
Infected with Redirecter/Popup/Malware


This topic is locked
1 reply to this topic

#1 alexpwns

  • Members
  • 1 posts
  • OFFLINE
  • Local time: 11:44 AM

Posted 03 January 2011 - 08:22 PM

I use Vista operating system, 32bit. Dell laptop is a couple of months old.
About a week ago, I started getting Internet Explorer popups, even though I only use Firefox. My computer would also randomly start playing music/advertisements (sound only). Later, notification boxes would pop up saying something along the lines of "The web page you are viewing is trying to close the window". The prompts would just pile up on each other. Finally, Google redirects me. I would click on the search results I got from Google, but instead of going to that page I am redirected to a random site. Prior to all this, I had McAfee, but even after I ran a full scan, nothing turned up. I downloaded and ran Spybot and that found some things and seemed to stop the problem of the notification boxes and the music. However, today when I opened my laptop, I had about 5 IE popups, and when I tried to use Google it redirected me. I downloaded and used ComboFix, and at the moment Google is not redirecting me, but I'd like to be sure. Below are my DDS and GMER logs, and I have the CF log if needed as well. Thanks in advance for the help.
----

DDS (Ver_10-12-12.02) - NTFSx86
Run by Alex at 16:54:36.82 on Mon 01/03/2011
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2012.1004 [GMT -8:00]

AV: McAfee VirusScan *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee VirusScan *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Personal Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k HsfXAudioService
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Yfywea.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\notepad.exe
C:\Windows\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Users\Alex\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\client server security agent\bho\1009\TmIEPlg.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAStorIcon] c:\program files\intel\intel® rapid storage technology\IAStorIcon.exe
mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDell2.exe" /mode2
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mif5ba~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mif5ba~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} -
Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\alex\appdata\roaming\mozilla\firefox\profiles\f27d05l7.default\
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-10-13 386840]
R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\drivers\tmlwf.sys [2009-7-15 146448]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [2009-7-13 20992]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\intel\intel® rapid storage technology\IAStorDataMgrSvc.exe [2010-11-30 13336]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-12-24 203280]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-12-24 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-12-24 144704]
R2 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2010-6-24 91456]
R2 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2010-10-30 47104]
R2 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [2010-10-30 49152]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-7-6 50704]
R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\drivers\tmwfp.sys [2009-7-15 283152]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2010-11-30 146528]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-12-24 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-12-24 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-12-24 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-12-24 34248]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-12-24 40552]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-10-30 167936]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-1-2 1153368]
S2 svcGenericHost;Trend Micro Client/Server Security Agent;"c:\program files\trend micro\client server security agent\hostedagent\svcgenerichost.exe" --> c:\program files\trend micro\client server security agent\hostedagent\svcGenericHost.exe [?]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\drivers\CtAudDrv.sys [2010-11-30 134144]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 motandroidusb;Mot ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys [2009-7-10 25856]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-12-24 27192]
S3 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [2010-10-30 38400]
S3 TmPfw;Trend Micro Client/Server Security Agent Personal Firewall;"c:\program files\trend micro\client server security agent\tmpfw.exe" --> c:\program files\trend micro\client server security agent\TmPfw.exe [?]
S3 TmProxy;Trend Micro Client/Server Security Agent Proxy Service;"c:\program files\trend micro\client server security agent\tmproxy.exe" --> c:\program files\trend micro\client server security agent\TmProxy.exe [?]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-12-25 1343400]

