
Aleroen.h


This topic is locked
16 replies to this topic

#1 kyleyarbrough

  • Members
  • 9 posts

Posted 16 July 2010 - 10:54 AM

I've run many scans with many software products (SUPERAntiSpyware, MSSE, Trend Micro online, AVG) and of course none can fix this, including Microsoft Security Essentials. I may need to go make a boot disk with recovery console, as I don't have the disks for this computer, and from what I read the only way to fix this is with a system restore. I was hoping there was some way I could do this without a system restore, like from a command line or something from the drivers that are on this computer. Hopeful anyway. I've done all the logs, and I was able to get the computer to function semi-decently; I just keep getting browser-jacked, which makes me very nervous about doing anything important (like banking) with this computer until it's fixed. I've actually got a local LAN and all of my computers on the network (4 Vista and one Windows 7) are showing symptoms. Here's the DDS:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Training at 8:06:14.22 on Fri 07/16/2010
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 1.6.0_19
Microsoft® Windows Vista™ Enterprise 6.0.6000.0.1252.1.1033.18.3061.2047 [GMT -7:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
SP: Microsoft Security Essentials *enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDE}
SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Microsoft Virtual Server\vmh.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Microsoft Virtual Server\vssrvc.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wuauclt.exe
c:\Program Files\Microsoft Security Essentials\MpCmdRun.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Training\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = <local>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: Training-PC
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\training\appdata\roaming\mozilla\firefox\profiles\tzljotny.default\
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJxdm128WIUS&fl=0&ptb=_vVIFkBM6GpmTLqSNH6WCQ&url=http://search.mywebsearch.com/mywebsearch/GGmain.jhtml&st=kwd&n=77c052d3&searchfor=
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\training\appdata\roaming\move networks\plugins\npqmp071701000002.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 151216]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 Virtual Server;Virtual Server;c:\program files\microsoft virtual server\vssrvc.exe [2007-5-24 3373432]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-12-2 42368]
R3 vhdbus;Microsoft Virtual Server Storage Bus;c:\windows\system32\drivers\vhdbus.sys [2007-5-5 25480]
R3 vmh;Virtual Machine Helper;c:\program files\microsoft virtual server\vmh.exe [2007-5-24 166808]
S4 gupdate1ca28d52d339220;Google Update Service (gupdate1ca28d52d339220);c:\program files\google\update\GoogleUpdate.exe [2009-8-29 133104]

=============== Created Last 30 ================

2010-07-16 14:54:18 352562270 ----a-w- c:\windows\MEMORY.DMP
2010-07-16 14:03:32 0 ----a-w- c:\users\training\defogger_reenable
2010-07-16 13:19:23 0 d-----w- c:\users\training\appdata\roaming\SUPERAntiSpyware.com
2010-07-16 13:19:23 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-07-16 13:19:13 0 d-----w- c:\program files\SUPERAntiSpyware
2010-07-16 04:02:36 0 d-----w- c:\program files\Coupons
2010-07-13 22:08:29 0 d-sh--w- C:\$RECYCLE.BIN
2010-07-13 19:24:29 98816 ----a-w- c:\windows\sed.exe
2010-07-13 19:24:29 77312 ----a-w- c:\windows\MBR.exe
2010-07-13 19:24:29 256512 ----a-w- c:\windows\PEV.exe
2010-07-13 19:24:29 161792 ----a-w- c:\windows\SWREG.exe
2010-07-08 20:50:33 691 ----a-w- c:\users\training\appdata\roaming\GetValue.vbs
2010-07-08 20:50:33 35 ----a-w- c:\users\training\appdata\roaming\SetValue.bat
2010-07-08 13:40:56 30784 ----a-w- c:\windows\system32\drivers\tejuepoj.sys
2010-07-08 02:14:07 66048 ----a-w- c:\windows\system32\drivers\SMB.SYS
2010-07-06 22:44:54 378368 ----a-w- c:\windows\system32\winhttp.dll
2010-07-02 08:51:40 612 ----a-w- c:\windows\cdplayer.ini
2010-07-02 08:50:52 0 d-----w- c:\program files\common files\xing shared
2010-07-02 08:50:25 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-07-02 08:50:20 0 d-----w- c:\programdata\Real
2010-07-02 08:50:20 0 d-----w- c:\program files\common files\Real
2010-06-29 07:55:41 229224 ----a-w- c:\windows\system32\drivers\VMM.sys
2010-06-29 07:43:38 97800 ----a-w- c:\windows\system32\infocardapi.dll
2010-06-29 07:43:38 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2010-06-29 07:43:37 37384 ----a-w- c:\windows\system32\infocardcpl.cpl
2010-06-29 07:43:36 622080 ----a-w- c:\windows\system32\icardagt.exe
2010-06-29 07:43:36 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-29 07:43:36 11264 ----a-w- c:\windows\system32\icardres.dll
2010-06-29 07:43:34 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2010-06-29 07:43:31 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-29 07:42:08 65536 ----a-w- c:\windows\ocsetup_cbs_install_NetFx3.dpx
2010-06-29 07:42:08 34799616 ----a-w- c:\windows\ocsetup_install_NetFx3.etl
2010-06-29 07:42:08 196608 ----a-w- c:\windows\ocsetup_cbs_install_NetFx3.perf
2010-06-29 07:34:47 96760 ----a-w- c:\windows\system32\dfshim.dll
2010-06-29 07:34:42 282112 ----a-w- c:\windows\system32\mscoree.dll
2010-06-29 07:34:40 41984 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-29 07:34:28 158720 ----a-w- c:\windows\system32\mscorier.dll
2010-06-29 07:34:23 83968 ----a-w- c:\windows\system32\mscories.dll
2010-06-29 07:32:17 14848 ----a-w- c:\windows\system32\iisreset.exe
2010-06-29 07:32:16 8192 ----a-w- c:\windows\system32\iisrstap.dll
2010-06-29 07:32:16 148480 ----a-w- c:\windows\system32\iisRtl.dll
2010-06-29 07:32:14 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-06-29 07:32:12 51200 ----a-w- c:\windows\system32\admwprox.dll
2010-06-29 07:32:11 396800 ----a-w- c:\windows\system32\drivers\http.sys
2010-06-29 07:32:11 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-06-29 07:32:10 10752 ----a-w- c:\windows\system32\wamregps.dll
2010-06-29 07:31:48 0 d-----w- c:\program files\MSXML 4.0
2010-06-29 05:57:39 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-06-28 10:28:02 58368 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-06-28 10:28:02 211968 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-06-28 10:28:02 102400 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-06-28 10:27:53 3502480 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-06-28 10:27:53 3468168 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-28 10:27:29 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-06-28 10:26:45 62464 ----a-w- c:\windows\system32\l3codeca.acm
2010-06-28 10:26:45 220672 ----a-w- c:\windows\system32\l3codecp.acm
2010-06-28 10:26:38 815104 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-06-28 10:26:38 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-06-28 10:26:38 213592 ----a-w- c:\windows\system32\drivers\netio.sys
2010-06-28 10:26:38 179712 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-06-28 10:26:38 167424 ----a-w- c:\windows\system32\tcpipcfg.dll
2010-06-28 10:26:37 22016 ----a-w- c:\windows\system32\netiougc.exe
2010-06-28 10:26:37 15360 ----a-w- c:\windows\system32\drivers\TUNMP.SYS
2010-06-28 10:22:21 97792 ----a-w- c:\windows\system32\cabview.dll
2010-06-28 10:22:17 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-06-28 10:21:39 88576 ----a-w- c:\windows\system32\avifil32.dll
2010-06-28 10:21:39 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-06-28 10:21:39 31232 ----a-w- c:\windows\system32\msvidc32.dll
2010-06-28 10:21:39 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-06-28 10:21:39 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-06-28 10:21:39 1327616 ----a-w- c:\windows\system32\quartz.dll
2010-06-28 10:21:39 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2010-06-28 10:21:38 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-06-28 10:21:38 65024 ----a-w- c:\windows\system32\avicap32.dll
2010-06-28 10:21:38 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-06-28 10:08:39 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2010-06-28 06:11:59 6224896 ----a-w- c:\windows\system32\NlsLexicons0027.dll
2010-06-28 06:02:33 2421760 ----a-w- c:\windows\system32\wucltux.dll
2010-06-28 06:02:07 87552 ----a-w- c:\windows\system32\wudriver.dll
2010-06-28 06:01:52 33792 ----a-w- c:\windows\system32\wuapp.exe
2010-06-28 06:01:52 171608 ----a-w- c:\windows\system32\wuwebv.dll
2010-06-28 05:35:27 67584 ----a-w- c:\windows\system32\wlanhlp.dll
2010-06-28 05:35:27 502272 ----a-w- c:\windows\system32\wlansvc.dll
2010-06-28 05:35:27 47104 ----a-w- c:\windows\system32\wlanapi.dll
2010-06-28 05:35:27 297984 ----a-w- c:\windows\system32\wlansec.dll
2010-06-28 05:35:27 290816 ----a-w- c:\windows\system32\wlanmsm.dll
2010-06-28 05:35:27 1657350 ----a-w- c:\windows\system32\wlan.tmf
2010-06-28 05:35:27 12876 ----a-w- c:\windows\system32\wbem\wlan.mof
2010-06-28 05:35:26 123904 ----a-w- c:\windows\system32\L2SecHC.dll
2010-06-28 05:33:42 103936 ----a-w- c:\windows\system32\netiohlp.dll
2010-06-28 05:33:41 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2010-06-28 05:33:41 19968 ----a-w- c:\windows\system32\ARP.EXE
2010-06-28 05:33:41 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2010-06-28 05:33:41 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2010-06-28 05:33:40 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2010-06-28 05:33:40 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2010-06-28 05:33:40 15360 ----a-w- c:\windows\system32\netevent.dll
2010-06-28 05:33:40 10240 ----a-w- c:\windows\system32\finger.exe
2010-06-28 05:32:40 194560 ----a-w- c:\windows\system32\WebClnt.dll
2010-06-28 05:32:40 110080 ----a-w- c:\windows\system32\drivers\mrxdav.sys
2010-06-28 05:22:57 297472 ----a-w- c:\windows\system32\gdi32.dll
2010-06-28 05:22:49 374456 ----a-w- c:\windows\system32\mcupdate_GenuineIntel.dll
2010-06-28 05:22:47 500736 ----a-w- c:\windows\system32\msdtcprx.dll
2010-06-28 05:22:46 30208 ----a-w- c:\windows\system32\xolehlp.dll
2010-06-28 05:21:36 156160 ----a-w- c:\windows\system32\wkssvc.dll
2010-06-28 05:21:26 36352 ----a-w- c:\windows\system32\tsgqec.dll
2010-06-28 05:21:26 1871872 ----a-w- c:\windows\system32\mstscax.dll
2010-06-28 05:21:26 116736 ----a-w- c:\windows\system32\aaclient.dll
2010-06-28 05:19:27 303616 ----a-w- c:\windows\system32\wmpeffects.dll
2010-06-28 05:19:10 414208 ----a-w- c:\windows\system32\msscp.dll
2010-06-28 05:19:08 396800 ----a-w- c:\windows\system32\MPSSVC.dll
2010-06-28 05:19:07 86016 ----a-w- c:\windows\system32\icfupgd.dll
2010-06-28 05:19:07 63488 ----a-w- c:\windows\system32\drivers\mpsdrv.sys
2010-06-28 05:19:07 61952 ----a-w- c:\windows\system32\cmifw.dll
2010-06-28 05:19:07 392192 ----a-w- c:\windows\system32\FirewallAPI.dll
2010-06-28 05:19:07 16896 ----a-w- c:\windows\system32\wfapigp.dll
2010-06-28 05:09:32 0 d-----w- c:\windows\system32\appmgmt
2010-06-28 05:04:23 2048 ----a-w- c:\windows\system32\tzres.dll
2010-06-28 05:02:46 696832 ----a-w- c:\windows\system32\localspl.dll
2010-06-28 05:02:38 104448 ----a-w- c:\windows\system32\DWWIN.EXE
2010-06-28 05:02:34 2923520 ----a-w- c:\windows\explorer.exe
2010-06-28 05:01:55 494592 ----a-w- c:\windows\system32\kerberos.dll
2010-06-28 05:01:54 272384 ----a-w- c:\windows\system32\schannel.dll
2010-06-28 05:01:38 24064 ----a-w- c:\windows\system32\netcfg.exe
2010-06-28 04:59:53 2031104 ----a-w- c:\windows\system32\win32k.sys
2010-06-28 04:59:47 14848 ----a-w- c:\windows\system32\wshrm.dll
2010-06-28 04:59:47 113664 ----a-w- c:\windows\system32\drivers\rmcast.sys
2010-06-28 04:59:38 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2010-06-28 04:59:35 7680 ----a-w- c:\windows\system32\spwmp.dll
2010-06-28 04:59:34 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2010-06-28 04:59:34 4096 ----a-w- c:\windows\system32\msdxm.ocx
2010-06-28 04:59:34 4096 ----a-w- c:\windows\system32\dxmasf.dll
2010-06-28 04:59:33 43520 ----a-w- c:\windows\system32\msdxm.tlb
2010-06-28 04:59:33 18432 ----a-w- c:\windows\system32\amcompat.tlb
2010-06-28 04:59:24 11776 ----a-w- c:\windows\system32\sbunattend.exe
2010-06-28 04:58:49 83968 ----a-w- c:\windows\system32\dnsrslvr.dll
2010-06-28 04:58:49 24576 ----a-w- c:\windows\system32\dnscacheugc.exe
2010-06-28 04:58:33 996352 ----a-w- c:\windows\system32\WMNetMgr.dll
2010-06-28 04:58:32 94720 ----a-w- c:\windows\system32\logagent.exe
2010-06-28 04:57:13 84480 ----a-w- c:\windows\system32\INETRES.dll
2010-06-28 04:57:13 737792 ----a-w- c:\windows\system32\inetcomm.dll
2010-06-28 04:57:04 60928 ----a-w- c:\windows\system32\msasn1.dll
2010-06-28 04:56:45 5120 ----a-w- c:\windows\system32\wmi.dll
2010-06-28 04:56:45 152576 ----a-w- c:\windows\system32\imagehlp.dll
2010-06-28 04:56:45 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2010-06-28 04:55:42 788992 ----a-w- c:\windows\system32\rpcrt4.dll
2010-06-28 04:54:30 130048 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-06-28 04:52:48 274432 ----a-w- c:\windows\system32\raschap.dll
2010-06-28 04:52:48 232960 ----a-w- c:\windows\system32\rastls.dll
2010-06-28 04:52:37 321536 ----a-w- c:\windows\system32\WSDApi.dll
2010-06-28 00:57:24 0 d-----w- c:\program files\Microsoft Security Essentials
2010-06-28 00:14:18 0 d---a-w- c:\programdata\TEMP
2010-06-27 22:44:14 0 d-----w- c:\program files\Microsoft Games
2010-06-26 05:06:08 172032 ----a-w- c:\windows\system32\igfxres.dll

==================== Find3M ====================

2010-06-29 17:42:40 51200 ----a-w- c:\windows\inf\infpub.dat
2010-06-29 17:42:23 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-06-29 17:42:22 86016 ----a-w- c:\windows\inf\infstrng.dat
2010-06-29 17:42:22 86016 ----a-w- c:\windows\inf\infstor.dat
2010-06-29 15:10:07 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:09 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:09 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:09 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:09 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2006-01-31 18:08:34 32768 --sha-r- c:\windows\system32\mdsete.dll

============= FINISH: 8:07:07.64 ===============


Attached Files





#2 kyleyarbrough
  • Topic Starter
  • Members
  • 9 posts

Posted 16 July 2010 - 01:34 PM

It's actually called Alureon.H. Here's the Microsoft report:

Microsoft Security Essentials encountered the following error: Error code 0x80070032. The request is not supported.

Category: Virus

Description: This program is dangerous and replicates by infecting other files.

Recommendation: Remove this software immediately.

Microsoft Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the 'Allow' action and click 'Apply actions'. If this option is not available, log on as administrator or ask the local administrator for help.

Items:
rootkit:Alureon->TermDD


#3 gringo_pr
    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 16 July 2010 - 05:37 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  1. Do not run any other tool until instructed to do so!
  2. Do not attach logs unless I ask you to.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having, as these can help also.
  5. Do not run anything while running a fix.
  6. Do not run any other tool until instructed to do so!


In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Note** If you are having problems posting the complete log into this thread, upload them here http://www.rapidshare.com/ and post the links in this thread.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


:run combofix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully

    Please continue as follows:
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

"information and logs"
    In your next post I need the following
    1. Log From Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#4 kyleyarbrough
  • Topic Starter
  • Members
  • 9 posts

Posted 16 July 2010 - 06:32 PM

So here's the log, I had a bit of trouble with the combofix, had to reboot like 3 times, but I figure that may be normal. I got a registry key not there the second time it rebooted, and the first time it told me there was root activity and it wanted to reboot itself.

Still hijacked, redirects after I click on a link in search results from yahoo or google. I can type a link directly in -- that's how I got here, but I can't search and click for anything. Really annoying!

Thanks for your help!

Attached Files



#5 gringo_pr
    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 16 July 2010 - 07:05 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

File::
c:\windows\system32\drivers\tejuepoj.sys

Driver::
zsatuwqj


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"
    In your next post I need the following
    1. report from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now after running the script?

Gringo


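The CFScript above targets a driver file (tejuepoj.sys, which also appears in the "Created Last 30" section of the DDS log in the first post) and a service (zsatuwqj); both names are eight random lowercase letters, and the driver was written on its own rather than as part of an update batch. The following is an added example, not a tool from this thread or from BleepingComputer, that turns those two observations into a triage pass over a DDS "Created Last 30" listing. The sample lines are copied from the posted log and trimmed; the heuristics are assumptions drawn from this one case and produce a review list, not a verdict.

```python
"""Triage of a DDS 'Created Last 30' listing: which driver drops deserve a closer look.

Added example, not a tool from the thread. Two heuristics taken from what the
thread itself surfaced: the dropped driver (tejuepoj.sys) and the service the
CFScript removes (zsatuwqj) are both eight random lowercase letters, and the
driver was written on its own rather than in a batch the way Windows Update
writes files.
"""
import re
from collections import Counter

# Constructed sample in the DDS format (date time size attributes path); the
# lines are copied from the log posted above, trimmed to a handful of entries.
SAMPLE_LOG = r"""
2010-07-08 13:40:56 30784 ----a-w- c:\windows\system32\drivers\tejuepoj.sys
2010-07-08 02:14:07 66048 ----a-w- c:\windows\system32\drivers\SMB.SYS
2010-06-29 07:55:41 229224 ----a-w- c:\windows\system32\drivers\VMM.sys
2010-06-28 10:28:02 58368 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-06-28 10:28:02 211968 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-06-28 10:28:02 102400 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-06-28 10:27:53 3468168 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-28 10:26:38 815104 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-06-28 10:26:38 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
"""

# date and time to the minute, seconds, size, attribute flags, path
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2}\s+(\d+)\s+(\S+)\s+(.+?)\s*$")
DRIVER_DIR = "\\system32\\drivers\\"
# Eight lowercase letters and nothing else: the naming pattern of both
# identifiers the CFScript above targets. A heuristic, not a signature.
RANDOM_NAME = re.compile(r"^[a-z]{8}$")


def parse_created(log_text):
    """Return one dict per parsable line of the 'Created Last 30' section."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            minute, size, attrs, path = m.groups()
            entries.append({"minute": minute, "size": int(size), "attrs": attrs, "path": path})
    return entries


def triage(log_text):
    """List (path, reasons) for .sys files under system32\\drivers that trip a heuristic.

    Entries with more reasons sort first. The output is a review list: a
    legitimate single-driver install will show up with one reason too.
    """
    entries = parse_created(log_text)
    # Windows Update and installers write files in bursts; count files per minute
    per_minute = Counter(e["minute"] for e in entries)
    findings = []
    for e in entries:
        path = e["path"]
        lowered = path.lower()
        if DRIVER_DIR not in lowered or not lowered.endswith(".sys"):
            continue
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        reasons = []
        if RANDOM_NAME.match(stem):
            reasons.append("random-looking 8-letter name")
        if per_minute[e["minute"]] == 1:
            reasons.append("only file created in that minute")
        if reasons:
            findings.append((path, reasons))
    findings.sort(key=lambda f: -len(f[1]))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG):
        print(path, "->", "; ".join(reasons))
```

Run against the sample, tejuepoj.sys is the only entry that trips both heuristics; SMB.SYS and VMM.sys trip the lone-drop one and belong on the list only to be looked at (the DDS log lists VMM.sys as part of Microsoft Virtual Server). The point of the two-signal ranking is that a random name alone or a lone drop alone is common, while the pair is not.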

#6 kyleyarbrough
  • Topic Starter
  • Members
  • 9 posts

Posted 17 July 2010 - 01:42 AM

Ok, so I ran it, but when I got home from class tonight, my computer was completely shot with Antiviruspro -- which was the first reason last week I knew there was a problem. After I ran the scan with combofix my girlfriend went on the internet without the virus protection on (I disabled it for the scan) so that was a bad thing!

I had to fight my way through that one, deleting registry keys, running the malicious software tool in safemode and just basically hacking away at that thing to even be able to open ANY program. So I have a feeling that there may be some of that left over, even though I ran combofix again.

I put in that script you requested, and added it in here just to make sure I did it right. I'm still hijacked, although my computer is back to where it was at least...probably a festering hot keylogging mess -- hopefully you see something on here I need to do. Since we're sorta back to square one on this, I'm going to run the other DDS and GMER and post those, then run ComboFix again and post it there. So that we're at least back to where we started from...(then turn the antivirus back on this time). What a pain, I'm so hoping you can help me, I have my fingers seriously crossed...never had a virus this bad before.

#7 gringo_pr
    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 17 July 2010 - 01:45 AM

Run these; it is easier and faster. DON'T RUN COMBO YET!!! Let me have the logs first.


DeFogger:
    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
    Do not re-enable these drivers until otherwise instructed.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Download DDS:
    Please download DDS by sUBs from one of the links below and save it to your desktop:


    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.
    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker
  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** You may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


information and logs:
    In your next post I need the following
      1.logs from DDS
      2.RKUnHooker
      3.let me know of any problems you may have had

Gringo




#8 kyleyarbrough
  • Topic Starter
  • Members
  • 9 posts

Posted 17 July 2010 - 09:14 AM

I'm sorry, I already ran everything last night (including ComboFix) and would have posted it, but it took like 4 hours to get it all done because of the virus infection with the AVS. What a nightmare that is, but at least I can function again. I'm attaching the logs; I'll go over the steps you indicated in your last post and let you see what those are as well. I was hopeful that doing all of the previous steps might work, but it's still redirecting.

If it helps it seems like when I click on a search result from google or yahoo is when it happens. If I click on a 'main page' yahoo link it works unless it's a search result. I see the browser go to something like results.yahoo.com then it says 'redirecting' then I get to some sort of advertisement site -- some filled with malicious content like the avs site, which somehow that alureon exploits and it takes completely over the computer until I go into safe mode and blow it away. That exploit doesn't let ANY programs run, it says they are all infected and there's no way to shut it off. Completely terrible!

Attached Files



#9 kyleyarbrough

Posted 17 July 2010 - 09:23 AM

I already posted the new dds reports, but here's the unhooker report.

Attached Files



#10 kyleyarbrough

Posted 17 July 2010 - 10:30 AM

On a side note, I think what's going on here is something with my dns server on my router or the dns server assigned by qwest or something along those lines. I went into the tcp/ip stack and reconfigured my dns to opendns servers 208.67.222.222 and 208.67.220.220 and that seems to have fixed the redirect.

I believe that's where I was getting all of those viruses, redirecting me to weird sites. Now if I still have some sort of virus on this thing, please help me out based on those logs, but the behavior was identical in my 5 laptops on my home network -- and some aren't configured for sharing or anything like that, just stand alone computers, but I figured the virus could have infiltrated the LAN somehow. I just switched the dns on 2 and it seems to have fixed the problem. I just wonder if I was cleaning the virus (at times security essentials was not finding anything and the only problem was the redirect) then when it would redirect me to a site, it would then upload the virus through some sort of exploit?

I really don't have any other ideas than to reset my router, it's just a little bit tricky since I have 5 computers to work with, but maybe there's some sort of router virus -- never heard of it before. It's an old D-link DI-614+ router. There's a firmware patch I'm going to plug in too.

Any other ideas based on the logs?

Thanks again for all of your help, this has been a really frustrating problem for me -- I'm usually pretty good at fixing this sort of thing.

Kyle

#11 gringo_pr

Posted 17 July 2010 - 02:17 PM

Hello


"since I have 5 computers to work with"

Do all 5 computers do the same redirects? If not, then it is not the router.


Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

CODE
put script here


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

"information and logs"
    In your next post I need the following
    1. report from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now after running the script?

Gringo


#12 kyleyarbrough

Posted 17 July 2010 - 03:47 PM

Gringo,

Yes all computers were having the redirect problems, but only two had the AVS (anti virus suite) that was really a knock-down. I reset the router, now the redirects aren't happening. There were some strange entries in the dns field that I thought were coming from the DHCP on the modem, but when I reset everything different dns came through off of the new DHCP renew. So somehow there were these two weird dns entries in the router. I changed the password on the router to something besides "blank" so hopefully that's better, everything is working much better now, but I'm still worried as that AVS was a real humdinger and somehow gets into the registry without any action on the user (my) end. I've patched windows, run new scans etc, but it still can just shut down msse and then take over without much trouble.

About the script you sent me in the post, I'm sorry if it's obtuse, but the script is 'put script here?' I think maybe you didn't paste it right or something? If not, I'll just follow the directions and go with it, it just looked strange. It wasn't anything like the first script you gave me.

Thanks again for all of the help!

Kyle

#13 gringo_pr

Posted 17 July 2010 - 04:04 PM

Yea, sometimes I go through all the work and forget to add the important parts.

"but I'm still worried as that AVS was a real humdinger and somehow gets into the registry without any action on the user (my) end. I've patched windows, run new scans etc, but still can just shut down msse and then take over without much trouble."

We are cleaning up all the leftovers now, so I would not worry. Good call on resetting the router.



:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

CODE
File::
c:\windows\system32\drivers\tejuepoj.sys

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5643


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

"information and logs"
    In your next post I need the following
    1. report from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now after running the script?

Gringo

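The two indicators this thread turns on, a ProxyServer entry that points at 127.0.0.1 (the line removed by the CFScript above) and DNS servers that nobody on the LAN configured (the router entries Kyle found), can both be checked from text a Windows user can already collect. The following is an added example, not code from the thread or from any of the tools it uses; the input lines are constructed to mimic a DDS entry and the DNS section of `ipconfig /all`, and the expected-DNS set is an assumption for a home LAN that uses the router plus OpenDNS.

```python
import ipaddress
import re

# Constructed sample: a DDS-style Internet Settings line like the one in the CFScript.
DDS_LINE = "uInternet Settings,ProxyServer = http=127.0.0.1:5643"

# Constructed sample of the DNS section of `ipconfig /all`; 203.0.113.x are
# documentation addresses standing in for whatever a rogue router handed out.
IPCONFIG_TEXT = """\
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 203.0.113.5
                                       203.0.113.6
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Assumption: the router's LAN address plus the two OpenDNS resolvers from post #10.
EXPECTED_DNS = {"192.168.0.1", "208.67.222.222", "208.67.220.220"}


def loopback_proxy(line):
    """Return 'host:port' if the ProxyServer value points at a loopback address, else None.

    A browser proxy on 127.0.0.1 with no local proxy software installed is the
    classic sign of malware interposing itself on web traffic."""
    m = re.search(r"ProxyServer\s*=\s*(?:\w+=)?([\w.\-]+):(\d+)", line)
    if not m:
        return None
    host, port = m.group(1), m.group(2)
    try:
        if ipaddress.ip_address(host).is_loopback:
            return f"{host}:{port}"
    except ValueError:  # a hostname rather than an IP literal
        pass
    return None


def unexpected_dns(text, expected=EXPECTED_DNS):
    """Return DNS servers listed in ipconfig output that are not in the expected set."""
    servers, collecting = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("DNS Servers"):
            collecting = True
            line = line.split(":", 1)[1].strip()   # value after the dotted label
        elif collecting and re.fullmatch(r"[\d.]+", line):
            pass                                   # continuation line: bare IP
        else:
            collecting = False
            continue
        if line:
            servers.append(line)
    return [s for s in servers if s not in expected]


if __name__ == "__main__":
    print("loopback proxy:", loopback_proxy(DDS_LINE))
    print("unexpected DNS:", unexpected_dns(IPCONFIG_TEXT))
```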

#14 kyleyarbrough

Posted 18 July 2010 - 02:57 PM

Ok, so here's the log. No problems to report.

Attached Files



#15 gringo_pr

Posted 18 July 2010 - 03:27 PM

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs
    1. click on start
    2. then go to settings
    3. after that you need control panel
    4. look for the icon add/remove programs
    click on the following programs

    Adobe Reader 9.1
    SUPERAntiSpyware <--may reinstall when we are finished
    WeatherBug


    and click on remove

Update Adobe Reader
    Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.
      If you don't like Adobe Reader (33.5 MB), you can download Foxit PDF Reader (3.5 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

      Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts

Clear your Java Cache
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):
  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :
    Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis
  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"
    In your next post I need the following
    1. Log From MBAM
    2. report from Hijackthis
    3. let me know of any problems you may have had
    4. How is the computer doing now?

Gringo
