
Redirect Virus


  • This topic is locked
2 replies to this topic

#1 djaqib

djaqib

  • Members
  • 1 posts
  • OFFLINE
  • Local time:05:54 PM

Posted 25 October 2010 - 08:38 PM

DDS (Ver_10-10-21.02) - NTFS_AMD64
Run by Djaqib at 18:21:56.32 on Mon 10/25/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.4096.2647 [GMT -7:00]

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\SysWOW64\vmnat.exe
C:\Windows\SysWOW64\vmnetdhcp.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Users\Djaqib\AppData\Local\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Users\Djaqib\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Djaqib\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Bar = Preserve
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uURLSearchHooks: H - No File
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - C:\Program Files (x86)\TechSmith\SnagIt 8\SnagItBHO.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - C:\Program Files (x86)\TechSmith\SnagIt 8\SnagItIEAddin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {4064EA35-578D-4073-A834-C96D82CBCF40} - No File
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [Google Update] "C:\Users\Djaqib\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [<NO NAME>]
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
mRunOnce: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files (x86)\Bodog Poker\BPGame.exe
LSP: C:\Program Files (x86)\VMware\VMware Workstation\vsocklib.dll
Trusted Zone: intuit.com\ttlc
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} - hxxp://vexcast.com/download/vexcast.cab
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
BHO-X64: SnagIt Toolbar Loader: {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files (x86)\TechSmith\SnagIt 8\DLLx64\SnagItBHO64.dll
TB-X64: SnagIt: {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\SnagIt 8\DLLx64\SnagItIEAddin64.dll
TB-X64: {4064EA35-578D-4073-A834-C96D82CBCF40} - No File
TB-X64: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
IE-X64: {1FBA04EE-3024-11d2-8F1F-0000F87ABD16} - C:\Users\Djaqib\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 74.208.10.249 gs.apple.com

============= SERVICES / DRIVERS ===============

R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2009-10-29 55024]
R1 a2injectiondriver;a2injectiondriver;C:\Program Files (x86)\Emsisoft Anti-Malware\a2dix64.sys [2010-10-23 48216]
R1 a2util;a-squared Malware-IDS utility driver;C:\Program Files (x86)\Emsisoft Anti-Malware\a2util64.sys [2010-10-23 14720]
R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2010/07/29 03:43:27];C:\Program Files (x86)\CyberLink\PowerDVD10\NavFilter\000.fcl [2010-4-2 146928]
R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe [2010-10-23 2806000]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2010-10-23 1153368]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-7-9 248936]
R3 a2acc;a2acc;C:\Program Files (x86)\Emsisoft Anti-Malware\a2accx64.sys [2010-10-23 84752]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2010-4-19 50688]
S4 .1256812233SsTR;1256812233SsTR;C:\ProgramData\Webroot\Djaqib2682300.exe --> C:\ProgramData\Webroot\Djaqib2682300.exe [?]
S4 ekrn;ESET Service;C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe [2009-9-11 735960]
S4 VMUSBArbService;VMware USB Arbitration Service;C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe [2009-10-22 563760]

=============== Created Last 30 ================

2010-10-26 01:18:56 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2010-10-25 22:02:12 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2010-10-25 21:52:46 34560 ----a-w- C:\Windows\SysWow64\drivers\Normandy.sys
2010-10-23 11:30:12 112 ----a-w- C:\11150.bat
2010-10-23 09:23:36 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%
2010-10-23 09:06:33 -------- d-----w- C:\Program Files (x86)\Emsisoft Anti-Malware
2010-10-23 08:47:48 -------- d-----w- C:\Users\Djaqib\AppData\Roaming\QuickScan
2010-10-23 08:17:41 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2010-10-23 08:17:41 472808 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
2010-10-23 08:14:12 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2010-10-23 08:14:12 -------- d-----w- C:\PROGRA~3\Spybot - Search & Destroy
2010-10-23 08:09:14 -------- d-----w- C:\ComboFix
2010-10-23 08:09:13 8704 ----a-w- C:\Windows\System32\drivers\PROCEXP90.SYS
2010-10-23 08:09:13 301568 ----a-w- C:\Windows\SysWow64\CF4768.exe
2010-10-23 08:08:31 301568 ----a-w- C:\Windows\SysWow64\cmd.execf
2010-10-22 19:03:28 53248 ----a-w- C:\Windows\SysWow64\FastUv32.dll
2010-10-20 09:40:25 -------- d-----w- C:\D2VAVS
2010-10-20 09:11:53 -------- d-----w- C:\Program Files (x86)\Cinema Craft Encoder SP v2.67.00.27
2010-10-20 08:56:30 -------- d-----w- C:\Users\Djaqib\AppData\Local\DVD-RB Pro
2010-10-20 08:55:12 -------- d-----w- C:\Program Files (x86)\DVD-RB PRO
2010-10-20 08:54:17 -------- d-----w- C:\Users\Djaqib\AppData\Local\Custom_Technology
2010-10-20 08:47:43 -------- d-----w- C:\Program Files (x86)\AviSynth 2.5
2010-10-20 01:27:43 -------- d-----w- C:\Program Files (x86)\DVD43 Plug-in
2010-10-20 01:15:07 611840 ----a-w- C:\Windows\SysWow64\DVD43.dll
2010-10-20 01:13:01 -------- d-----w- C:\Program Files (x86)\LG Software Innovations
2010-10-20 01:03:21 -------- d-----w- C:\Program Files (x86)\DVDFab 8
2010-10-17 18:34:12 -------- d-----w- C:\Program Files (x86)\DVD Shrink
2010-10-15 12:43:07 7935824 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{B752A524-D4AB-4651-ACD0-C3AF70B47EB4}\mpengine.dll
2010-10-11 17:55:00 -------- d-----w- C:\Program Files\iTunes
2010-10-11 17:55:00 -------- d-----w- C:\Program Files\iPod
2010-10-11 17:55:00 -------- d-----w- C:\Program Files (x86)\iTunes
2010-10-10 14:23:59 1017 ----a-w- C:\Windows\QSFVExit.bat
2010-10-10 00:19:52 -------- d-----w- C:\Users\Djaqib\AppData\Roaming\VSRevoGroup
2010-10-09 19:32:53 -------- d-----w- C:\Users\Djaqib\AppData\Roaming\MPEG Streamclip
2010-10-06 21:53:24 -------- d-----w- C:\Program Files (x86)\Peretek
2010-10-06 21:37:12 1388544 ----a-w- C:\Windows\SysWow64\temp.000
2010-10-06 21:19:07 -------- d-----w- C:\Program Files (x86)\Rename Master
2010-10-06 20:49:56 -------- d-----w- C:\PROGRA~3\PIXELA
2010-10-06 20:49:12 -------- d-sh--w- C:\Windows\System32\%APPDATA%
2010-10-03 16:34:18 -------- d-----w- C:\Program Files (x86)\GRETECH
2010-10-02 20:08:10 56320 ------w- C:\Windows\SysWow64\iyvu9_32.dll
2010-10-02 20:08:10 136704 ----a-w- C:\Windows\SysWow64\iacenc.dll
2010-10-02 20:08:09 -------- d-----w- C:\Program Files (x86)\Ligos
2010-10-02 20:06:31 306688 ----a-w- C:\Windows\IsUninst.exe
2010-09-30 10:36:11 -------- d-----w- C:\PROGRA~3\eMule

==================== Find3M ====================

2010-10-20 01:03:24 99384 ----a-w- C:\Users\Djaqib\AppData\Roaming\inst.exe
2010-10-20 01:03:24 82816 ----a-w- C:\Users\Djaqib\AppData\Roaming\pcouffin.sys
2010-09-08 18:17:46 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
2010-09-08 18:17:46 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
2010-07-29 10:40:22 29480 ----a-w- C:\Windows\SysWow64\msxml3a.dll
2010-07-28 01:55:50 95520 ----a-w- C:\Windows\System32\dnssd.dll
2010-07-28 01:55:50 119584 ----a-w- C:\Windows\System32\dns-sd.exe
2010-07-28 01:44:10 91424 ----a-w- C:\Windows\SysWow64\dnssd.dll
2010-07-28 01:44:10 107808 ----a-w- C:\Windows\SysWow64\dns-sd.exe

============= FINISH: 18:23:04.72 ===============

When I ran GMER, the only options that I could check were "services, registry, files, ADS"; all other options are grey and I can't check or uncheck them.
After it finished scanning I got a message: "GMER hasn't found any system modification".

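As an added triage example (not part of the original thread, and not code from the DDS or OTL tools), the following Python script walks lines in the shape of the "Pseudo HJT Report" and "Created Last 30" sections above and flags the items a malware-response helper would look at first: a browser proxy pointing at a loopback listener, UAC policy values set to 0, hosts-file overrides, add-on registrations whose file is missing, and a hidden directory literally named %APPDATA% under a system folder. The sample lines are constructed in the shape of this log; the rule names, severities and wording are my own assumptions, not DDS output.

```python
"""Triage helper for DDS-style log sections (added example, not a DDS/OTL component)."""
import re
from typing import Dict, List

# Constructed sample in the shape of the "Pseudo HJT Report" section above.
SAMPLE_HJT = """
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 74.208.10.249 gs.apple.com
"""

# Constructed sample in the shape of the "Created Last 30" section above.
SAMPLE_CREATED = r"""
2010-10-23 09:23:36 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%
2010-10-23 09:06:33 -------- d-----w- C:\Program Files (x86)\Emsisoft Anti-Malware
"""

PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?([\w.\-]+):(\d+)")
HOSTS_RE = re.compile(r"^Hosts:\s+([\d.]+)\s+(\S+)")
POLICY_RE = re.compile(r"^mPolicies-system:\s+(\w+)\s*=\s*(\d+)")
NOFILE_RE = re.compile(r"^(BHO|TB|BHO-X64|TB-X64):\s+(\{[0-9A-Fa-f\-]+\})\s+-\s+No File")
CREATED_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\S+\s+(\S+)\s+(.+)$")

# UAC policy values that weaken elevation prompting when set to 0 (my selection).
WEAK_IF_ZERO = {
    "EnableLUA": "UAC is switched off entirely",
    "PromptOnSecureDesktop": "elevation prompts are not shown on the secure desktop",
    "ConsentPromptBehaviorAdmin": "administrators elevate without any prompt",
}


def triage_hjt(report: str) -> List[Dict[str, str]]:
    """Return findings for the Pseudo HJT section, in the order the lines appear."""
    findings: List[Dict[str, str]] = []
    for raw in report.splitlines():
        line = raw.strip()
        m = PROXY_RE.search(line)
        if m:
            host, port = m.groups()
            if host in ("127.0.0.1", "localhost"):
                findings.append({"kind": "proxy", "line": line,
                                 "why": f"browser traffic is routed through a local listener on "
                                        f"port {port}; confirm which process owns that port"})
            continue
        m = HOSTS_RE.match(line)
        if m:
            ip, _name = m.groups()
            why = ("name resolution for this host is blocked locally"
                   if ip.startswith("127.")
                   else "name resolution for this host is pinned to a fixed address")
            findings.append({"kind": "hosts", "line": line, "why": why})
            continue
        m = POLICY_RE.match(line)
        if m and m.group(1) in WEAK_IF_ZERO and m.group(2) == "0":
            findings.append({"kind": "uac", "line": line, "why": WEAK_IF_ZERO[m.group(1)]})
            continue
        m = NOFILE_RE.match(line)
        if m:
            findings.append({"kind": "orphan", "line": line,
                             "why": f"{m.group(1)} registration {m.group(2)} points at a missing file"})
    return findings


def triage_created(created: str) -> List[Dict[str, str]]:
    """Flag hidden directories whose name is an unexpanded %VAR% under any folder."""
    findings: List[Dict[str, str]] = []
    for raw in created.splitlines():
        m = CREATED_RE.match(raw.strip())
        if not m:
            continue
        attrs, path = m.groups()
        leaf = path.rsplit("\\", 1)[-1]
        # Attribute string starts with 'd' for directories; 'h' marks hidden.
        if attrs.startswith("d") and "h" in attrs and leaf.startswith("%") and leaf.endswith("%"):
            findings.append({"kind": "hidden_dir", "line": raw.strip(),
                             "why": "hidden directory literally named like an environment "
                                    "variable; the variable was never expanded by its creator"})
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT) + triage_created(SAMPLE_CREATED):
        print(f"[{f['kind']}] {f['line']}\n    -> {f['why']}")
```

Run it against a real DDS log by reading the two sections into the `triage_*` functions; every finding is something to verify by hand (which process listens on the proxy port, who wrote the hosts entries), not a verdict on its own.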




#2 snemelk

snemelk

    engineer


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  • Gender:Male
  • Location:Poland
  • Local time:11:54 PM

Posted 03 November 2010 - 05:19 PM

Hi djaqib, and welcome to Bleeping Computer.

Download OTL.exe by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe.
  • In the "Custom Scans/Fixes" window (under the light green bar) paste the following in bold:

    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    dir /s C:\Windows\SysWow64\^%APPDATA^% /c
    dir /s C:\Windows\System32\^%APPDATA^% /c
    dir /a:h /s C:\Windows\SysWow64\^%APPDATA^% /c
    dir /a:h /s C:\Windows\System32\^%APPDATA^% /c

  • Click Run Scan and let the program run uninterrupted.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL. Post both logs in this thread.
  • You may need to use two posts to get it all in.

snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#3 snemelk

snemelk

    engineer


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  • Gender:Male
  • Location:Poland
  • Local time:11:54 PM

Posted 17 November 2010 - 12:30 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, just send me a PM (Send message from my profile) with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.




