
Can anyone help me get rid of whatever it is I have on my laptop? I do a Google or other browser search and I am redirected to some random site. I have to right click and go to properties and copy and paste the address to go where I want to go. Malware does not find it. Please help.


Thanks for your help on this. Following is the DDS.txt info you requested. The Attach.txt file is also attached, as is the Gmer.txt file.

DDS (Ver_10-03-17.01) - NTFSx86

Run by VXKintz at 17:22:44.64 on Tue 07/13/2010

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1936.1233 [GMT -7:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {5C918A70-A1D5-4C87-8893-230C61B0AC7D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\drivers\9\r205445\stacsv.exe

svchost.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

c:\WINDOWS\system32\ZuneBusEnum.exe

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\Explorer.EXE

C:\PROGRAM FILES\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Program Files\Trend Micro\OfficeScan Client\pccntmon .exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\AcroTray.exe

C:\WINDOWS\system32\WISPTIS.EXE

C:\Program Files\Winamp\winamp.exe

C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

C:\WINDOWS\TEMP\TZ625A.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\msiexec.exe

C:\Documents and Settings\vxkintz\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig

uInternet Settings,ProxyServer = http=127.0.0.1:5577

uInternet Settings,ProxyOverride = <local>

mWinlogon: Userinit=c:\windows\system32\userinit.exe,"c:\program files\microsoft application virtualization client\sftdcc.exe",

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow

mRun: [P3000x_S2P] c:\program files\dell\dell laser mfp 1600n\psu\ScanToPc.exe

dRun: [qqrlbrcr] c:\documents and settings\vxkintz\local settings\application data\jpjneywty\jpkvvtntssd.exe

dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

StartupFolder: c:\docume~1\vxkintz\startm~1\programs\startup\office~1.lnk - c:\program files\trend micro\officescan client\pccntmon .exe

uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)

uPolicies-explorer: DisallowRun = 1 (0x1)

uPolicies-disallowrun: 1 = .exe

uPolicies-disallowrun: 2 = 1.exe

uPolicies-disallowrun: 3 = 1[1].exe

uPolicies-disallowrun: 4 = 10.exe

uPolicies-disallowrun: 5 = 2.exe

uPolicies-disallowrun: 6 = 2[1].exe

uPolicies-disallowrun: 7 = 3.exe

uPolicies-disallowrun: 8 = 5.exe

uPolicies-disallowrun: 9 = 6.exe

uPolicies-disallowrun: 10 = 7.exe

uPolicies-disallowrun: 11 = 8.exe

uPolicies-disallowrun: 12 = 9.exe

uPolicies-disallowrun: 13 = internat.exe

uPolicies-disallowrun: 14 = internetex.exe

uPolicies-disallowrun: 15 = mpwe.exe

uPolicies-disallowrun: 16 = msiexeca.exe

uPolicies-disallowrun: 17 = psexec.exe

uPolicies-disallowrun: 18 = winfront.exe

uPolicies-disallowrun: 19 = zfzrcvvc.sys

mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)

dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)

dPolicies-explorer: NoViewOnDrive = 65536 (0x10000)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1271452699796

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1271452640703

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {F5131C24-E56D-11CF-B78A-444553540000} - hxxp://tsippromos.rehabcare.com/_controls/ikcntrls.cab

TCP: {B7090C9A-C613-45A1-9F07-B378D7130925} = 10.1.1.14

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

mASetup: {C7162CFF-B9B3-4232-8975-D2903C68B20B} - c:\windows\system32\msiexec.exe /fou {C7162CFF-B9B3-4232-8975-D2903C68B20B} /q

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-17 64288]

R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2009-12-7 17840]

R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXpflt.sys [2008-10-10 230928]

R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\TmPreflt.sys [2008-10-10 36368]

R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2010-1-28 112128]

R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2010-1-28 32808]

R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2010-1-28 244368]

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2010-1-28 110080]

R3 sftplay;sftplay;c:\program files\microsoft application virtualization client\drivers\sftplayxp.sys [2009-10-2 187224]

R3 sftvol;sftvol;c:\program files\microsoft application virtualization client\drivers\SftVolXP.sys [2009-10-2 14680]

R3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2009-10-2 188760]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-19 136176]

S2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2009-10-2 426840]

S2 svchost32;Windows Service Manager;c:\windows\system32\oobe\svchost.exe /service --> c:\windows\system32\oobe\svchost.exe [?]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352832]

S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2009-12-18 20480]

S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2009-12-18 174720]

S3 sftfs;sftfs;c:\program files\microsoft application virtualization client\drivers\SftFSXP.sys [2009-10-2 525656]

S3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [2009-10-2 21848]

S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-5-25 32408]

S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2008-10-10 652552]

S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [2009-12-7 22704]

S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [2009-12-7 29488]

S4 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2010-07-11 08:08:10 0 d-----w- c:\program files\VideoLAN

2010-07-08 17:35:46 0 d-----w- c:\docume~1\alluse~1\applic~1\GroupPolicy

2010-07-07 00:04:54 0 d-----w- c:\docume~1\vxkintz\applic~1\Dell

2010-06-29 22:13:28 10752 ------w- c:\windows\DCEBoot.exe

2010-06-29 08:19:12 0 d-----w- c:\program files\VLC Player

2010-06-27 19:57:57 487424 ----a-w- c:\windows\system32\msvcp70.dll

2010-06-27 19:57:57 344064 ----a-w- c:\windows\system32\msvcr70.dll

2010-06-27 19:57:56 974848 ----a-w- c:\windows\system32\mfc70.dll

2010-06-27 19:57:56 0 d-----w- c:\program files\AML Products

2010-06-22 16:51:23 112 ----a-w- c:\docume~1\alluse~1\applic~1\WXbn87.dat

2010-06-22 01:45:58 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-06-19 16:31:15 0 d-----w- C:\temp

2010-06-19 15:53:32 0 d-----w- c:\windows\system32\wbem\Logs

2010-06-19 13:41:40 0 d-----w- c:\program files\MSXML 4.0

2010-06-19 13:41:36 90112 -c----w- c:\windows\system32\dllcache\wshext.dll

2010-06-19 13:41:36 180224 -c----w- c:\windows\system32\dllcache\scrobj.dll

2010-06-19 13:41:36 172032 -c----w- c:\windows\system32\dllcache\scrrun.dll

2010-06-19 13:41:35 155648 -c----w- c:\windows\system32\dllcache\wscript.exe

2010-06-19 13:41:35 135168 -c----w- c:\windows\system32\dllcache\cscript.exe

2010-06-18 01:43:02 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-06-18 00:46:59 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-06-18 00:46:56 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-06-17 23:46:06 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-06-17 23:45:55 0 d-----w- c:\program files\Lavasoft

2010-06-17 18:00:49 0 d-----w- c:\docume~1\vxkintz\applic~1\Malwarebytes

2010-06-17 18:00:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-17 18:00:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-17 18:00:39 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-17 18:00:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-06-15 14:26:06 0 d-----w- c:\program files\Microsoft MapPoint

==================== Find3M ====================

2010-06-22 18:52:41 116088 ----a-w- c:\windows\fonts\AdobeFnt07.lst

2010-05-27 22:23:15 499712 ----a-w- c:\windows\system32\msvcp71.dll

2010-05-27 22:23:15 348160 ----a-w- c:\windows\system32\msvcr71.dll

============= FINISH: 17:23:49.54 ===============

Attach.txt

gmer.txt


vkintz,

You are infected with a trojan known to sometimes have backdoor properties. Backdoor Trojans are very dangerous because they use advanced techniques (backdoors) to steal sensitive information which they send back to the hacker. All passwords should be changed immediately using a different computer and, if necessary, banking and credit card institutions should be notified of the possible security breach.

Download ComboFix from one of the following locations:

Link 1

Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

  • Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please include the following in your next post:

  • ComboFix log


Hello, my laptop is a company laptop and it runs Trend Micro Officescan Antivirus and I can't seem to turn it off. Combofix keeps asking me to turn it off or proceed at my own risk. I have gone into task manager and turned everything off I think is it... but nothing worked. Can you share with me how to turn it off?

Thank you so very much.

v


I ran Combofix as you recommended after successfully stopping Trend Micro's Antivirus. After the Microsoft Recovery Console was successfully installed it rebooted, and after logging in there was a blue screen stating a problem occurred; it rebooted on its own (happened very fast), I logged in again and Combofix ran... it appears successfully. It rebooted again and I have successfully logged on but there is no Combofix.log to send you. You stated it would be in my root directory of C:/, but nothing is there, nor on my desktop.

Any ideas from here? Did it work?

Thank you for your help.


I'm sorry, but if this is a business PC you would be better served by your IT staff or Malwarebytes Corporate Support. There are a number of reasons I recommend this:

  • If you are running Malwarebytes on a business system, it must be a licensed version which makes you eligible for priority support at corporate-support@malwarebytes.org
  • If your business has IT support, it would be wiser to utilize them as they are more familiar with your IT environment
  • Many companies have policies against employees doing this type of work on their PCs
  • Your business may have policies or software versions in place that are business critical and should not be altered or removed. Obviously, I would have no way to know what they are. The tools we use for home/personal systems will occasionally alter such system settings. These same policies or software could also prevent our tools from running, as may be your case.
  • Posting your logs in an open forum like this could possibly expose proprietary business information.

Your logs show signs of a vundo file infector and you also have symptoms often associated with the TDL3 rootkit. Please advise your IT staff of this or contact Malwarebytes Corporate Support at the above e-mail address for further assistance.

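As an added example (not part of this thread, and not code from Malwarebytes, DDS or ComboFix), the following Python script shows how a responder might triage the Pseudo HJT and service sections of a DDS log for the kinds of indicators the helper is reading from the log above: a browser proxy pointed at the loopback address (the likely mechanism behind the search redirects), a randomly named autorun entry under the user profile, an enabled DisallowRun policy with a blocklist of tool names, a service that launches a copy of svchost.exe from a non-standard folder, and an executable sitting in a TEMP directory. The sample log lines are constructed for illustration (the account name and temp file name are placeholders), and the heuristics and indicator names are my own, not a DDS feature.

```python
import re
from typing import Callable, List, Optional, Tuple

# A finding is (indicator name, why it matters, the offending log line).
Finding = Tuple[str, str, str]

# Constructed sample in the line formats DDS uses for its Pseudo HJT Report,
# service list and process list. Modelled on the entries in the thread above,
# with the account name and a temp file name replaced by placeholders.
SAMPLE_LOG = """\
uStart Page = hxxp://www.google.com/ig
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
dRun: [qqrlbrcr] c:\\documents and settings\\<user>\\local settings\\application data\\jpjneywty\\jpkvvtntssd.exe
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-disallowrun: 17 = psexec.exe
S2 svchost32;Windows Service Manager;c:\\windows\\system32\\oobe\\svchost.exe /service --> c:\\windows\\system32\\oobe\\svchost.exe [?]
R2 TmFilter;Trend Micro Filter;c:\\program files\\trend micro\\officescan client\\TmXpflt.sys [2008-10-10 230928]
C:\\WINDOWS\\TEMP\\<placeholder>.EXE
"""

# A Windows path ending in an executable, driver or library. Spaces are allowed
# because "program files" and "documents and settings" contain them.
EXE_PATH = re.compile(r"[a-z]:\\[^\[\]]*?\.(?:exe|sys|dll)", re.IGNORECASE)

# Folders an unprivileged user (and therefore user-level malware) can write to.
USER_WRITABLE = ("\\documents and settings\\", "\\local settings\\",
                 "\\application data\\", "\\temp\\", "\\users\\")


def check_proxy(line: str) -> Optional[Finding]:
    """ProxyServer pointing at the local host: traffic is being intercepted locally."""
    m = re.search(r"ProxyServer\s*=\s*(.+)", line)
    if m and re.search(r"127\.0\.0\.1|localhost", m.group(1), re.IGNORECASE):
        return ("loopback-proxy",
                "browser traffic is forced through a proxy on this machine; redirector "
                "malware commonly uses this to rewrite search results", line)
    return None


def check_autorun(line: str) -> Optional[Finding]:
    """Run/RunOnce entries whose target lives in a user-writable folder."""
    if not re.match(r"[umd]Run(?:Once)?:", line):
        return None
    for path in EXE_PATH.findall(line):
        low = path.lower()
        if any(marker in low for marker in USER_WRITABLE):
            stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            # Crude entropy hint: long file names with no vowels are rarely human-chosen.
            random_looking = len(stem) >= 8 and not any(v in stem for v in "aeiou")
            why = "autorun entry launches a program from a user-writable folder"
            if random_looking:
                why += " and the file name looks machine-generated"
            return ("autorun-user-writable", why, line)
    return None


def check_disallowrun(line: str) -> Optional[Finding]:
    """Explorer DisallowRun policy and the file names it blocks."""
    if re.search(r"Policies-explorer:\s*DisallowRun\s*=\s*1\b", line):
        return ("disallowrun-policy",
                "Explorer DisallowRun policy is on; malware enables it to block "
                "security tools by file name", line)
    m = re.search(r"Policies-disallowrun:\s*\d+\s*=\s*(\S+)", line)
    if m:
        return ("disallowrun-entry", f"policy blocks execution of {m.group(1)}", line)
    return None


def check_service(line: str) -> Optional[Finding]:
    """Service lines (R0/S2/...) whose binary is a svchost.exe outside system32."""
    m = re.match(r"[RS]\d\s+([^;]+);[^;]*;(.*)", line)
    if not m:
        return None
    for path in EXE_PATH.findall(m.group(2)):
        folder, _, base = path.lower().rpartition("\\")
        if base == "svchost.exe" and folder != "c:\\windows\\system32":
            return ("svchost-lookalike-service",
                    f"service '{m.group(1)}' runs a svchost.exe copy from {folder}", line)
    return None


def check_temp_exe(line: str) -> Optional[Finding]:
    """Any executable path under a temp directory (processes, autoruns, services)."""
    for path in EXE_PATH.findall(line):
        if "\\temp\\" in path.lower():
            return ("exe-in-temp",
                    "an executable lives in a temp directory; legitimate software "
                    "rarely runs from there", line)
    return None


CHECKS: List[Callable[[str], Optional[Finding]]] = [
    check_proxy, check_autorun, check_disallowrun, check_service, check_temp_exe]


def triage(log_text: str) -> List[Finding]:
    """Run every check over every non-empty line and collect the findings in order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for check in CHECKS:
            finding = check(line)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for indicator, why, line in triage(SAMPLE_LOG):
        print(f"[{indicator}] {why}\n    {line}")
```

The checks are deliberately narrow: each one encodes a single question a responder asks of the log (where is the proxy pointing, what launches from a writable folder, what is the policy blocking, does the service binary's folder match its name) so a hit is easy to explain and a miss is easy to extend. Findings are returned rather than only printed so the function can feed a report or a test.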

This topic is now closed to further replies.