
Virus - links redirected, disable system restore


This topic is locked. 2 replies to this topic.

#1 jig1781

  • Members
  • 20 posts

Posted 17 January 2010 - 04:16 AM

I think my computer has been infected with a virus. First, it started off with internet links being misdirected to ad sites, and now, currently, Mozilla Firefox will stop working properly after a minute or so. When you pull it up, it has the "Work Offline" option selected and it cannot be turned off. Also, the virus has disabled the factory default system restore. I would greatly appreciate any help. Just being able to get the factory default would be fine with me.

DDS (Ver_09-12-01.01) - NTFSx86
Run by John at 4:39:33.07 on Sun 01/17/2010
Internet Explorer: 7.0.6000.16945 BrowserJavaVersion: 1.6.0_14
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.1526.808 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Users\John\AppData\Local\Temp\RtkBtMnt.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\John\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://en.us.acer.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
uRun: [????r]
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [Acer Product Registration] "c:\program files\acer registration\ACE1.exe" /startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
mPolicies-system: EnableLUA = 0 (0x0)
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\john\appdata\roaming\mozilla\firefox\profiles\btfiodue.default\
FF - prefs.js: browser.startup.homepage - www.cnn.com
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
S1 L6T50;L6T50;c:\windows\system32\drivers\L6T50.sys [2010-1-17 72192]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-27 102448]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]

=============== Created Last 30 ================

2010-01-17 09:01:53 77312 ----a-w- c:\windows\MBR.exe
2010-01-17 09:01:30 0 d-s---w- C:\Combo-Fix.exe
2010-01-17 05:42:42 72192 ----a-w- c:\windows\system32\drivers\L6T50.sys
2010-01-17 05:23:01 0 d-----w- c:\users\john\appdata\roaming\Malwarebytes
2010-01-17 05:22:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-17 05:22:55 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-17 05:22:55 0 d-----w- c:\programdata\Malwarebytes
2010-01-17 05:22:54 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-17 05:00:42 0 d-sh--w- C:\$RECYCLE.BIN
2010-01-17 04:27:54 198048080 ----a-w- c:\windows\MEMORY.DMP
2010-01-17 04:22:56 98816 ----a-w- c:\windows\sed.exe
2010-01-17 04:22:56 261632 ----a-w- c:\windows\PEV.exe
2010-01-17 04:22:56 161792 ----a-w- c:\windows\SWREG.exe
2010-01-16 21:00:47 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-16 21:00:47 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-01-16 21:00:47 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-01-16 21:00:47 24064 ----a-w- c:\windows\system32\lpk.dll
2010-01-16 21:00:47 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-16 21:00:47 10240 ----a-w- c:\windows\system32\dciman32.dll

==================== Find3M ====================

2010-01-16 21:48:36 19048 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-11 08:00:25 86016 ----a-w- c:\windows\inf\infpub.dat
2009-12-11 08:00:24 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-11-22 08:01:02 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-11-22 08:00:51 86016 ----a-w- c:\windows\inf\infstor.dat
2009-11-03 13:01:14 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-03 12:57:03 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-11-03 01:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 07:59:17 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-27 15:05:11 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-27 15:01:43 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-10-27 15:01:39 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-27 14:59:14 72704 ----a-w- c:\windows\system32\admparse.dll
2009-10-27 12:27:14 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-10-27 10:56:00 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-07-12 07:58:02 174 --sha-w- c:\program files\desktop.ini
2009-07-12 07:51:04 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 4:42:01.20 ===============

Tried to run ROOTREPEAL but it would not work. It said it could not initialize the driver.

Merged 3 posts. ~ OB

Edited by Orange Blossom, 17 January 2010 - 12:04 PM.


#2 jig1781

  • Topic Starter
  • Members
  • 20 posts

Posted 19 January 2010 - 08:45 PM

Problem has been resolved. Thanks though.

#3 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,633 posts
  • Gender: Female
  • Location: Romania

Posted 22 January 2010 - 08:59 AM

Since the problem seems to be resolved, this topic will be closed.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft