internet reroute on wifes pc


  • This topic is locked
2 replies to this topic

#1 TNieland

TNieland

  • Members
  • 2 posts

Posted 05 January 2011 - 02:32 AM

Hi

Thanks for the help in advance!! My wife's laptop has a rootkit on it; it reroutes internet traffic intermittently. Malwarebytes said it detected a rootkit but won't delete it. I've read the prep guide, so here it goes.

DDS file

DDS (Ver_10-12-12.02) - NTFSx86
Run by Cali at 19:50:26.32 on Tue 01/04/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.835 [GMT -8:00]


============== Running Processes ===============

D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
D:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\acs.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS\System32\svchost.exe -k imgsvc
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\igfxpers.exe
D:\WINDOWS\RTHDCPL.EXE
D:\Program Files\Common Files\Java\Java Update\jusched.exe
E:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
D:\32788R22FWJFW\iexplore.exe
D:\32788R22FWJFW\FireFox.exe
D:\32788R22FWJFW\FireFox.exe
H:\dds.scr
D:\Program Files\Internet Explorer\iexplore.exe

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:8074
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "d:\program files\messenger\msmsgs.exe" /background
mRun: [igfxtray] d:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] d:\windows\system32\hkcmd.exe
mRun: [igfxpers] d:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] d:\program files\realtek\installshield\AzMixerSel.exe
mRun: [SetDefPrt] e:\program files\brother\brmfl04g\BrStDvPt.exe
mRun: [ACU] "c:\program files\atheros\ACU.exe" -nogui
mRun: [SunJavaUpdateSched] "d:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "d:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "e:\program files\itunes\iTunesHelper.exe"
StartupFolder: d:\documents and settings\cali\start menu\programs\startup\PowerReg Scheduler V3.exe
StartupFolder: d:\docume~1\cali\startm~1\programs\startup\vcastm~1.lnk - e:\program files\v cast media manager\MEMonitor.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\nikonm~1.lnk - d:\program files\common files\nikon\monitor\NkMonitor.exe
IE: E&xport to Microsoft Excel - e:\progra~1\micros~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\micros~1\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\cali\applic~1\mozilla\firefox\profiles\zw9viv89.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\acrobat 7.0\reader\browser\nppdf32.dll
FF - plugin: d:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: e:\program files\itunes\mozilla plugins\npitunes.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - e:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

S3 epmntdrv;epmntdrv;d:\windows\system32\epmntdrv.sys [2010-12-8 13192]
S3 EuGdiDrv;EuGdiDrv;d:\windows\system32\EuGdiDrv.sys [2010-12-8 8456]
S4 gupdate;Google Update Service (gupdate);"d:\program files\google\update\googleupdate.exe" /svc --> d:\program files\google\update\GoogleUpdate.exe [?]

=============== Created Last 30 ================

2011-01-05 02:08:05 -------- d-s---w- D:\ComboFix
2011-01-04 05:24:18 -------- d-----w- d:\windows\SxsCaPendDel
2011-01-02 04:43:53 -------- d-----w- d:\windows\system32\wbem\repository\FS
2011-01-02 04:43:53 -------- d-----w- d:\windows\system32\wbem\Repository
2011-01-01 19:48:07 0 ----a-w- d:\windows\system32\drivers\sst4B.tmp
2010-12-28 03:16:26 -------- d-----w- d:\program files\JumpStart
2010-12-22 22:27:32 -------- d-----w- d:\program files\iPod
2010-12-22 22:23:57 -------- d-----w- d:\program files\Bonjour
2010-12-12 22:53:31 -------- d-----w- d:\docume~1\cali\applic~1\FastStone
2010-12-08 21:21:07 86408 ------w- d:\windows\system32\setupempdrv03.exe
2010-12-08 21:21:07 8456 ------w- d:\windows\system32\EuGdiDrv.sys
2010-12-08 21:21:07 2217088 ------w- d:\windows\system32\BootMan.exe
2010-12-08 21:21:07 14848 ------w- d:\windows\system32\EuEpmGdi.dll
2010-12-08 21:21:07 13192 ------w- d:\windows\system32\epmntdrv.sys
2010-12-08 21:20:52 -------- d-----w- d:\program files\EASEUS

==================== Find3M ====================

2010-11-30 01:38:30 94208 ------w- d:\windows\system32\QuickTimeVR.qtx
2010-11-30 01:38:30 69632 ------w- d:\windows\system32\QuickTime.qts
2010-11-13 04:11:27 106496 ------w- d:\windows\system32\ATL71.DLL
2010-11-10 01:52:52 73728 ------w- d:\windows\system32\javacpl.cpl
2010-11-10 01:52:52 411368 ------w- d:\windows\system32\deployJava1.dll
2010-10-07 20:23:02 91424 ------w- d:\windows\system32\dnssd.dll
2010-10-07 20:23:02 107808 ------w- d:\windows\system32\dns-sd.exe

============= FINISH: 19:56:40.87 ===============

Attach below

GMER below

thanks

Tom

Attached Files
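The detail in the DDS report that matches the "reroutes internet traffic" symptom is the line "uInternet Settings,ProxyServer = http=127.0.0.1:8074": a per-user WinINet proxy pointing at the laptop itself, so whatever is listening on that local port sits between Internet Explorer and the network, while Firefox's "network.proxy.type - 0" means Firefox is configured for a direct connection. As an added example, not part of this post and not code from the DDS tool or BleepingComputer, the Python script below parses the Pseudo HJT lines of such a report and flags a proxy pointing at the loopback address, autorun entries given without an absolute path, and the contrast with the Firefox proxy setting. The sample input is the relevant subset of lines copied from the report in this post; the severity labels, finding format and function names are my own choices.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log.

Added example (not part of the post or of the DDS tool): it flags browser
proxy settings that point at the local machine and autorun entries that
give no absolute path. Severity labels and function names are assumptions.
"""
import re

# Relevant subset of lines copied from the DDS report posted in this thread.
SAMPLE_REPORT = r"""uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:8074
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [igfxtray] d:\windows\system32\igfxtray.exe
FF - prefs.js: network.proxy.type - 0
"""

# Hosts that mean "a process on this same machine".
LOOPBACK_HOST = re.compile(r"^(127(?:\.\d{1,3}){3}|localhost|::1|\[::1\])$", re.IGNORECASE)
# DDS prefixes HKCU entries with 'u' and HKLM entries with 'm'.
SETTING_LINE = re.compile(r"^(?P<scope>[um])Internet Settings,(?P<key>\w+) = (?P<value>.*)$")
RUN_LINE = re.compile(r"^(?P<scope>[um])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
FF_PROXY_TYPE = re.compile(r"^FF - prefs\.js: network\.proxy\.type - (?P<value>\d+)$")
ABSOLUTE_PATH = re.compile(r'^"?[a-z]:\\', re.IGNORECASE)


def parse_proxy_server(value):
    """Split a WinINet ProxyServer value into (scheme, host, port) tuples.

    The value is either 'host:port' (one proxy for every protocol, scheme '*')
    or a ';'-separated list of 'scheme=host:port' entries.
    """
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, hostport = part.partition("=")
        if not sep:
            scheme, hostport = "*", part
        host, sep, port = hostport.rpartition(":")
        if not sep:  # no port given
            host, port = hostport, ""
        entries.append((scheme.lower(), host, port))
    return entries


def triage(report_text):
    """Return a list of findings, each a dict with severity, indicator and reason."""
    findings = []
    loopback_proxy = False
    ff_proxy_type = None
    for raw in report_text.splitlines():
        line = raw.strip()
        m = SETTING_LINE.match(line)
        if m:
            scope = "current user (HKCU)" if m["scope"] == "u" else "all users (HKLM)"
            if m["key"] == "ProxyServer":
                for scheme, host, port in parse_proxy_server(m["value"]):
                    if LOOPBACK_HOST.match(host):
                        loopback_proxy = True
                        findings.append({
                            "severity": "high", "indicator": line,
                            "reason": (f"{scheme} proxy for {scope} points at the local "
                                       f"machine on port {port or '?'}: whatever listens "
                                       "there sees and can redirect all WinINet browser traffic"),
                        })
                    else:
                        findings.append({
                            "severity": "medium", "indicator": line,
                            "reason": f"{scheme} proxy for {scope} is set to {host}; confirm it is expected",
                        })
            elif m["key"] == "ProxyOverride":
                findings.append({
                    "severity": "info", "indicator": line,
                    "reason": "addresses excluded from the proxy; only meaningful together with ProxyServer",
                })
            continue
        m = RUN_LINE.match(line)
        if m:
            if not ABSOLUTE_PATH.match(m["cmd"]):
                findings.append({
                    "severity": "low", "indicator": line,
                    "reason": (f"autorun '{m['name']}' gives no absolute path, so the binary "
                               "is resolved via the search path; check which file actually runs"),
                })
            continue
        m = FF_PROXY_TYPE.match(line)
        if m:
            ff_proxy_type = int(m["value"])
    if loopback_proxy and ff_proxy_type == 0:
        findings.append({
            "severity": "info", "indicator": "network.proxy.type = 0",
            "reason": ("Firefox is set to a direct connection while the WinINet proxy is "
                       "loopback, so the redirection affects WinINet clients such as IE, not Firefox"),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f['severity']:6}] {f['indicator']}\n         {f['reason']}")
```

Run against the sample, the script reports the loopback proxy on port 8074 as the one high-severity finding, the two autorun entries without a path (RTHDCPL.EXE and ALCMTR.EXE, both normal Realtek entries on this machine but worth a glance in any report) as low, and the ProxyOverride and Firefox cross-check as informational. The point of the cross-check is that a loopback WinINet proxy explains rerouting in Internet Explorer without touching Firefox's own settings.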

#2 TNieland

TNieland
  • Topic Starter

  • Members
  • 2 posts

Posted 05 January 2011 - 09:07 PM

Never mind, set up dual boot to Vista and cleaned with Malwarebytes and Avast.

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 07 January 2011 - 03:39 PM

Thanks for letting me know.

-----------------------------------------------

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
