Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Redirect exists after two wipes; Avast keeps closing out puma websites?


  • This topic is locked This topic is locked
53 replies to this topic

#1 CaryHM

CaryHM

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:10:53 AM

Posted 04 June 2012 - 12:34 PM

Here is my original post and my logs. Thank you! :

I had noticed I was being redirected in my internet searches and even redirected when I typed the website directly into the address bar, so I did an AVG scan which came back with three threats, two of which I could not remove. For some reason I couldn't even reformat my hard drive with my install disk. I have reformatted a couple different computers in the past and was familiar with the process. I ended up taking the laptop (Dell Inspiron 1545, Win7 64 bit) to the shop where they had it for three weeks, removing about 900 viruses, but even they could not remove the redirect virus after multiple attempts. They wiped the hard drive clean, sent it back to me, and it immediately started doing the same thing, within a few minutes of being online. The guys at the shop said it sounded like my IP was being attacked, mainly because in about 8 minutes my received bytes was over 60 million (I don't know if this is normal or not) without me doing anything but surfing. So they took it again and did another wipe free of charge, installing Avast, Comodo Firewall, and even PeerBlock. In the meantime, I unplugged my cable modem overnight, and got a new modem from my ISP to change my IP address. (I should mention it included a wireless router, as did the last one. We have a total of 3 computers on the network.)

Later that day, my computer was ready. The computer guys said that it wasn't redirecting them at their store with their wi-fi after both their wipes. It immediately started redirecting me again at home, as well as PeerBlock showing about ten sites a second being listed, most of which were allowed and not blocked. In fact, very few were blocked. I'm not sure if PeerBlock is really reputable or not, judging from things I've read online. It seems as though it's showing me all activity but most of which is either not malicious, or if it is malicious, they still don't block it. Either way, why would I need it? I still have 89.5 million received bytes right now being online for 47 minutes and 4.7 million sent. This and PeerBlock are what confuse me most. I'm not sure if either of these is reliable in telling me my IP is being attacked. Avast does pop up that malicious sites are being blocked, anywhere from 4 to 10 an hour at present. According to my tech guys, it's possible for my IP to be attacked, and to have viruses on the other two computers, that re-infected my newly wiped computer even after an IP address change. (Neither computer was on or connected online when I brought it home the second time to try it out). Does this sound right to anyone? Or are my computer guys full of it? I heard of one guy wiping his hard drive and a redirect virus still being present (or a trojan or whatever it was). I can't verify if this is true. The other two computers show about the same bytes sent/received. PeerBlock was installed on my husband's laptop also, and it shows the same traffic as my laptop. But neither of them show any sign of the redirect virus. An Avast scan of my husband's laptop also comes back clean. It seems it's mainly my computer with signs of infection (redirecting), although an Avast scan of my drive also comes back clean. The byte traffic and PeerBlock traffic are the same for both my and my husband's laptop. I've started looking more closely at the sites Avast is blocking and it's always been somethingpuma.com, for example finderpuma or stopsmokingpuma. I have seen others report this on here as well. If my computer guys are right, how can I fix this short of getting a new ISP, buying a new computer, wiping the other two hard drives and prayer?



