redirect virus


This topic is locked.
2 replies to this topic

#1 leadsister


Posted 15 April 2011 - 04:15 PM

One of my workplace computers seems to have this nasty redirecting virus that others are talking about. I was able to run the DDS application, but not the GMER. When I double-click the GMER icon, nothing happens. Attached are the DDS logs and thank you for your help!


.
DDS (Ver_11-03-05.01) - NTFSx86
Run by dgray at 15:09:18.48 on Fri 04/15/2011
Internet Explorer: 9.0.8112.16421
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3292.1935 [GMT -6:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
C:\Program Files\QeNETS\QeNETS QSec\QSec Service.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxpers.exe
C:\Program Files\QeNETS\QeNETS QSec\QSec.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Users\dgray\AppData\Local\cleanhdd.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Intuit\QuickBooks Enterprise Solutions 11.0\qbw32.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\QeNETS\QeNETS QSec\clamscan.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\dgray\Desktop\dds.scr
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Bar = Preserve
uInternet Settings,ProxyServer = http=127.0.0.1:25544
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [<NO NAME>]
mRun: [QSec Startup] "c:\program files\qenets\qenets qsec\QSec.exe"
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~3.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbwebconnector\QBWebConnector.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~2.lnk - c:\program files\intuit\quickbooks enterprise solutions 11.0\QBW32.EXE
uPolicies-explorer: DisallowRun = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - c:\program files\intuit\quickbooks enterprise solutions 11.0\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: igfxcui - igfxdev.dll
LSA: Authentication Packages = msv1_0 wvauth
IFEO: image file execution options - svchost.exe
Hosts: 209.172.56.114 search.yahoo.com
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsldc258f9a;MpKsldc258f9a;c:\programdata\microsoft\microsoft antimalware\definition updates\{b365b31a-480b-46eb-9d83-8aaca35f4dc0}\MpKsldc258f9a.sys [2011-4-15 28752]
R2 QBVSS;QBIDPService;c:\program files\common files\intuit\dataprotect\QBIDPService.exe [2010-12-2 1251840]
R2 QSec;QeNETS QSec Service;c:\program files\qenets\qenets qsec\QSec Service.exe [2010-4-7 28672]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-1 136176]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2010-2-23 273448]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-2-23 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-4 1343400]
SUnknown dgyckukw;dgyckukw; [x]
.
=============== Created Last 30 ================
.
2011-04-15 21:08:21 28752 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{b365b31a-480b-46eb-9d83-8aaca35f4dc0}\MpKsldc258f9a.sys
2011-04-15 21:08:13 6792528 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{b365b31a-480b-46eb-9d83-8aaca35f4dc0}\mpengine.dll
2011-04-13 19:04:00 -------- d-----w- c:\program files\CleanUp!
2011-04-13 14:17:08 28672 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-04-13 14:17:08 132608 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-04-13 14:17:07 311808 ----a-w- c:\windows\system32\drivers\srv.sys
2011-04-13 14:17:07 310272 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-04-13 14:17:07 294912 ----a-w- c:\windows\system32\atmfd.dll
2011-04-13 14:17:07 114176 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-04-13 14:17:06 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-04-13 14:17:00 2333184 ----a-w- c:\windows\system32\win32k.sys
2011-04-13 14:16:59 741376 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-13 14:16:55 191488 ----a-w- c:\windows\system32\FXSCOVER.exe
2011-04-13 14:16:54 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-04-13 14:16:53 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-04-13 14:16:53 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-04-13 14:16:46 96768 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-04-13 14:16:46 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-04-13 14:16:46 223232 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-04-13 14:16:46 123904 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-12 20:29:45 -------- d-----w- c:\windows\pss
2011-04-12 20:19:23 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2011-04-12 20:19:22 46928 ----a-r- c:\windows\system32\AdobePDF.dll
2011-04-05 16:22:08 439632 ------w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{e2cada4a-01f2-41b7-b663-1ef8a015460c}\gapaengine.dll
2011-03-30 18:33:46 439632 ------w- c:\progra~2\microsoft\microsoft antimalware\definition updates\nisbackup\gapaengine.dll
2011-03-30 18:33:44 6792528 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-03-30 18:26:12 -------- d-----w- c:\program files\Microsoft Security Client
2011-03-29 15:49:19 6792528 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{0893ba9b-7522-482e-9631-b2da0f5217e5}\mpengine.dll
.
==================== Find3M ====================
.
2011-02-23 15:33:08 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-02-19 06:30:54 805376 ----a-w- c:\windows\system32\FntCache.dll
2011-02-19 06:30:51 1076736 ----a-w- c:\windows\system32\DWrite.dll
2011-02-19 06:30:50 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-01-17 05:47:13 161792 ----a-w- c:\windows\system32\d3d10_1.dll
.
============= FINISH: 15:10:03.61 ===============

Edited by leadsister, 15 April 2011 - 04:16 PM.

-Rochelle

#2 leadsister


Posted 18 April 2011 - 09:42 AM

Please close this thread. I have had a reply on another forum. Thank you!
-Rochelle

#3 Budapest

  • Moderator

Posted 18 April 2011 - 04:24 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
