Redirect virus / cannot run anti-malware


  • This topic is locked
4 replies to this topic

#1 camperguy

camperguy

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:56 AM

Posted 10 November 2011 - 04:16 PM

I have a networked computer that seems to have gotten a redirect virus and I cannot get rid of it. I am not able to run anti-malware such as Malwarebytes, AV, TDSSKiller, etc. I have tried in safe mode and still nothing.

Please help, Thanks

#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,771 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:12:56 AM

Posted 10 November 2011 - 04:24 PM

With the information you have provided I believe you will need help from the malware removal team.
Please make sure that you read the information about getting started first.
Then start a new thread HERE and include our required logs.
Including a link to this thread will be helpful.

Good luck and be patient. Help is on the way!

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#3 camperguy

camperguy
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:56 AM

Posted 10 November 2011 - 04:53 PM

Thanks, below is the DDS report. I cannot run GMER; I tried twice, and the scan runs for about 90 seconds and then the program closes.


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by counter at 15:35:59 on 2011-11-10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1278.427 [GMT -6:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\4148091121:237486344.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Cherry\CDI\CDI.exe
C:\Program Files\EPSON\EPSON Advanced Printer Driver 4\EpsonPHLog.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Cherry\KeyMan\KeyMan.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
"C:\WINDOWS\system32\svchost.exe"
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.dell.com
uWinlogon: Shell=c:\documents and settings\counter\local settings\application data\f1d83ef7\X
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [CherryKeyMan] "c:\program files\cherry\keyman\KeyMan.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Iratub] rundll32.exe "c:\windows\ohowupomu.dll",Startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [<NO NAME>]
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\forget~1.lnk - c:\program files\broderbund\ag creatacard\AGRemind.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: DhcpNameServer = 10.1.1.2 8.8.8.8
TCP: Interfaces\{74C09F85-3EDE-4921-A09E-14B1C29D6CA1} : DhcpNameServer = 10.1.1.2 8.8.8.8
Notify: igfxcui - igfxdev.dll
Notify: TPSvc - TPSvc.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\counter\application data\mozilla\firefox\profiles\06nvgmk0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: XULRunner: {44C2EF29-A429-430B-B9B5-8174DB0EB8FB} - c:\documents and settings\mdoughty\local settings\application data\{44C2EF29-A429-430B-B9B5-8174DB0EB8FB}
FF - Ext: XULRunner: {1DFD32A0-3D86-4600-9D4A-B271ADCF82E0} - c:\documents and settings\administrator.dicksrv.000\local settings\application data\{1DFD32A0-3D86-4600-9D4A-B271ADCF82E0}
FF - Ext: XULRunner: {51DD8DFB-BC75-47C1-AC0C-FBCE637411A5} - c:\documents and settings\administrator\local settings\application data\{51DD8DFB-BC75-47C1-AC0C-FBCE637411A5}
FF - Ext: XULRunner: {E4BD6C2C-78CB-4F84-B52C-3900033D9C8F} - c:\documents and settings\counter\local settings\application data\{E4BD6C2C-78CB-4F84-B52C-3900033D9C8F}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2006-5-24 214664]
R2 Cherry Device Interface;Cherry Device Interface;c:\program files\cherry\cdi\CDI.exe [2004-9-16 516096]
R2 EpsonPOSLog;Epson Point of Service Log Service;c:\program files\epson\epson advanced printer driver 4\EpsonPHLog.exe [2009-3-28 294912]
R3 Ch2kPS2;Cherry PS/2 Keyboard Driver (CDI);c:\windows\system32\drivers\Ch2kPS2.sys [2004-4-22 121870]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-5 135664]
S2 KodakSvc;Kodak AiO Device Service;c:\program files\kodak\printer\center\KodakSvc.exe [2007-12-13 20480]
S3 Ch2kHUB;Cherry USB Hub Driver for CDI;c:\windows\system32\drivers\Ch2kHUB.sys [2003-7-15 82048]
S3 Ch2kUSB;Cherry USB Driver for CDI;c:\windows\system32\drivers\Ch2kUSB.sys [2004-10-26 90702]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-5 135664]
