Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Suspected router infection, with underlying issues.


  • This topic is locked This topic is locked
3 replies to this topic

#1 ThatGirl

ThatGirl

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:07:30 AM

Posted 17 December 2010 - 01:03 AM

To start from the beginning, this is a super old Dell desktop (maybe not super. More like 4 - 5 years old at the most). Its been through its own fair share of viruses and what have you and re-installations. This past thanksgiving break I was feeling very iffy about the computer *still* running windows XP SP3, an instillation that too had been through a virus. I insisted that my mother not use it for anything other then games (but she doesn't listen to me T__T) so I decided to do a reinstall. And then I realized that I don't have the installation stuff for windows XP. Well, I'm a CS major and my school gave us MSDN keys for a hand full of windows products to I put windows 7 on the computer the saturday of thanksgiving, installed Microsoft security essentials, firefox and then left.

I come back today the beginning of my winter break and found what seemed to be the startings of a router infection (yay redirecting my google searches!). So I ran Malwarebytes and MSE, but to no avail, nothing was caught. So I downloaded GMER and DDS and ran them like prescribed after installing adblock plus and updating firefox. While DDS was running I noticed that MSE said it hadn't been allowed to do a scan in a week and from there things got worse. I have the DDS and the ATTACH files. But the first time I ran the GMER it froze (the whole computer I mean) and I restarted. Then the second time I ran it I got a BSOD with the message "PAGE_FAULT_IN_NON_PAGE_AREA" and so I'm posting this now before attempting another go at GMER.

This computer really needs to be put down, but its pretty much the only one here.

Also I am not against a complete reinstall, there isn't really anything on here and I want to partition it and mess around with some linux (or is that too much for this rusty old box?)

EDIT: I ran GMER just as I posted this and as I write this there is a "gmer.exe has stopped working" message. It's stopped at "\Device\HarddiskVolumeShadowCopy3" (which I can see in the bottom left on the screen. So, yea. Help would be appreciated. Thanks for taking the time to read this.

EDIT2: I realize I didn't post the DDS in here. Whups.


DDS (Ver_10-12-12.02) - NTFSx86
Run by CAROL at 0:47:16.80 on Fri 12/17/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.1022.429 [GMT -5:00]

AV: Microsoft Security Essentials *Enabled/Updated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
SP: Microsoft Security Essentials *Enabled/Updated* {043D0A38-D4E9-7ACE-0E8C-CBBC6A7A24DB}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchFilterHost.exe
C:\Users\CAROL\Downloads\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

================= FIREFOX ===================

FF - ProfilePath - c:\users\carol\appdata\roaming\mozilla\firefox\profiles\96qwm9lr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.blackvoices.com/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 42368]
R3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2009-7-13 266752]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-12-9 1343400]

