PDA

View Full Version : redirecting issues, viruses



addieto
2010-06-08, 00:19
Hi Helpers

I've been having website redirecting issues and other viruses popping up. It also seems to be not allowing me to send mail through webmail. Here is my DDS log -- any help would be great! thanks so much,
Adam

DDS (Ver_10-03-17.01) - NTFSx86
Run by Adam at 17:05:11.71 on Mon 06/07/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.596 [GMT -4:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
E:\Opera.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - No File
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1226881889609
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
TCP: NameServer = 93.188.162.55,93.188.161.185
TCP: {229940A4-D4D7-4E45-940F-823F1EF71F1C} = 93.188.162.55,93.188.161.185
TCP: {6B10D9B9-1B2C-4449-8440-4956197A3A0A} = 93.188.162.55,93.188.161.185
TCP: {B3EB3D98-19BA-46E3-B8F2-31BAFB60A973} = 93.188.162.55,93.188.161.185
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-6-6 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-6-6 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-6-6 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-6-6 60936]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-8 135664]
S3 KLSIENET;Driver for USB Ethernet Adapter;c:\windows\system32\drivers\usb101et.sys [2008-11-16 32384]

=============== Created Last 30 ================

2010-06-07 02:01:00 0 d-----w- c:\windows\system32\NtmsData
2010-06-07 01:36:59 0 d-----w- c:\docume~1\admini~1\applic~1\Avira
2010-06-07 01:14:55 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-06-07 01:14:24 0 d-----w- c:\program files\Avira
2010-06-07 01:14:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-06-06 23:59:13 0 d-----w- c:\windows\system32\wbem\Repository
2010-06-06 23:56:39 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-06-06 23:47:38 0 d-----w- c:\docume~1\alluse~1\applic~1\avg8(2)
2010-06-06 13:06:45 0 d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2010-06-06 13:06:28 0 d-----w- c:\program files\SUPERAntiSpyware
2010-06-06 03:46:32 75264 ----a-w- c:\windows\system32\ernel32.dll
2010-06-06 03:46:13 75264 ----a-w- c:\docume~1\admini~1\applic~1\83c8e925.exe
2010-06-06 03:45:36 0 d-----w- c:\docume~1\admini~1\applic~1\C28DA6D0C3353575AC6A13EB7082A225
2010-06-04 13:55:18 0 d-----w- c:\docume~1\admini~1\applic~1\webex
2010-05-18 13:01:51 0 d-----w- c:\program files\iPod

==================== Find3M ====================

2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ------w- c:\windows\system32\corpol.dll
2004-03-11 18:27:22 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2010-01-08 16:17:23 16384 -csha-w- c:\windows\system32\config\systemprofile\cookies\index.dat
2010-01-08 16:17:23 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2009-07-25 16:02:55 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009072520090726\index.dat
2010-01-08 16:17:23 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 17:07:22.54 ===============

Dakeyras
2010-06-11, 01:26
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post the appropriate logs in the Malware Removal forum and wait for help.Hi addieto and welcome to Safer Networking. :)

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:

I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine!
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Refrain from running self fixes as this will hinder the malware removal process.
It may prove beneficial if you print of the following instructions or save them to notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Before we start:

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

SUPERAntiSpyware Advice:

CAUTION: SuperAntiSpyware comes with a programme called Bootsafe, do not for any reason use this programme, if used on an infected computer it could render it UNBOOTABLE.

Download/run Rkill:

Please download Rkill from one of the following links and save to your Desktop:

One (http://download.bleepingcomputer.com/grinler/rkill.exe), Two (http://download.bleepingcomputer.com/grinler/rkill.com),Three (http://download.bleepingcomputer.com/grinler/rkill.scr) or Four (http://download.bleepingcomputer.com/grinler/rkill.pif).

Note: If your security software warns about Rkill, please ignore and allow the download to continue.

Double click on Rkill.
A command window will open then disappear upon completion, this is normal.
Please leave Rkill on the Desktop until otherwise advised.
Note: A logfile will have been created, it can be located at the root of your installed Hard-Drive. EG: C:\rkill.txt.

Scan with RSIT:

Please download Random's System Information Tool by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Make sure that RSIT.exe is on the your Desktop before running the application!

Double-click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:

log.txt will be opened maximized.
info.txt will be opened minimized.
Please post the contents of both log.txt and info.txt.
Note: Both logs can also be located within this folder rsit at the root of your installed Hard-Drive. EG: C:\rsit

When completed the above, please post back the following in the order asked for:

How is your computer performing now, any further symptoms and or problems encountered?
RKill Log.
Both RSIT logs. <-- Post them individually please, IE: one Log per post/reply.

Dakeyras
2010-06-14, 17:18
Due to the lack of feedback this Topic is closed.

If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh set of DDS log and a link to your previous thread.

If it has been less than three days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.