redirect virus


This topic is locked
6 replies to this topic

#1 tienson

tienson

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:01 AM

Posted 18 February 2011 - 07:43 PM

I have 3 machines infected w/ this, all different OS; this is the first one. Thanks for your time on this.


DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2/5/2011 11:45:05 AM
System Uptime: 2/12/2011 6:57:58 PM (142 hours ago)

Motherboard: Dell Inc. | | 0GM819
Processor: Intel® Core™2 Duo CPU E6550 @ 2.33GHz | CPU | 2327/1333mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 373 GiB total, 366.804 GiB free.
D: is CDROM (CDFS)

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Video Controller (VGA Compatible)
Device ID: PCI\VEN_8086&DEV_29B2&SUBSYS_02111028&REV_02\3&172E68DD&0&10
Manufacturer:
Name: Video Controller (VGA Compatible)
PNP Device ID: PCI\VEN_8086&DEV_29B2&SUBSYS_02111028&REV_02\3&172E68DD&0&10
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Video Controller
Device ID: PCI\VEN_8086&DEV_29B3&SUBSYS_02111028&REV_02\3&172E68DD&0&11
Manufacturer:
Name: Video Controller
PNP Device ID: PCI\VEN_8086&DEV_29B3&SUBSYS_02111028&REV_02\3&172E68DD&0&11
Service:

Class GUID:
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_8086&DEV_29B4&SUBSYS_02111028&REV_02\3&172E68DD&0&18
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_8086&DEV_29B4&SUBSYS_02111028&REV_02\3&172E68DD&0&18
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel 82542-based Gigabit Adapter
Device ID: PCI\VEN_8086&DEV_29B7&SUBSYS_02111028&REV_02\3&172E68DD&0&1B
Manufacturer: Intel
Name: Intel 82542-based Gigabit Adapter
PNP Device ID: PCI\VEN_8086&DEV_29B7&SUBSYS_02111028&REV_02\3&172E68DD&0&1B
Service: E1000

DDS (Ver_10-12-12.02) - NTFSx86
Run by Jason at 16:12:06.53 on Fri 02/18/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2005.1435 [GMT -8:00]

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ativa\USB AWGUA54\Wireless Utility\Ativawcui.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Jason\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ativaw~1.lnk - c:\program files\ativa\usb awgua54\wireless utility\Ativawcui.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8CFCF42C-1C64-47D6-AEEC-F9D001832ED3} - hxxp://xserv.dell.com/DellDriverScanner/DellSystem.CAB
LSA: Authentication Packages = msv1_0 nwprovau

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jason\applic~1\mozilla\firefox\profiles\4fjd8p3s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsl1a70944e;MpKsl1a70944e;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c3b718f6-0dc6-48b3-8e8d-beaa0a6d3cf3}\MpKsl1a70944e.sys [2011-2-17 28752]
S0 cerc6;cerc6; [x]
S3 ODWGU(Ativa);Ativa Wireless G USB Network Adapter(Ativa);c:\windows\system32\drivers\ODWGU.sys [2011-2-5 408064]

=============== Created Last 30 ================

2011-02-18 23:01:42 -------- d-----w- c:\docume~1\jason\applic~1\Malwarebytes
2011-02-18 23:01:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-18 23:01:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-02-18 23:01:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-18 23:01:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-18 03:11:59 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{c3b718f6-0dc6-48b3-8e8d-beaa0a6d3cf3}\MpKsl1a70944e.sys
2011-02-18 03:11:48 5890896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{c3b718f6-0dc6-48b3-8e8d-beaa0a6d3cf3}\mpengine.dll
2011-02-13 20:04:27 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-02-13 20:04:27 215920 ----a-w- c:\windows\system32\muweb.dll
2011-02-13 20:04:27 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-02-13 03:10:53 5890896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-02-13 03:10:33 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-13 03:06:09 -------- d-----w- c:\program files\Microsoft Security Client
2011-02-13 02:55:04 -------- d-----w- C:\Intel
2011-02-13 02:38:02 66424 ----a-w- c:\windows\system32\NicEtCoE.dll
2011-02-13 02:38:02 62840 ----a-w- c:\windows\system32\NicInstE.dll
2011-02-13 02:38:02 28536 ----a-w- c:\windows\system32\NicCo.dll
2011-02-13 02:38:02 254872 ----a-w- c:\windows\system32\drivers\e1e5132.sys
2011-02-13 02:38:02 179048 ----a-w- c:\windows\system32\e1000msg.dll
2011-02-13 02:38:02 154496 ----a-w- c:\windows\system32\Prounstl.exe
2011-02-13 02:23:20 -------- d-sh--w- c:\documents and settings\jason\IECompatCache
2011-02-13 02:22:24 -------- d-sh--w- c:\documents and settings\jason\PrivacIE
2011-02-13 02:21:28 -------- d-sh--w- c:\documents and settings\jason\IETldCache
2011-02-13 02:13:54 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
2011-02-13 02:13:47 -------- d-----w- c:\windows\ie8updates
2011-02-13 02:13:44 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-02-13 02:13:44 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-02-13 02:13:44 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-02-13 02:13:44 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-02-13 02:13:44 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-02-13 02:13:44 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-02-13 02:13:44 11080704 -c----w- c:\windows\system32\dllcache\ieframe.dll
2011-02-13 02:13:30 -------- dc-h--w- c:\windows\ie8
2011-02-13 02:08:59 2192768 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2011-02-13 02:08:59 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2011-02-13 02:08:58 2027008 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2011-02-13 02:08:54 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-13 02:08:48 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2011-02-13 02:08:48 272128 ------w- c:\windows\system32\drivers\bthport.sys
2011-02-13 02:08:44 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2011-02-13 02:06:38 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2011-02-13 02:06:38 -------- d-----w- c:\windows\system32\PreInstall
2011-02-13 02:06:37 -------- d--h--w- c:\windows\$hf_mig$
2011-02-13 02:04:47 -------- d-sh--w- c:\documents and settings\jason\UserData
2011-02-13 02:04:37 -------- d-----w- c:\windows\system32\SoftwareDistribution
2011-02-13 01:37:17 0 ----a-w- c:\windows\invcol.tmp
2011-02-12 22:06:58 -------- d-----w- c:\windows\system32\appmgmt
2011-02-12 21:59:26 -------- d-----w- c:\docume~1\jason\locals~1\applic~1\Identities
2011-02-12 05:29:00 50719 -c--a-w- c:\windows\system32\dllcache\e1000nt5.sys
2011-02-12 05:29:00 50719 ----a-w- c:\windows\system32\drivers\e1000nt5.sys
2011-02-12 05:20:52 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2011-02-12 04:16:07 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2011-02-12 04:16:07 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-02-12 04:12:56 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2011-02-12 04:12:56 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-02-12 04:12:45 3328 -c--a-w- c:\windows\system32\dllcache\pciide.sys
2011-02-12 04:12:45 3328 ----a-w- c:\windows\system32\drivers\pciide.sys
2011-02-05 20:40:10 408064 ----a-r- c:\windows\system32\drivers\ODWGU.sys
2011-02-05 20:40:03 -------- d-----w- c:\program files\Ativa
2011-02-05 20:39:55 -------- d-----w- c:\windows\Downloaded Installations
2011-02-05 20:02:05 -------- d-----w- c:\windows\system32\ReinstallBackups


GMER log
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-02-18 16:34:24
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.GMDO
Running: 4m7xkqon.exe; Driver: C:\DOCUME~1\Jason\LOCALS~1\Temp\pwliafoc.sys


---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\Jason\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- EOF - GMER 1.0.15 ----


#2 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:11:01 AM

Posted 19 February 2011 - 09:55 AM

Let's try resetting your router to see if it fixes the issues you are experiencing:

Router Reset
  • Please read this: Malware Silently Alters Wireless Router Settings

  • Consult this link to find out what is the default username and password of your router and note them down: Route Passwords

  • Then reset your router to its factory default settings:

    "If your machine has been infected by one of these Zlob/DNSchanger Trojans, and your router settings have been altered, I would strongly recommend that you reset the router to its default configuration. Usually, this can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 30 seconds)"

  • This is the difficult part.
    First get to the router's server. To do that type http://192.168.1.1 in the address bar and click Enter. You get the log in window.
    Fill in the password you have already found and you will get the configuration page.
    Configure the router to allow you to connect to your ISP server. In some routers it is done by a setup wizard. But you have to fill in the log in password your ISP has initially given to you.
    You can also call your ISP if you don't have your initial password.
    Don't forget to change the router's default password and set a strong password. Note down the password and keep it somewhere for future reference.

  • Please make sure of the following settings:
    • Go to Start -> Control Panel -> Double click on Network Connections.
    • Right click on your default connection (usually Local Area Connection or Wireless Network Connection) and select Properties.
    • Select the General tab.
    • Double click on Internet Protocol (TCP/IP).
    • Under General tab:
      • Select "Obtain an IP address automatically".
      • Select "Obtain DNS server address automatically".
    • Click OK twice to save the settings.
    • Reboot if you had to change any setting.

NEXT:



Flush the DNS cache
  • Click the Start logo in the bottom left corner of the screen
  • Click on Run
  • In the command window copy/paste the following
ipconfig /flushdns
  • then hit enter
  • Exit the command window.

After that, Reboot

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
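As an added example (not part of the thread or of any tool mentioned in it), the following Python script checks the settings listed above on each machine: it parses a constructed `ipconfig /all` excerpt and flags adapters that are not obtaining their address automatically, or whose DNS servers point outside the local subnet, which is what a DNSChanger-style router alteration leaves behind. It assumes the Windows XP `ipconfig /all` field layout; the sample text and adapter names are constructed.

```python
import re
from ipaddress import ip_address, ip_interface

# Constructed `ipconfig /all` excerpt (not from the thread): one adapter still on DHCP
# with the router as DNS, one silently switched to static, off-subnet DNS servers.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
        DHCP Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.23
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        DNS Servers . . . . . . . . . . . : 192.168.1.1
Ethernet adapter Wireless Network Connection:
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.24
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        DNS Servers . . . . . . . . . . . : 203.0.113.9
                                            203.0.113.10
"""
FIELD_RE = re.compile(r"^\s+([A-Za-z ]+?)[ .]*: ?(.*)$")  # "Name . . . : value"

def parse_ipconfig(text):
    """Return {adapter: {field: [values]}}; unnamed indented lines continue the previous field."""
    adapters, adapter, field = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            adapter, field = line.strip()[:-1], None
            adapters[adapter] = {}
        elif adapter is not None and (m := FIELD_RE.match(line)):
            field = m.group(1).strip()
            adapters[adapter].setdefault(field, []).append(m.group(2).strip())
        elif adapter is not None and field is not None:
            adapters[adapter][field].append(line.strip())  # e.g. second DNS server
    return adapters

def audit_dns(adapters):
    """Flag adapters not on DHCP, or whose DNS servers lie outside their own subnet."""
    findings = []
    for name, cfg in adapters.items():
        if cfg.get("DHCP Enabled", [""])[0] != "Yes":
            findings.append((name, "static configuration; set IP and DNS to automatic"))
        try:
            subnet = ip_interface(f"{cfg['IP Address'][0]}/{cfg['Subnet Mask'][0]}").network
        except (KeyError, ValueError):
            continue
        for dns in filter(None, cfg.get("DNS Servers", [])):
            if ip_address(dns) not in subnet:
                findings.append((name, f"DNS server {dns} is outside {subnet}; confirm it is your ISP's"))
    return findings
```

Run `ipconfig /all > ipconfig.txt` on each machine and pass the file contents to `audit_dns(parse_ipconfig(...))`; an empty result means every adapter is on DHCP with on-subnet DNS.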


#3 tienson

tienson
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:01 AM

Posted 19 February 2011 - 07:27 PM

This seems to have worked, thank you. I assume I repeat the DNS flush on the other machines?

#4 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:11:01 AM

Posted 19 February 2011 - 07:28 PM

Yes.



#5 tienson

tienson
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:01 AM

Posted 19 February 2011 - 07:44 PM

After running multiple antivirus/malware programs and rootkills I had run out of options. This has worked on all computers and the router is secured. Thank you very much for your speedy help, you guys are awesome.

#6 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:11:01 AM

Posted 19 February 2011 - 07:49 PM

You're more than welcome. Glad to be of assistance.



#7 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:11:01 AM

Posted 22 February 2011 - 07:49 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
