
Windows Antivirus Pro & Google/yahoo redirects


This topic is locked
3 replies to this topic

#1 darkmagician1190

Posted 25 August 2009 - 03:05 PM

I let my friend borrow my computer for the past month, and when I got it back no programs would open. I got a command window titled desot.exe and it closed.

I was able to get Malwarebytes to finally open by right-clicking and running as user, and renaming the program. Now every day I have to force quit Windows Antivirus Pro (fake, I know) and then close svchast.exe and run Malwarebytes again, PLUS after running Malwarebytes and it comes up clean, the search engines are still doing the redirect.



DDS (Ver_09-07-30.01) - NTFSx86
Run by administrator at 14:23:43.68 on 2009-08-25
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.250 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\Fisher-Price\Easy-Link internet launch pad\Easy-Link internet launch pad.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Fisher-Price\Computer Cool School\FPCCSMiddleware.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Synergy\synergyc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.speedbit.com/
uSearch Page =
uSearch Bar =
mDefault_Search_URL = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
mSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
mSearchAssistant =
uURLSearchHooks: SrchHook Class: {f4f10c1d-87c7-404a-b4b3-000000000000} - c:\progra~1\dap\SBSearch.dll
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: DAPIELoader Class: {ff6c3cf0-4b15-11d1-abed-709549c10000} - c:\progra~1\dap\DAPIEL~1.DLL
TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
mRun: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\mcupdate.exe
mRun: [OASClnt] c:\program files\mcafee.com\vso\oasclnt.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [eligmini] c:\program files\fisher-price\easy-link internet launch pad\Easy-Link internet launch pad.exe 0
mRun: [CPQEASYACC] c:\program files\compaq\easy access button support\StartEAK.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [LXSUPMON] c:\windows\system32\LXSUPMON.EXE RUN
mRun: [FPCCSMiddleware] c:\program files\fisher-price\computer cool school\FPCCSMiddleware.exe
mRun: [EasyTuneIV] c:\program files\gigabyte\easytune4\et4.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {13C1DBF6-7535-495c-91F6-8C13714ED485} - c:\documents and settings\all users\start menu\programs\absolute poker\Absolute Poker.lnk
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} - hxxp://download.sopcast.com/download/SOPCORE.CAB
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap
LSA: Notification Packages = scecli c:\windows\system32\yigiwopa.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\natali~1\applic~1\mozilla\firefox\profiles\cfpl0kav.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.speedbit.com/searchresults.asp?src=default&q=
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\cfpl0kav.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\cfpl0kav.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\microsoft silverlight\npctrl.1.0.20926.0.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - HiddenExtension: XUL Cache: No Registry Reference - c:\program files\mozilla firefox\extensions\{0161FD83-7B18-46BF-B351-B3F819827131}

============= SERVICES / DRIVERS ===============

R0 xmasbus;xmasbus;c:\windows\system32\drivers\xmasbus.sys [2008-12-4 140800]
R0 xmasscsi;xmasscsi;c:\windows\system32\drivers\xmasscsi.sys [2008-12-4 5504]
R2 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\Mcdetect.exe [2006-2-7 126976]
R2 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2006-2-7 122368]
R2 Synergy Client;Synergy Client;c:\program files\synergy\synergyc.exe [2006-4-2 446464]
R3 ETDrv;ETDrv;c:\windows\system32\drivers\ETDrv.sys [2009-8-11 185280]
RUnknown llcoxkl;llcoxkl; [x]
S0 ati6wbxx;ati6wbxx;c:\windows\system32\drivers\ati6wbxx.sys --> c:\windows\system32\drivers\ati6wbxx.sys [?]
S1 EACMOS;EACMOS;c:\windows\system32\drivers\eacmos.sys --> c:\windows\system32\drivers\EACMOS.SYS [?]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\sasdifsv.sys --> c:\program files\superantispyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S2 hgvwo;hgvwo;\??\c:\windows\system32\drivers\jabmoeark.sys --> c:\windows\system32\drivers\jabmoeark.sys [?]
S2 tyls;tyls;c:\windows\system32\drivers\ozelnyh.sys --> c:\windows\system32\drivers\ozelnyh.sys [?]
S3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xhybrid.sys --> c:\windows\system32\drivers\3xHybrid.sys [?]
S3 gel90xne;gel90xne;\??\c:\docume~1\natali~1\locals~1\temp\gel90xne.sys --> c:\docume~1\natali~1\locals~1\temp\gel90xne.sys [?]
S3 iAimFP8;iAimFP8;c:\windows\system32\drivers\wADV11NT.sys [2006-1-25 11935]
S3 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2006-1-26 221184]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2006-1-26 245760]
S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-6-20 114464]
S3 SASENUM;SASENUM;\??\c:\program files\superantispyware\sasenum.sys --> c:\program files\superantispyware\SASENUM.SYS [?]
S3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;c:\windows\system32\drivers\SMC1211.sys [2001-7-11 23153]
S3 usb2vcom;USB Data Cable;c:\windows\system32\drivers\usb2vcom.sys [2006-3-6 28704]
S4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
SUnknown EvdoServer;EvdoServer; [x]