.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Cary at 12:15:37 on 2012-06-04
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2008.834 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Windows\system32\igfxsrvc.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\conhost.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\taskhost.exe
C:\Windows\SysWOW64\ctfmon.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files (x86)\Comodo\Dragon\dragon.exe
C:\Program Files (x86)\Comodo\Dragon\dragon.exe
C:\Program Files (x86)\Comodo\Dragon\dragon.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\REGSVR32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
uRun: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m
mRun: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
mRun: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
mRun: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRunOnce: [STToasterLauncher] C:\Program Files (x86)\Dell DataSafe Local Backup\toasterLauncher.exe
StartupFolder: C:\Users\CARY~1.CAR\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\DELLDO~1.LNK - C:\Program Files (x86)\Dell\DellDock\DellDock.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 24.159.64.23 24.217.201.67 66.189.0.100
TCP: Interfaces\{EDEC2254-1210-4773-913E-7252D48E036A} : DhcpNameServer = 192.168.2.5
TCP: Interfaces\{F387517E-7C71-421B-B443-C805AE0BB587} : DhcpNameServer = 24.159.64.23 24.217.201.67 66.189.0.100
TCP: Interfaces\{F387517E-7C71-421B-B443-C805AE0BB587}\14075687 : DhcpNameServer = 192.168.1.1
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - c:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
BHO-X64: Search Helper - No File
BHO-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: Windows Live Toolbar Helper: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB-X64: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m
mRun-x64: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
mRun-x64: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
mRun-x64: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRunOnce-x64: [STToasterLauncher] C:\Program Files (x86)\Dell DataSafe Local Backup\toasterLauncher.exe
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Cary.Cary-PC\AppData\Roaming\Mozilla\Firefox\Profiles\dsf5cmw4.default\
FF - plugin: C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\3.0.40624.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-6-1 44768]
R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2009-6-9 155648]
R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2010-4-22 660800]
R3 pbfilter;pbfilter;C:\Program Files\PeerBlock\pbfilter.sys [2012-6-1 24176]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-6-1 136176]
S2 McShield;McAfee Real-time Scanner;C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe --> C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [?]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-6-1 136176]
S3 McSysmon;McAfee SystemGuards;C:\PROGRA~2\McAfee\VIRUSS~1\mcsysmon.exe --> C:\PROGRA~2\McAfee\VIRUSS~1\mcsysmon.exe [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-6-2 129976]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-06-04 08:01:59 1390080 ----a-w- C:\Windows\System32\wininet.dll
2012-06-04 08:01:57 678912 ----a-w- C:\Program Files (x86)\Internet Explorer\iedvtool.dll
2012-06-04 08:01:56 887296 ----a-w- C:\Program Files\Internet Explorer\iedvtool.dll
2012-06-04 03:38:00 -------- d-----w- C:\Users\Cary.Cary-PC\AppData\Local\Microsoft Games
2012-06-03 03:29:06 -------- d-----w- C:\Users\Cary.Cary-PC\AppData\Local\Mozilla
2012-06-03 03:01:09 52224 ----a-w- C:\Windows\System32\drivers\usbehci.sys
2012-06-03 03:01:09 324608 ----a-w- C:\Windows\System32\drivers\usbport.sys
