Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

google redirection virus/trojan, blue screens etc


  • This topic is locked This topic is locked
3 replies to this topic

#1 Adrian86

Adrian86

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:50 PM

Posted 01 April 2011 - 05:58 AM

.
DDS (Ver_11-03-05.01) - NTFS_AMD64
Run by Adrian at 21:48:55.43 on Fri 01/04/2011
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.61.1033.18.6143.4628 [GMT 11:00]
.
AV: Sophos Anti-Virus *Disabled/Outdated* {479CCF92-4960-B3E0-7373-BF453B467D2C}
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Sophos Anti-Virus *Disabled/Outdated* {FCFD2E76-6F5A-BC6E-49C3-843740C13791}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
C:\Windows\Explorer.EXE
C:\Windows\SysWOW64\astsrv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Windows\SysWOW64\DeltaIITray.exe
C:\Program Files (x86)\Internode\mum.exe
C:\Program Files (x86)\NETGEAR\WN111v2\WN111v2.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Adrian\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SophosBHO.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\Spybot - Search & Destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [InternodeUsage] C:\PROGRA~2\Internode\mum.exe
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\NETGEAR WN111v2 Smart Wizard.lnk - C:\Program Files (x86)\NETGEAR\WN111v2\WN111v2.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\Spybot - Search & Destroy\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
AppInit_DLLs: C:\PROGRA~2\Sophos\Sophos Anti-Virus\sophos_detoured.dll,C:\PROGRA~2\Sophos\Sophos Anti-Virus\sophos_detoured.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
LSA: Authentication Packages = msv1_0 relog_ap
TB-X64: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
mRun-x64: [DeltaIITaskbarApp] C:\Windows\SysWOW64\DeltaIITray.exe
mRun-x64: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
AppInit_DLLs-X64: C:\PROGRA~2\Sophos\Sophos Anti-Virus\sophos_detoured_x64.dll,C:\PROGRA~2\Sophos\Sophos Anti-Virus\sophos_detoured_x64.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R1 JSWPSLWF;JumpStart Wireless Filter Driver;C:\Windows\System32\drivers\jswpslwfx.sys [2008-10-1 26624]
R1 SAVOnAccess;SAVOnAccess;C:\Windows\System32\drivers\savonaccess.sys [2011-4-1 142328]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-14 59904]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2009-10-16 135336]
R2 AntiVirService;Avira AntiVir Guard;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2009-10-16 269480]
R2 avgntflt;avgntflt;C:\Windows\System32\drivers\avgntflt.sys [2009-10-16 83120]
R2 cpuz133;cpuz133;C:\Windows\System32\drivers\cpuz133_x64.sys [2010-6-21 20968]
R2 cpuz135;cpuz135;C:\Windows\System32\drivers\cpuz135_x64.sys [2011-2-18 21992]
R2 LVPrcS64;Process Monitor;C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [2009-10-7 191000]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2009-11-20 240232]
R3 DELTAII;Service for M-Audio Delta Driver (WDM);C:\Windows\System32\drivers\MAudioDelta.sys [2009-7-27 392712]
R3 LVPr2M64;Logitech LVPr2M64 Driver;C:\Windows\System32\drivers\LVPr2M64.sys [2009-10-7 30232]
R3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\System32\drivers\lvrs64.sys [2009-11-17 327704]
R3 LVUVC64;Logitech Webcam 300(UVC);C:\Windows\System32\drivers\lvuvc64.sys [2009-11-17 6379288]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-9-28 395264]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-1-31 135664]
S3 jswpsapi;Jumpstart Wifi Protected Setup;C:\Program Files (x86)\NETGEAR\WN111v2\jswpsapi.exe [2008-2-29 942080]
S3 lvpopf64;Logitech POP Suppression Filter;C:\Windows\System32\drivers\lvpopf64.sys [2009-11-17 271640]
S3 PCAMp50a64;PCAMp50a64 NDIS Protocol Driver;C:\Windows\System32\drivers\PCAMp50a64.sys [2010-3-18 43328]
S3 PCASp50a64;PCASp50a64 NDIS Protocol Driver;C:\Windows\System32\drivers\PCASp50a64.sys [2010-3-18 41280]
