Infected with???


  • This topic is locked
2 replies to this topic

#1 carlfab

  • Members
  • 5 posts

Posted 20 February 2010 - 09:35 PM

I am not able to download Microsoft updates. I get the message: "Internet Explorer cannot display the page." I diagnose the connection via the button provided and the results are: "Windows did not detect any problems with your internet connection. If your browser cannot display the page, try the following: - Refresh page: search for the page again by clicking the refresh button. A timeout could have occurred due to internet congestion. - Check spelling: check that the page address is spelled correctly. The address may have been mistyped. - Access from the link: if there is a link to the page you are looking for, try accessing the page from that link....."

Then I view the diagnostic log and the message is this:

Last diagnostic run time: 02/20/10 18:20:56
HTTP, HTTPS, FTP Diagnostic
HTTP, HTTPS, FTP connectivity
info HTTP: Successfully connected to www.microsoft.com.
info FTP (Passive): Successfully connected to ftp.microsoft.com.
info HTTPS: Successfully connected to www.microsoft.com.

Other websites view fine with no error messages. I should also add that my homepage is yahoo.com, and when I did a Yahoo search it would redirect me to some random site. I noticed that there was an "m." in the address, making it m.www.yahoo.com. I removed the "m." from the address and saved the site as my only home page, and the redirecting stopped. I don't know how that happened or how it got on there, but it seems to be fixed.

Here is the DDS log:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Carl at 16:53:50.68 on Sat 02/20/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.209 [GMT -8:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Carl\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page =
uStart Page = hxxp://www.yahoo.com/
uWindow Title = Windows Internet Explorer provided by Yahoo!
uSearchAssistant =
mSearchAssistant =
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: {981FE6A8-260C-4930-960F-C3BC82746CB0} - No File
TB: {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No File
TB: {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [Bart Station] "c:\program files\peoplepc\isp6500\bin\PPCOLink.exe" -STATION
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - {93F764AC-24D1-484F-92EA-3C84E31CDF72}
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186341167765
DPF: {74FFE28D-2378-11D5-990C-006094235084} - hxxp://www-307.ibm.com/pc/support/IbmEgath.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - hxxp://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
TCP: NameServer = 85.255.113.115 85.255.112.12
TCP: {1F41CF6D-C487-455A-9483-65AC9E04B05E} = 85.255.113.115,85.255.112.12
TCP: {536A6FA0-E099-4BDB-ACB8-A89F8F21DDE3} = 85.255.113.115,85.255.112.12
Notify: igfxcui - igfxdev.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-2-8 207792]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\superadblocker.com\super ad blocker\sabkutil.sys --> c:\program files\superadblocker.com\super ad blocker\SABKUTIL.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\sasdifsv.sys --> c:\program files\superantispyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S1 tdird.sys;tdird.sys; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-24 133104]
S2 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\mcdetect.exe --> c:\program files\mcafee.com\agent\mcdetect.exe [?]
S2 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe --> c:\progra~1\mcafee.com\agent\mctskshd.exe [?]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe --> c:\progra~1\mcafee.com\agent\mcupdmgr.exe [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys --> c:\windows\system32\drivers\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys --> c:\windows\system32\drivers\motccgpfl.sys [?]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys --> c:\windows\system32\drivers\motodrv.sys [?]
S3 SASENUM;SASENUM;\??\c:\program files\superantispyware\sasenum.sys --> c:\program files\superantispyware\SASENUM.SYS [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-2-8 359624]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-2-8 1141712]
S3 SPCP825K;Sunplus Serial port driver;c:\windows\system32\drivers\spcp825k.sys --> c:\windows\system32\drivers\SPCP825K.sys [?]

=============== Created Last 30 ================

2010-02-21 00:17:27 0 d-----w- c:\docume~1\carl\applic~1\Malwarebytes
2010-02-21 00:17:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-21 00:17:18 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-21 00:17:18 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-21 00:17:18 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-20 04:23:47 4128 ----a-w- C:\INFCACHE.1
2010-02-15 02:08:09 0 d-----w- C:\hijack this
2010-02-12 17:24:34 0 d-----w- c:\windows\system32\wbem\Repository
2010-02-12 17:24:06 0 d-----w- C:\652fef5ab1196af75dd5400da0bd
2010-02-12 17:23:35 0 d-----w- c:\program files\AVSMedia
2010-02-12 17:23:35 0 d-----w- c:\program files\Activision
2010-02-12 17:23:35 0 d-----w- c:\program files\1 Nutty Santa Screen Saver 2.8
2010-02-12 03:07:52 19569 ------w- c:\windows\003229_.tmp
2010-02-11 03:50:16 0 d-----w- c:\docume~1\carl\applic~1\RCP 5
2010-02-11 03:50:15 0 d-----w- c:\program files\ReaConverter 5.5 Pro
2010-02-09 04:23:20 135168 ------w- c:\windows\system32\igfxres.dll
2010-02-09 03:46:59 57856 -c----w- c:\windows\system32\dllcache\EXCH_scripto.dll
2010-02-09 03:45:59 5632 -c----w- c:\windows\system32\dllcache\kbdinguj.dll
2010-02-09 03:44:59 66082 -c----w- c:\windows\system32\dllcache\c_870.nls
2010-02-09 03:42:35 488 ---h--r- c:\windows\system32\logonui.exe.manifest
2010-02-09 03:42:26 749 ---h--r- c:\windows\WindowsShell.Manifest
2010-02-09 03:42:26 749 ---h--r- c:\windows\system32\wuaucpl.cpl.manifest
2010-02-09 03:42:26 749 ---h--r- c:\windows\system32\sapi.cpl.manifest
2010-02-09 03:42:26 749 ---h--r- c:\windows\system32\ncpa.cpl.manifest
2010-02-09 03:25:59 10096640 -c----w- c:\windows\system32\dllcache\hwxcht.dll
2010-02-09 03:05:54 7680 -c----w- c:\windows\system32\dllcache\migregdb.exe
2010-02-09 02:58:03 0 d-----w- c:\program files\Support Tools
2010-02-09 02:55:41 0 d-----w- c:\docume~1\carl\applic~1\ICAClient
2010-02-09 02:55:29 0 d-----w- c:\program files\Citrix
2010-02-09 02:54:27 0 d-----w- c:\documents and settings\carl\WINDOWS
2010-02-08 20:37:11 7387 ------w- c:\windows\system32\drivers\pctgntdi.cat
2010-02-08 20:37:11 233136 ------w- c:\windows\system32\drivers\pctgntdi.sys
2010-02-08 20:37:02 87784 ------w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-02-08 20:37:02 7412 ------w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-02-08 20:37:02 7383 ------w- c:\windows\system32\drivers\pctcore.cat
2010-02-08 20:37:02 207792 ------w- c:\windows\system32\drivers\PCTCore.sys
2010-02-08 20:36:53 7383 ------w- c:\windows\system32\drivers\pctplsg.cat
2010-02-08 20:36:53 70408 ------w- c:\windows\system32\drivers\pctplsg.sys
2010-02-08 20:36:21 0 d-----w- c:\program files\Spyware Doctor
2010-02-08 20:36:21 0 d-----w- c:\program files\common files\PC Tools
2010-02-08 20:36:21 0 d-----w- c:\docume~1\carl\applic~1\PC Tools
2010-02-08 20:36:21 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-02-05 17:05:53 0 d-----w- c:\windows\system32\vmm32
2010-02-05 04:58:16 1374 ------w- c:\windows\imsins.BAK
2010-02-05 04:57:36 13753 ------r- c:\windows\SET98.tmp
2010-02-05 04:57:33 1086058 ------r- c:\windows\SET8C.tmp
2010-02-05 04:57:31 1042903 ------r- c:\windows\SET89.tmp
2010-02-05 04:57:00 327140 ------w- c:\windows\setupapi.old
2010-02-02 03:46:06 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
2010-02-02 03:46:03 13312 ----a-w- c:\windows\system32\hpsjmcro.dll
2010-02-02 02:54:10 14848 ------w- c:\windows\system32\drivers\sskbfd.sys
2010-01-27 01:38:50 73728 ------w- c:\windows\system32\javacpl.cpl
2010-01-24 19:48:12 3403776 ------w- c:\documents and settings\carl\s-1-5-21-1573691398-61444913-151289414-1009.rrr

==================== Find3M ====================

2010-02-09 03:07:13 23812 -c----w- c:\windows\system32\emptyregdb.dat
2010-01-27 01:38:10 411368 ------w- c:\windows\system32\deploytk.dll
2009-12-27 14:34:36 16616 ------w- c:\windows\system32\28950not9a-vizus7895.bin
2009-12-23 18:40:50 9876 -c----w- c:\windows\369v5rus9z9.bin
2009-12-22 10:43:18 3435 ------w- c:\windows\system32\45cdoznl9ader2275.bin
2009-12-10 02:44:35 4943 -c----w- c:\windows\956ddownloader2916z.bin
2008-03-06 02:35:33 774144 -c----w- c:\program files\RngInterstitial.dll
2006-05-23 19:27:02 570 -c----w- c:\program files\INSTALL.LOG
2006-07-14 14:29:03 88 --sh--r- c:\windows\system32\C0438BAACE.sys
2006-06-24 20:55:22 104 -csh--r- c:\windows\system32\CEAA8B43C0.sys
2009-05-28 01:24:11 6686 --sh--w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 16:54:36.71 ===============

Here is what got me. Since I can't send the photo because it is too big, I will just type it out.

Windows Internet Security
Your browser is under the threat of infection. Windows requires your permission to install online protection tool.

Your browser is run in unsafe mode. Running the protection mode will help you to keep your computer safe. Staying at the suspicious website in unsafe mode may lead to the loss of personal data and computer breakage. To run the web browser in protected mode Windows requires installing the certified antivirus scanner software and online protection tool.

Then below that message it says:
Name: Online Protection Tool
Publisher: Microsoft Windows

Then it has the "always trust this website" box to check, with an Allow and a Don't allow button at the bottom.

It then locked the browser open and started loading files onto my computer. I shut down the computer by unplugging it, then rebooted to safe mode and removed some installed files.

Merged posts. ~ OB


Edited by Orange Blossom, 21 February 2010 - 10:11 AM.



#2 Farbar

    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 22 February 2010 - 09:38 AM

Hi carlfab,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Your computer is infected with a DNS hijacker Trojan.
  1. Turn off Windows automatic updates as it might lead to unexpected results at this stage:
    • Go to start -> Control Panel -> double-click System to open it.
    • Go to the Automatic Updates tab.
    • Select the "Turn off Automatic Updates" box.
    • Click Apply and then OK.
    • Important: Reboot.

  2. Make sure the following setting is set as it is supposed to be set:
    • Go to Start -> Control Panel -> Double click on Network Connections.
    • Right click on your default connection (usually Local Area Connection) and select Properties.
    • Select the General tab.
    • Double click on Internet Protocol (TCP/IP).
      Under General tab:
      • Select "Obtain an IP address automatically".
      • Select "Obtain DNS server address automatically".
    • Click OK twice to save the settings.
    • Please tell me if you needed to change the settings.

  3. Open Notepad (Start > Run and type in Notepad)

    Copy and paste the text in code box into it.

    CODE
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{1F41CF6D-C487-455A-9483-65AC9E04B05E}]
    "NameServer"=""

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{536A6FA0-E099-4BDB-ACB8-A89F8F21DDE3}]
    "NameServer"=""

    • Save the file to the desktop as regfix.reg
    • Make sure the Save as type field says All files.
    • Locate regfix.reg on the desktop and double-click on it and confirm. It should look like
    • A window pops up asking if you are sure to add the file to the registry. Click Yes.
    • You get another window popup saying that regfix.reg was successfully added to the registry.

    Note: You have to turn off any registry protector software you have in order for the changes to take effect.

  4. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  5. Please run DDS and post a fresh DDS.txt to your reply. No need for the Attach.txt
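The check in step 2 and the fix in step 3 above, as an added worked example. This is editor-added code, not Farbar's fix and not a feature of DDS. It parses the TCP: lines of a DDS log, flags any interface whose static NameServer value points into an assumed rogue block (85.255.112.0/20, the block both servers in the posted log fall into; extend the list from your own threat intel), and writes out the matching REGEDIT4 fix. The sample input is constructed from the three TCP: lines in the log above. One deliberate difference from Farbar's file: the generated fix targets CurrentControlSet, the control set Windows is currently booted from, rather than the numbered ControlSet001/ControlSet003 keys he wrote for this particular machine.

```python
"""Find hijacked per-interface DNS servers in a DDS 'TCP:' section and emit a .reg fix."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample input: the three TCP: lines from the DDS log posted above.
SAMPLE_DDS = """\
TCP: NameServer = 85.255.113.115 85.255.112.12
TCP: {1F41CF6D-C487-455A-9483-65AC9E04B05E} = 85.255.113.115,85.255.112.12
TCP: {536A6FA0-E099-4BDB-ACB8-A89F8F21DDE3} = 85.255.113.115,85.255.112.12
"""

# Assumed blocklist: 85.255.112.0/20 is the block both servers in the log belong to.
# Extend with whatever rogue-resolver ranges your own intel sources list.
ROGUE_DNS_BLOCKS = [ipaddress.ip_network("85.255.112.0/20")]

# DDS prints either the global value ("NameServer") or a per-interface GUID key.
TCP_LINE = re.compile(r"^TCP:\s+(NameServer|\{[0-9A-Fa-f-]{36}\})\s*=\s*(.*?)\s*$")


def parse_tcp_section(text: str) -> Dict[str, List[str]]:
    """Map each DDS 'TCP:' key (global NameServer or interface GUID) to its server list."""
    out: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = TCP_LINE.match(line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        # The global value is space-separated, per-interface values comma-separated.
        out[key] = [s for s in re.split(r"[,\s]+", value) if s]
    return out


def is_rogue(server: str) -> bool:
    """True if the address sits in an assumed rogue block, or is not a valid IP at all."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return True  # garbage in a NameServer value is itself a red flag
    return any(addr in block for block in ROGUE_DNS_BLOCKS)


def hijacked_interfaces(parsed: Dict[str, List[str]]) -> List[str]:
    """GUIDs of interfaces whose static NameServer list contains a rogue resolver.

    On a DHCP-configured home machine this per-interface value is normally empty,
    so any rogue entry here means something wrote it behind the user's back."""
    return [key for key, servers in parsed.items()
            if key.startswith("{") and any(is_rogue(s) for s in servers)]


def build_regfix(guids: List[str]) -> str:
    """REGEDIT4 text that blanks NameServer on each affected interface, mirroring
    Farbar's regfix.reg but under CurrentControlSet instead of numbered control sets."""
    base = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
    lines = ["REGEDIT4", ""]
    for guid in guids:
        lines += [f"[{base}\\{guid}]", '"NameServer"=""', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_tcp_section(SAMPLE_DDS)
    bad = hijacked_interfaces(parsed)
    print("hijacked interfaces:", bad)
    print(build_regfix(bad))
```

Save the printed text as regfix.reg and apply it exactly as in step 3; then re-check the TCP/IP properties in step 2, because a .reg import only clears the stored value and will not stop whatever wrote it from writing it again, which is why the Malwarebytes scan in step 4 follows.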


#3 Farbar

    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 01 March 2010 - 03:11 PM

This thread will now be closed due to lack of activity.

If you should have the same or a new issue, please start a new topic with fresh logs.