S3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\mfeavfk.sys [2006-5-24 79816]
S3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\mfebopk.sys [2006-5-24 35272]
S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\mferkdk.sys [2010-8-31 34248]
.
=============== Created Last 30 ================
.
2011-11-10 17:58:07 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-11-10 17:53:20 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-10 17:53:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-10 17:37:44 -------- d-----w- c:\documents and settings\counter\local settings\application data\Help
2011-11-10 17:37:34 -------- d-----w- c:\program files\common files\iS3
2011-11-10 17:08:35 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-11-10 17:03:54 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-11-10 16:41:41 2 --shatr- c:\windows\winstart.bat
2011-11-10 16:41:35 -------- d-----w- c:\program files\UnHackMe
2011-11-10 16:40:52 -------- d-----w- c:\program files\StartNow Toolbar
2011-11-09 23:23:12 48016 --sha-w- c:\windows\system32\c_56714.nl_
2011-11-09 17:53:38 -------- d-----w- c:\documents and settings\counter\application data\Malwarebytes
2011-11-09 17:00:55 -------- d-sh--w- c:\documents and settings\counter\local settings\application data\f1d83ef7
2011-10-19 18:12:01 -------- d-----w- c:\documents and settings\all users\application data\Epson
2011-10-19 18:12:00 -------- d-----w- c:\program files\EPSON
2011-10-19 17:52:17 -------- d-----w- c:\documents and settings\counter\application data\RVLogic
2011-10-19 17:52:10 -------- d-----w- c:\documents and settings\counter\application data\RV Logic, Inc
2011-10-17 14:04:11 -------- d-----w- c:\documents and settings\counter\application data\HpUpdate
2011-10-14 19:33:25 -------- d-----w- c:\documents and settings\counter\local settings\application data\Google
2011-10-13 19:49:53 -------- d-----w- c:\documents and settings\counter\local settings\application data\Adobe
2011-10-13 18:33:42 -------- d-----w- c:\documents and settings\counter\local settings\application data\Mozilla
2011-10-13 17:17:29 -------- d-----w- c:\documents and settings\counter\application data\DealerLogicDMS
2011-10-13 17:07:32 -------- d-----w- C:\Temp
2011-10-13 17:07:02 -------- d-----w- c:\documents and settings\counter\local settings\application data\{E4BD6C2C-78CB-4F84-B52C-3900033D9C8F}
2011-10-13 17:07:01 -------- d-----w- c:\documents and settings\counter\application data\Cherry
.
==================== Find3M ====================
.
2011-11-10 18:38:22 36352 ----a-w- c:\windows\system32\drivers\intelppm.sys
2011-11-10 18:28:19 44544 ----a-w- c:\windows\system32\drivers\fips.sys
2011-11-10 14:39:40 0 ----a-w- c:\windows\Pjajaliroquqof.bin
2011-11-10 00:01:11 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2011-11-09 23:37:35 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-11-09 23:22:38 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-10-21 13:18:35 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-26 16:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-17 21:32:17 832512 ----a-w- c:\windows\system32\wininet.dll
2011-08-17 21:32:16 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-08-17 21:32:16 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-08-17 21:32:15 17408 ------w- c:\windows\system32\corpol.dll
2011-08-17 12:22:23 389120 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 15:37:07.19 ===============

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,569 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:03:56 AM

Posted 10 November 2011 - 05:00 PM

Hello, I am interrupting. One: you need to repost that DDS log.

Broni's instructions

Then start a new thread HERE and include our required logs.
Including a link to this thread will be helpful.

.

Two: I am deleting your other posts that I also replied to, as it wastes time when 2 people are replying to you.

Edited by boopme, 10 November 2011 - 08:58 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:56 PM

Posted 10 November 2011 - 05:30 PM

Malware topic here: http://www.bleepingcomputer.com/forums/topic427298.html

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MR Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