=============== Created Last 30 ================

2011-01-04 00:43:24 -------- d-sh--w- C:\$RECYCLE.BIN
2011-01-04 00:29:47 98816 ----a-w- c:\windows\sed.exe
2011-01-04 00:29:47 89088 ----a-w- c:\windows\MBR.exe
2011-01-04 00:29:47 256512 ----a-w- c:\windows\PEV.exe
2011-01-04 00:29:47 161792 ----a-w- c:\windows\SWREG.exe
2011-01-04 00:29:37 -------- d-----w- C:\ComboFix
2011-01-02 08:04:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-01-02 08:04:29 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2011-01-01 08:10:17 -------- d-----w- c:\users\alex\appdata\local\VS Revo Group
2011-01-01 07:04:03 212480 ----a-w- c:\windows\Yfywea.exe
2011-01-01 07:03:49 76800 --sha-r- c:\windows\system32\shsetupv.dll
2010-12-27 02:59:54 -------- d-----w- c:\program files\CDisplay
2010-12-26 04:58:02 -------- d-----w- c:\users\alex\appdata\local\Microsoft Help
2010-12-26 03:26:53 -------- d-----w- c:\users\alex\appdata\local\Adobe
2010-12-26 03:26:13 -------- d-----w- c:\progra~2\McAfee Security Scan
2010-12-26 03:26:08 -------- d-----w- c:\program files\McAfee Security Scan
2010-12-25 23:20:28 -------- d-----w- c:\users\alex\appdata\local\ElevatedDiagnostics
2010-12-25 23:20:04 -------- d-----w- c:\users\alex\appdata\local\Diagnostics
2010-12-25 11:28:42 -------- d-----w- c:\windows\system32\Wat
2010-12-25 11:12:18 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-12-25 11:12:18 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-12-25 11:12:18 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-12-25 11:12:18 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-12-25 11:12:17 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-12-25 11:01:52 -------- d-----w- c:\program files\MSXML 4.0
2010-12-25 05:51:02 -------- d-----w- c:\program files\Motorola
2010-12-25 05:49:53 -------- d-----w- c:\program files\common files\Motorola Shared
2010-12-25 02:18:16 -------- d-----w- c:\users\alex\appdata\roaming\Intel Corporation
2010-12-24 22:22:10 33104 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\msonpppr.dll
2010-12-24 22:22:10 32656 ----a-w- c:\windows\system32\msonpmon.dll
2010-12-24 21:49:12 27192 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-12-24 21:49:10 -------- d-----w- c:\program files\VS Revo Group
2010-12-24 21:45:22 -------- d-----w- c:\progra~2\Citrix
2010-12-24 21:44:37 -------- d-----w- c:\program files\Citrix
2010-12-24 21:01:10 176488 ----a-w- c:\progra~2\microsoft\windows\sqm\manifest\Sqm10136.bin
2010-12-24 20:45:58 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-12-24 20:45:57 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-12-24 20:45:57 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-12-24 20:45:55 130424 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-12-24 20:45:44 -------- d-----w- c:\program files\common files\McAfee
2010-12-24 20:45:43 -------- d-----w- c:\program files\McAfee.com
2010-12-24 20:45:42 -------- d-----w- c:\program files\McAfee
2010-12-24 20:44:06 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-12-24 20:22:53 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\backup\mpengine.dll
2010-12-24 20:22:50 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{4513cae2-1381-4937-9385-f184a39e7102}\mpengine.dll
2010-12-11 19:52:22 -------- d-----w- c:\program files\Full Tilt Poker
2010-12-11 19:14:28 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-12-11 19:11:58 28552 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\mdippr.dll
2010-12-11 19:11:58 28040 ----a-w- c:\windows\system32\mdimon.dll
2010-12-11 19:11:27 -------- d-----w- c:\program files\Microsoft ActiveSync

==================== Find3M ====================

2010-11-04 05:52:17 978944 ----a-w- c:\windows\system32\wininet.dll
2010-11-04 05:48:36 44544 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-04 04:41:26 386048 ----a-w- c:\windows\system32\html.iec
2010-11-04 04:08:54 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-11-02 04:41:12 351232 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-11-02 04:40:36 496128 ----a-w- c:\windows\system32\taskschd.dll
2010-11-02 04:40:36 305152 ----a-w- c:\windows\system32\taskcomp.dll
2010-11-02 04:39:32 749056 ----a-w- c:\windows\system32\schedsvc.dll
2010-11-02 04:34:44 192000 ----a-w- c:\windows\system32\taskeng.exe
2010-11-02 04:34:33 179712 ----a-w- c:\windows\system32\schtasks.exe
2010-10-27 04:32:36 2048 ----a-w- c:\windows\system32\tzres.dll
2010-10-20 04:54:18 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-10-20 03:00:24 2327552 ----a-w- c:\windows\system32\win32k.sys
2010-10-20 02:58:41 294400 ----a-w- c:\windows\system32\atmfd.dll
2010-10-16 04:41:02 101760 ----a-w- c:\windows\system32\consent.exe
2010-10-16 04:36:10 314368 ----a-w- c:\windows\system32\webio.dll

============= FINISH: 16:56:03.35 ===============

#2 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender: Male
  • Location: Greenup, Ill USA
  • Local time: 02:44 PM

Posted 03 January 2011 - 09:38 PM

Hello,

Since you have posted in another forum asking for assistance your topic will now be closed.

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