2012-06-03 03:01:08 99328 ----a-w- C:\Windows\System32\drivers\usbccgp.sys
2012-06-03 03:01:08 343040 ----a-w- C:\Windows\System32\drivers\usbhub.sys
2012-06-03 03:01:07 7936 ----a-w- C:\Windows\System32\drivers\usbd.sys
2012-06-03 03:01:07 30720 ----a-w- C:\Windows\System32\drivers\usbuhci.sys
2012-06-03 03:01:07 25600 ----a-w- C:\Windows\System32\drivers\usbohci.sys
2012-06-03 03:00:56 1657216 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2012-06-03 03:00:55 2566144 ----a-w- C:\Windows\System32\esent.dll
2012-06-03 03:00:54 166272 ----a-w- C:\Windows\System32\drivers\nvstor.sys
2012-06-03 03:00:54 148352 ----a-w- C:\Windows\System32\drivers\nvraid.sys
2012-06-03 03:00:54 107904 ----a-w- C:\Windows\System32\drivers\amdsata.sys
2012-06-03 03:00:53 1686016 ----a-w- C:\Windows\SysWow64\esent.dll
2012-06-03 03:00:52 27008 ----a-w- C:\Windows\System32\drivers\amdxata.sys
2012-06-03 03:00:52 187264 ----a-w- C:\Windows\System32\drivers\storport.sys
2012-06-03 03:00:51 410496 ----a-w- C:\Windows\System32\drivers\iaStorV.sys
2012-06-03 03:00:50 96768 ----a-w- C:\Windows\System32\fsutil.exe
2012-06-03 03:00:50 74240 ----a-w- C:\Windows\SysWow64\fsutil.exe
2012-06-02 09:50:51 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F06CE483-D7ED-4E22-9BD2-A27679D54E77}\offreg.dll
2012-06-02 09:07:20 -------- d-----w- C:\Windows\SysWow64\Wat
2012-06-02 09:07:20 -------- d-----w- C:\Windows\System32\Wat
2012-06-02 08:39:55 367104 ----a-w- C:\Windows\System32\wcncsvc.dll
2012-06-02 08:39:54 276992 ----a-w- C:\Windows\SysWow64\wcncsvc.dll
2012-06-02 08:18:00 99176 ----a-w- C:\Windows\SysWow64\PresentationHostProxy.dll
2012-06-02 08:18:00 295264 ----a-w- C:\Windows\SysWow64\PresentationHost.exe
2012-06-02 08:17:59 49472 ----a-w- C:\Windows\SysWow64\netfxperf.dll
2012-06-02 08:17:59 297808 ----a-w- C:\Windows\SysWow64\mscoree.dll
2012-06-02 08:17:59 1130824 ----a-w- C:\Windows\SysWow64\dfshim.dll
2012-06-02 08:17:58 320352 ----a-w- C:\Windows\System32\PresentationHost.exe
2012-06-02 08:17:58 109912 ----a-w- C:\Windows\System32\PresentationHostProxy.dll
2012-06-02 08:17:57 48960 ----a-w- C:\Windows\System32\netfxperf.dll
2012-06-02 08:17:57 444752 ----a-w- C:\Windows\System32\mscoree.dll
2012-06-02 08:17:56 1942856 ----a-w- C:\Windows\System32\dfshim.dll
2012-06-02 08:04:21 80896 ----a-w- C:\Windows\System32\imagehlp.dll
2012-06-02 08:04:21 22896 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2012-06-02 08:04:20 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-06-02 08:04:20 158720 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2012-06-02 08:04:19 220672 ----a-w- C:\Windows\System32\wintrust.dll
2012-06-02 08:04:18 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2012-06-02 08:04:18 5120 ----a-w- C:\Windows\System32\wmi.dll
2012-06-02 08:01:33 243712 ----a-w- C:\Windows\System32\drivers\ks.sys
2012-06-01 21:51:59 2870272 ----a-w- C:\Windows\explorer.exe
2012-06-01 21:49:56 552960 ----a-w- C:\Windows\System32\msdri.dll
2012-06-01 21:48:45 1359872 ----a-w- C:\Windows\System32\mfc42u.dll
2012-06-01 21:48:44 1395712 ----a-w- C:\Windows\System32\mfc42.dll
2012-06-01 21:48:43 1164288 ----a-w- C:\Windows\SysWow64\mfc42u.dll
2012-06-01 21:48:43 1137664 ----a-w- C:\Windows\SysWow64\mfc42.dll
2012-06-01 21:48:38 52224 ----a-w- C:\Windows\System32\rtutils.dll
2012-06-01 21:48:38 37376 ----a-w- C:\Windows\SysWow64\rtutils.dll
2012-06-01 21:48:14 558592 ----a-w- C:\Windows\System32\spoolsv.exe
2012-06-01 21:48:12 46080 ----a-w- C:\Windows\System32\atmlib.dll
2012-06-01 21:48:12 367104 ----a-w- C:\Windows\System32\atmfd.dll
2012-06-01 21:48:12 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2012-06-01 21:48:12 294912 ----a-w- C:\Windows\SysWow64\atmfd.dll