S3 SophosBootDriver;SophosBootDriver;C:\Windows\System32\drivers\SophosBootDriver.sys [2011-4-1 25608]
S3 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 WN111v2;NETGEAR WN111v2 USB2.0 Wireless Card Service;C:\Windows\System32\drivers\WN111v2w7x.sys [2009-10-21 767488]
S3 WNDA3100;NETGEAR WNDA3100 USB2.0 Wireless Card Service;C:\Windows\System32\drivers\WNDA31w7x.sys [2009-10-21 767488]
S4 SAVAdminService;Sophos Anti-Virus status reporter;C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2011-4-1 163056]
S4 SAVService;Sophos Anti-Virus;C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe [2011-4-1 97520]
.
=============== File Associations ===============
.
.txt=
.
=============== Created Last 30 ================
.
2011-03-31 14:10:53 -------- d-----w- C:\PROGRA~3\Sophos Web Intelligence
2011-03-31 14:10:45 -------- d-----w- C:\Program Files (x86)\Common Files\Cisco Systems
2011-03-31 14:10:44 35568 ----a-w- C:\Windows\System32\SophosBootTasks.exe
2011-03-31 14:08:29 142328 ----a-w- C:\Windows\System32\drivers\savonaccess.sys
2011-03-31 14:06:37 25608 ----a-w- C:\Windows\System32\drivers\SophosBootDriver.sys
2011-03-31 12:55:51 -------- d-----w- C:\Users\Adrian\AppData\Local\Sophos
2011-03-31 12:53:17 -------- d-----w- C:\Program Files (x86)\Sophos
2011-03-31 12:53:16 -------- d-----w- C:\PROGRA~3\Sophos
2011-03-31 12:51:08 -------- d-----w- C:\stdtsa
2011-03-31 11:48:43 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2011-03-31 11:48:43 -------- d-----w- C:\PROGRA~3\Spybot - Search & Destroy
2011-03-31 02:46:41 8424784 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{85F617EB-A49A-4103-9EFF-CC6EBCC3C1C0}\mpengine.dll
2011-03-31 02:42:07 46080 ----a-w- C:\Windows\System32\atmlib.dll
2011-03-31 02:42:07 366080 ----a-w- C:\Windows\System32\atmfd.dll
2011-03-31 02:42:07 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2011-03-31 02:42:07 294400 ----a-w- C:\Windows\SysWow64\atmfd.dll
2011-03-31 02:41:47 3138048 ----a-w- C:\Windows\System32\mstscax.dll
2011-03-31 02:41:47 2690560 ----a-w- C:\Windows\SysWow64\mstscax.dll
2011-03-31 02:41:47 1097216 ----a-w- C:\Windows\System32\mstsc.exe
2011-03-31 02:41:47 1034240 ----a-w- C:\Windows\SysWow64\mstsc.exe
2011-03-30 05:09:49 0 ----a-w- C:\Users\Adrian\AppData\Local\Sparu.bin
2011-03-13 13:44:49 737280 ----a-w- C:\Windows\iun6002.exe
2011-03-13 13:44:45 -------- d-----w- C:\Program Files (x86)\Drumagog40
.
==================== Find3M ====================
.
2011-02-02 07:11:20 270720 ------w- C:\Windows\System32\MpSigStub.exe
2011-01-05 06:20:30 612352 ----a-w- C:\Windows\System32\vbscript.dll
2011-01-05 05:37:33 428032 ----a-w- C:\Windows\SysWow64\vbscript.dll
2011-01-05 04:00:16 3127808 ----a-w- C:\Windows\System32\win32k.sys
2006-05-03 09:06:54 163328 --sh--r- C:\Windows\SysWOW64\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- C:\Windows\SysWOW64\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- C:\Windows\SysWOW64\nbDX.dll
.
============= FINISH: 21:49:47.19 ===============

BC AdBot (Login to Remove)

 


#2 Adrian86

Adrian86
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:50 PM

Posted 01 April 2011 - 06:13 AM

I should add - at the time of the infection Avira detected the following infections and 'quarantined' them.

1. TR/ATRAPS.Gen2 Trojan
2. Contains recognition pattern of the JAVA/Stutter.E Java virus
3. Is the TR/Crypt.ZPACK.Gen2 Trojan
4. Is the TR/Dropper.Gen Trojan
5. Is the TR/Crypt.ZPACK.Gen2 Trojan
6. Is the TR/Crypt.ZPACK.Gen2 Trojan
7. Is the TR/Crypt.ZPACK.Gen2 Trojan
8. Is the TR/Crypt.ZPACK.Gen2 Trojan

#3 Adrian86

Adrian86
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:50 PM

Posted 01 April 2011 - 10:18 AM

I just ran Kaspersky TDSSKiller on my PC, it found an infection and cleaned it. So far I havent experienced any crashes, blue screens or browser redirects. The problem may be fixed.

#4 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:50 PM

Posted 01 April 2011 - 04:37 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users