Internet Redirecting and Some sites not working



#1 liishang


Posted 05 April 2012 - 05:25 PM

Hello
My computer is experiencing some internet issues. I cannot connect to some sites such as Google, Facebook, and Tumblr. I have also been redirected when surfing the internet. The redirecting is more like a pop-up ad. While I do stuff on the Internet, like browsing through a site or watching a YouTube video, a pop-up appears as a new tab that is directed at sites I never go to. Am I infected?
Thanks in advance for all the help.

Edited by liishang, 05 April 2012 - 05:25 PM.


#2 dev00790


Posted 05 April 2012 - 07:03 PM

Hello,

I will be helping you with your problems.
Please do the following:

Step 1

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Step 2

Please download Farbar Service Scanner to your Desktop and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Step 3

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.


Step 4

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Regards, dev00790

---------------------------------------

Marge: "Homer, the plant called. They said if you don't show up tomorrow don't bother showing up on Monday." Homer: "Woo-hoo! Four-day weekend!"
I do not reply to Private Messages (PMs) asking for assistance - please use the forums instead. If I have been helping you, and I have not replied to your latest post in 48 hours please send me a PM. My Blog


#3 liishang


Posted 07 April 2012 - 03:42 PM

The results from the Security Check:


Results of screen317's Security Check version 0.99.32
Windows Vista Service Pack 1 x86 (UAC is enabled)
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
AVG 2012
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

CCleaner
Java™ 6 Update 26
Java™ SE Runtime Environment 6 Update 1
Java version out of date!
Adobe Flash Player 11.0.1.152
Adobe Reader 8 Adobe Reader out of date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
``````````End of Log````````````


The results from the Farbar Service Scanner:

Farbar Service Scanner Version: 01-03-2012
Ran by Me (administrator) on 07-04-2012 at 15:08:32
Running from "C:\Users\Me\Desktop"
Microsoft® Windows Vista™ Home Premium Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of MpsSvc. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of MpsSvc. The value does not exist.
The ServiceDll of MpsSvc service is OK.
Checking LEGACY_MpsSvc: Attention! Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of bfe. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of bfe. The value does not exist.
The ServiceDll of bfe service is OK.
Checking LEGACY_bfe: Attention! Unable to open LEGACY_bfe\0000 registry key. The key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of wscsvc. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of wscsvc. The value does not exist.
The ServiceDll of wscsvc service is OK.
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Windows Update:
============

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of WinDefend. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of WinDefend. The value does not exist.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll
[2008-01-20 21:24] - [2008-01-20 21:24] - 0204288 ____A (Microsoft Corporation) 43A988A9C10333476CB5FB667CBD629D

C:\Windows\system32\Drivers\afd.sys
[2011-06-14 14:32] - [2011-04-21 08:16] - 0273408 ____A (Microsoft Corporation) 48EB99503533C27AC6135648E5474457

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2010-08-10 19:16] - [2010-06-16 10:59] - 0898952 ____A (Microsoft Corporation) 782568AB6A43160A159B6215B70BCCE9

C:\Windows\system32\dnsrslvr.dll
[2011-04-12 22:41] - [2011-03-02 09:49] - 0086528 ____A (Microsoft Corporation) 4805D9A6D281C7A7DEFD9094DEC6AF7D

C:\Windows\system32\mpssvc.dll
[2008-01-20 21:24] - [2008-01-20 21:24] - 0393216 ____A (Microsoft Corporation) D1639BA315B0D79DEC49A4B0E1FB929B

C:\Windows\system32\bfe.dll
[2008-01-20 21:23] - [2008-01-20 21:23] - 0328704 ____A (Microsoft Corporation) 8582E233C346AEFE759833E8A30DD697

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe
[2008-01-20 21:23] - [2008-01-20 21:23] - 1054720 ____A (Microsoft Corporation) D5FB73D19C46ADE183F968E13F186B23

C:\Windows\system32\wscsvc.dll
[2008-01-20 21:23] - [2008-01-20 21:23] - 0061440 ____A (Microsoft Corporation) 683DD16B590372F2C9661D277F35E49C

C:\Windows\system32\wbem\WMIsvc.dll
[2008-01-20 21:24] - [2008-01-20 21:24] - 0161792 ____A (Microsoft Corporation) 00B79A7C984678F24CF052E5BEB3A2F5

C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll
[2008-01-20 21:25] - [2008-01-20 21:25] - 0758272 ____A (Microsoft Corporation) 02ED7B4DBC2A3232A389106DA7515C3D

C:\Windows\system32\es.dll
[2008-08-12 21:37] - [2008-04-18 00:48] - 0269312 ____A (Microsoft Corporation) 3CB3343D720168B575133A0A20DC2465

C:\Windows\system32\cryptsvc.dll
[2008-01-20 21:24] - [2008-01-20 21:24] - 0128000 ____A (Microsoft Corporation) 6DE363F9F99334514C46AEC02D3E3678

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll
[2009-04-14 21:05] - [2009-03-02 23:39] - 0551424 ____A (Microsoft Corporation) 301AE00E12408650BADDC04DBC832830



**** End of log ****

The results from the MiniToolBox:


MiniToolBox by Farbar Version: 18-01-2012
Ran by Me (administrator) on 07-04-2012 at 15:12:25
Microsoft® Windows Vista™ Home Premium Service Pack 1 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

Hosts file not detected in the default directory
========================= IP Configuration: ================================

NETGEAR WNA1100 N150 Wireless USB Adapter = Wireless Network Connection 2 (Connected)
NVIDIA nForce Networking Controller = Local Area Connection (Media disconnected)
D-Link WDA-2320 Desktop Adapter = Wireless Network Connection (Media disconnected)
The following helper DLL cannot be loaded: WSHELPER.DLL.
The following helper DLL cannot be loaded: IFMON.DLL.
The following command was not found: int ip dump.

Windows IP Configuration

Host Name . . . . . . . . . . . . : LilyYu-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : Belkin

Wireless LAN adapter Wireless Network Connection 2:

Connection-specific DNS Suffix . : Belkin
Description . . . . . . . . . . . : NETGEAR WNA1100 N150 Wireless USB Adapter
Physical Address. . . . . . . . . : C4-3D-C7-C9-C5-E1
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::b04b:7416:fbe0:b161%14(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.2.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Saturday, April 07, 2012 12:39:10 PM
Lease Expires . . . . . . . . . . : Tuesday, May 14, 2148 9:41:13 PM
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 192.168.2.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : D-Link WDA-2320 Desktop Adapter
Physical Address. . . . . . . . . : 00-1C-F0-D3-8C-D8
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NVIDIA nForce 10/100 Mbps Networking Controller
Physical Address. . . . . . . . . : 00-1E-90-2F-78-A6
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 6:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.Belkin
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 7:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{EA76CB46-2C32-4956-B29B-876E2B444942}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 12:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{E2A36737-7BCA-4E20-9F80-2E810E4B290D}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes


Pinging google.com [74.125.225.102] with 32 bytes of data:

Reply from 74.125.225.102: bytes=32 time=561ms TTL=53

Reply from 74.125.225.102: bytes=32 time=622ms TTL=53



Ping statistics for 74.125.225.102:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 561ms, Maximum = 622ms, Average = 591ms



Pinging yahoo.com [209.191.122.70] with 32 bytes of data:

Reply from 209.191.122.70: bytes=32 time=283ms TTL=44

Reply from 209.191.122.70: bytes=32 time=90ms TTL=44



Ping statistics for 209.191.122.70:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 90ms, Maximum = 283ms, Average = 186ms



Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:

Reply from 208.43.87.2: Destination host unreachable.

Reply from 208.43.87.2: Destination host unreachable.



Ping statistics for 208.43.87.2:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),



Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
14 ...c4 3d c7 c9 c5 e1 ...... NETGEAR WNA1100 N150 Wireless USB Adapter
11 ...00 1c f0 d3 8c d8 ...... D-Link WDA-2320 Desktop Adapter
10 ...00 1e 90 2f 78 a6 ...... NVIDIA nForce 10/100 Mbps Networking Controller
1 ........................... Software Loopback Interface 1
16 ...00 00 00 00 00 00 00 e0 isatap.Belkin
12 ...00 00 00 00 00 00 00 e0 isatap.{EA76CB46-2C32-4956-B29B-876E2B444942}
13 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
15 ...00 00 00 00 00 00 00 e0 isatap.{E2A36737-7BCA-4E20-9F80-2E810E4B290D}
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.2 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.2.0 255.255.255.0 On-link 192.168.2.2 281
192.168.2.2 255.255.255.255 On-link 192.168.2.2 281
192.168.2.255 255.255.255.255 On-link 192.168.2.2 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.2.2 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.2.2 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
14 281 fe80::/64 On-link
14 281 fe80::b04b:7416:fbe0:b161/128 On-link
1 306 ff00::/8 On-link
14 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 mswsock.dll [File Not found] ()
Catalog5 02 C:\Windows\system32\napinsp.dll [50176] (Microsoft Corporation)
Catalog5 03 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 04 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 05 mswsock.dll [File Not found] ()
Catalog5 06 C:\Windows\System32\winrnr.dll [19968] (Microsoft Corporation)
Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 mswsock.dll [File Not found] ()
Catalog9 02 mswsock.dll [File Not found] ()
Catalog9 03 mswsock.dll [File Not found] ()
Catalog9 04 mswsock.dll [File Not found] ()
Catalog9 05 mswsock.dll [File Not found] ()
Catalog9 06 mswsock.dll [File Not found] ()
Catalog9 07 mswsock.dll [File Not found] ()
Catalog9 08 mswsock.dll [File Not found] ()
Catalog9 09 mswsock.dll [File Not found] ()
Catalog9 10 mswsock.dll [File Not found] ()
Catalog9 11 mswsock.dll [File Not found] ()
Catalog9 12 mswsock.dll [File Not found] ()
Catalog9 13 mswsock.dll [File Not found] ()
Catalog9 14 mswsock.dll [File Not found] ()
Catalog9 15 mswsock.dll [File Not found] ()
Catalog9 16 mswsock.dll [File Not found] ()
Catalog9 17 mswsock.dll [File Not found] ()
Catalog9 18 mswsock.dll [File Not found] ()
Catalog9 19 mswsock.dll [File Not found] ()
Catalog9 20 mswsock.dll [File Not found] ()
Catalog9 21 mswsock.dll [File Not found] ()
Catalog9 22 mswsock.dll [File Not found] ()
Catalog9 23 mswsock.dll [File Not found] ()
Catalog9 24 mswsock.dll [File Not found] ()
Catalog9 25 mswsock.dll [File Not found] ()
Catalog9 26 mswsock.dll [File Not found] ()
Catalog9 27 mswsock.dll [File Not found] ()
Catalog9 28 mswsock.dll [File Not found] ()
Catalog9 29 mswsock.dll [File Not found] ()
Catalog9 30 mswsock.dll [File Not found] ()

========================= Event log errors: ===============================

Application errors:
==================
Error: (04/07/2012 03:13:30 PM) (Source: Application Error) (User: )
Description: Faulting application nslookup.exe, version 6.0.6001.18000, time stamp 0x47918e19, faulting module ntdll.dll, version 6.0.6001.18538, time stamp 0x4cb733dc, exception code 0xc0000138, fault offset 0x00009cfc,
process id 0x1e70, application start time 0xnslookup.exe0.

Error: (04/07/2012 03:13:22 PM) (Source: Application Error) (User: )
Description: Faulting application nslookup.exe, version 6.0.6001.18000, time stamp 0x47918e19, faulting module ntdll.dll, version 6.0.6001.18538, time stamp 0x4cb733dc, exception code 0xc0000138, fault offset 0x00009cfc,
process id 0x271c, application start time 0xnslookup.exe0.

Error: (04/07/2012 03:13:06 PM) (Source: Application Error) (User: )
Description: Faulting application nslookup.exe, version 6.0.6001.18000, time stamp 0x47918e19, faulting module ntdll.dll, version 6.0.6001.18538, time stamp 0x4cb733dc, exception code 0xc0000138, fault offset 0x00009cfc,
process id 0x1cf8, application start time 0xnslookup.exe0.

Error: (04/07/2012 02:09:40 PM) (Source: Application Hang) (User: )
Description: The program iexplore.exe version 7.0.6001.18639 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: 1188
Start Time: 01cd14f156292f6e
Termination Time: 184

Error: (04/07/2012 00:49:19 PM) (Source: Application Error) (User: )
Description: Faulting application AirPlusCFG.exe, version 4.0.1.61116, time stamp 0x455c2457, faulting module wlanapi.dll!apsApply, version 6.0.6001.18538, time stamp 0x4cb733dc, exception code 0xc0000139, fault offset 0x00009cfc,
process id 0x300, application start time 0xAirPlusCFG.exe0.

Error: (04/07/2012 00:40:35 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/06/2012 10:20:33 PM) (Source: Application Error) (User: )
Description: Faulting application AirPlusCFG.exe, version 4.0.1.61116, time stamp 0x455c2457, faulting module wlanapi.dll!apsApply, version 6.0.6001.18538, time stamp 0x4cb733dc, exception code 0xc0000139, fault offset 0x00009cfc,
process id 0x2a0, application start time 0xAirPlusCFG.exe0.

Error: (04/06/2012 10:19:03 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/06/2012 10:49:07 AM) (Source: Application Error) (User: )
Description: Faulting application AirPlusCFG.exe, version 4.0.1.61116, time stamp 0x455c2457, faulting module wlanapi.dll!apsApply, version 6.0.6001.18538, time stamp 0x4cb733dc, exception code 0xc0000139, fault offset 0x00009cfc,
process id 0xf8, application start time 0xAirPlusCFG.exe0.

Error: (04/06/2012 10:46:47 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (04/07/2012 00:45:35 PM) (Source: WMPNetworkSvc) (User: )
Description: WMPNetworkSvc0x80070424

Error: (04/07/2012 00:42:49 PM) (Source: WMPNetworkSvc) (User: )
Description: WMPNetworkSvc0x80070424

Error: (04/07/2012 00:40:41 PM) (Source: Service Control Manager) (User: )
Description: HP CUE DeviceDiscovery Service

Error: (04/07/2012 00:40:36 PM) (Source: Service Control Manager) (User: )
Description: Dladresm%%126

Error: (04/07/2012 00:40:36 PM) (Source: Service Control Manager) (User: )
Description: Issm%%126

Error: (04/07/2012 00:40:36 PM) (Source: Service Control Manager) (User: )
Description: Aaksrv%%126

Error: (04/07/2012 00:40:36 PM) (Source: Service Control Manager) (User: )
Description: Protectionservice%%126

Error: (04/07/2012 00:40:36 PM) (Source: Service Control Manager) (User: )
Description: Downloadmanagerlite%%126

Error: (04/07/2012 00:40:36 PM) (Source: Service Control Manager) (User: )
Description: Wencrservice%%126

Error: (04/07/2012 00:40:36 PM) (Source: Service Control Manager) (User: )
Description: Nm%%126


Microsoft Office Sessions:
=========================
Error: (04/07/2012 03:13:30 PM) (Source: Application Error)(User: )
Description: nslookup.exe6.0.6001.1800047918e19ntdll.dll6.0.6001.185384cb733dcc000013800009cfc1e7001cd14fae536cd8e

Error: (04/07/2012 03:13:22 PM) (Source: Application Error)(User: )
Description: nslookup.exe6.0.6001.1800047918e19ntdll.dll6.0.6001.185384cb733dcc000013800009cfc271c01cd14fade421a2e

Error: (04/07/2012 03:13:06 PM) (Source: Application Error)(User: )
Description: nslookup.exe6.0.6001.1800047918e19ntdll.dll6.0.6001.185384cb733dcc000013800009cfc1cf801cd14fad35b6c1e

Error: (04/07/2012 02:09:40 PM) (Source: Application Hang)(User: )
Description: iexplore.exe7.0.6001.18639118801cd14f156292f6e184

Error: (04/07/2012 00:49:19 PM) (Source: Application Error)(User: )
Description: AirPlusCFG.exe4.0.1.61116455c2457wlanapi.dll!apsApply6.0.6001.185384cb733dcc000013900009cfc30001cd14e629447b9e

Error: (04/07/2012 00:40:35 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/06/2012 10:20:33 PM) (Source: Application Error)(User: )
Description: AirPlusCFG.exe4.0.1.61116455c2457wlanapi.dll!apsApply6.0.6001.185384cb733dcc000013900009cfc2a001cd146d1ecf09e3

Error: (04/06/2012 10:19:03 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/06/2012 10:49:07 AM) (Source: Application Error)(User: )
Description: AirPlusCFG.exe4.0.1.61116455c2457wlanapi.dll!apsApply6.0.6001.185384cb733dcc000013900009cfcf801cd140c7461394d

Error: (04/06/2012 10:46:47 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


=========================== Installed Programs ============================

µTorrent (Version: 2.2.0)
Adobe AIR (Version: 1.1.0.5790)
Adobe Flash Player 11 ActiveX (Version: 11.1.102.55)
Adobe Flash Player 11 Plugin (Version: 11.0.1.152)
Adobe Reader 8.1.3 (Version: 8.1.3)
Adobe Shockwave Player 11.5 (Version: 11.5.1.601)
AIM 7
ANIO Service
ANIWZCS2 Service
Apple Application Support (Version: 2.1.5)
Apple Mobile Device Support (Version: 4.0.0.96)
Apple Software Update (Version: 2.1.3.127)
Audition (Version: 1.00.0000)
Auslogics Disk Defrag (Version: version 3.1)
AVG 2012 (Version: 12.0.2126)
AVG 2012 (Version: 12.0.2409)
AVG 2012 (Version: 2012.0.2126)
Bonjour (Version: 3.0.0.10)
BufferChm (Version: 100.0.170.000)
CCleaner (Version: 2.33)
Cheat Engine 6.1
Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)
CustomerResearchQFolder (Version: 1.00.0000)
CyberLink DVD Suite Deluxe (Version: 5.5.1329)
CyberLink PowerDirector (Version: 6.5.2726)
D1500 (Version: 100.0.206.000)
D1500_Help (Version: 100.0.206.000)
DeviceDiscovery (Version: 100.0.190.000)
DeviceManagementQFolder (Version: 1.00.0000)
DJ_SF_03_D1500_ProductContext (Version: 100.0.206.000)
DJ_SF_03_D1500_Software (Version: 100.0.206.000)
DJ_SF_03_D1500_Software_Min (Version: 100.0.206.000)
Download Updater (AOL LLC)
Dungeon Fighter Online
eSupportQFolder (Version: 1.00.0000)
Fraps
GameBox Toolbar
Google Chrome (Version: 18.0.1025.151)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.3.2710.138)
Google Update Helper (Version: 1.3.21.111)
GPBaseService (Version: 100.0.187.000)
Hardware Diagnostic Tools (Version: 5.1.4748.24)
Hewlett-Packard Active Check for Health Check (Version: 1.1.15.2)
Hewlett-Packard Asset Agent for Health Check (Version: 2.0.63.2)
Highlight Viewer (Windows Live Toolbar) (Version: 03.01.0146)
HP Active Support Library (Version: 3.1.0.6)
HP Customer Experience Enhancements (Version: 5.6.0.2510)
HP Customer Feedback (Version: 1.0.0)
HP Customer Participation Program 10.0 (Version: 10.0)
HP Demo (Version: HP Demo)
HP Deskjet 3050 J610 series Basic Device Software (Version: 22.50.231.0)
HP Deskjet 3050 J610 series Help (Version: 140.0.63.63)
HP Deskjet D1500 Printer Driver Software 10.0 Rel .3 (Version: 10.0)
HP Games (Version: 1.0.0.66)
HP Imaging Device Functions 10.0 (Version: 10.0)
HP Photo Creations (Version: 1.0.0.3781)
HP Photosmart Essential 2.5 (Version: 1.02.0000)
HP Photosmart Essential 2.5 (Version: 2.5)
HP Smart Web Printing (Version: 3.5)
HP Solution Center 10.0 (Version: 10.0)
HP Total Care Advisor (Version: 2.1.3329.2629)
HP Update (Version: 4.000.007.003)
HPProductAssistant (Version: 100.0.170.000)
HPSSupply (Version: 100.0.170.000)
HPTCSSetup (Version: 1.0.964.2626)
ijji - Gunz
InterVideo DeviceService (Version: 1.0.0)
iTunes (Version: 10.5.0.142)
Java Auto Updater (Version: 2.0.5.1)
Java™ 6 Update 26 (Version: 6.0.260)
Java™ SE Runtime Environment 6 Update 1 (Version: 1.6.0.10)
Junk Mail filter update (Version: 14.0.8117.416)
LabelPrint (Version: 2.2.2529)
League of Legends (Version: 1.3)
LightScribe System Software 1.12.37.1 (Version: 1.12.37.1)
LightScribeTemplateLabeler (Version: 1.10.23.1)
Logitech Vid (Version: 1.70.1044)
Logitech Webcam Software (Version: 12.10.1113)
Logitech Webcam Software Driver Package (Version: 12.10.1110)
Macromedia Extension Manager (Version: 1.7.240)
Macromedia Flash 8 (Version: 8.00.0000)
Macromedia Flash 8 Video Encoder (Version: 1.00.0000)
Mall Tycoon 2 (Version: 1.00)
Malwarebytes Anti-Malware version 1.60.1.1000 (Version: 1.60.1.1000)
Map Button (Windows Live Toolbar) (Version: 03.01.0146)
MapleStory
MarketResearch (Version: 100.0.170.000)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Choice Guard (Version: 2.0.48.0)
Microsoft Office Home and Student 60 day trial
Microsoft Office PowerPoint Viewer 2007 (English) (Version: 12.0.6612.1000)
Microsoft Silverlight (Version: 4.1.10111.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Sync Framework Runtime Native v1.0 (x86) (Version: 1.0.1215.0)
Microsoft Sync Framework Services Native v1.0 (x86) (Version: 1.0.1215.0)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Works (Version: 9.7.0621)
MSVCRT (Version: 14.0.1468.721)
muvee autoProducer 6.1 (Version: 6.10.050)
Network Magic (Version: 4.1.7082.0)
Nexon Game Manager
Nokia Connectivity Cable Driver (Version: 6.80.5.1)
NVIDIA Drivers
OGPlanet Game Launcher (Version: 1.0.0)
ooVoo (Version: 3.0.4038)
Paint.NET v3.36 (Version: 3.36.0)
Pando Media Booster (Version: 2.3.0.8)
particleIllusion 3.0
particleIllusion 3.0.2
Power2Go (Version: 5.6.3917)
PSSWCORE (Version: 2.02.0000)
Python 2.5 (Version: 2.5.150)
QuickTime (Version: 7.69.80.9)
RangeBooster G WDA-2320 (Version: )
REACTOR (Version: 1.00.0000)
Realtek High Definition Audio Driver (Version: 6.0.1.5591)
Rumble Fighter
Shop for HP Supplies (Version: 10.0)
Smart Defrag 2 (Version: 2.1)
Smart Menus (Windows Live Toolbar) (Version: 03.01.0146)
SmartWebPrintingOC (Version: 100.0.189.000)
Snapfish Picture Mover (Version: 1.9.0.16)
Soft Data Fax Modem with SmartCP (Version: 7.74.00)
SolutionCenter (Version: 100.0.175.000)
Sony Media Manager 2.2 (Version: 2.2.93)
Sony Vegas 7.0 (Version: 7.0.151)
Status (Version: 100.0.175.000)
System Requirements Lab
TeamViewer 6 (Version: 6.0.10701)
Toolbox (Version: 100.0.170.000)
TrayApp (Version: 100.0.170.000)
UnloadSupport (Version: 10.0.0)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Vegas Pro 9.0 (Version: 9.0.896)
VideoToolkit01 (Version: 100.0.128.000)
Viewpoint Media Player
WebReg (Version: 100.0.170.000)
Windows Live Call (Version: 14.0.8117.0416)
Windows Live Communications Platform (Version: 14.0.8117.416)
Windows Live Essentials (Version: 14.0.8117.0416)
Windows Live Essentials (Version: 14.0.8117.416)
Windows Live Family Safety (Version: 14.0.8118.427)
Windows Live Favorites for Windows Live Toolbar (Version: 03.01.0146)
Windows Live Mail (Version: 14.0.8117.0416)
Windows Live Messenger (Version: 14.0.8117.0416)
Windows Live Movie Maker (Version: 14.0.8117.0416)
Windows Live Photo Gallery (Version: 14.0.8117.416)
Windows Live Sign-in Assistant (Version: 5.000.818.6)
Windows Live Sync (Version: 14.0.8117.416)
Windows Live Toolbar (Version: 14.0.8117.416)
Windows Live Toolbar Extension (Windows Live Toolbar) (Version: 03.01.0146)
Windows Live Upload Tool (Version: 14.0.8014.1029)
Windows Live Writer (Version: 14.0.8117.0416)
WinRAR archiver
WinZip 14.0 (Version: 14.0.9029)
Wisdom-soft AutoScreenRecorder 3.0 Free
Wisdom-soft Toolbar (Version: )

========================= Devices: ================================


========================= Memory info: ===================================

Percentage of memory in use: 61%
Total physical RAM: 1917.76 MB
Available physical RAM: 743.59 MB
Total Pagefile: 4081.99 MB
Available Pagefile: 2630.23 MB
Total Virtual: 2047.88 MB
Available Virtual: 1945.06 MB

========================= Partitions: =====================================

1 Drive c: (Local Disk) (Fixed) (Total:455.6 GB) (Free:314.64 GB) NTFS
2 Drive d: (Backup Data) (Fixed) (Total:10.16 GB) (Free:1.38 GB) NTFS

========================= Users: ========================================

User accounts for \\LILYYU-PC

Administrator Guest Lily Yu
Me

========================= Minidump Files ==================================

No minidump file found

**** End of log ****


The results from Malwarebytes

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.04.07.08

Windows Vista Service Pack 1 x86 NTFS
Internet Explorer 7.0.6001.18000
Me :: LILYYU-PC [administrator]

Protection: Enabled

4/7/2012 3:21:59 PM
mbam-log-2012-04-07 (15-21-59).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 217951
Time elapsed: 19 minute(s), 54 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\Windows\System32\AmdLLD.dll (RootKit.0Access.H) -> Delete on reboot.

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\System32\AmdLLD.dll (RootKit.0Access.H) -> Delete on reboot.

(end)
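
As an added example (not part of the post, and not Malwarebytes code), a small Python triage routine for the Malwarebytes 1.x log format shown above: it pulls each "... Detected: N" section with its entries, checks the declared counts against what was actually listed, and flags rootkit/backdoor-class families, which is the case the reply below addresses. The sample log is constructed from the posted format; the detection line is the one in the post.

```python
import re
from collections import defaultdict

# Constructed sample in the Malwarebytes 1.x log format; the detection line is
# copied from the posted log, the rest of the log is trimmed to the relevant sections.
SAMPLE_LOG = """\
Malwarebytes Anti-Malware 1.60.1.1000
Scan type: Quick scan

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\\Windows\\System32\\AmdLLD.dll (RootKit.0Access.H) -> Delete on reboot.

Registry Keys Detected: 0
(No malicious items detected)

Files Detected: 1
C:\\Windows\\System32\\AmdLLD.dll (RootKit.0Access.H) -> Delete on reboot.

(end)
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# Entry lines look like "<object> (<detection name>) -> <action>."
ENTRY_RE = re.compile(r"^(?P<obj>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return ({section: [(object, detection, action), ...]}, {section: (declared, found)})."""
    findings, declared, section = defaultdict(list), {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            declared[section] = int(m.group("count"))
            continue
        # Skip header lines, blanks, "(No malicious items detected)" and "(end)".
        if section is None or not line or line.startswith("("):
            continue
        e = ENTRY_RE.match(line)
        if e:
            findings[section].append((e.group("obj"), e.group("name"), e.group("action")))
    mismatches = {s: (n, len(findings.get(s, []))) for s, n in declared.items()
                  if n != len(findings.get(s, []))}
    return dict(findings), mismatches

def triage(findings):
    """Summarise detection families, System32 objects hit, and whether a rebuild is advisable."""
    entries = [e for lst in findings.values() for e in lst]
    families = sorted({name.split(".")[0] for _, name, _ in entries})
    system32 = sorted({obj for obj, _, _ in entries
                       if obj.lower().startswith("c:\\windows\\system32\\")})
    rebuild = any(f.lower() in ("rootkit", "backdoor") for f in families)
    return {"families": families, "system32_objects": system32, "rebuild_recommended": rebuild}
```

A count mismatch means the log was truncated or edited and should be re-requested before acting on it.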

#4 dev00790

dev00790

    Bleeping Chocoholic


  • Members
  • 5,037 posts
  • Gender:Male
  • Location:UK
  • Local time:11:23 AM

Posted 07 April 2012 - 06:04 PM

Hi liishang,

IMPORTANT NOTE: One or more of the identified infections is a backdoor Trojan.

Backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is then sent back to the hacker. Read Danger: Remote Access Trojans.

You should disconnect the computer from the Internet and from any networked computers until it is cleaned. If your computer was used for online banking, paying bills, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for taxes, email, eBay, PayPal and any other online activities. You should consider them to be compromised and change passwords from a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified immediately of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity. If using a router, you need to reset it with a strong logon/password before connecting again.

Although the infection has been identified and may be removed, your machine has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be successfully cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson, Security Program Manager at Microsoft TechNet, has to say in
Help: I Got Hacked. Now What Do I Do?

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


We will do our best to clean the computer of any infections seen on the log. However, because of the nature of this Trojan, I cannot offer a total guarantee that there are no remnants left in the system, or that the computer will be trustworthy.

Many security experts believe that once infected with this type of Trojan, the best course of action is to reformat and reinstall the Operating System. Making this decision is based on what the computer is used for, and what information can be accessed from it.

Knowing the above, please let me know whether you wish to proceed with cleaning the malware from the computer.

Regards, dev00790

---------------------------------------

Marge: "Homer, the plant called. They said if you don't show up tomorrow don't bother showing up on Monday." Homer: "Woo-hoo! Four-day weekend!"

I do not reply to Private Messages (PMs) asking for assistance - please use the forums instead. If I have been helping you, and I have not replied to your latest post in 48 hours please send me a PM. My Blog