2012-06-01 21:46:47 613888 ----a-w- C:\Windows\System32\psisdecd.dll
2012-06-01 21:45:58 954752 ----a-w- C:\Windows\SysWow64\mfc40.dll
2012-06-01 21:44:58 12625920 ----a-w- C:\Windows\System32\wmploc.DLL
2012-06-01 21:43:55 1732096 ----a-w- C:\Program Files\Windows Journal\NBDoc.DLL
2012-06-01 21:30:42 -------- d-----w- C:\Users\Cary.Cary-PC\AppData\Local\Apps
2012-06-01 21:30:41 -------- d-----w- C:\Users\Cary.Cary-PC\AppData\Local\Deployment
2012-06-01 21:30:32 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
2012-06-01 21:30:32 76288 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-06-01 21:30:32 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-06-01 21:30:11 139264 ----a-w- C:\Windows\System32\cabview.dll
2012-06-01 21:30:11 132608 ----a-w- C:\Windows\SysWow64\cabview.dll
2012-06-01 21:29:43 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-06-01 21:29:42 826368 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-06-01 21:29:42 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-06-01 21:29:42 204800 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-06-01 21:28:00 53080 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
2012-06-01 17:18:17 -------- d-----w- C:\Users\Cary.Cary-PC\AppData\Local\Comodo
2012-06-01 17:18:05 54024 ----a-w- C:\Windows\System32\certsentry.dll
2012-06-01 17:18:05 45320 ----a-w- C:\Windows\SysWow64\certsentry.dll
2012-06-01 16:47:07 8955792 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F06CE483-D7ED-4E22-9BD2-A27679D54E77}\mpengine.dll
2012-06-01 16:47:05 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-06-01 15:27:13 -------- d-----w- C:\ProgramData\Comodo
2012-06-01 15:12:08 -------- d-----w- C:\Users\Cary.Cary-PC\AppData\Local\ElevatedDiagnostics
2012-06-01 14:56:15 819032 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2012-06-01 14:56:15 69976 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2012-06-01 14:55:36 41184 ----a-w- C:\Windows\avastSS.scr
2012-06-01 14:54:48 -------- d-----w- C:\ProgramData\CPA_VA
2012-06-01 14:41:57 -------- d-----w- C:\ProgramData\AVAST Software
2012-06-01 14:41:57 -------- d-----w- C:\Program Files\AVAST Software
2012-06-01 14:40:25 -------- d-----w- C:\Program Files\COMODO
2012-06-01 14:40:21 -------- d-----w- C:\Program Files\PeerBlock
2012-06-01 14:39:56 -------- d-----w- C:\Program Files (x86)\Comodo
2012-06-01 14:39:54 1700352 ----a-w- C:\Windows\SysWow64\gdiplus.dll
2012-06-01 14:36:56 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-06-01 14:13:43 -------- d-----w- C:\Program Files (x86)\Foxit Software
2012-06-01 14:12:50 -------- d-----w- C:\Users\Cary.Cary-PC\AppData\Local\Google
2012-05-31 16:54:12 -------- d-----w- C:\Users\Cary.Cary-PC\AppData\Roaming\Dell
2012-05-31 16:53:52 -------- d-----w- C:\Users\Cary.Cary-PC\AppData\Local\Stardock_Corporation
2012-05-31 16:53:40 -------- d-----w- C:\Users\Cary.Cary-PC\AppData\Local\DataSafeOnline
2012-05-31 16:53:20 -------- d-----w- C:\Users\Cary.Cary-PC\AppData\Local\SupportSoft
2012-05-31 16:51:56 -------- d-sh--w- C:\$RECYCLE.BIN
2012-05-31 16:51:53 -------- d-----w- C:\Users\Cary.Cary-PC\AppData\Local\VirtualStore
2012-05-31 15:50:55 -------- d-----w- C:\Windows\SMINST
.
==================== Find3M ====================
.
2012-04-02 05:34:04 5504880 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-04-02 04:46:44 3958128 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-04-02 04:46:44 3902320 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-04-02 03:01:19 3143680 ----a-w- C:\Windows\System32\win32k.sys
2012-03-30 11:09:53 1895280 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2012-03-17 07:55:58 75632 ----a-w- C:\Windows\System32\drivers\partmgr.sys
.
============= FINISH: 12:27:36.43 ===============

