
Active Redirecting virus

Discussion in 'Malware and Virus Removal Archive' started by kyle, 2009/12/14.

  1. 2009/12/14
    kyle

    kyle Inactive Thread Starter

    Joined:
    2009/12/14
    Messages:
    1
    Likes Received:
    0
    [Active] Redirecting virus

    I ran a full scan multiple times with Trend Micro AntiVirus and it's not finding anything at all. When I am on Mozilla or Internet Explorer I get redirected to random websites. It doesn't just happen while searching on Google and Yahoo but also whenever I click a link on any other website such as Facebook, Comcast's homepage and even my school's website. Here's the logs:


    DDS (Ver_09-12-01.01) - NTFSX64
    Run by Kyle at 15:24:52.28 on Mon 12/14/2009
    Internet Explorer: 7.0.6002.18005
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.7934.5995 [GMT -8:00]

    AV: Trend Micro AntiVirus *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\svchost.exe -k yksvcs
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\Ati2evxx.exe
    C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    C:\Windows\system32\agr64svc.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
    C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE
    C:\Windows\SysWOW64\srvany.exe
    C:\pvsw\bin\w3dbsmgr.exe
    C:\Windows\SysWOW64\PnkBstrA.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    c:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\MHotKey.exe
    C:\Windows\ChiFuncExt.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
    C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
    C:\Windows\ehome\ehtray.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\SysWOW64\rundll32.exe
    C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Windows\CNYHKey.exe
    C:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Windows\ModLedKey.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\explorer.exe
    C:\Windows\system32\svchost.exe -k SDRSVC
    C:\Program Files\Gateway\Gateway Recovery Management\eRecoveryMain.exe
    C:\Program Files (x86)\uTorrent\uTorrent.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Kyle\Downloads\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=0609&m=dx4300
    uDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=0609&m=dx4300
    mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=0609&m=dx4300
    mDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=0609&m=dx4300
    mWinlogon: Userinit=userinit.exe
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files (x86)\java\jre1.6.0_05\bin\ssv.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    uRun: [EA Core] "c:\program files (x86)\electronic arts\eadm\Core.exe" -silent
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [DAEMON Tools Lite] "c:\program files (x86)\daemon tools lite\daemon.exe" -autorun
    uRun: [notepad] rundll32.exe c:\users\kyle\ntload.dll,_IWMPEvents@0
    mRun: [SunJavaUpdateSched] "c:\program files (x86)\java\jre1.6.0_05\bin\jusched.exe "
    mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe "
    mRun: [StartCCC] "c:\program files (x86)\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [Gateway Photo Frame] "c:\program files (x86)\gateway photo frame\ButtonMonitor.exe" -A
    mRun: [LchDrvKey] LchDrvKey.exe
    mRun: [LedKey] CNYHKey.exe
    mRun: [CLMLServer] "c:\program files (x86)\cyberlink\power2go\CLMLSvc.exe "
    mRun: [PeachtreePrefetcher.exe] "c:\progra~2\peacht~1\PeachtreePrefetcher.exe" /configfile:peachtreeprefetcher.winstart.config
    mRun: [QuickTime Task] "c:\program files (x86)\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files (x86)\itunes\iTunesHelper.exe "
    StartupFolder: c:\users\kyle\appdata\roaming\micros~1\windows\startm~1\programs\startup\magicd~1.lnk - c:\program files (x86)\magicdisc\MagicDisc.exe
    StartupFolder: c:\users\kyle\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files (x86)\microsoft office\office12\ONENOTEM.EXE
    StartupFolder: c:\users\kyle\appdata\roaming\micros~1\windows\startm~1\programs\startup\roller~1.lnk - c:\users\kyle\appdata\local\temp\{c389e3d8-0c80-458b-acbe-888501a8accb}\{907b4640-266b-4a21-92fb-cd1a86cd0f63}\ATR1.exe
    StartupFolder: c:\users\kyle\appdata\roaming\micros~1\windows\startm~1\programs\startup\roller~2.lnk - c:\users\kyle\appdata\local\temp\{7117c00a-b058-455d-bf95-f367690db3bd}\{45653847-497f-47bb-a878-46fbde34a3e0}\ATR1.exe
    StartupFolder: c:\users\kyle\appdata\roaming\microsoft\windows\start menu\programs\startup\scandisk.dll
    StartupFolder: c:\users\kyle\appdata\roaming\micros~1\windows\startm~1\programs\startup\scandisk.lnk - c:\windows\system32\rundll32.exe
    StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\pervas~1.lnk - c:\pvsw\bin\w3dbsmgr.exe
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~2\micros~1\office12\EXCEL.EXE/3000
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files (x86)\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~2\micros~1\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~2\micros~1\office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    mRun-x64: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun-x64: [RtHDVCpl] c:\program files\realtek\audio\hda\RAVCpl64.exe
    mRun-x64: [Skytel] c:\program files\realtek\audio\hda\Skytel.exe
    mRun-x64: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe "
    mRun-x64: [CanonSolutionMenu] "c:\program files (x86)\canon\solutionmenu\CNSLMAIN.exe" /logon
    mRun-x64: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\kyle\appdata\roaming\mozilla\firefox\profiles\q1gqq1vb.default\
    FF - plugin: c:\program files (x86)\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
    FF - plugin: c:\program files (x86)\windows live\photo gallery\NPWLPG.dll
    FF - plugin: c:\users\kyle\appdata\roaming\move networks\plugins\npqmp071505000010.dll
    FF - plugin: c:\users\kyle\appdata\roaming\move networks\plugins\npqmp071505000011.dll
    FF - plugin: c:\users\kyle\appdata\roaming\move networks\plugins\npqmp071701000002.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

    ---- FIREFOX POLICIES ----
    c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl3.rsa_seed_sha ", true);

    ============= SERVICES / DRIVERS ===============

    R2 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;c:\windows\syswow64\srvany.exe [2009-11-5 13864]
    R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-8-24 42000]
    R2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-8-24 900360]
    R2 yksvc;Marvell Yukon Service;c:\windows\system32\svchost.exe -k yksvcs [2008-1-20 27648]
    R3 cxpl_mhd;CX23885/8 PCI-E AvStream Video Capture (PalomarMHD);c:\windows\system32\drivers\y_cx88x.sys [2009-3-23 676992]
    R3 RTL85n64;Realtek 8180/8185 Extensible 802.11 Wireless Device Driver;c:\windows\system32\drivers\RTL85n64.sys [2009-4-9 444960]
    R3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk60x64.sys [2009-1-8 405504]
    S2 Norton Internet Security;Norton Internet Security; "c:\program files (x86)\norton internet security\engine\16.0.0.125\ccsvchst.exe" /s "norton internet security" /m "c:\program files (x86)\norton internet security\engine\16.0.0.125\dimaster.dll" /prefetch:1 --> c:\program files (x86)\norton internet security\engine\16.0.0.125\ccSvcHst.exe [?]
    S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe [2009-9-10 89920]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 27648]
    S3 PerfHost;Performance Counter DLL Host;c:\windows\syswow64\perfhost.exe [2008-1-20 19968]
    S4 ahcix64s;ahcix64s;c:\windows\system32\drivers\ahcix64s.sys [2009-4-9 225296]

    =============== Created Last 30 ================

    2009-12-10 00:27:31 0 d-----w- c:\users\kyle\appdata\roaming\SPORE
    2009-12-09 11:00:36 32768 ----a-w- c:\windows\system32\nshhttp.dll
    2009-12-09 11:00:36 24064 ----a-w- c:\windows\syswow64\nshhttp.dll
    2009-12-09 11:00:35 620032 ----a-w- c:\windows\system32\drivers\http.sys
    2009-12-09 11:00:35 33792 ----a-w- c:\windows\system32\httpapi.dll
    2009-12-09 11:00:34 30720 ----a-w- c:\windows\syswow64\httpapi.dll
    2009-12-03 18:19:05 0 d-----w- c:\program files\iPod
    2009-12-03 18:19:04 0 d-----w- c:\program files\iTunes
    2009-12-01 03:22:30 0 d-----w- c:\users\kyle\appdata\roaming\Research In Motion
    2009-12-01 03:22:01 0 d-----w- c:\program files (x86)\common files\Research In Motion
    2009-11-25 11:00:58 2048 ----a-w- c:\windows\syswow64\tzres.dll
    2009-11-25 11:00:58 2048 ----a-w- c:\windows\system32\tzres.dll
    2009-11-24 18:18:08 1869824 ----a-w- c:\windows\system32\msxml3.dll
    2009-11-24 18:18:07 1797120 ----a-w- c:\windows\system32\msxml6.dll
    2009-11-24 18:18:06 1401856 ----a-w- c:\windows\syswow64\msxml6.dll
    2009-11-24 18:18:06 1248768 ----a-w- c:\windows\syswow64\msxml3.dll
    2009-11-24 18:18:04 880640 ----a-w- c:\windows\system32\timedate.cpl
    2009-11-24 18:18:03 714240 ----a-w- c:\windows\syswow64\timedate.cpl

    ==================== Find3M ====================

    2009-12-02 20:34:00 51200 ----a-w- c:\windows\inf\infpub.dat
    2009-12-02 20:33:59 143360 ----a-w- c:\windows\inf\infstrng.dat
    2009-12-02 20:33:57 86016 ----a-w- c:\windows\inf\infstor.dat
    2009-11-04 11:09:33 665600 ----a-w- c:\windows\inf\drvindex.dat
    2009-11-04 11:09:27 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
    2009-11-04 11:09:03 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
    2009-11-03 04:42:06 226688 ------w- c:\windows\system32\MpSigStub.exe
    2009-10-27 14:25:02 1032192 ----a-w- c:\windows\system32\wininet.dll
    2009-10-27 14:11:14 834048 ----a-w- c:\windows\syswow64\wininet.dll
    2009-10-27 14:11:02 1176064 ----a-w- c:\windows\syswow64\urlmon.dll
    2009-10-27 14:09:22 3599872 ----a-w- c:\windows\syswow64\mshtml.dll
    2009-10-27 14:08:37 6079488 ----a-w- c:\windows\syswow64\ieframe.dll
    2009-10-27 14:08:37 180736 ----a-w- c:\windows\syswow64\ieui.dll
    2009-10-27 14:08:36 380928 ----a-w- c:\windows\syswow64\ieapfltr.dll
    2009-10-27 13:41:03 86528 ----a-w- c:\windows\system32\ieencode.dll
    2009-10-27 13:16:28 78336 ----a-w- c:\windows\syswow64\ieencode.dll
    2009-10-24 06:39:36 190216 ----a-w- c:\windows\syswow64\PnkBstrB.exe
    2009-10-08 21:08:04 736256 ----a-w- c:\windows\system32\UIAutomationCore.dll
    2009-10-08 21:08:01 555520 ----a-w- c:\windows\syswow64\UIAutomationCore.dll
    2009-10-08 21:08:01 234496 ----a-w- c:\windows\syswow64\oleacc.dll
    2009-10-08 21:07:59 4096 ----a-w- c:\windows\syswow64\oleaccrc.dll
    2009-10-08 21:07:58 315904 ----a-w- c:\windows\system32\oleacc.dll
    2009-10-08 21:07:54 4096 ----a-w- c:\windows\system32\oleaccrc.dll
    2009-10-07 12:20:17 280576 ----a-w- c:\windows\system32\rastls.dll
    2009-10-07 11:36:36 243712 ----a-w- c:\windows\syswow64\rastls.dll
    2009-10-04 19:42:11 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
    2009-10-01 01:02:17 2537472 ----a-w- c:\windows\syswow64\wpdshext.dll
    2009-10-01 01:02:05 30208 ----a-w- c:\windows\syswow64\WPDShextAutoplay.exe
    2009-10-01 01:02:04 334848 ----a-w- c:\windows\syswow64\PortableDeviceApi.dll
    2009-10-01 01:02:02 87552 ----a-w- c:\windows\syswow64\WPDShServiceObj.dll
    2009-10-01 01:01:59 160256 ----a-w- c:\windows\syswow64\PortableDeviceTypes.dll
    2009-10-01 01:01:56 60928 ----a-w- c:\windows\syswow64\PortableDeviceConnectApi.dll
    2009-10-01 01:01:56 350208 ----a-w- c:\windows\syswow64\WPDSp.dll
    2009-10-01 01:01:56 196608 ----a-w- c:\windows\syswow64\PortableDeviceWMDRM.dll
    2009-10-01 01:01:56 100864 ----a-w- c:\windows\syswow64\PortableDeviceClassExtension.dll
    2009-10-01 00:52:29 2727936 ----a-w- c:\windows\system32\wpdshext.dll
    2009-10-01 00:52:10 453120 ----a-w- c:\windows\system32\PortableDeviceApi.dll
    2009-10-01 00:52:02 34816 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
    2009-10-01 00:51:59 110080 ----a-w- c:\windows\system32\WPDShServiceObj.dll
    2009-10-01 00:51:56 37888 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
    2009-10-01 00:51:54 573440 ----a-w- c:\windows\system32\wpd_ci.dll
    2009-10-01 00:51:50 433152 ----a-w- c:\windows\system32\WPDSp.dll
    2009-10-01 00:51:46 218624 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
    2009-10-01 00:51:45 77824 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
    2009-10-01 00:51:45 113152 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
    2009-10-01 00:51:40 295936 ----a-w- c:\windows\system32\WpdMtp.dll
    2009-10-01 00:51:40 107008 ----a-w- c:\windows\system32\wpdbusenum.dll
    2009-10-01 00:51:34 214528 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
    2009-10-01 00:51:33 75264 ----a-w- c:\windows\system32\WpdMtpUS.dll
    2009-10-01 00:51:32 37376 ----a-w- c:\windows\system32\WpdConns.dll
    2009-10-01 00:13:46 178800 ----a-w- c:\windows\syswow64\CmdLineExt_x64.dll
    2009-09-27 02:19:43 4608 ----a-w- c:\windows\syswow64\w95inf32.dll
    2009-09-27 02:19:43 2272 ----a-w- c:\windows\syswow64\w95inf16.dll
    2009-09-25 02:27:43 1209856 ----a-w- c:\windows\system32\WindowsCodecs.dll
    2009-09-25 02:10:10 974848 ----a-w- c:\windows\syswow64\WindowsCodecs.dll
    2009-09-25 02:10:01 245248 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
    2009-09-25 02:09:10 411648 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
    2009-09-25 02:07:08 189440 ----a-w- c:\windows\syswow64\WindowsCodecsExt.dll
    2009-09-25 02:04:32 321024 ----a-w- c:\windows\syswow64\PhotoMetadataHandler.dll
    2009-09-25 02:00:39 3068416 ----a-w- c:\windows\system32\xpsservices.dll
    2009-09-25 01:56:42 643072 ----a-w- c:\windows\system32\XpsPrint.dll
    2009-09-25 01:49:22 1554432 ----a-w- c:\windows\syswow64\xpsservices.dll
    2009-09-25 01:48:08 351232 ----a-w- c:\windows\syswow64\XpsPrint.dll
    2009-09-25 01:40:43 1461760 ----a-w- c:\windows\system32\OpcServices.dll
    2009-09-25 01:40:07 470016 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2009-09-25 01:39:09 231936 ----a-w- c:\windows\system32\XpsRasterService.dll
    2009-09-25 01:38:29 847360 ----a-w- c:\windows\syswow64\OpcServices.dll
    2009-09-25 01:36:16 262656 ----a-w- c:\windows\system32\dxdiagn.dll
    2009-09-25 01:36:13 280064 ----a-w- c:\windows\syswow64\XpsGdiConverter.dll
    2009-09-25 01:36:08 1548800 ----a-w- c:\windows\system32\d3d10warp.dll
    2009-09-25 01:35:49 328192 ----a-w- c:\windows\system32\dxdiag.exe
    2009-09-25 01:35:48 449024 ----a-w- c:\windows\system32\WMPhoto.dll
    2009-09-25 01:35:31 135680 ----a-w- c:\windows\syswow64\XpsRasterService.dll
    2009-09-25 01:34:58 1269248 ----a-w- c:\windows\system32\d3d10.dll
    2009-09-25 01:33:48 792576 ----a-w- c:\windows\system32\d3d11.dll
    2009-09-25 01:33:25 195584 ----a-w- c:\windows\syswow64\dxdiagn.dll
    2009-09-25 01:33:15 829440 ----a-w- c:\windows\syswow64\d3d10warp.dll
    2009-09-25 01:33:01 369664 ----a-w- c:\windows\syswow64\WMPhoto.dll
    2009-09-25 01:32:59 252928 ----a-w- c:\windows\syswow64\dxdiag.exe
    2009-09-25 01:32:22 566272 ----a-w- c:\windows\system32\d3d10level9.dll
    2009-09-25 01:31:53 519680 ----a-w- c:\windows\syswow64\d3d11.dll
    2009-09-25 01:31:53 196608 ----a-w- c:\windows\system32\d3d10_1.dll
    2009-09-25 01:31:51 326656 ----a-w- c:\windows\system32\d3d10_1core.dll
    2009-09-25 01:31:47 625664 ----a-w- c:\windows\system32\dxgi.dll
    2009-09-25 01:31:41 287744 ----a-w- c:\windows\system32\d3d10core.dll
    2009-09-25 01:31:36 981504 ----a-w- c:\windows\system32\d2d1.dll
    2009-09-25 01:31:26 486912 ----a-w- c:\windows\syswow64\d3d10level9.dll
    2009-09-25 01:31:21 161280 ----a-w- c:\windows\syswow64\d3d10_1.dll
    2009-09-25 01:31:19 218112 ----a-w- c:\windows\syswow64\d3d10_1core.dll
    2009-09-25 01:31:16 1030144 ----a-w- c:\windows\syswow64\d3d10.dll
    2009-09-25 01:31:15 828928 ----a-w- c:\windows\syswow64\d2d1.dll
    2009-09-25 01:30:23 481792 ----a-w- c:\windows\syswow64\dxgi.dll
    2009-09-25 01:30:23 190464 ----a-w- c:\windows\syswow64\d3d10core.dll
    2009-09-25 01:27:04 1064448 ----a-w- c:\windows\syswow64\DWrite.dll
    2009-09-25 01:26:38 47616 ----a-w- c:\windows\system32\cdd.dll
    2009-09-25 01:26:26 1548800 ----a-w- c:\windows\system32\DWrite.dll
    2009-09-25 01:26:26 1142272 ----a-w- c:\windows\system32\FntCache.dll
    2009-09-24 22:54:55 258048 ----a-w- c:\windows\syswow64\winspool.drv
    2009-09-23 20:23:39 18814 ----a-w- c:\windows\syswow64\ealregsnapshot1.reg
    2009-09-23 01:45:12 75064 ----a-w- c:\windows\syswow64\PnkBstrA.exe

    ============= FINISH: 15:25:14.94 ===============

    DDS (Ver_09-12-01.01)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 6/26/2009 2:39:28 AM
    System Uptime: 12/14/2009 1:03:59 PM (2 hours ago)

    Motherboard: Gateway | | RS780
    Processor: AMD Phenom(tm) 9750 Quad-Core Processor | AM2 | 2400/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 917 GiB total, 732.448 GiB free.
    D: is Removable
    E: is Removable
    F: is Removable
    G: is Removable
    H: is Removable
    I: is CDROM (CDFS)
    J: is CDROM (UDF)
    K: is CDROM ()
    L: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft 6to4 Adapter
    Device ID: ROOT\*6TO4MP\0004
    Manufacturer: Microsoft
    Name: Microsoft 6to4 Adapter #3
    PNP Device ID: ROOT\*6TO4MP\0004
    Service: tunnel

    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft 6to4 Adapter
    Device ID: ROOT\*6TO4MP\0005
    Manufacturer: Microsoft
    Name: Microsoft 6to4 Adapter #4
    PNP Device ID: ROOT\*6TO4MP\0005
    Service: tunnel

    Class GUID: {4d36e96f-e325-11ce-bfc1-08002be10318}
    Description: Microsoft PS/2 Mouse
    Device ID: ACPI\PNP0F03\4&2A700557&0
    Manufacturer: Microsoft
    Name: Microsoft PS/2 Mouse
    PNP Device ID: ACPI\PNP0F03\4&2A700557&0
    Service: i8042prt

    ==== System Restore Points ===================

    RP284: 12/14/2009 12:09:06 PM - Installed ParetoLogic Anti-Virus PLUS.
    RP285: 12/14/2009 3:08:11 PM - Windows Update

    ==== Installed Programs ======================

    µTorrent
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 Plugin
    Adobe Flash Player ActiveX
    Adobe Reader 9
    Adobe Shockwave Player 11.5
    AMD LIVE! Explorer
    Apple Application Support
    Apple Software Update
    Battlefield 2(TM)
    Battlefield 2: Special Forces
    Battlefield 2142 Deluxe Edition
    BlackBerry Device Software Updater
    Borderlands
    Business Contact Manager for Outlook 2007 SP2
    Canon MP Navigator EX 2.0
    Canon MP240 series User Registration
    Canon Utilities Easy-PhotoPrint EX
    Canon Utilities My Printer
    Canon Utilities Solution Menu
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Vista
    Catalyst Control Center InstallProxy
    Catalyst Control Center Localization Danish
    Catalyst Control Center Localization Dutch
    Catalyst Control Center Localization Finnish
    Catalyst Control Center Localization French
    Catalyst Control Center Localization German
    Catalyst Control Center Localization Italian
    Catalyst Control Center Localization Japanese
    Catalyst Control Center Localization Norwegian
    Catalyst Control Center Localization Spanish
    Catalyst Control Center Localization Swedish
    ccc-core-static
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Italian
    CCC Help Japanese
    CCC Help Norwegian
    CCC Help Spanish
    CCC Help Swedish
    Choice Guard
    Comcast High-Speed Internet Install Wizard
    Command & Conquer 3
    Command & Conquer™ 3: Kane's Wrath
    Command & Conquer™ Red Alert™ 3
    Compatibility Pack for the 2007 Office system
    CyberLink Power2Go
    DAEMON Tools Toolbar
    EA Download Manager
    Gateway Games
    Gateway Photo Frame 4.2.3.6
    Gateway Recovery Management
    Gateway ScreenSaver
    GDR 4053 for SQL Server Database Services 2005 ENU (KB970892)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    ImgBurn
    Inkjet Printer/Scanner Extended Survey Program
    Java(TM) 6 Update 5
    Junk Mail filter update
    KB0817 Keyboard Driver
    LimeWire 5.2.13
    Magic ISO Maker v5.5 (build 0276)
    MagicDisc 2.7.106
    Marvell Miniport Driver
    Microsoft Money Essentials
    Microsoft Money Shared Libraries
    Microsoft Office 2003 Web Components
    Microsoft Office 2007 Primary Interop Assemblies
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Professional 2007
    Microsoft Office Professional 2007 Subscription
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Small Business Connectivity Components
    Microsoft Office Standard 2007
    Microsoft Office Suite Activation Assistant
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft SQL Server 2005
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
    Microsoft SQL Server Setup Support Files (English)
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Works
    Move Media Player
    Mozilla Firefox (3.5.5)
    MSVCRT
    NVIDIA PhysX v8.10.29
    Peachtree Accounting 2008
    Peachtree Complete Accounting 2008
    Peachtree Complete Accounting Educational Version 2008
    PeachTree Signature Ready Forms
    Pervasive Software PSQL v9.1 Client
    Pervasive System Analyzer v9.1
    PunkBuster Services
    QuickTime
    RCT3 Soaked
    Realtek High Definition Audio Driver
    RollerCoaster Tycoon® 3
    Sage Software Integration Services
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB973704)
    Security Update for Microsoft Office Excel 2007 (KB973593)
    Security Update for Microsoft Office Outlook 2007 (KB972363)
    Security Update for Microsoft Office PowerPoint 2007 (KB957789)
    Security Update for Microsoft Office Publisher 2007 (KB969693)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB969613)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Sims2Pack Clean Installer
    Skins
    SPORE™
    SPORE™ Creepy & Cute Parts Pack
    TextPad 5
    The Sims 2 Family Fun Stuff
    The Sims 2 Glamour Life Stuff
    The Sims 2 Open For Business
    The Sims 2 Pets
    The Sims 2 University
    The Sims™ 2 Apartment Life
    The Sims™ 2 Bon Voyage
    The Sims™ 2 Celebration! Stuff
    The Sims™ 2 Deluxe
    The Sims™ 2 FreeTime
    The Sims™ 2 H&M® Fashion Stuff
    The Sims™ 2 IKEA® Home Stuff
    The Sims™ 2 Kitchen & Bath Interior Design Stuff
    The Sims™ 2 Mansion and Garden Stuff
    The Sims™ 2 Seasons
    The Sims™ 2 Teen Style Stuff
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office InfoPath 2007 (KB976416)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 (KB974561)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Outlook 2007 Junk Email Filter (kb976884)
    VLC media player 1.0.1
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Upload Tool
    Windows Live Writer
    Xilisoft 3GP Video Converter

    ==== Event Viewer Messages From Past Week ========

    12/9/2009 3:02:17 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
    12/9/2009 3:02:17 AM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    12/9/2009 3:02:17 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments " " in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    12/14/2009 8:38:26 AM, Error: Microsoft-Windows-PrintSpooler [6161] - The document Microsoft Word - 370 - QuestionsEmployersMayAsk, owned by Kyle, failed to print on printer Canon MP240 series Printer. Try to print the document again, or restart the print spooler. Data type: NT EMF 1.008. Size of the spool file in bytes: 1703936. Number of bytes printed: 1628372. Total number of pages in the document: 1. Number of pages printed: 0. Client computer: \\KYLESCOMPUTER. Win32 error code returned by the print processor: 1. Incorrect function.
    12/14/2009 11:14:21 AM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {E579AB5F-1CC4-44B4-BED9-DE0991FF0623} to the user KylesComputer\Kyle SID (S-1-5-21-1244740279-961540612-1906324143-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    12/14/2009 1:05:24 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SRTSP SRTSPX
    12/14/2009 1:05:24 PM, Error: Service Control Manager [7000] - The Norton Internet Security service failed to start due to the following error: The system cannot find the path specified.
    12/10/2009 12:04:05 PM, Error: Microsoft-Windows-PrintSpooler [6161] - The document Microsoft Word - Document1, owned by Kyle, failed to print on printer Canon MP240 series Printer. Try to print the document again, or restart the print spooler. Data type: NT EMF 1.008. Size of the spool file in bytes: 65536. Number of bytes printed: 11816. Total number of pages in the document: 1. Number of pages printed: 0. Client computer: \\KYLESCOMPUTER. Win32 error code returned by the print processor: 1. Incorrect function.

    ==== End Of File ===========================
     
  2. 2009/12/14
    Admin. (Administrator, Staff)

    I see you have P2P software ( Limewire, BitTorrent, uTorrent etc… ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

    References for the risk of these programs are here, and here.

    I would strongly recommend that you uninstall them.

    Note: Please be advised that continued use of these programs after being warned of the danger of infections from them may result in the discontinued help of future cleaning of your system here at WindowsBBS Malware and Virus removal.

    A Malware expert will have a look at your log in due course.
     


  4. 2009/12/14
    broni (Moderator, Malware Analyst)

    Print these instructions out.

    NOTE. If any of the programs listed below refuses to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure you update SUPERAntiSpyware and Malwarebytes before running the scans.***

    STEP 1. Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.

    PHYSICALLY DISCONNECT FROM THE INTERNET

    Restart computer in Safe Mode.
    To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen.

    * Open SUPERAntiSpyware.
    * Click Scan your Computer... button.
    * Click Scanning Preferences/Control Center... button.
    * Under the General and Startup tab, make sure the Start SUPERAntiSpyware when Windows starts option is UN-checked.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Terminate memory threats before quarantining.
    * Click the Close button to leave the control center screen.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
    * Make sure everything has a checkmark next to it and click Next.
    * A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
    * If asked if you want to reboot, click Yes.
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
    * Click Close to exit the program.
    Post SUPERAntiSpyware log.

    RECONNECT TO THE INTERNET

    RESTART COMPUTER!

    STEP 2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    ******************************************************************************************
    Due to a bug in Malwarebytes, you may see the following entries in MBAM's log:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\atapi (Rootkit)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\atapi (Rootkit)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi (Rootkit)

    DO NOT remove those entries!
    If you do, your computer will become UN-bootable.
    The issue has been fixed in the latest MBAM update, so it's EXTREMELY important that you update MBAM before you run it.
    ****************************************************************************************

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 3. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double-click on the downloaded .exe file, select the Rootkit tab and click the Scan button.
    When the scan is completed, click the Save button and save the results as gmer.log
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    RESTART COMPUTER

    STEP 4. Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Download HijackThis Installer
    Install, and run it.
    Post HijackThis log.
    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
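For the symptom in this thread (both browsers redirect on every click while the installed antivirus reports nothing), three local settings are worth a look alongside the scans above: the hosts file, the DNS servers the adapter is using, and the Internet Explorer proxy setting, all of which redirect traffic without any malicious file being on disk for an AV to find. The script below is an added example for this archive, not part of broni's instructions and not from any of the tools named. It runs offline over constructed sample input (RFC 5737 TEST-NET addresses stand in for attacker addresses); the hosts file path, the registry key and value names, and the `ipconfig /all` line layout are the real Vista ones, but the script only parses the embedded samples and never touches the machine. A clean result here does not rule out a kernel-mode rootkit hooking the network stack, which is what the GMER step is for.

```python
"""Offline triage of the three settings behind most 'every browser redirects
but the AV is clean' reports: hosts file, DNS servers and the IE proxy."""
import ipaddress
import re

# Real locations of these settings on Windows Vista (documented, not read here).
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"
PROXY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
# Sites of the tools named in the thread; malware pins them in the hosts file
# so the scanners can neither be downloaded nor updated.
VENDOR_DOMAINS = ("trendmicro.com", "malwarebytes.org", "superantispyware.com", "gmer.net")
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def _parse_ip(text):
    try:
        return ipaddress.ip_address(text.split("%", 1)[0])  # drop IPv6 zone id
    except ValueError:
        return None

def _is_lan_or_loopback(text):
    """Addresses a home hosts file or DNS setting can legitimately hold."""
    ip = _parse_ip(text)
    return ip is not None and (ip.is_loopback or ip.is_link_local
                               or any(ip in n for n in LAN_NETS))

def check_hosts(text):
    """(ip, hostname, reason) for hosts-file entries that look planted."""
    findings = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()          # drop comment, tokenize
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        for name in names:
            low = name.lower()
            if low in ("localhost", "localhost.localdomain", "broadcasthost"):
                continue
            if any(low == d or low.endswith("." + d) for d in VENDOR_DOMAINS):
                findings.append((ip, name, "security vendor site pinned in hosts file"))
            elif not _is_lan_or_loopback(ip):
                findings.append((ip, name, "public name pinned to a non-LAN address"))
    return findings

DNS_LINE = re.compile(r"DNS Servers[ .]*:\s*(\S+)")
CONTINUATION = re.compile(r"^\s+(\S+)\s*$")   # 2nd and later servers are indented

def parse_dns_servers(ipconfig_text):
    """Every DNS server listed in 'ipconfig /all' output, across all adapters."""
    servers, in_dns = [], False
    for line in ipconfig_text.splitlines():
        m = DNS_LINE.search(line) or (in_dns and CONTINUATION.match(line))
        in_dns = bool(m) and _parse_ip(m.group(1)) is not None
        if in_dns:
            servers.append(m.group(1))
    return servers

def check_dns(servers):
    """Servers outside the LAN: confirm each against what the router/ISP assigns."""
    return [s for s in servers if not _is_lan_or_loopback(s)]

def check_proxy(values):
    """values: ProxyEnable / ProxyServer / AutoConfigURL from PROXY_KEY, as a dict."""
    findings = []
    if values.get("ProxyEnable") == 1 and values.get("ProxyServer"):
        findings.append("proxy forced on: " + values["ProxyServer"])
    if values.get("AutoConfigURL"):
        findings.append("PAC script configured: " + values["AutoConfigURL"])
    return findings

SAMPLE_HOSTS = """\
# constructed sample, not the poster's file
127.0.0.1       localhost
::1             localhost
192.168.1.10    printer.home             # harmless LAN entry
203.0.113.5     www.google.com           # search traffic quietly rerouted
203.0.113.5     search.yahoo.com
127.0.0.1       www.malwarebytes.org     # download site black-holed
"""
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       203.0.113.54
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
SAMPLE_PROXY = {"ProxyEnable": 1, "ProxyServer": "203.0.113.9:8080", "AutoConfigURL": ""}

if __name__ == "__main__":
    print(check_hosts(SAMPLE_HOSTS))
    print(check_dns(parse_dns_servers(SAMPLE_IPCONFIG)))
    print(check_proxy(SAMPLE_PROXY))
```

On the real machine the same checks mean: open HOSTS_PATH in Notepad (run as Administrator on Vista) and look for any line other than the localhost ones, run `ipconfig /all` and compare the DNS servers against the router's own address, and inspect the three values under PROXY_KEY. A DNS server outside the LAN is not proof of infection on its own (some ISPs assign public resolvers directly), so confirm it against what the router or ISP actually hands out before changing anything; the general rule of this thread still applies, post what you find rather than fixing it yourself.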
     
