
user59

Members
Posts: 6
Reputation: 0 Neutral
  1. The redirects have stopped since I deleted the rogue scheduled task 2 days ago. I have attached the log files from the 2 processes: hijackthis.log, checkup.txt
  2. Hi Maurice, I ran the scan; here is the logfile:

     Malwarebytes Anti-Malware (Trial) 1.60.0.1800
     www.malwarebytes.org

     Database version: v2012.01.04.04

     Windows Vista Service Pack 2 x86 NTFS
     Internet Explorer 8.0.6001.19170
     Kev :: KEV-LAPTOP [administrator]

     Protection: Enabled

     04/01/2012 19:51:51
     mbam-log-2012-01-04 (19-51-51).txt

     Scan type: Full scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 346637
     Time elapsed: 48 minute(s), 38 second(s)

     Memory Processes Detected: 0
     (No malicious items detected)

     Memory Modules Detected: 0
     (No malicious items detected)

     Registry Keys Detected: 0
     (No malicious items detected)

     Registry Values Detected: 0
     (No malicious items detected)

     Registry Data Items Detected: 0
     (No malicious items detected)

     Folders Detected: 0
     (No malicious items detected)

     Files Detected: 0
     (No malicious items detected)

     (end)
  3. I read another post which advised using HijackThis to generate a logfile of all startup programs. This showed I had a scheduled task called lzuylpn. I stopped, disabled and deleted it, then rebooted. It now appears to be working OK.
  4. Hi Maurice, I forgot to confirm: I am not getting help anywhere else with this. Regards, Kev
  5. Hi, thanks for the reply. I ran the Malwarebytes scan, which did not find anything, then I ran HijackThis as it seemed to be one of the first diagnostic steps in this type of issue. I have now run the DDS script. I have attached the zip file, thanks. Attach.zip
  6. Hi, a few days ago I foolishly ran an innocent-looking file called "university challenge questions", after which my browser now redirects Google or Yahoo search results to thealltimes.com or get-answers-fast.com. I installed Malwarebytes and HijackThis; here's the output: HijackThis logfile. Any help would be appreciated, thank you.