Redirects and painfully slow internet speed


This topic is locked
24 replies to this topic

#1 Metalfenrir

  • Members
  • 15 posts

Posted 08 December 2010 - 05:41 PM

Hello,

(Description taken from my other thread...)

For the past 3 weeks I have been in a constant battle with my computer and trying to fix it. I am getting browser misdirects to google-analytics and it is almost impossible to browse any websites other than search engines. I have tested this in multiple browsers with the same results. Also, my download speed in a browser is somewhere in the single digits of Kbps, making the downloading of software incredibly difficult.

Over this period of time, I have run full scans with Kaspersky, Spybot Search and Destroy, MBAM, and Ad-Aware. I have also run ComboFix, MBAM and TDSS in safe mode. Several infections have been removed, but it seems to have had no effect.

I have also tried deleting my browser caches and reinstalling my operating system (Windows 7 Professional 64 bit) by upgrading my existing OS, replacing my existing OS, and again on a new partition. All without success.

My computer has 2 hard drives and one external. The one hard drive is from my old computer, and I use it as a backup for my old system. The external is essentially storage for movies, music, etc. I have done scans with MBAM on these as well and they are clean.

Lastly, the internet connection method I use is a wired connection that runs through a Cisco Powerline over Ethernet station, which connects to a Linksys router on the floor below. I have not attempted to reset either.

(End description from other thread)

I ran DDS and GMER. Since GMER doesn't support 64 bit systems, I was only given a few options to scan (Files, Services, and Registry) and my drives came up clean.

Here is my DDS log
-----------------------------


DDS (Ver_10-12-05.01) - NTFS_AMD64
Run by Josh at 17:09:41.64 on Wed 12/08/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.4095.3052 [GMT -8:00]


============== Running Processes ===============

G:\Windows\system32\wininit.exe
G:\Windows\system32\lsm.exe
G:\Windows\system32\svchost.exe -k DcomLaunch
G:\Windows\system32\svchost.exe -k RPCSS
G:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
G:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
G:\Windows\system32\svchost.exe -k netsvcs
G:\Windows\servicing\TrustedInstaller.exe
G:\Windows\system32\svchost.exe -k LocalService
G:\Windows\system32\svchost.exe -k NetworkService
G:\Windows\System32\spoolsv.exe
G:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
G:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
G:\Program Files (x86)\Motorola\MotoConnectService\MotoConnectService.exe
G:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
G:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
G:\Windows\system32\taskhost.exe
G:\Windows\system32\Dwm.exe
G:\Windows\Explorer.EXE
G:\Program Files (x86)\Motorola\MotoConnectService\MotoConnect.exe
G:\Windows\system32\SearchIndexer.exe
G:\Windows\system32\SearchProtocolHost.exe
G:\Program Files\Windows Media Player\wmpnetwk.exe
G:\Windows\System32\svchost.exe -k LocalServicePeerNet
G:\Windows\system32\wbem\wmiprvse.exe
G:\Windows\system32\WUDFHost.exe
G:\Windows\system32\sppsvc.exe
G:\Windows\System32\svchost.exe -k secsvcs
G:\Program Files (x86)\Internet Explorer\iexplore.exe
G:\Program Files (x86)\Internet Explorer\iexplore.exe
G:\Windows\system32\wuauclt.exe
G:\Windows\system32\SearchProtocolHost.exe
G:\Windows\system32\SearchFilterHost.exe
G:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
G:\Windows\system32\DllHost.exe
G:\Windows\system32\DllHost.exe
G:\Users\Josh\Desktop\dds.scr
G:\Windows\system32\conhost.exe
G:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mWinlogon: Userinit=userinit.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

============= SERVICES / DRIVERS ===============

R1 vwififlt;Virtual WiFi Filter Driver;G:\Windows\System32\drivers\vwififlt.sys [2009-7-13 59904]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;G:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;G:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
R2 MotoConnect Service;MotoConnect Service;G:\Program Files (x86)\Motorola\MotoConnectService\MotoConnectService.exe [2010-6-24 91456]
R3 RTL8167;Realtek 8167 NT Driver;G:\Windows\System32\drivers\Rt64win7.sys [2009-6-10 187392]
S3 StorSvc;Storage Service;G:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 WatAdminSvc;Windows Activation Technologies Service;G:\Windows\System32\Wat\WatAdminSvc.exe [2010-12-8 1255736]

=============== Created Last 30 ================

2010-12-08 11:26:19 -------- d-----w- G:\Windows\SysWow64\Wat
2010-12-08 11:26:19 -------- d-----w- G:\Windows\System32\Wat
2010-12-08 11:03:27 99176 ----a-w- G:\Windows\SysWow64\PresentationHostProxy.dll
2010-12-08 11:03:27 49472 ----a-w- G:\Windows\SysWow64\netfxperf.dll
2010-12-08 11:03:27 48960 ----a-w- G:\Windows\System32\netfxperf.dll
2010-12-08 11:03:27 444752 ----a-w- G:\Windows\System32\mscoree.dll
2010-12-08 11:03:27 320352 ----a-w- G:\Windows\System32\PresentationHost.exe
2010-12-08 11:03:27 297808 ----a-w- G:\Windows\SysWow64\mscoree.dll
2010-12-08 11:03:27 295264 ----a-w- G:\Windows\SysWow64\PresentationHost.exe
2010-12-08 11:03:27 1942856 ----a-w- G:\Windows\System32\dfshim.dll
2010-12-08 11:03:27 1130824 ----a-w- G:\Windows\SysWow64\dfshim.dll
2010-12-08 11:03:27 109912 ----a-w- G:\Windows\System32\PresentationHostProxy.dll
2010-12-08 08:01:46 -------- d-----w- G:\Program Files (x86)\Motorola
2010-12-08 08:01:40 -------- d-----w- G:\Program Files (x86)\Common Files\MSSoap
2010-12-08 08:01:40 -------- d-----w- G:\Program Files (x86)\Common Files\Motorola Shared
2010-12-08 08:01:24 -------- d-----w- G:\Program Files\Motorola Inc
2010-12-08 08:01:23 -------- d-----w- G:\Program Files\Common Files\Motorola Shared
2010-12-08 08:01:21 -------- d-sh--w- G:\Windows\Installer
2010-12-08 02:53:18 1975296 ----a-w- G:\Windows\System32\CertEnroll.dll
2010-12-08 02:53:17 1320960 ----a-w- G:\Windows\SysWow64\CertEnroll.dll
2010-12-08 02:23:17 1446912 ----a-w- G:\Windows\System32\lsasrv.dll
2010-12-08 02:23:16 96768 ----a-w- G:\Windows\SysWow64\sspicli.dll
2010-12-08 02:23:16 22016 ----a-w- G:\Windows\SysWow64\secur32.dll
2010-12-08 02:23:16 153160 ----a-w- G:\Windows\System32\drivers\ksecpkg.sys
2010-12-08 02:08:59 961024 ----a-w- G:\Windows\System32\CPFilters.dll
2010-12-08 02:08:59 641536 ----a-w- G:\Windows\SysWow64\CPFilters.dll
2010-12-08 02:08:58 613888 ----a-w- G:\Windows\System32\psisdecd.dll
2010-12-08 02:08:58 552960 ----a-w- G:\Windows\System32\msdri.dll
2010-12-08 02:08:58 465408 ----a-w- G:\Windows\SysWow64\psisdecd.dll
2010-12-08 02:08:58 288256 ----a-w- G:\Windows\System32\MSNP.ax
2010-12-08 02:08:58 258560 ----a-w- G:\Windows\System32\mpg2splt.ax
2010-12-08 02:08:58 204288 ----a-w- G:\Windows\SysWow64\MSNP.ax
2010-12-08 02:08:58 199680 ----a-w- G:\Windows\SysWow64\mpg2splt.ax
2010-12-08 01:36:29 -------- d-----w- G:\Users\Josh\AppData\Local\Opera
2010-12-08 01:26:48 1896832 ----a-w- G:\Windows\System32\drivers\tcpip.sys
2010-12-08 01:26:46 5507968 ----a-w- G:\Windows\System32\ntoskrnl.exe
2010-12-08 01:26:46 3955080 ----a-w- G:\Windows\SysWow64\ntkrnlpa.exe
2010-12-08 01:26:46 3899784 ----a-w- G:\Windows\SysWow64\ntoskrnl.exe
2010-12-08 01:25:14 389632 ----a-w- G:\Windows\System32\winlogon.exe
2010-12-08 01:25:14 2870272 ----a-w- G:\Windows\explorer.exe
2010-12-08 01:25:14 2614272 ----a-w- G:\Windows\SysWow64\explorer.exe
2010-12-08 01:23:52 558592 ----a-w- G:\Windows\System32\spoolsv.exe
2010-12-08 01:23:50 982600 ----a-w- G:\Windows\System32\drivers\dxgkrnl.sys
2010-12-08 01:23:50 144384 ----a-w- G:\Windows\System32\cdd.dll
2010-12-08 01:18:08 954752 ----a-w- G:\Windows\SysWow64\mfc40.dll
2010-12-08 01:18:08 954288 ----a-w- G:\Windows\SysWow64\mfc40u.dll
2010-12-08 01:16:20 167424 ----a-w- G:\Program Files\Windows Media Player\wmplayer.exe
2010-12-08 01:16:20 164864 ----a-w- G:\Program Files (x86)\Windows Media Player\wmplayer.exe
2010-12-08 01:16:19 12625920 ----a-w- G:\Windows\System32\wmploc.DLL
2010-12-08 01:16:19 12625408 ----a-w- G:\Windows\SysWow64\wmploc.DLL
2010-12-08 01:15:40 9728 ----a-w- G:\Windows\SysWow64\sscore.dll
2010-12-08 01:15:40 463360 ----a-w- G:\Windows\System32\drivers\srv.sys
2010-12-08 01:15:40 402944 ----a-w- G:\Windows\System32\drivers\srv2.sys
2010-12-08 01:15:40 236032 ----a-w- G:\Windows\System32\srvsvc.dll
2010-12-08 01:15:40 161792 ----a-w- G:\Windows\System32\drivers\srvnet.sys
2010-12-08 01:14:12 84992 ----a-w- G:\Windows\System32\asycfilt.dll
2010-12-08 01:14:11 67584 ----a-w- G:\Windows\SysWow64\asycfilt.dll
2010-12-08 01:12:13 -------- d-----w- G:\Program Files (x86)\Common Files\Blizzard Entertainment
2010-12-07 14:46:03 1736608 ----a-w- G:\Windows\System32\ntdll.dll
2010-12-07 14:46:03 1289528 ----a-w- G:\Windows\SysWow64\ntdll.dll
2010-12-07 14:43:05 243712 ----a-w- G:\Windows\System32\drivers\ks.sys
2010-12-07 14:42:45 976896 ----a-w- G:\Windows\System32\inetcomm.dll
2010-12-07 14:42:45 740864 ----a-w- G:\Windows\SysWow64\inetcomm.dll
2010-12-07 14:42:45 2080256 ----a-w- G:\Program Files\Windows Mail\msoe.dll
2010-12-07 14:42:45 1619968 ----a-w- G:\Program Files (x86)\Windows Mail\msoe.dll
2010-12-07 11:41:48 340992 ----a-w- G:\Windows\System32\schannel.dll
2010-12-07 11:41:47 224256 ----a-w- G:\Windows\SysWow64\schannel.dll
2010-12-07 11:41:36 633856 ----a-w- G:\Windows\System32\comctl32.dll
2010-12-07 11:41:36 530432 ----a-w- G:\Windows\SysWow64\comctl32.dll
2010-12-07 11:41:29 861184 ----a-w- G:\Windows\System32\oleaut32.dll
2010-12-07 11:41:29 571904 ----a-w- G:\Windows\SysWow64\oleaut32.dll
2010-12-07 11:40:20 7680 ----a-w- G:\Windows\SysWow64\instnm.exe
2010-12-07 11:40:20 5120 ----a-w- G:\Windows\SysWow64\wow32.dll
2010-12-07 11:40:20 25600 ----a-w- G:\Windows\SysWow64\setup16.exe
2010-12-07 11:40:20 243200 ----a-w- G:\Windows\System32\wow64.dll
2010-12-07 11:40:20 2048 ----a-w- G:\Windows\SysWow64\user.exe
2010-12-07 11:40:20 14336 ----a-w- G:\Windows\SysWow64\ntvdm64.dll
2010-12-07 11:40:16 52224 ----a-w- G:\Windows\System32\rtutils.dll
2010-12-07 11:40:16 37376 ----a-w- G:\Windows\SysWow64\rtutils.dll
2010-12-07 11:36:06 2048 ----a-w- G:\Windows\SysWow64\tzres.dll
2010-12-07 11:36:06 2048 ----a-w- G:\Windows\System32\tzres.dll
2010-12-07 11:35:57 286720 ----a-w- G:\Windows\System32\drivers\mrxsmb10.sys
2010-12-07 11:35:57 157696 ----a-w- G:\Windows\System32\drivers\mrxsmb.sys
2010-12-07 11:35:57 125952 ----a-w- G:\Windows\System32\drivers\mrxsmb20.sys
2010-12-07 11:35:55 82944 ----a-w- G:\Windows\SysWow64\iccvid.dll
2010-12-07 11:35:55 223448 ----a-w- G:\Windows\System32\drivers\fvevol.sys
2010-12-07 11:29:10 1877504 ----a-w- G:\Windows\System32\msxml3.dll
2010-12-07 11:29:09 1233920 ----a-w- G:\Windows\SysWow64\msxml3.dll
2010-12-07 11:29:03 27008 ----a-w- G:\Windows\System32\drivers\Diskdump.sys
2010-12-07 11:27:10 46592 ----a-w- G:\Windows\System32\msasn1.dll
2010-12-07 11:27:10 34816 ----a-w- G:\Windows\SysWow64\msasn1.dll
2010-12-07 11:27:09 70656 ----a-w- G:\Windows\SysWow64\fontsub.dll
2010-12-07 11:27:09 46080 ----a-w- G:\Windows\System32\atmlib.dll
2010-12-07 11:27:09 366080 ----a-w- G:\Windows\System32\atmfd.dll
2010-12-07 11:27:09 34304 ----a-w- G:\Windows\SysWow64\atmlib.dll
2010-12-07 11:27:09 293888 ----a-w- G:\Windows\SysWow64\atmfd.dll
2010-12-07 11:27:09 100864 ----a-w- G:\Windows\System32\fontsub.dll
2010-12-07 11:17:29 3123712 ----a-w- G:\Windows\System32\win32k.sys
2010-12-07 10:38:03 8199504 ----a-w- G:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{B2F0A5E3-AB5E-4A5F-88DE-0F58F24EE16F}\mpengine.dll
2010-12-07 10:38:02 270720 ------w- G:\Windows\System32\MpSigStub.exe
2010-12-07 10:34:31 0 ----a-w- G:\Windows\ativpsrm.bin
2010-12-07 10:31:34 -------- d-----w- G:\Windows\Panther
2010-12-07 10:18:50 -------- dc----w- G:\Windows.old
2010-12-07 09:02:06 139264 ----a-w- G:\Windows\System32\cabview.dll
2010-12-07 09:02:06 132608 ----a-w- G:\Windows\SysWow64\cabview.dll
2010-12-07 09:02:05 220672 ----a-w- G:\Windows\System32\wintrust.dll
2010-12-07 09:02:05 172032 ----a-w- G:\Windows\SysWow64\wintrust.dll
2010-12-07 09:00:50 -------- d-----w- G:\PROGRA~3\Blizzard Entertainment

==================== Find3M ====================

2010-09-10 05:35:44 135168 ----a-w- G:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2010-09-10 05:35:43 347648 ----a-w- G:\Windows\apppatch\AppPatch64\AcLayers.dll

============= FINISH: 17:10:11.78 ===============

Attach.txt is attached as instructed.

Please Help! And thank you for taking the time to do so :)


#2 Judicandus

    Bleepin' Pasta

  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Location:Around the world

Posted 16 December 2010 - 05:59 AM

Hi Metalfenrir,

Welcome to BleepingComputer!

I'm judicandus and I'll be helping you out.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

Combofix is NOT a tool to be executed without an antimalware supervising it. You could have damaged your computer making it unbootable.

But since you've already executed it, please post the latest combofix log.

#3 Metalfenrir
  • Topic Starter
  • Members
  • 15 posts

Posted 16 December 2010 - 10:26 AM

Hello Judicandus, I look forward to working with you on this issue.

As of now, I have not fixed my original issue or tried to correct it since my initial post. I am currently at work, but I will post my ComboFix log as soon as I get home.

If you could suggest some programs that we will be using in the future, it would be very helpful; downloading programs at home takes hours. Being able to get them from work and bring them over will expedite the process greatly.

Thank you!

Edited by Metalfenrir, 16 December 2010 - 10:28 AM.


#4 Judicandus

    Bleepin' Pasta

  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Location:Around the world

Posted 16 December 2010 - 10:57 AM

Hi Metalfenrir,

Please download Malwarebytes' latest DB from: http://data.mbamupdates.com/tools/mbam-rules.exe

Also download the latest ComboFix file, saving it with a different name than combofix (such as abtte.exe)

and

http://www2.gmer.net/mbr/mbr.exe


When you get home, copy these files to the desktop, run ComboFix and post the new log, and run mbr.exe and post its log as well.

#5 Metalfenrir
  • Topic Starter
  • Members
  • 15 posts

Posted 16 December 2010 - 11:08 AM

Thank you, I will get back to you with the logs tonight.

#6 Judicandus

    Bleepin' Pasta

  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Location:Around the world

Posted 16 December 2010 - 11:13 AM

Small correction: if ComboFix works and generates the log, there is no need to run mbr.exe; just use it if ComboFix for any reason does not work.

#7 Metalfenrir
  • Topic Starter
  • Members
  • 15 posts

Posted 16 December 2010 - 11:15 AM

Alright, thank you for the information and quick responses!

#8 Metalfenrir
  • Topic Starter
  • Members
  • 15 posts

Posted 17 December 2010 - 12:19 AM

I deleted my unnecessary partition in order not to get these logs confused, and I reran DDS to be safe.

Here is my ComboFix log

ComboFix 10-12-16.02 - Josh 12/16/2010 19:30:11.2.4 - x64 NETWORK
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.4095.3458 [GMT -8:00]
Running from: g:\users\Josh\Desktop\abtte.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-11-17 to 2010-12-17 )))))))))))))))))))))))))))))))
.

2010-12-17 03:33 . 2010-12-17 03:33 -------- d-----w- g:\users\Default\AppData\Local\temp
2010-12-07 06:07 . 2010-12-07 06:07 -------- d-----w- g:\program files\Motorola Inc
2010-12-07 06:07 . 2010-12-07 06:07 -------- d-----w- g:\program files\Common Files\Motorola Shared
2010-12-07 04:17 . 2010-12-07 08:55 -------- d-----w- g:\program files (x86)\Common Files\Blizzard Entertainment
2010-12-07 03:54 . 2010-12-07 03:54 -------- d-----w- g:\windows\SysWow64\Macromed
2010-12-07 02:43 . 2010-12-07 02:43 -------- d-----w- g:\programdata\Malwarebytes
2010-12-07 02:43 . 2010-11-30 01:42 38224 ----a-w- g:\windows\SysWow64\drivers\mbamswissarmy.sys
2010-12-07 02:43 . 2010-12-17 02:59 -------- d-----w- g:\program files (x86)\Malwarebytes' Anti-Malware
2010-12-07 02:43 . 2010-11-30 01:42 24152 ----a-w- g:\windows\system32\drivers\mbam.sys
2010-12-07 01:46 . 2010-11-16 20:01 8199504 ----a-w- g:\programdata\Microsoft\Windows Defender\Definition Updates\{8C7ED304-7AEB-44E8-974C-1183A9010D8B}\mpengine.dll
2010-12-07 01:46 . 2010-10-19 18:41 270720 ------w- g:\windows\system32\MpSigStub.exe
2010-12-07 01:30 . 2010-12-07 08:55 -------- d-----w- g:\programdata\Blizzard Entertainment
2010-12-06 17:41 . 2010-12-06 17:41 -------- d-----w- g:\program files (x86)\Opera
2010-12-06 17:41 . 2010-12-07 06:07 -------- d-sh--w- g:\windows\Installer
2010-12-06 17:20 . 2010-12-06 17:22 -------- d--h--w- g:\windows\AxInstSV
2010-12-06 17:01 . 2009-12-29 08:03 220672 ----a-w- g:\windows\system32\wintrust.dll
2010-12-06 17:01 . 2009-12-29 06:55 172032 ----a-w- g:\windows\SysWow64\wintrust.dll
2010-12-06 17:01 . 2010-01-09 07:19 139264 ----a-w- g:\windows\system32\cabview.dll
2010-12-06 17:01 . 2010-01-09 06:52 132608 ----a-w- g:\windows\SysWow64\cabview.dll
2010-12-06 16:57 . 2010-12-06 16:58 -------- d-----w- g:\users\Josh
2010-12-06 09:42 . 2010-12-06 09:42 0 ----a-w- g:\windows\ativpsrm.bin
2010-12-06 09:39 . 2010-12-06 16:57 -------- d-----w- g:\windows\Panther
2010-12-06 09:31 . 2010-12-07 08:54 -------- d-----w- G:\Windows.old.000

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-30 02:14 . 2010-09-30 02:14 30208 ----a-w- g:\windows\system32\drivers\motmodem.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-12-07_06.17.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-06 13:55 . 2010-12-07 08:37 81986 g:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-07-14 05:10 . 2010-12-17 02:59 21150 g:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:30 . 2010-12-17 02:58 86016 g:\windows\system32\DriverStore\infpub.dat
- 2009-07-14 05:30 . 2010-12-07 06:07 86016 g:\windows\system32\DriverStore\infpub.dat
+ 2010-12-07 01:29 . 2010-12-17 03:17 16384 g:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-12-07 01:29 . 2010-12-07 04:06 16384 g:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-12-07 01:29 . 2010-12-07 04:06 32768 g:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-12-07 01:29 . 2010-12-17 03:17 32768 g:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-12-07 01:29 . 2010-12-17 03:17 16384 g:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-12-07 01:29 . 2010-12-07 04:06 16384 g:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-12-07 01:29 . 2010-12-17 03:17 16384 g:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-12-07 01:29 . 2010-12-07 04:06 16384 g:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-12-07 01:29 . 2010-12-17 03:17 16384 g:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-12-07 01:29 . 2010-12-07 04:06 16384 g:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-12-07 02:00 . 2010-12-07 06:44 4324 g:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2010-12-07 01:30 . 2010-12-17 02:59 2426 g:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2745876505-1264429835-2499802203-1001_UserData.bin
- 2010-12-07 06:09 . 2010-12-07 06:09 2048 g:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-12-17 03:18 . 2010-12-17 03:18 2048 g:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-12-17 03:18 . 2010-12-17 03:18 2048 g:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2010-12-07 06:09 . 2010-12-07 06:09 2048 g:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:36 . 2010-12-07 06:15 615122 g:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2010-12-17 03:23 615122 g:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2010-12-07 06:15 103496 g:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2010-12-17 03:23 103496 g:\windows\system32\perfc009.dat
- 2009-07-14 05:30 . 2010-12-07 06:07 143360 g:\windows\system32\DriverStore\infstrng.dat
+ 2009-07-14 05:30 . 2010-12-17 02:58 143360 g:\windows\system32\DriverStore\infstrng.dat
+ 2009-07-14 00:21 . 2009-07-14 01:41 299520 g:\windows\system32\drivers\UMDF\WpdFs.dll
- 2009-07-14 02:34 . 2010-12-07 05:38 9437184 g:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-07-14 02:34 . 2010-12-07 08:47 9437184 g:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

S1 vwififlt;Virtual WiFi Filter Driver;g:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S3 RTL8167;Realtek 8167 NT Driver;g:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 187392]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;g:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]

.

--------- x86-64 -----------

.
------- Supplementary Scan -------
.
uLocal Page = g:\windows\system32\blank.htm
mLocal Page = g:\windows\SysWOW64\blank.htm
.
- - - - ORPHANS REMOVED - - - -

Wow6432Node-HKLM-RunOnce-<NO NAME> - (no file)


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-12-16 19:35:06
ComboFix-quarantined-files.txt 2010-12-17 03:35
ComboFix2.txt 2010-12-07 06:18

Pre-Run: 219,493,224,448 bytes free
Post-Run: 219,432,599,552 bytes free

- - End Of File - - 28408C664964C7D175B9C4DDDCB3FC56


And my clean MBAM

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5339

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

12/16/2010 5:49:46 PM
mbam-log-2010-12-16 (17-49-46).txt

Scan type: Full scan (C:\|E:\|G:\|)
Objects scanned: 415091
Time elapsed: 56 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Thanks again


#9 Judicandus

    Bleepin' Pasta

  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Location:Around the world

Posted 17 December 2010 - 06:00 AM

Hi Metalfenrir,

You said you had already run TDSSKiller, did it find anything?

Also, please try resetting your router.

There is one file that indicates that your computer is or was infected:
g:\windows\ativpsrm.bin

It is a zero-byte file, so you can delete it if you want (let me know if you can't delete it).
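To make the kind of log reading done in this thread concrete, here is an added example (not a tool of DDS, ComboFix or BleepingComputer) that parses the file-creation lines of both log formats posted above and applies two heuristic rules of my own choosing, one of which flags zero-byte files such as the ativpsrm.bin pointed out in this reply. The sample log embedded in it is constructed from lines quoted earlier in the thread.

```python
"""Triage helper for the file-creation sections of DDS and ComboFix logs.

Added illustration, not part of either tool: it parses the two line formats
posted in this thread and applies two heuristic rules to the parsed entries.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# DDS "Created Last 30":    2010-12-07 10:34:31 0 ----a-w- G:\Windows\ativpsrm.bin
# ComboFix "Files Created": 2010-12-06 09:42 . 2010-12-06 09:42 0 ----a-w- g:\windows\ativpsrm.bin
# The size column reads "--------" for directories; the 8-character field is the
# attribute mask (d = directory, s = system, h = hidden, a = archive, w = writable).
DDS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>\S.*?)\s*$", re.I)
CF_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>\S.*?)\s*$", re.I)

# Heuristic (my assumption, not a rule of either tool): regular files living
# directly in the Windows directory are normally executables or libraries.
ROOT_OK_EXT = {"exe", "dll"}


@dataclass
class Entry:
    created: datetime
    size: Optional[int]   # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0].lower() == "d"


def parse_line(line: str) -> Optional[Entry]:
    """Parse one DDS or ComboFix file-creation line; None for headers and noise."""
    m, fmt = DDS_RE.match(line), "%Y-%m-%d %H:%M:%S"
    if m is None:
        m, fmt = CF_RE.match(line), "%Y-%m-%d %H:%M"
    if m is None:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(datetime.strptime(m["ts"], fmt), size, m["attrs"], m["path"])


def parse_log(text: str) -> List[Entry]:
    """Extract every file-creation entry from a pasted log, skipping everything else."""
    entries = [parse_line(ln.strip()) for ln in text.splitlines()]
    return [e for e in entries if e is not None]


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (reason, path) pairs for files matching the two heuristics."""
    findings = []
    for e in entries:
        if e.is_dir:
            continue
        parts = [p for p in e.path.lower().split("\\") if p]
        name = parts[-1]
        ext = name.rsplit(".", 1)[1] if "." in name else ""
        # Rule 1: zero-byte files are often markers or remnants left behind by
        # malware; the thread's g:\windows\ativpsrm.bin is one such file.
        if e.size == 0:
            findings.append(("zero-byte file", e.path))
        # Rule 2: a non-executable dropped directly in the Windows root directory.
        if len(parts) == 3 and parts[1] == "windows" and ext not in ROOT_OK_EXT:
            findings.append(("non-executable in Windows root", e.path))
    return findings


# Constructed sample: lines in both formats plus header noise the parser must
# ignore.  Values mirror the logs quoted in this thread.
SAMPLE_LOG = r"""
=============== Created Last 30 ================
2010-12-08 11:26:19 -------- d-----w- G:\Windows\System32\Wat
2010-12-08 08:01:21 -------- d-sh--w- G:\Windows\Installer
2010-12-08 01:25:14 2870272 ----a-w- G:\Windows\explorer.exe
2010-12-07 10:34:31 0 ----a-w- G:\Windows\ativpsrm.bin
.
2010-12-07 02:43 . 2010-11-30 01:42 24152 ----a-w- g:\windows\system32\drivers\mbam.sys
2010-12-06 17:20 . 2010-12-06 17:22 -------- d--h--w- g:\windows\AxInstSV
2010-12-06 09:42 . 2010-12-06 09:42 0 ----a-w- g:\windows\ativpsrm.bin
"""

if __name__ == "__main__":
    for reason, path in triage(parse_log(SAMPLE_LOG)):
        print(f"{reason:32} {path}")
```

Both rules fire only on ativpsrm.bin in the sample; explorer.exe in the Windows root passes because it is an executable, and directories such as Installer are skipped.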

#10 Metalfenrir
  • Topic Starter
  • Members
  • 15 posts

Posted 17 December 2010 - 09:56 AM

I have previously run TDSSKiller with no hits, but I will run it again.

I will also try to delete that file.

As far as the router goes, I have a question. I use one of these to give my computer a wired connection; is it still possible for a virus to get through this into my router, or would the powerline adapter be what is infected? I will try resetting both if possible, just curious.

I will not be home again until Saturday afternoon, so I will not be able to try these steps until then.

Thanks again!

#11 Judicandus

    Bleepin' Pasta

  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Location:Around the world

Posted 17 December 2010 - 10:31 AM

Your router could get infected anyway, since the powerline adapter is not a router and therefore it's basically connecting your computer directly to your router through the adapter itself.

Could you also please give me some examples of the redirects you're getting? (Like which addresses you are being redirected to?)

When you said:

I have also tried deleting my browser caches and reinstalling my operating system (Windows 7 Professional 64 bit) by upgrading my existing OS, replacing my existing OS, and again on a new partition. All without success.

do you mean that you reinstalled the OS in a new partition and that the clean OS installation also had the redirect going on?
If that's so, it's definitely your router that is infected. :)

#12 Metalfenrir
  • Topic Starter
  • Members
  • 15 posts

Posted 17 December 2010 - 10:47 AM

90% of my redirects go to www.google-analyics.pp.php. A few go to www.epo.com I think. I do my best to close out the window before the redirect goes through, because they have those annoying prompt screens that only let you close the tab if you hit Yes, which I don't want to do.

And yes, I made a new partition on my computer and installed a clean version of XP 64 which was updated to Windows 7. That was the partition I deleted the other night, because it had the exact same issues as my old install.

I will try the router reset as soon as I get home Saturday!

#13 Judicandus

    Bleepin' Pasta

  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Location:Around the world

Posted 17 December 2010 - 11:20 AM

Will wait for the results of the router reset then.

#14 Metalfenrir
  • Topic Starter
  • Members
  • 15 posts

Posted 18 December 2010 - 03:43 PM

I just reset my router and, to the best of my knowledge, my internet speed is back to normal. I can stream stuff now and I just downloaded the exe for MBAM at 880kbps (yay).

However... the redirects are still happening, what do we do now?

Thanks for your continued help!

#15 Judicandus

    Bleepin' Pasta

  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Location:Around the world

Posted 18 December 2010 - 03:48 PM

Hi metal,

I know you've already done this, but I'd like to take a look again:

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\TDSSKiller folder). Please copy and paste the contents of that file here.




