-27 17:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-25 20:01 <DIR> --d----- c:\program files\Walmart MP3 Music Downloads
2009-04-25 07:19 54,156 a---h--- c:\windows\QTFont.qfn
2009-04-25 07:19 1,409 a------- c:\windows\QTFont.for
2009-04-23 20:15 4,444,391,424 a------- C:\BABYS_FIRST_MOVES.iso
2009-04-23 17:51 4,670,218,240 a------- C:\HAPPIEST_BABY_ON_THE_BLOCK.iso
2009-04-16 13:26 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 13:26 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-16 13:26 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-05 19:13 2,566,727,680 a------- C:\HERE_COME_THE_123.iso
2009-04-05 18:47 2,909,597,696 a------- C:\HANDY_MANNY_TOOLING_AROUND.iso
2009-04-05 18:33 3,184,916,480 a------- C:\HERE_COME_THE_ABC.iso
2009-04-05 12:18 3,670,071,296 a------- C:\LITTLE_EINSTEINS_CELEBRATION.iso

==================== Find3M ====================

2009-04-04 15:27 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLdw.DAT
2009-04-04 15:25 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-02-09 05:10 729,088 -------- c:\windows\system32\lsasrv.dll
2009-02-09 05:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 05:10 714,752 -------- c:\windows\system32\ntdll.dll
2009-02-09 05:10 617,472 -------- c:\windows\system32\advapi32.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 04:11 110,592 -------- c:\windows\system32\services.exe
2009-02-06 04:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 03:39 35,328 -------- c:\windows\system32\sc.exe
2009-02-03 12:59 56,832 a------- c:\windows\system32\secur32.dll
2008-01-22 11:14 32 -------- c:\docume~1\alluse~1\applic~1\ezsid.dat

============= FINISH: 14:57:00.71 ===============

#2 HatTrickMick

HatTrickMick
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:01:48 AM

Posted 10 May 2009 - 03:03 PM

Please disregard my request for help.

#3 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:04:48 AM

Posted 10 May 2009 - 03:19 PM

OK.

Thanks for telling us.

This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)
