Google Redirect in Vista Ultimate


This topic is locked
13 replies to this topic

#1 bleepedindeed

Posted 13 July 2011 - 09:06 AM

Hello, from the infected machine. It is a dual boot setup with XP, which I rarely use. It appears I have something at least annoying, which will get worse. My Avira free did not find the infection, either. It is not redirecting me every time, so at least the computer is usable. Any help would be appreciated.


#2 quietman7

Posted 13 July 2011 - 11:46 AM

There are various ways a malware infection can cause browser issues, loss of connectivity and redirects.

Please download MiniToolBox by farbar and save it to your desktop.

Close all open browsers, double-click on the file to launch the utility and check the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Users, Partitions and Memory size
Click Go and a log file named Result.txt will open in Notepad with the results. Copy and paste the contents in your next reply.


Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Double-click on the setup file to install, then follow these instructions for doing a Quick Scan in normal mode.
  • Don't forget to check for database definition updates through the program's interface (preferable method) before scanning.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • After completing the scan, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab .
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

-- Some types of malware will target Malwarebytes Anti-Malware and other security tools to keep them from running properly. If that's the case, please refer to the suggestions provided in For those having trouble running Malwarebytes Anti-Malware as you may need to rename it or use RKill by Grinler.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donate button.

#3 bleepedindeed

Posted 14 July 2011 - 09:25 AM

Okay, here goes:

MiniToolBox by Farbar
Ran by Administrator (administrator) on 14-07-2011 at 10:12:51
Windows Vista ™ Ultimate Service Pack 1 (X86)

***************************************************************************


================= Flush DNS: ==============================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

== End of Flush DNS ==

========================= IE Proxy Settings: ==============================

Proxy is enabled.
ProxyServer: http=127.0.0.1:64889

== End of IE Proxy Settings ==

========================= FF Proxy Settings: ==============================

"network.proxy.share_proxy_settings", true
"network.proxy.http", "127.0.0.1"
"network.proxy.http_port", 64889
"network.proxy.type", 1

== End of FF Proxy Settings ==
=============== Hosts content: ============================================

# Copyright © 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
::1 localhost

== End of Hosts ==

================= IP Configuration: =======================================

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : VistaUltimate
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Linksys LNE100TX(v5) Fast Ethernet Adapter
Physical Address. . . . . . . . . : 00-04-5A-56-66-6B
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::8d3c:e662:7e43:c99e%12(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.100(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Tuesday, July 12, 2011 1:48:42 PM
Lease Expires . . . . . . . . . . : Friday, July 15, 2011 1:48:41 AM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 167.206.251.129
167.206.251.130
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
Physical Address. . . . . . . . . : 00-21-85-99-E1-66
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 6:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{E6D93428-6D6B-4C4F-9D14-F487F2867A6A}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 7:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{BF1EC202-A8A8-4297-9520-3C593B0D1157}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:1cb0:2323:3f57:fe9b(Preferred)
Link-local IPv6 Address . . . . . : fe80::1cb0:2323:3f57:fe9b%14(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
Server: vdns1.srv.whplny.cv.net
Address: 167.206.251.129

Name: google.com
Addresses: 74.125.115.105
74.125.115.104
74.125.115.99
74.125.115.106
74.125.115.103
74.125.115.147



Pinging google.com [74.125.115.147] with 32 bytes of data:

Reply from 74.125.115.147: bytes=32 time=41ms TTL=52

Reply from 74.125.115.147: bytes=32 time=27ms TTL=52



Ping statistics for 74.125.115.147:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 27ms, Maximum = 41ms, Average = 34ms

Server: vdns1.srv.whplny.cv.net
Address: 167.206.251.129

Name: yahoo.com
Addresses: 72.30.2.43
98.137.149.56
209.191.122.70
67.195.160.76
69.147.125.65



Pinging yahoo.com [209.191.122.70] with 32 bytes of data:

Reply from 209.191.122.70: bytes=32 time=64ms TTL=50

Reply from 209.191.122.70: bytes=32 time=60ms TTL=50



Ping statistics for 209.191.122.70:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 60ms, Maximum = 64ms, Average = 62ms



Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
12 ...00 04 5a 56 66 6b ...... Linksys LNE100TX(v5) Fast Ethernet Adapter
10 ...00 21 85 99 e1 66 ...... NVIDIA nForce Networking Controller
1 ........................... Software Loopback Interface 1
11 ...00 00 00 00 00 00 00 e0 isatap.{E6D93428-6D6B-4C4F-9D14-F487F2867A6A}
13 ...00 00 00 00 00 00 00 e0 isatap.{BF1EC202-A8A8-4297-9520-3C593B0D1157}
14 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.100 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.100 276
192.168.1.100 255.255.255.255 On-link 192.168.1.100 276
192.168.1.255 255.255.255.255 On-link 192.168.1.100 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.100 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.100 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
14 18 ::/0 On-link
1 306 ::1/128 On-link
14 18 2001::/32 On-link
14 266 2001:0:4137:9e76:1cb0:2323:3f57:fe9b/128
On-link
12 276 fe80::/64 On-link
14 266 fe80::/64 On-link
14 266 fe80::1cb0:2323:3f57:fe9b/128
On-link
12 276 fe80::8d3c:e662:7e43:c99e/128
On-link
1 306 ff00::/8 On-link
14 266 ff00::/8 On-link
12 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

== End of IP Configuration ==

========================= Memory info: ====================================

Percentage of memory in use: 57%
Total physical RAM: 1982.64 MB
Available physical RAM: 841.34 MB
Total Pagefile: 4207.8 MB
Available Pagefile: 2430.91 MB
Total Virtual: 2047.88 MB
Available Virtual: 1973.89 MB

======================= Partitions: =======================================

1 Drive c: () (Fixed) (Total:127.99 GB) (Free:84.52 GB) NTFS
3 Drive e: (Vista) (Fixed) (Total:117.19 GB) (Free:85.86 GB) NTFS
4 Drive g: (Music) (Fixed) (Total:97.66 GB) (Free:19.46 GB) NTFS
5 Drive h: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
6 Drive i: () (Removable) (Total:1.9 GB) (Free:1.37 GB) FAT32

================= Users: ==================================================

User accounts for \\VISTAULTIMATE

-------------------------------------------------------------------------------
Administrator Guest UpdatusUser
The command completed successfully.

== End of Users ==

And:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7136

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

7/14/2011 10:24:21 AM
mbam-log-2011-07-14 (10-23-58).txt

Scan type: Quick scan
Objects scanned: 168167
Time elapsed: 3 minute(s), 29 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
e:\Users\administrator\AppData\Roaming\dwm.exe (Backdoor.Cycbot) -> 3320 -> No action taken.
e:\Users\administrator\AppData\Roaming\microsoft\conhost.exe (Trojan.Agent) -> 4392 -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Trojan.Agent) -> Value: conhost -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Value: Load -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen) -> Value: Shell -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Bad: (E:\Users\ADMINI~1\AppData\Local\Temp\csrss.exe) Good: () -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
e:\Users\administrator\AppData\Roaming\dwm.exe (Backdoor.Cycbot) -> No action taken.
e:\Users\administrator\AppData\Roaming\microsoft\conhost.exe (Trojan.Agent) -> No action taken.
e:\Users\administrator\AppData\Local\Temp\csrss.exe (Trojan.Agent) -> No action taken.

I guess I am not supposed to have MB remove these?
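
The three detections in the log above share one pattern: executables named after Windows system processes (dwm.exe, conhost.exe, csrss.exe) running from the user's profile and wired into autostart locations, including two that are rarely set legitimately (Windows\Load and Winlogon\Shell). The script below applies that heuristic to a constructed list of autostart entries modelled on the registry values in the log. It is an added example, not code from the forum post, MiniToolBox or Malwarebytes; the registry paths are fixtures, the Shell value's data is invented (the log names that value but does not show its contents), and the system-binary name list is an illustrative assumption rather than an exhaustive one.

```python
"""Flag autostart entries that disguise themselves as Windows system binaries.

Added example: not code from the forum post, MiniToolBox or Malwarebytes.
SAMPLE is constructed to mirror the registry values in the log above
(key, value name, image path); nothing here touches a live registry.
"""
import ntpath
import re
from dataclasses import dataclass

# Executables that legitimately run only from %SystemRoot% or its System32 /
# SysWOW64 subdirectories. Illustrative assumption, not an exhaustive list.
SYSTEM_BINARY_NAMES = {
    "csrss.exe", "conhost.exe", "dwm.exe", "svchost.exe", "lsass.exe",
    "winlogon.exe", "smss.exe", "services.exe", "explorer.exe", "wininit.exe",
}
# Anything under a user profile is writable without elevation, so an autostart
# image there deserves a look even when its name looks ordinary.
USER_PROFILE = re.compile(r"\\(users|documents and settings)\\[^\\]+\\", re.I)
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows(\\system32|\\syswow64)?\\[^\\]+$", re.I)


@dataclass(frozen=True)
class Autorun:
    key: str    # registry key, e.g. HKLM\SOFTWARE\...\CurrentVersion\Run
    value: str  # value name under that key
    data: str   # command line or image path stored in the value


def image_path(command: str) -> str:
    """Return only the executable path from a command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)", command, re.I)
    return m.group(1) if m else command


def candidate_paths(entry: Autorun):
    """Winlogon\\Shell holds a comma-separated list; other values hold one command."""
    if entry.value.lower() == "shell":
        return [image_path(part) for part in entry.data.split(",")]
    return [image_path(entry.data)]


def triage(entries):
    """Return (entry, reasons) pairs for the entries that need a closer look."""
    findings = []
    for e in entries:
        reasons = []
        location = f"{e.key}\\{e.value}".lower()
        for path in candidate_paths(e):
            name = ntpath.basename(path).lower()
            # A bare "explorer.exe" resolves through the system path; only an
            # explicit non-system directory in front of a system name is a disguise.
            if (name in SYSTEM_BINARY_NAMES and ntpath.dirname(path)
                    and not SYSTEM_DIR.match(path)):
                reasons.append(f"{name} launched from outside the system directory")
            if USER_PROFILE.search(path):
                reasons.append("image lives under a user profile")
        if location.endswith(r"currentversion\windows\load") and e.data.strip():
            reasons.append("Windows\\Load is populated (empty on a clean system)")
        if (location.endswith(r"currentversion\winlogon\shell")
                and e.data.strip().lower() != "explorer.exe"):
            reasons.append("Winlogon\\Shell is not the default explorer.exe")
        if reasons:
            findings.append((e, reasons))
    return findings


# Constructed fixtures modelled on the log; the Shell data is invented because
# the log names that value but does not show its contents.
SAMPLE = [
    Autorun(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "conhost",
            r"E:\Users\administrator\AppData\Roaming\microsoft\conhost.exe"),
    Autorun(r"HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows", "Load",
            r"E:\Users\ADMINI~1\AppData\Local\Temp\csrss.exe"),
    Autorun(r"HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell",
            r"explorer.exe,E:\Users\administrator\AppData\Roaming\dwm.exe"),
    # Two benign controls that must not be flagged.
    Autorun(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "dwm",
            r"C:\Windows\System32\dwm.exe"),
    Autorun(r"HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell",
            "explorer.exe"),
]

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE):
        print(f"{entry.key}\\{entry.value} = {entry.data}")
        for reason in reasons:
            print(f"    {reason}")
```

The name check is deliberately narrow: a value that reads just `explorer.exe` is left alone because Windows resolves it from the system path, while a system-process name prefixed with a path under AppData or Temp is the disguise the log shows. On a live machine the same entries can be filled from a registry export of the Run, Windows\Load and Winlogon keys; the heuristic reports, and the Malwarebytes scan log above is what confirms.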

#4 quietman7

Posted 14 July 2011 - 11:14 AM

Some infections will alter the Proxy settings in Internet Explorer and Proxy settings in Firefox. Your log shows these settings have been enabled. Generally people who have this setting are aware of it. If you did not configure those settings, then continue as follows:

Rerun MiniToolBox again.

Close all open browsers, double-click on the file to launch the utility and this time check the following checkboxes:
  • Reset IE Proxy Settings
  • Reset FF Proxy Settings
Click Go and a log file named Result.txt will open in Notepad with the results. Copy and paste the contents in your next reply.


Now rescan again with Malwarebytes Anti-Malware, but this time perform a Full Scan in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally will prevent Malwarebytes from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.
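
The proxy check described above, done programmatically over the Result.txt that MiniToolBox writes, as an added example that is not part of the original thread and not MiniToolBox's own code. SAMPLE is constructed from the values quoted in the thread (Internet Explorer and Firefox both pointing at 127.0.0.1:64889); the section-header layout is assumed from that log, and the hosts entry mapping www.google.com to 192.0.2.10 is invented to exercise the hosts rule, the real hosts file in the thread being clean.

```python
"""Audit a MiniToolBox Result.txt for proxy and hosts-file hijack indicators.

Added example: not part of the forum post and not MiniToolBox's own code.
SAMPLE is constructed from the values quoted in the thread; the header
layout is assumed from that log and the www.google.com entry is invented.
"""
import ipaddress
import re

SECTION = re.compile(r"^=+\s*(.*?):\s*=+$")   # e.g. "===== IE Proxy Settings: ====="
SECTION_END = re.compile(r"^== End of ")


def split_sections(text):
    """Map each section title to its non-blank body lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif SECTION_END.match(line):
            current = None
        elif current is not None and line:
            sections[current].append(line)
    return sections


def classify_proxy(hostport):
    """Explain what a configured proxy address implies; loopback is the red flag."""
    host, _, port = hostport.rpartition(":")
    if not host:
        host, port = hostport, "80"
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return f"proxy {hostport} is a hostname; verify you configured it"
    if ip.is_loopback:
        return (f"proxy {hostport} points at this machine: a local process is "
                "relaying the browser's traffic")
    if ip.is_private:
        return f"proxy {hostport} is on the LAN; confirm it is a known proxy"
    return f"proxy {hostport} is a public address; confirm you configured it"


def audit(text):
    """Findings for the IE proxy, Firefox proxy and hosts sections of Result.txt."""
    s = split_sections(text)
    findings = []
    ie = s.get("IE Proxy Settings", [])
    if any(line.startswith("Proxy is enabled") for line in ie):
        for line in ie:
            if line.startswith("ProxyServer:"):
                # Value is "host:port" or "scheme=host:port;scheme=host:port".
                for part in line.split(":", 1)[1].split(";"):
                    hostport = part.split("=", 1)[-1].strip()
                    if hostport:
                        findings.append("IE: " + classify_proxy(hostport))
    ff = {}
    for line in s.get("FF Proxy Settings", []):
        m = re.match(r'"([^"]+)",\s*(.+)$', line)
        if m:
            ff[m.group(1)] = m.group(2).strip().strip('"')
    # network.proxy.type 1 is Firefox's manual proxy configuration.
    if ff.get("network.proxy.type") == "1" and ff.get("network.proxy.http"):
        hostport = f'{ff["network.proxy.http"]}:{ff.get("network.proxy.http_port", "80")}'
        findings.append("Firefox: " + classify_proxy(hostport))
    for line in s.get("Hosts content", []):
        fields = line.split("#", 1)[0].split()   # drop inline comments
        if len(fields) >= 2 and any(n.lower() != "localhost" for n in fields[1:]):
            findings.append(f"hosts: {fields[0]} -> {' '.join(fields[1:])} is not a localhost mapping")
    return findings


SAMPLE = """\
========================= IE Proxy Settings: ==============================

Proxy is enabled.
ProxyServer: http=127.0.0.1:64889

== End of IE Proxy Settings ==

========================= FF Proxy Settings: ==============================

"network.proxy.http", "127.0.0.1"
"network.proxy.http_port", 64889
"network.proxy.type", 1

== End of FF Proxy Settings ==
=============== Hosts content: ============================================

127.0.0.1 localhost
::1 localhost
192.0.2.10 www.google.com # constructed entry, not in the posted log

== End of Hosts ==
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A proxy on 127.0.0.1 is the tell worth acting on: the browser is handing every request to a process on the same machine, which is how the proxy settings and the processes in the Malwarebytes log fit together. It is not proof by itself; some local web-filtering products also listen on loopback, so confirm which process owns the port (netstat -ano on Windows lists the owning PID) before resetting. Hosts-file entries likewise need judgement, since ad-blocking hosts lists deliberately map domains to 0.0.0.0 or 127.0.0.1.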

#5 bleepedindeed

Posted 14 July 2011 - 02:33 PM

Some infections will alter the Proxy settings in Internet Explorer and Proxy settings in Firefox. Your log shows these settings have been enabled. Generally people who have this setting are aware of it. If you did not configure those settings, then continue as follows:

Rerun MiniToolBox again.

Close all open browsers, double-click on the file to launch the utility and this time check the following checkboxes:

  • Reset IE Proxy Settings
  • Reset FF Proxy Settings
Click Go and a log file named Result.txt will open in Notepad with the results. Copy and paste the contents in your next reply.

Just those two boxes, or those two boxes along with the ones you had me check last time?

#6 quietman7

Posted 14 July 2011 - 02:45 PM

Just those two boxes

Yes.

#7 bleepedindeed

Posted 14 July 2011 - 04:01 PM

I thought I did it wrong. Here is the first log:

MiniToolBox by Farbar
Ran by Administrator (administrator) on 14-07-2011 at 15:31:56
Windows Vista ™ Ultimate Service Pack 1 (X86)

***************************************************************************


"Reset IE Proxy Settings": IE Proxy Settings were reset.


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

And the Malware Bytes:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7139

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

7/14/2011 4:42:23 PM
mbam-log-2011-07-14 (16-42-23).txt

Scan type: Full scan (C:\|E:\|G:\|I:\|)
Objects scanned: 279822
Time elapsed: 32 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Thank you for all of your help!

#8 quietman7

Posted 14 July 2011 - 05:39 PM

Not a problem.

How is your computer running now? Are there any more signs of infection?...strange audio ads, unwanted pop-ups, security alerts, or browser redirects?

#9 bleepedindeed

Posted 22 July 2011 - 02:00 PM

Unfortunately, the redirects are back. It was okay for a while. I also get random spam emails, if that means anything.
Now what?

#10 quietman7

Posted 22 July 2011 - 02:05 PM

It has been over a week so it appears you have been reinfected. TDSSKiller was updated...have you tried downloading the latest version and doing a scan?

#11 bleepedindeed

Posted 22 July 2011 - 03:51 PM

Done, it found nothing. Continuing with minitoolbox:

MiniToolBox by Farbar
Ran by Administrator (administrator) on 22-07-2011 at 16:38:24
Windows Vista ™ Ultimate Service Pack 1 (X86)

***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================

::1 localhost

127.0.0.1 localhost

========================= IP Configuration: ================================

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : VistaUltimate
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Linksys LNE100TX(v5) Fast Ethernet Adapter
Physical Address. . . . . . . . . : 00-04-5A-56-66-6B
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::8d3c:e662:7e43:c99e%12(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.100(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Thursday, July 21, 2011 9:23:47 AM
Lease Expires . . . . . . . . . . : Saturday, July 23, 2011 9:23:41 AM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 167.206.251.129
167.206.251.130
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
Physical Address. . . . . . . . . : 00-21-85-99-E1-66
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 6:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{E6D93428-6D6B-4C4F-9D14-F487F2867A6A}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 7:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{BF1EC202-A8A8-4297-9520-3C593B0D1157}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:20fa:356e:3f57:fe9b(Preferred)
Link-local IPv6 Address . . . . . : fe80::20fa:356e:3f57:fe9b%14(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
Server: vdns1.srv.whplny.cv.net
Address: 167.206.251.129

Name: google.com
Addresses: 74.125.115.103
74.125.115.106
74.125.115.104
74.125.115.99
74.125.115.147
74.125.115.105



Pinging google.com [74.125.115.104] with 32 bytes of data:

Reply from 74.125.115.104: bytes=32 time=29ms TTL=51

Reply from 74.125.115.104: bytes=32 time=29ms TTL=51



Ping statistics for 74.125.115.104:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 29ms, Maximum = 29ms, Average = 29ms

Server: vdns1.srv.whplny.cv.net
Address: 167.206.251.129

Name: yahoo.com
Addresses: 209.191.122.70
67.195.160.76
69.147.125.65
72.30.2.43
98.137.149.56



Pinging yahoo.com [209.191.122.70] with 32 bytes of data:

Reply from 209.191.122.70: bytes=32 time=75ms TTL=52

Reply from 209.191.122.70: bytes=32 time=66ms TTL=51



Ping statistics for 209.191.122.70:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 66ms, Maximum = 75ms, Average = 70ms



Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
12 ...00 04 5a 56 66 6b ...... Linksys LNE100TX(v5) Fast Ethernet Adapter
10 ...00 21 85 99 e1 66 ...... NVIDIA nForce Networking Controller
1 ........................... Software Loopback Interface 1
11 ...00 00 00 00 00 00 00 e0 isatap.{E6D93428-6D6B-4C4F-9D14-F487F2867A6A}
13 ...00 00 00 00 00 00 00 e0 isatap.{BF1EC202-A8A8-4297-9520-3C593B0D1157}
14 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.100 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.100 276
192.168.1.100 255.255.255.255 On-link 192.168.1.100 276
192.168.1.255 255.255.255.255 On-link 192.168.1.100 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.100 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.100 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
14 18 ::/0 On-link
1 306 ::1/128 On-link
14 18 2001::/32 On-link
14 266 2001:0:4137:9e76:20fa:356e:3f57:fe9b/128
On-link
12 276 fe80::/64 On-link
14 266 fe80::/64 On-link
14 266 fe80::20fa:356e:3f57:fe9b/128
On-link
12 276 fe80::8d3c:e662:7e43:c99e/128
On-link
1 306 ff00::/8 On-link
14 266 ff00::/8 On-link
12 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

========================= Memory info: ===================================

Percentage of memory in use: 55%
Total physical RAM: 1982.64 MB
Available physical RAM: 887.45 MB
Total Pagefile: 4207.78 MB
Available Pagefile: 2806.07 MB
Total Virtual: 2047.88 MB
Available Virtual: 1973.89 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:127.99 GB) (Free:89.31 GB) NTFS
3 Drive e: (Vista) (Fixed) (Total:117.19 GB) (Free:84.68 GB) NTFS
4 Drive g: (Music) (Fixed) (Total:97.66 GB) (Free:19.46 GB) NTFS
5 Drive h: (Cruzer) (Removable) (Total:7.47 GB) (Free:4.47 GB) FAT32

========================= Users: ========================================

User accounts for \\VISTAULTIMATE

Administrator Guest UpdatusUser


== End of log ==
Malwarebytes log:

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7233

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

7/22/2011 4:50:19 PM
mbam-log-2011-07-22 (16-50-12).txt

Scan type: Quick scan
Objects scanned: 169769
Time elapsed: 3 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I have a Trojan! Oh boy.

#12 quietman7

Posted 22 July 2011 - 04:27 PM

I have a Trojan! Oh boy.

No it's a remnant of a related registry key.

Most likely you are dealing with an undetected rootkit which protects malicious files and registry keys so they cannot be permanently deleted. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need to create and post a DDS log for further investigation.

Please read the "Preparation Guide".
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.
When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, please reply back here with a link to the new topic so we can close this one.

#13 bleepedindeed

Posted 27 July 2011 - 02:09 AM

New thread started.

http://www.bleepingcomputer.com/forums/topic411160.html

#14 quietman7

Posted 27 July 2011 - 06:41 AM

Now that your log is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Response Team member...nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process or make things worse, which would extend the time it takes to clean your computer.

From this point on the Malware Response Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Response Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic until you are cleared by the Malware Response Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.

Good luck with your log.



