IP redirected


  • This topic is locked
40 replies to this topic

#1 Geneva

Geneva

  • Members
  • 47 posts
  • OFFLINE
  • Local time:06:16 AM

Posted 04 June 2009 - 08:19 PM

My IP address is redirected in the evening so that when I try to reboot I must do a wireless repair. I think this attack is malware attacking my computer through wireless connection and has reconfigured my wireless adapter. Enclosed are zip dds files and attach files. please help me fix. Thank you


#2 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:16 AM

Posted 15 June 2009 - 03:59 AM

Hello and :thumbup2: to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.


Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

-----------------------------------------------------------

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Kind regards
Net_Surfer

:)

#3 Geneva

Geneva
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  • Local time:06:16 AM

Posted 15 June 2009 - 07:44 AM

No, no one has helped me since I was told to post here 10 days ago. Since my original post,
I found 4 instances of Intel Pro wireless in services of MSCONFIG. I disabled the first 3 and now I see in the tray the Windows icon connect first, then my Kaspersky icon and then the Intel icon. The Intel icon shows a red X and "NO supported adapters in this system".
I have enclosed a screen shot of my system ipconfig, msconfig and tray. Apparently, what I have done in services has moved the Windows control ahead of the Intel control so that the misdirected IP cannot happen. Therefore, I suspect the information from my previous post that there is a problem with the Intel NetCFGlockholder
6/3/2009 12:00:41 AM Wireless Management Service Create HKEY_LOCAL_MACHINE\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NETWORK\NETCFGLOCKHOLDER
and
6/3/2009 12:00:41 AM Wireless Management Service Create HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NetCfgLockHolder/(Default)
I probably do not need to post another DDS log to resolve this issue. Also enclosed is a screenshot of Intel services registered in my firewall, my current ipconfig (which is correct), the system tray, and the services in msconfig. Please help.


Edited by Geneva, 15 June 2009 - 07:31 PM.


#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:16 PM

Posted 18 June 2009 - 11:58 AM

Hi Geneva,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.
  • Please enable all the disabled services. We need to detect and remove the infection. Disabling it might just prevent and hide the problem, but it would not solve it. You can instead use another computer and disconnect the infected computer between the fixes and reconnect it when performing the fixes. Or you can disable those services you suspect between the fixes, but make sure nothing is disabled when doing the scans and fixes.

  • Open your Malwarebytes' Anti-Malware, first update it, run a "quick scan", let reboot if needed and copy/paste the log to your reply.

    Note: The logs are saved by default under the Logs tab. If the log did not automatically open you can obtain the latest log from there.

  • Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

    @echo off
    rem Collect the network state into Log1.txt: adapter settings, DNS
    rem resolution, reachability and the routing table, for review.
    >Log1.txt (
    ipconfig /all
    nslookup google.com
    ping -n 2 google.com
    route print
    )
    rem Open the log in Notepad, then delete this batch file itself.
    start Log1.txt
    del %0
    • Go to the File menu at the top of the Notepad and select Save as.
    • Select save in: desktop
    • Fill in File name: test.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate and double-click test.bat on the desktop.
    • A Notepad window opens; copy and paste its content (Log1.txt) into your reply.
  • Please copy and post a fresh DDS log to your reply. No need for the Attach.txt.

Edited by farbar, 18 June 2009 - 12:14 PM.
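The batch file above hands the helper raw ipconfig /all and route print output to read by eye; as an added example (not code from the thread or from either poster), the Python checker below parses that output and flags what a helper looks for: a self-assigned APIPA 169.254.x.x address (Windows falls back to one when DHCP never answers), a DHCP adapter with no default gateway, DNS servers off the adapter's subnet, and any persistent routes. Both sample logs are constructed in the shape of Windows XP output; the 203.0.113.0/24 addresses are documentation space, not real hosts.

```python
"""Check the ipconfig /all + route print capture a batch file like test.bat
produces.  Added example, not from the thread; sample logs are constructed."""
import ipaddress
import re

# Constructed healthy capture, modelled on the thread's log.
HEALTHY_LOG = """\
Ethernet adapter Wireless Network Connection:

Dhcp Enabled. . . . . . . . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.2.4
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 192.168.2.1
===========================================================================
Persistent Routes:
None
"""

# Constructed failure case: DHCP never answered, so Windows fell back to an
# APIPA (169.254.0.0/16) address; DNS is off-link and a persistent route exists.
BROKEN_LOG = """\
Ethernet adapter Wireless Network Connection:

Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration IP Address. . . : 169.254.166.7
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 203.0.113.53
                                    203.0.113.54
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 203.0.113.1 1
"""

APIPA = ipaddress.ip_network("169.254.0.0/16")
ADAPTER = re.compile(r"^\S.*adapter (.+):\s*$")
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?)[ .]*:\s*(.*)$")


def parse_adapters(text):
    """Map adapter name -> {field: value} from the ipconfig /all section."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        if line.startswith("==="):          # route print output begins here
            current = None
            continue
        m = ADAPTER.match(line)
        if m:
            current, last_key = m.group(1), None
            adapters[current] = {}
            continue
        if current is None or not line.strip():
            continue
        m = FIELD.match(line)
        if m:
            last_key = m.group(1).strip()
            adapters[current][last_key] = m.group(2).strip()
        elif last_key and " " not in line.strip():
            # XP prints extra DNS servers on indented continuation lines
            adapters[current][last_key] += ", " + line.strip()
    return adapters


def parse_persistent_routes(text):
    """Return (destination, netmask, gateway) tuples from route print."""
    routes, in_section = [], False
    for line in text.splitlines():
        if line.startswith("Persistent Routes:"):
            in_section = True
            continue
        if not in_section or not line.strip():
            continue
        parts = line.split()
        if line.startswith("===") or parts[0] == "None":
            break
        if parts[0] == "Network":           # column header row
            continue
        routes.append(tuple(parts[:3]))
    return routes


def audit(text):
    """Return findings as 'CODE:detail' strings; an empty list means clean."""
    findings = []
    for name, f in parse_adapters(text).items():
        ip = f.get("IP Address") or f.get("Autoconfiguration IP Address")
        if not ip:
            continue                        # e.g. media disconnected
        if ipaddress.ip_address(ip) in APIPA:
            findings.append(f"APIPA:{name}:{ip}")
        if f.get("Dhcp Enabled") == "Yes" and not f.get("Default Gateway"):
            findings.append(f"NO_GATEWAY:{name}")
        subnet = ipaddress.ip_network(f"{ip}/{f.get('Subnet Mask', '32')}", strict=False)
        for dns in f.get("DNS Servers", "").split(","):
            dns = dns.strip()
            if dns and ipaddress.ip_address(dns) not in subnet:
                findings.append(f"OFFLINK_DNS:{name}:{dns}")
    for dest, mask, gw in parse_persistent_routes(text):
        findings.append(f"PERSISTENT_ROUTE:{dest}/{mask} via {gw}")
    return findings
```

Run `audit()` over the text of a real Log1.txt; an empty list corresponds to the "nothing wrong with those settings" verdict given later in the thread.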


#5 Geneva

Geneva
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  • Local time:06:16 AM

Posted 18 June 2009 - 01:30 PM

Thank you, enclosed are the files zipped

Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 5.1.2600 Service Pack 3

6/18/2009 02:09:32 PM
mbam-log-2009-06-18 (14-09-18).txt

Scan type: Quick Scan
Objects scanned: 80478
Time elapsed: 5 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Windows IP Configuration



Host Name . . . . . . . . . . . . : laptop

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Mixed

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : Scott



Ethernet adapter Local Area Connection 2:



Media State . . . . . . . . . . . : Media disconnected

Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller

Physical Address. . . . . . . . . : 00-0F-1F-1C-B1-74



Ethernet adapter Wireless Network Connection:



Connection-specific DNS Suffix . : Scott

Description . . . . . . . . . . . : Intel® PRO/Wireless 2200BG Network Connection

Physical Address. . . . . . . . . : 00-0E-35-71-31-17

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.2.4

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.2.1

DHCP Server . . . . . . . . . . . : 192.168.2.1

DNS Servers . . . . . . . . . . . : 192.168.2.1

NetBIOS over Tcpip. . . . . . . . : Disabled

Lease Obtained. . . . . . . . . . : Thursday, June 18, 2009 01:45:51 PM

Lease Expires . . . . . . . . . . : Monday, January 18, 2038 11:14:07 PM

Server: UnKnown
Address: 192.168.2.1

Name: google.com
Addresses: 74.125.67.100, 74.125.127.100, 74.125.45.100



Pinging google.com [74.125.45.100] with 32 bytes of data:



Reply from 74.125.45.100: bytes=32 time=74ms TTL=51

Reply from 74.125.45.100: bytes=32 time=91ms TTL=51



Ping statistics for 74.125.45.100:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 74ms, Maximum = 91ms, Average = 82ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0f 1f 1c b1 74 ...... Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
0x3 ...00 0e 35 71 31 17 ...... Intel® PRO/Wireless 2200BG Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.4 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.2.0 255.255.255.0 192.168.2.4 192.168.2.4 25
192.168.2.4 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.2.255 255.255.255.255 192.168.2.4 192.168.2.4 25
224.0.0.0 240.0.0.0 192.168.2.4 192.168.2.4 25
255.255.255.255 255.255.255.255 192.168.2.4 192.168.2.4 1
255.255.255.255 255.255.255.255 192.168.2.4 2 1
Default Gateway: 192.168.2.1
===========================================================================
Persistent Routes:
None




============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-3-29 226832]
R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-11-11 206088]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
S4 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]

=============== Created Last 30 ================

2009-06-12 19:49 <DIR> --d----- c:\program files\Yahoo!
2009-06-12 19:49 <DIR> --d----- c:\program files\CCleaner
2009-06-10 16:00 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-10 16:00 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-04 20:38 <DIR> --d----- c:\program files\Cobian Backup 9
2009-06-04 09:50 <DIR> --d----- c:\windows\system32\URTTemp
2009-06-04 09:49 <DIR> --d----- c:\program files\common files\HP
2009-06-04 09:44 <DIR> --d----- c:\program files\common files\Hewlett-Packard
2009-06-04 09:43 16,496 a----r-- c:\windows\system32\drivers\HPZipr12.sys
2009-06-04 09:43 49,664 a----r-- c:\windows\system32\drivers\HPZid412.sys
2009-06-04 09:42 77,824 a----r-- c:\windows\system32\HPZIDS01.dll
2009-06-04 09:42 38,400 a------- c:\windows\system32\hpz3l054.dll
2009-06-04 09:42 15,104 ac------ c:\windows\system32\dllcache\usbscan.sys
2009-06-04 09:42 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-06-04 09:33 204,800 a------- c:\windows\system32\HPZipr12.dll
2009-06-04 09:33 94,208 a------- c:\windows\system32\HPZipt12.dll
2009-06-04 09:33 69,632 a------- c:\windows\system32\HPZipm12.exe
2009-06-04 09:33 65,536 a------- c:\windows\system32\HPZinw12.exe
2009-06-04 09:33 57,344 a------- c:\windows\system32\HPZisn12.dll
2009-06-04 09:33 282,680 a------- c:\windows\system32\HPZidr12.dll
2009-06-04 09:31 <DIR> --d----- c:\program files\HP
2009-06-04 09:30 25,856 ac------ c:\windows\system32\dllcache\usbprint.sys
2009-06-04 09:30 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-06-04 09:30 32,128 ac------ c:\windows\system32\dllcache\usbccgp.sys
2009-06-04 09:30 32,128 a------- c:\windows\system32\drivers\usbccgp.sys
2009-06-04 09:29 117,364 a------- c:\windows\hpoins11.dat
2009-06-03 21:16 1,928 a------- c:\windows\system32\tmp.reg
2009-06-03 17:00 <DIR> --d----- c:\docume~1\john\applic~1\Malwarebytes
2009-06-03 17:00 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-03 17:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-03 17:00 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-03 17:00 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-29 15:07 <DIR> --d----- c:\program files\Dell
2009-05-29 15:06 <DIR> --d----- c:\windows\system32\Dell
2009-05-26 17:18 90,112 a------- c:\windows\system32\QuickTimeVR.qtx
2009-05-26 17:18 57,344 a------- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2009-06-18 09:12 1,562,656 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-06-18 09:12 376,864 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-06-18 09:12 13,288 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-06-18 09:12 2,368 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-06-02 11:17 75,776 a------- c:\windows\system32\WS2Fix.exe
2009-05-20 11:10 105,395 a------- c:\windows\system32\drivers\klin.dat
2009-05-20 11:10 94,643 a------- c:\windows\system32\drivers\klick.dat
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-04 08:10 90,112 a------- c:\windows\DUMP3f23.tmp
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-03-30 09:02 9,523,630 a------- C:\BellSouthIW.reg
2009-03-28 20:33 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-28 19:55 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 14:20:54.50 ===============


Edited by farbar, 18 June 2009 - 01:37 PM.


#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:16 PM

Posted 18 June 2009 - 01:49 PM

I edited your post, opened those attached and zipped files and copied and pasted them to make it easy to read the topic.

My IP address is redirected ...malware attacking my computer through wireless connection


I see nothing wrong with those settings.
Your description is vague. What exactly do you mean by IP redirection? No IP could be redirected. How do you see that malware is attacking your wireless connection? What are the symptoms?

Edited by farbar, 18 June 2009 - 01:52 PM.


#7 Geneva

Geneva
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  • Local time:06:16 AM

Posted 18 June 2009 - 03:35 PM

Everything is working correctly now. For a while, every time I booted the computer, I was directed to 196.254.166.7. Also 196.254.106.48 (see screenshot). Enclosed is a screenshot of the netstat -an. In that screenshot please note the picture of the tray as well as the network connection. I found 4 instances of Intel PRO/Wireless running in services, so I unchecked the first 3 and now things seem to be OK. I also blocked that IP address inbound and outbound in my firewall. As you can see it was on port 123, which I understand is epmap (whatever that is). I have also disabled NetBIOS and Application Layer Gateway services and removed CFD, which I believe is related to Broadcom jump. I have also replaced my router and enabled a 63-character WPA-2 key.
The IP listed above may have been a leftover from a hacker infection, as both my computers were hacked, I believe through my neighbor's unprotected computer and my unprotected wireless router (at the time).
The hacker established an incoming box on my Ethernet-connected desktop computer and connected to my laptop with an ID that quickly disappeared, listed as "MALVERAPI32".

I saved my documents and settings, then formatted this computer, but after reloading Windows and the drivers and copying back my documents and settings, I started getting the above IP address on boot, which went nowhere, and I would have to do a repair.
Since I have unchecked 3 of the Intel entries in services the problem is not happening now. Please see screenshots and tell me what to do. I have also formatted my desktop computer and have the router connected to the desktop computer by Ethernet and the router connected to the DSL modem, which I have put in bridge mode.

I now see in the laptop tray the Intel icon X'd out, and putting the cursor over the icon shows "no supported wireless adapters available in the system", but I also see the normal Windows wireless icon in the tray and it is active. See screenshot.
Thank you.


Edited by Geneva, 18 June 2009 - 03:51 PM.


#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:16 PM

Posted 18 June 2009 - 04:01 PM

everything working correctly now.


That is what matters.

#9 Geneva

Geneva
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  • Local time:06:16 AM

Posted 18 June 2009 - 07:52 PM

How can I delete the first 3 Intel PRO wireless services from msconfig, as one or two must contain the iplockholder? I would like to boot the computer in normal mode rather than selective mode.

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:16 PM

Posted 18 June 2009 - 08:43 PM

This is a good and clear question. The answer is in my first post, but I guess you didn't read the post fully and didn't perform the steps as instructed. You missed step one totally. It required you to boot in normal mode and get out of selective mode. MBAM was run without updating. Steps 3 and 4 were almost useless, because we could take a look at those services and remove them properly if they were bad.

So the answer is doing all the steps again fully and in the order they are written.

Edited by farbar, 19 June 2009 - 03:25 PM.


#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:16 PM

Posted 18 June 2009 - 08:46 PM

Also please copy and paste the logs instead of attaching them.

#12 Geneva

Geneva
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  • Local time:06:16 AM

Posted 19 June 2009 - 08:56 AM

Per your instructions I rebooted the computer in normal mode and reran updated Malwarebytes, then the ipconfig script, followed by the DDS. During the update of Malwarebytes a Hewlett-Packard printer driver for Photosmart tried to update. This program is flawed framework and starts a JIT and must be stopped by using Task Manager. After stopping it, Kaspersky halted the update 4 times, but I allowed it each time and finally Malwarebytes said that it was updated successfully. I had to close Malwarebytes and start it again from the icon on the desktop. I think I have followed your instructions correctly. I do see a change in the tray icons now. The Intel PRO/Wireless icon is no longer X'd out and the HP icon now appears. I have attached a screenshot of the tray.
Here are the results.
Malwarebytes' Anti-Malware 1.38
Database version: 2307
Windows 5.1.2600 Service Pack 3

6/19/2009 09:32:30 AM
mbam-log-2009-06-19 (09-32-13).txt

Scan type: Quick Scan
Objects scanned: 87192
Time elapsed: 6 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Windows IP Configuration



Host Name . . . . . . . . . . . . : laptop

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Mixed

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : Scott



Ethernet adapter Local Area Connection 2:



Media State . . . . . . . . . . . : Media disconnected

Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller

Physical Address. . . . . . . . . : 00-0F-1F-1C-B1-74



Ethernet adapter Wireless Network Connection:



Connection-specific DNS Suffix . : Scott

Description . . . . . . . . . . . : Intel® PRO/Wireless 2200BG Network Connection

Physical Address. . . . . . . . . : 00-0E-35-71-31-17

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.2.4

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.2.1

DHCP Server . . . . . . . . . . . : 192.168.2.1

DNS Servers . . . . . . . . . . . : 192.168.2.1

NetBIOS over Tcpip. . . . . . . . : Disabled

Lease Obtained. . . . . . . . . . : Friday, June 19, 2009 09:14:58 AM

Lease Expires . . . . . . . . . . : Monday, January 18, 2038 11:14:07 PM

Server: UnKnown
Address: 192.168.2.1



DDS (Ver_09-05-14.01) - NTFSx86
Run by John at 9:38:01.92 on Fri 06/19/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.327 [GMT -4:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\John\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = about:blank
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://support.att.net/sdccommon/download/tgctlcm.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238284631349
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1240164031131
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-3-29 226832]
R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-11-11 206088]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]

=============== Created Last 30 ================

2009-06-12 19:49 <DIR> --d----- c:\program files\Yahoo!
2009-06-12 19:49 <DIR> --d----- c:\program files\CCleaner
2009-06-10 16:00 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-10 16:00 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-04 20:38 <DIR> --d----- c:\program files\Cobian Backup 9
2009-06-04 09:50 <DIR> --d----- c:\windows\system32\URTTemp
2009-06-04 09:49 <DIR> --d----- c:\program files\common files\HP
2009-06-04 09:44 <DIR> --d----- c:\program files\common files\Hewlett-Packard
2009-06-04 09:43 16,496 a----r-- c:\windows\system32\drivers\HPZipr12.sys
2009-06-04 09:43 49,664 a----r-- c:\windows\system32\drivers\HPZid412.sys
2009-06-04 09:42 77,824 a----r-- c:\windows\system32\HPZIDS01.dll
2009-06-04 09:42 38,400 a------- c:\windows\system32\hpz3l054.dll
2009-06-04 09:42 15,104 ac------ c:\windows\system32\dllcache\usbscan.sys
2009-06-04 09:42 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-06-04 09:33 204,800 a------- c:\windows\system32\HPZipr12.dll
2009-06-04 09:33 94,208 a------- c:\windows\system32\HPZipt12.dll
2009-06-04 09:33 69,632 a------- c:\windows\system32\HPZipm12.exe
2009-06-04 09:33 65,536 a------- c:\windows\system32\HPZinw12.exe
2009-06-04 09:33 57,344 a------- c:\windows\system32\HPZisn12.dll
2009-06-04 09:33 282,680 a------- c:\windows\system32\HPZidr12.dll
2009-06-04 09:31 <DIR> --d----- c:\program files\HP
2009-06-04 09:30 25,856 ac------ c:\windows\system32\dllcache\usbprint.sys
2009-06-04 09:30 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-06-04 09:30 32,128 ac------ c:\windows\system32\dllcache\usbccgp.sys
2009-06-04 09:30 32,128 a------- c:\windows\system32\drivers\usbccgp.sys
2009-06-04 09:29 117,364 a------- c:\windows\hpoins11.dat
2009-06-03 21:16 1,928 a------- c:\windows\system32\tmp.reg
2009-06-03 17:00 <DIR> --d----- c:\docume~1\john\applic~1\Malwarebytes
2009-06-03 17:00 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-03 17:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-03 17:00 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-03 17:00 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-29 15:07 <DIR> --d----- c:\program files\Dell
2009-05-29 15:06 <DIR> --d----- c:\windows\system32\Dell
2009-05-26 17:18 90,112 a------- c:\windows\system32\QuickTimeVR.qtx
2009-05-26 17:18 57,344 a------- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2009-06-19 09:13 1,562,656 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-06-19 09:13 376,864 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-06-19 09:13 13,288 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-06-19 09:13 2,368 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-06-02 11:17 75,776 a------- c:\windows\system32\WS2Fix.exe
2009-05-20 11:10 105,395 a------- c:\windows\system32\drivers\klin.dat
2009-05-20 11:10 94,643 a------- c:\windows\system32\drivers\klick.dat
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-04 08:10 90,112 a------- c:\windows\DUMP3f23.tmp
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-03-30 09:02 9,523,630 a------- C:\BellSouthIW.reg
2009-03-28 20:33 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-28 19:55 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 9:39:06.84 ===============

Attached Files



#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:16 PM

Posted 19 June 2009 - 09:31 AM

Well done and thanks for the feedback. :thumbup2:

As you might have noticed, those disabled services are not bad. They are part of the Intel Wireless software and should be enabled. They don't cause your connection to be redirected.

The router and network adapter settings are still clean and malware-free, even with those services enabled, and there is no reason to worry about them. I believe you have had a DNS-Changer trojan, and by resetting the router it is removed.

As I understand it, your router is now protected by a strong password and is no longer accessible with the default password. If that is not the case, tell me about it, as it is very important to keep outsiders and Trojans away from your router.

Please tell me if you still have questions or need assistance.
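
The check below is an added example and not part of the thread or of any tool discussed in it. It does, on the workstation side, what Farbar's advice above implies: a DNS-changer that has been cleaned up (or that is still present) shows up as resolver addresses the owner never configured. The script parses the text of `ipconfig /all` as printed on Windows XP, collects the DNS servers of every adapter, and reports any address that is not inside an allow-list of networks the owner expects (the home router's LAN and the ISP's resolvers). The sample output and the addresses in it (192.168.1.x, 203.0.113.x) are constructed for the example; the allow-list is an assumption you must fill in with your own router address and ISP resolvers.

```python
"""Flag DNS resolver settings a DNS-changer trojan may have planted.

Added example, not code from the original thread. Parses `ipconfig /all`
text and compares each adapter's DNS servers against an allow-list of
networks the owner trusts. Sample output and addresses below are constructed.
"""
import ipaddress
import re
import subprocess
from typing import Dict, List

# Constructed sample in the layout `ipconfig /all` used on Windows XP.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . : home
        IP Address. . . . . . . . . . . . : 192.168.1.100
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 203.0.113.5
                                            203.0.113.6

Ethernet adapter Local Area Connection:

        Media State . . . . . . . . . . . : Media disconnected
"""

# Adapter headers start in column 0 and end with a colon.
ADAPTER_RE = re.compile(r"^(\S.*):\s*$")
# Indented "Key . . . . : value" lines.
KV_RE = re.compile(r"^\s+([A-Za-z][A-Za-z \-]*?)[ .]*:\s*(.*)$")
# Indented continuation lines carrying only a second/third DNS address.
CONT_RE = re.compile(r"^\s+(\S+)\s*$")


def parse_dns_servers(text: str) -> Dict[str, List[str]]:
    """Return {adapter name: [dns server, ...]} from ipconfig /all output."""
    result: Dict[str, List[str]] = {}
    adapter = None
    in_dns = False
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter = m.group(1).strip()
            result.setdefault(adapter, [])
            in_dns = False
            continue
        m = KV_RE.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            in_dns = key.startswith("DNS Servers")
            if in_dns and value and adapter is not None:
                result[adapter].append(value)
            continue
        m = CONT_RE.match(line)
        if m and in_dns and adapter is not None:
            result[adapter].append(m.group(1))
            continue
        in_dns = False  # blank line or anything else ends the DNS list
    return result


def suspicious_dns(servers_by_adapter: Dict[str, List[str]],
                   allowed: List[str]) -> Dict[str, List[str]]:
    """Return {adapter: [servers not inside any allowed network]}.

    `allowed` holds networks or single addresses, e.g. the router's LAN
    ("192.168.1.0/24") and the ISP's resolvers. Unparseable entries are
    reported too, since a legitimate resolver is always a plain IP address.
    """
    allowed_nets = [ipaddress.ip_network(a) for a in allowed]
    findings: Dict[str, List[str]] = {}
    for adapter, servers in servers_by_adapter.items():
        bad = []
        for server in servers:
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                bad.append(server)
                continue
            if not any(addr in net for net in allowed_nets):
                bad.append(server)
        if bad:
            findings[adapter] = bad
    return findings


if __name__ == "__main__":
    # Live run on a Windows machine (assumed allow-list: replace with your own).
    try:
        output = subprocess.run(["ipconfig", "/all"], capture_output=True,
                                text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        output = SAMPLE_IPCONFIG  # fall back to the constructed sample
    trusted = ["192.168.1.0/24", "203.0.113.0/24"]  # assumption: your LAN + ISP
    for name, bad in suspicious_dns(parse_dns_servers(output), trusted).items():
        print(f"{name}: unexpected DNS servers {bad}")
```

A caveat that matters for this thread: when a DNS-changer reconfigures the router rather than the PC, `ipconfig /all` shows only the router's own LAN address as the DNS server and the script reports nothing. In that case the resolvers to inspect are the WAN/DNS entries on the router's admin page, which is why resetting the router and changing its default password was the fix here.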

#14 Geneva

Geneva
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  • Local time:06:16 AM

Posted 19 June 2009 - 03:14 PM

Thank you for your help. Should I now remove Malwarebytes from Control Panel so there is no conflict with Kaspersky?

#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:16 PM

Posted 19 June 2009 - 03:24 PM

You are welcome.

No need to uninstall Malwarebytes; you can keep it. It is not an antivirus and will not conflict with Kaspersky. In fact, you need an anti-spyware/anti-malware program beside Kaspersky.

If you don't have any questions, we can close the topic.

Happy Surfing Geneva.