=============== Created Last 30 ================

2009-08-23 17:23 104,253 a------- c:\windows\system32\t1p0_771886837981.b1k
2009-08-22 12:27 <DIR> a-d----- c:\windows\system32\images
2009-08-20 19:23 <DIR> --d----- C:\spoolerlogs
2009-08-20 19:21 <DIR> --d----- c:\docume~1\natali~1\applic~1\IDM
2009-08-20 19:21 <DIR> --d----- c:\docume~1\natali~1\applic~1\DMCache
2009-08-20 19:21 <DIR> --d----- c:\program files\Internet Download Manager
2009-08-18 21:09 <DIR> --d----- c:\program files\Bus Driver
2009-08-18 20:49 <DIR> --d----- c:\program files\Bus Simulator
2009-08-18 09:36 <DIR> --d----- c:\docume~1\natali~1\applic~1\Crayon Physics Deluxe
2009-08-18 09:34 <DIR> --d----- c:\program files\Crayon Physics Deluxe
2009-08-11 20:03 185,280 a------- c:\windows\system32\drivers\ETDrv.sys
2009-08-11 19:58 <DIR> --d----- c:\program files\Gigabyte
2009-08-11 19:43 <DIR> --d----- c:\program files\CrystalDiskInfo
2009-08-10 17:30 <DIR> --d----- c:\windows\Performance
2009-08-10 17:27 <DIR> --d----- c:\program files\Microsoft Windows 7 Upgrade Advisor
2009-08-02 17:28 <DIR> --d----- c:\program files\SecondLife

==================== Find3M ====================

2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-01 22:07 50,688 a------- c:\windows\system32\wbhelp2.dll
2008-11-07 00:52 47,360 a------- c:\docume~1\natali~1\applic~1\pcouffin.sys
2006-03-20 15:37 5,689,344 a------- c:\program files\mplayerc.exe
2009-01-05 12:13 99,013 a--sh--- c:\windows\system32\baborefe.dll
2009-01-22 16:47 133,448 a--sh--- c:\windows\system32\epvdzq.dll
2009-01-30 23:27 135,338 a--sh--- c:\windows\system32\fetepaze.dll
0000-00-00 00:00 70,181 a--sh--- c:\windows\system32\fonebipi.dll
0000-00-00 00:00 63,085 a--sh--- c:\windows\system32\gaduvoma.dll
2009-01-27 14:01 2,098 ---sh--- c:\windows\system32\heruhozu.dll
2009-01-27 02:01 142,107 a--sh--- c:\windows\system32\hhmrdo.dll
2009-02-02 17:01 134,363 a--sh--- c:\windows\system32\hneaar.dll
2009-01-29 13:01 135,452 a--sh--- c:\windows\system32\ihwqst.dll
2009-01-21 21:01 134,428 a--sh--- c:\windows\system32\irfbwj.dll
2009-01-26 02:01 133,271 a--sh--- c:\windows\system32\kmpshg.dll
0000-00-00 00:00 68,203 a--sh--- c:\windows\system32\kuwakepe.dll
0000-00-00 00:00 70,181 a--sh--- c:\windows\system32\lamuhegi.dll
2009-01-31 11:51 99,926 a--sh--- c:\windows\system32\lapomefe.dll
2009-02-02 17:01 134,363 a--sh--- c:\windows\system32\legufizi.dll
2009-01-27 02:01 107,726 a--sh--- c:\windows\system32\lutovute.dll
2009-01-29 13:01 100,536 a--sh--- c:\windows\system32\mazizojo.dll
2008-12-23 15:19 62,231 a--sh--- c:\windows\system32\mirikiri.dll
2009-01-31 23:49 135,493 a--sh--- c:\windows\system32\mozobasu.dll
2009-01-21 21:01 134,428 a--sh--- c:\windows\system32\nipavuyo.dll
2009-01-23 09:36 134,383 a--sh--- c:\windows\system32\nlbevo.dll
2009-01-31 23:49 100,595 a--sh--- c:\windows\system32\pihejuji.dll
2009-01-04 15:02 97,911 a--sh--- c:\windows\system32\pofokago.dll
2009-01-29 13:01 135,452 a--sh--- c:\windows\system32\pufetafe.dll
2009-01-30 23:27 135,338 a--sh--- c:\windows\system32\qgfzaa.dll
2009-01-27 02:01 142,107 a--sh--- c:\windows\system32\rawihani.dll
2009-01-01 21:32 98,100 a--sh--- c:\windows\system32\sahomosa.dll
2009-01-23 09:36 85,599 a--sh--- c:\windows\system32\sajuyaya.dll
2008-12-29 22:25 96,900 a--sh--- c:\windows\system32\sozinaku.dll
2009-01-23 09:36 99,580 a--sh--- c:\windows\system32\virodufe.dll
2009-01-22 16:47 133,448 a--sh--- c:\windows\system32\wegagolu.dll
2009-02-05 20:02 109,923 a--sh--- c:\windows\system32\wegaveme.dll
2008-12-27 11:31 62,117 a--sh--- c:\windows\system32\wekenopo.dll
2009-01-31 23:49 135,493 a--sh--- c:\windows\system32\xwxmxe.dll
2008-12-31 16:09 552 a--sh--- c:\windows\system32\zoripuzo.exe

============= FINISH: 14:27:29.67 ===============


#2 darkmagician1190

Posted 29 August 2009 - 02:40 AM

It has since escalated. I can now no longer start the computer. In regular mode I can only do 2 commands, Windows key+L (switch users) and Windows key+U (Utility Manager). Alt+Ctrl+Del or Shift+Ctrl+Esc both yield "Task Manager has been disabled by the administrator", though there aren't any other users on the computer but myself. Rebooting into safe mode yields the same results.

I slaved the HD to another computer and was able to run a Malwarebytes full scan, which came up with 22 infections that were promptly removed. Attempted to boot from the hard disk again and it is doing the same thing.

#3 darkmagician1190

Posted 29 August 2009 - 02:47 PM

Please lock/delete, I have received help from elsewhere. Thank you.

#4 Guest_The weatherman_*

Posted 29 August 2009 - 04:41 PM

Thank you for letting us know, darkmagician1190.