Attached File  Attach.txt   15.06KB   0 downloads

Edited by boopme, 07 June 2012 - 12:42 PM.


BC AdBot (Login to Remove)

 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:53 PM

Posted 08 June 2012 - 08:56 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#3 CaryHM

CaryHM
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:10:53 AM

Posted 08 June 2012 - 11:09 PM

Yes I'm here and super excited/thankful for any instruction!

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:53 PM

Posted 09 June 2012 - 03:54 AM

Your symptoms sound like rootkit activity is present.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Posted Image
m0le is a proud member of UNITE

#5 CaryHM

CaryHM
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:10:53 AM

Posted 09 June 2012 - 07:09 AM

Here is my log. If you see any reason why I should change ISP's or email, please let me know. I can't imagine how I can get re-infected so quickly after a wipe. My email is yahoo, but the guy at the shop said it was possible to get it through there, even though I don't click on spam emails or links?

Attached File  aswMBR.txt   1.91KB   1 downloads

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:53 PM

Posted 09 June 2012 - 02:25 PM

We'll take a look at the system first then see if your router has been infected

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Posted Image
m0le is a proud member of UNITE

#7 CaryHM

CaryHM
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:10:53 AM

Posted 09 June 2012 - 08:50 PM

Sorry it took me so long. I had some trouble running it, then realized I didn't have Avast completely disabled. I don't know if Comodo was also a problem, because it has never shown up in my system tray. In fact, whenever I've tried to "open" the program, I only have two options: uninstall or clicking on the Comodo icon in programs just takes me to their site. So I'm not sure if it was actually ever running or not. Since I was having problems running Combofix, I uninstalled it. Maybe it was a coincidence, but it finally let me run Combofix. It took over thirty minutes to run and over twenty mins to run a report. When it rebooted, PeerBlock automatically came back on till I disabled it again. Hope that didn't affect anything.

Attached Files


Edited by CaryHM, 09 June 2012 - 08:52 PM.


#8 CaryHM

CaryHM
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:10:53 AM

Posted 09 June 2012 - 10:01 PM

Also, just wanted to say I saw that I have Windows Defender enabled in my log? I didn't know anything about it. I was going to rerun the combofix after disabling it, but the instructions on how to disable it in Windows 7 won't play if I don't download Silverlight, and I know I'm not supposed to download anything new. If it's a problem that it was enabled, just let me know how to turn it off, and I'll re-run Combofix. Thanks.

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:53 PM

Posted 10 June 2012 - 07:39 AM

Please run FSS next

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Check all boxes
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Posted Image
m0le is a proud member of UNITE

#10 CaryHM

CaryHM
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:10:53 AM

Posted 10 June 2012 - 07:53 AM

Farbar Service Scanner Version: 09-06-2012
Ran by Cary (administrator) on 10-06-2012 at 07:52:05
Running from "C:\Users\Cary.Cary-PC\Downloads"
Microsoft Windows 7 Home Premium (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys
[2012-06-01 16:46] - [2011-12-27 22:59] - 0499200 ____A (Microsoft Corporation) DB9D6C6B2CD95A9CA414D045B627422E

C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2012-06-01 16:44] - [2012-03-30 06:09] - 1895280 ____A (Microsoft Corporation) 624C5B3AA4C99B3184BB922D9ECE3FF0

C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll
[2009-07-13 19:09] - [2009-07-13 20:41] - 0824832 ____A (Microsoft Corporation) AECAB449567D1846DAD63ECE49E893E3

C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll
[2009-07-13 18:36] - [2009-07-13 20:41] - 0170496 ____A (Microsoft Corporation) 765A27C3279CE11D14CB9E4F5869FCA5

C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll
[2009-07-13 19:36] - [2009-07-13 20:41] - 2418176 ____A (Microsoft Corporation) 38340204A2D0228F1E87740FC5E554A7

C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:53 PM

Posted 10 June 2012 - 08:20 AM

Please attempt to reconnect using the instructions below

Please copy the entire contents of the codebox below into Notepad:
  • Open Notepad
  • Copy the contents of the codebox below using CTRL C

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2]
  • Now return to Notepad and use CTRL V to paste the script
  • Verify that you have pasted the complete script
  • Save the Notepad file to your Desktop as FixReg.reg using Save as Type: All files
  • Locate FixReg.reg on your desktop
  • Double click to run, and when prompted Allow the file to merge with your registry
  • OK your way out.
After that, Reboot your computer.


After the reboot, we will reinstall TCP/IP
  • Go to Start the Settings and choose Network Connections
  • Right click on your normal connection icon, and choose Properties
  • Click the Install button
  • Choose Protocol then click Add
  • Click Have disk
  • In the drop down box, type in: C:\WINDOWS\INF and click OK
  • In the next dialog, click Internet Protocol (TCP/IP) then click OK
  • Click Close to leave the properties box
After that, Reboot your computer and see if you have regained your connection.
Posted Image
m0le is a proud member of UNITE

#12 CaryHM

CaryHM
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:10:53 AM

Posted 10 June 2012 - 09:18 AM

I'm on another computer at the moment....when adding the tcp/ip back, do I want the version 4 or version 6? (tcp/ipv4 or tcp/ipv6)

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:53 PM

Posted 10 June 2012 - 09:21 AM

Use 4
Posted Image
m0le is a proud member of UNITE

#14 CaryHM

CaryHM
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:10:53 AM

Posted 10 June 2012 - 09:26 AM

I was able to get back on.

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:53 PM

Posted 10 June 2012 - 09:29 AM

Good. Please run FSS again and post the log
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users