=============== Created Last 30 ================

2010-12-17 05:23:56 -------- d-----w- c:\users\carol\appdata\roaming\Malwarebytes
2010-12-17 05:23:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-17 05:23:44 -------- d-----w- c:\progra~2\Malwarebytes
2010-12-17 05:23:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-17 05:23:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-17 04:07:18 -------- d-----w- c:\users\carol\appdata\local\GameHouse
2010-12-17 03:25:21 -------- d-----w- c:\users\carol\appdata\roaming\enchant
2010-12-17 03:24:17 -------- d-----w- c:\users\carol\appdata\roaming\.purple
2010-12-17 03:10:10 -------- d-----w- c:\progra~2\Trymedia
2010-12-17 03:08:21 -------- d-----w- c:\program files\Bejeweled 3
2010-12-17 02:53:44 -------- d-----w- c:\program files\uTorrent
2010-12-17 02:52:33 -------- d-----w- c:\users\carol\appdata\roaming\uTorrent
2010-12-17 02:51:09 6273872 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{50ac2de4-b6f2-4273-bd27-e46ea818b263}\mpengine.dll
2010-12-15 03:42:01 978944 ----a-w- c:\windows\system32\wininet.dll
2010-12-15 03:42:01 860160 ----a-w- c:\program files\internet explorer\iedvtool.dll
2010-12-15 03:42:00 673040 ----a-w- c:\program files\internet explorer\iexplore.exe
2010-12-12 05:10:23 -------- d-----w- c:\users\carol\appdata\local\Microsoft Games
2010-12-09 19:34:27 -------- d-----w- c:\windows\system32\Wat
2010-12-09 19:33:56 6273872 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2010-12-02 02:42:15 -------- d-----w- c:\users\carol\appdata\local\Mozilla
2010-11-28 16:22:40 257024 ----a-w- c:\windows\system32\msv1_0.dll
2010-11-28 16:20:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-11-28 16:20:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-11-28 16:20:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-11-28 16:20:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-11-28 16:20:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-11-28 16:11:38 -------- d-----w- c:\progra~2\NVIDIA Corporation
2010-11-28 16:11:25 -------- d-----w- c:\program files\NVIDIA Corporation
2010-11-28 16:07:58 190976 ----a-w- c:\windows\system32\drivers\ks.sys
2010-11-28 16:06:09 133720 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2010-11-28 16:06:09 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2010-11-28 16:06:04 26504 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2010-11-28 16:06:02 41984 ----a-w- c:\windows\system32\drivers\usbehci.sys
2010-11-28 16:06:02 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys
2010-11-28 16:06:00 316928 ----a-w- c:\windows\system32\spoolsv.exe
2010-11-28 16:05:54 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2010-11-28 16:05:54 1320960 ----a-w- c:\windows\system32\CertEnroll.dll
2010-11-28 16:05:53 507568 ----a-w- c:\windows\system32\winload.exe
2010-11-28 16:05:52 442920 ----a-w- c:\windows\system32\winresume.exe
2010-11-28 16:03:59 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys
2010-11-28 16:01:29 738816 ----a-w- c:\windows\system32\wmpmde.dll
2010-11-28 15:54:02 365568 ----a-w- c:\windows\system32\secproc_isv.dll
2010-11-28 15:54:01 85504 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-11-28 15:54:01 85504 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-11-28 15:54:01 369152 ----a-w- c:\windows\system32\secproc.dll
2010-11-28 15:54:01 324608 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-11-28 15:54:01 320512 ----a-w- c:\windows\system32\RMActivate.exe
2010-11-28 15:54:00 280064 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-11-28 15:54:00 277504 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-11-28 15:53:59 7680 ----a-w- c:\program files\internet explorer\iecompat.dll
2010-11-28 15:53:58 363520 ----a-w- c:\windows\system32\StructuredQuery.dll
2010-11-28 15:53:56 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-11-28 15:53:56 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-11-28 15:53:56 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-11-28 15:51:24 70656 ----a-w- c:\windows\system32\fontsub.dll
2010-11-28 15:51:13 132608 ----a-w- c:\windows\system32\cabview.dll
2010-11-28 15:51:12 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-11-28 15:47:22 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-11-28 15:47:18 -------- d-sh--w- c:\windows\Installer
2010-11-28 15:46:42 -------- d-----w- c:\program files\Microsoft Games
2010-11-28 09:26:16 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{2ec2b384-a111-4a6d-a65d-4355bd57b45f}\mpengine.dll
2010-11-28 09:26:15 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-11-28 09:04:58 -------- d-----w- c:\windows\Panther
2010-11-28 08:53:59 -------- dc----w- C:\Windows.old
2010-11-28 06:55:55 -------- d-sh--w- C:\Recovery
2010-11-28 06:49:18 -------- d-----w- c:\windows\system32\wbem\Performance
2010-11-28 05:42:15 -------- dcsh--w- C:\Boot

==================== Find3M ====================

2010-11-04 05:48:36 44544 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-04 04:41:26 386048 ----a-w- c:\windows\system32\html.iec
2010-11-04 04:08:54 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-11-02 04:41:12 351232 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-11-02 04:40:36 496128 ----a-w- c:\windows\system32\taskschd.dll
2010-11-02 04:40:36 305152 ----a-w- c:\windows\system32\taskcomp.dll
2010-11-02 04:39:32 749056 ----a-w- c:\windows\system32\schedsvc.dll
2010-11-02 04:34:44 192000 ----a-w- c:\windows\system32\taskeng.exe
2010-11-02 04:34:33 179712 ----a-w- c:\windows\system32\schtasks.exe
2010-10-27 04:32:36 2048 ----a-w- c:\windows\system32\tzres.dll
2010-10-20 04:54:18 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-10-20 03:00:24 2327552 ----a-w- c:\windows\system32\win32k.sys
2010-10-20 02:58:41 294400 ----a-w- c:\windows\system32\atmfd.dll
2010-10-16 04:41:02 101760 ----a-w- c:\windows\system32\consent.exe
2010-10-16 04:36:10 314368 ----a-w- c:\windows\system32\webio.dll

============= FINISH: 0:48:41.54 ===============

Attached Files


Edited by ThatGirl, 17 December 2010 - 01:09 AM.


BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:30 AM

Posted 27 December 2010 - 12:15 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.


We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Posted Image
    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply





Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


"just click on Cancel, then Accept".


information and logs:

  • In your next post I need the following

  • .logs from DDS
  • log from RKUnHooker
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:30 AM

Posted 30 December 2010 - 11:10 PM

Hello

three day bump

It has been Three days since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:30 AM

Posted 02 January 2011 - 11:37 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users