
Another Google Re-Direct Infection


t42


Hi-

Thank you very much for offering to help troubleshoot this Google re-direct virus. It has slowly been killing my laptop for the last several weeks and no doubt I made it worse by trying to troubleshoot myself.

Symptoms:

Redirects google searches to google.nl

Redirects google searches to bogus search engines

Blocking me from accessing Google.com

I followed the instructions in the "I'm infected...." thread and have copied and attached all suggested files.

Thanks,

Gordon

DDS (Ver_10-03-17.01) - NTFSx86

Run by Gordon at 20:23:43.01 on Sun 07/18/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3046.2388 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\WINDOWS\system32\IPSSVC.EXE

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

c:\program files\lenovo\system update\suservice.exe

C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Lenovo\AwayTask\AwaySch.EXE

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\System\CmFlywav.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\WINDOWS\System\CMAS2DS.EXE

C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE

C:\Program Files\Linksys\WMB54G\WMB54G.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\dllhost.exe

C:\Documents and Settings\Gordon\Desktop\Defogger.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Gordon\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [soundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [CmFlywaveName] c:\windows\system\CmFlywav.exe

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

StartupFolder: c:\docume~1\gordon\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe

IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxp://www-307.ibm.com/pc/support/acpir.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1267316265562

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1267322833187

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 74.125.45.100 4-open-davinci.com

Hosts: 74.125.45.100 securitysoftwarepayments.com

Hosts: 74.125.45.100 privatesecuredpayments.com

Hosts: 74.125.45.100 secure.privatesecuredpayments.com

Hosts: 74.125.45.100 getantivirusplusnow.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-7-18 11608]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-7-18 135336]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-7-18 267432]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-7-18 60936]

R3 cmvad;Linksys Wireless-G Music Bridge Interface;c:\windows\system32\drivers\cmudaxv.sys [2010-5-23 1410240]

=============== Created Last 30 ================

2010-07-18 18:26:02 0 ----a-w- c:\documents and settings\gordon\defogger_reenable

2010-07-18 13:03:39 0 d-----w- c:\windows\system32\NtmsData

2010-07-18 13:03:12 0 d-----w- c:\docume~1\gordon\applic~1\Avira

2010-07-18 12:59:53 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-07-18 12:59:53 0 d-----w- c:\program files\Avira

2010-07-18 12:59:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira

2010-07-18 10:48:34 0 dc-h--w- c:\windows\ie8

2010-07-18 10:35:55 0 d-sh--w- c:\documents and settings\gordon\IECompatCache

2010-07-15 00:16:01 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

2010-07-04 17:44:42 0 d-----w- c:\windows\system32\wbem\Repository

2010-07-04 17:44:24 0 d-----w- c:\program files\ThinkVantage

2010-07-04 17:44:24 0 d-----w- C:\Icons

==================== Find3M ====================

2010-05-05 13:30:57 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys

2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll

2004-03-17 22:13:46 1028368 ----a-w- c:\program files\vbrun60sp6.exe

============= FINISH: 20:23:53.79 ===============

ark.zip

Attach.zip

mbam_log_2010_07_19__21_56_29_.txt

mbam_log_2010_06_29__20_38_43__one_infection.txt

mbam_log_2010_06_29__21_20_26__seven_in_registry.txt

mbam_log_2010_07_04__22_31_49__2_registry_keys.txt

mbam_log_2010_07_04__22_36_49__6_files.txt
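A small triage script for the DDS "Pseudo HJT Report" above, added here as an example and not a tool from this thread or from the Malwarebytes staff: it pulls out the Hosts: lines that map domains to a routable IP (the five rogue-AV payment domains parked on 74.125.45.100 in the log) and the BHO/TB entries whose backing file is missing, which is the same orphan ComboFix reports removing further down. The sample input is constructed from the log lines posted above plus one benign localhost line so the loopback case is exercised.

```python
"""Triage helper for DDS 'Pseudo HJT Report' sections (added example, not a
tool from this thread).

Two things are flagged, both visible in the log posted above:
  * Hosts: lines that map a domain to anything other than a loopback or
    unspecified address (legitimate hosts-file "blocking" uses 127.0.0.1 or
    0.0.0.0; parking many domains on one routable IP is the hijack pattern), and
  * BHO:/TB: entries whose file is gone ("No File"), i.e. orphaned loaders.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: lines copied from the DDS log above plus one benign
# localhost entry.  Raw string so the Windows backslashes survive untouched.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
Hosts: 127.0.0.1 localhost
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com
Note: multiple HOSTS entries found. Please refer to Attach.txt
"""

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
ORPHAN_RE = re.compile(r"^(BHO|TB):\s+(.*?)\s+-\s+No File\s*$")


def parse_hosts_entries(log_text):
    """Return (ip, hostname) tuples for every 'Hosts:' line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = HOSTS_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).lower()))
    return entries


def is_loopback_or_unspecified(ip_text):
    """True for 127.x / ::1 / 0.0.0.0 style targets, i.e. benign blocking."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable target: do not treat it as benign
    return ip.is_loopback or ip.is_unspecified


def suspicious_hosts_redirects(log_text):
    """Group Hosts: mappings that point at a routable address, keyed by IP."""
    by_ip = defaultdict(list)
    for ip, host in parse_hosts_entries(log_text):
        if not is_loopback_or_unspecified(ip):
            by_ip[ip].append(host)
    return dict(by_ip)


def orphaned_browser_entries(log_text):
    """Return (kind, identifier) for BHO/TB entries whose file is missing."""
    orphans = []
    for line in log_text.splitlines():
        m = ORPHAN_RE.match(line.strip())
        if m:
            orphans.append((m.group(1), m.group(2)))
    return orphans


def triage(log_text):
    """Human-readable findings, one string per issue."""
    findings = []
    for ip, hosts in suspicious_hosts_redirects(log_text).items():
        findings.append(
            f"HOSTS: {len(hosts)} domain(s) mapped to {ip}: {', '.join(hosts)}"
        )
    for kind, ident in orphaned_browser_entries(log_text):
        findings.append(f"ORPHAN {kind}: {ident} has no backing file")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The same functions work on a real hosts file's lines if each is prefixed with "Hosts: ", since DDS prints the entries in that form.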


  • Staff

Hello and welcome to Malwarebytes.

In the future please post all logs directly into your reply instead of attaching them.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


Hi screen317-

Thanks for helping, here are the logs.

ComboFix 10-07-20.01 - Gordon 07/20/2010 20:31:59.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3046.2436 [GMT -4:00]

Running from: c:\documents and settings\Gordon\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Gordon\Recent\energy.tmp

c:\documents and settings\Gordon\Recent\tjd.tmp

c:\windows\system32\Thumbs.db

.

((((((((((((((((((((((((( Files Created from 2010-06-21 to 2010-07-21 )))))))))))))))))))))))))))))))

.

2010-07-18 13:03 . 2010-07-18 13:03 -------- d-----w- c:\windows\system32\NtmsData

2010-07-18 13:03 . 2010-07-18 13:03 -------- d-----w- c:\documents and settings\Gordon\Application Data\Avira

2010-07-18 12:59 . 2010-07-18 12:59 -------- d-----w- c:\program files\Avira

2010-07-18 12:59 . 2010-07-18 12:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-07-18 12:59 . 2010-03-01 14:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-07-18 12:59 . 2010-02-16 18:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-07-18 12:59 . 2009-05-11 16:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-07-18 12:59 . 2009-05-11 16:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-07-18 10:48 . 2010-07-18 10:49 -------- dc-h--w- c:\windows\ie8

2010-07-18 10:35 . 2010-07-18 10:35 -------- d-sh--w- c:\documents and settings\Gordon\IECompatCache

2010-07-15 00:16 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

2010-07-04 17:44 . 2010-07-04 17:44 -------- d-----w- c:\windows\system32\wbem\Repository

2010-07-04 17:44 . 2010-07-04 17:44 -------- d-----w- c:\program files\ThinkVantage

2010-07-04 17:44 . 2010-07-04 17:44 -------- d-----w- C:\Icons

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-04 18:11 . 2010-03-05 01:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-14 14:31 . 2006-04-30 07:10 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-13 14:41 . 2010-02-28 01:26 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-04 16:34 . 2010-06-04 16:34 61440 ----a-w- c:\documents and settings\Gordon\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-701cc15b-n\decora-sse.dll

2010-06-04 16:34 . 2010-06-04 16:34 503808 ----a-w- c:\documents and settings\Gordon\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-397b3926-n\msvcp71.dll

2010-06-04 16:34 . 2010-06-04 16:34 499712 ----a-w- c:\documents and settings\Gordon\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-397b3926-n\jmc.dll

2010-06-04 16:34 . 2010-06-04 16:34 348160 ----a-w- c:\documents and settings\Gordon\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-397b3926-n\msvcr71.dll

2010-06-04 16:34 . 2010-06-04 16:34 12800 ----a-w- c:\documents and settings\Gordon\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-701cc15b-n\decora-d3d.dll

2010-05-24 00:28 . 2010-05-23 23:23 -------- d-----w- c:\documents and settings\Gordon\Application Data\ICAClient

2010-05-23 23:23 . 2010-05-23 23:23 -------- d-----w- c:\program files\Citrix

2010-05-23 22:22 . 2010-03-28 14:06 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-05-23 22:22 . 2010-05-23 22:22 -------- d-----w- c:\program files\Linksys

2010-05-06 10:41 . 2006-04-30 06:56 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22 . 2006-04-30 06:55 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 19:39 . 2010-03-05 01:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2010-03-05 01:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2004-03-17 22:13 . 2004-03-17 22:13 1028368 ----a-w- c:\program files\vbrun60sp6.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-24 1036288]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-09 134656]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-09 166912]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-09 135680]

"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

"CmFlywaveName"="c:\windows\System\CmFlywav.exe" [2007-10-05 283466]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

c:\documents and settings\Gordon\Start Menu\Programs\Startup\

OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2009-8-14 607584]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\blp\\Wintrv\\WINTRV.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/18/2010 8:59 AM 135336]

R3 cmvad;Linksys Wireless-G Music Bridge Interface;c:\windows\system32\drivers\cmudaxv.sys [5/23/2010 6:22 PM 1410240]

.

Contents of the 'Scheduled Tasks' folder

2010-07-15 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-02-26 c:\windows\Tasks\Registration reminder 3.job

- c:\windows\system32\OOBE\oobebaln.exe [2006-04-30 00:12]

2010-07-20 c:\windows\Tasks\User_Feed_Synchronization-{603806EF-BB4C-4A80-97FF-112384BF11E3}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-20 20:34

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2010-07-20 20:35:47

ComboFix-quarantined-files.txt 2010-07-21 00:35

Pre-Run: 58,740,158,464 bytes free

Post-Run: 58,977,701,888 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 3E66C43A004EAF162E72199C2213F9F0

DDS (Ver_10-03-17.01) - NTFSx86

Run by Gordon at 20:46:50.10 on Tue 07/20/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3046.2475 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\WINDOWS\system32\IPSSVC.EXE

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

c:\program files\lenovo\system update\suservice.exe

C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Lenovo\AwayTask\AwaySch.EXE

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\System\CmFlywav.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe

C:\WINDOWS\System\CMAS2DS.EXE

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Gordon\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [CmFlywaveName] c:\windows\system\CmFlywav.exe

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

StartupFolder: c:\docume~1\gordon\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe

IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxp://www-307.ibm.com/pc/support/acpir.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1267316265562

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1267322833187

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-7-18 11608]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-7-18 135336]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-7-18 267432]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-7-18 60936]

R3 cmvad;Linksys Wireless-G Music Bridge Interface;c:\windows\system32\drivers\cmudaxv.sys [2010-5-23 1410240]

=============== Created Last 30 ================

2010-07-21 00:29:50 0 d-sha-r- C:\cmdcons

2010-07-21 00:24:06 98816 ----a-w- c:\windows\sed.exe

2010-07-21 00:24:06 77312 ----a-w- c:\windows\MBR.exe

2010-07-21 00:24:06 256512 ----a-w- c:\windows\PEV.exe

2010-07-21 00:24:06 161792 ----a-w- c:\windows\SWREG.exe

2010-07-18 18:26:02 0 ----a-w- c:\documents and settings\gordon\defogger_reenable

2010-07-18 13:03:39 0 d-----w- c:\windows\system32\NtmsData

2010-07-18 13:03:12 0 d-----w- c:\docume~1\gordon\applic~1\Avira

2010-07-18 12:59:53 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-07-18 12:59:53 0 d-----w- c:\program files\Avira

2010-07-18 12:59:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira

2010-07-18 10:48:34 0 dc-h--w- c:\windows\ie8

2010-07-18 10:35:55 0 d-sh--w- c:\documents and settings\gordon\IECompatCache

2010-07-15 00:16:01 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

2010-07-04 17:44:42 0 d-----w- c:\windows\system32\wbem\Repository

2010-07-04 17:44:24 0 d-----w- c:\program files\ThinkVantage

2010-07-04 17:44:24 0 d-----w- C:\Icons

==================== Find3M ====================

2010-05-05 13:30:57 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys

2004-03-17 22:13:46 1028368 ----a-w- c:\program files\vbrun60sp6.exe

============= FINISH: 20:46:55.12 ===============


  • Staff

Hi,

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Hi Chris-

Thanks again for helping me troubleshoot this... here are the results of the F-Secure scan and the Security Check. I'll let you know in 24 hrs how the computer is behaving.

Regards,

Gordon

Scanning Report

Wednesday, July 21, 2010 21:23:33 - 21:48:55

Computer name: LENOVO-X61

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\ D:\

--------------------------------------------------------------------------------

15 malware found

TrackingCookie.Questionmarket (spyware)

System (Disinfected)

TrackingCookie.Adinterax (spyware)

System (Disinfected)

TrackingCookie.Advertising (spyware)

System (Disinfected)

TrackingCookie.Atdmt (spyware)

System (Disinfected)

TrackingCookie.Doubleclick (spyware)

System (Disinfected)

TrackingCookie.Revsci (spyware)

System (Disinfected)

TrackingCookie.Zanox (spyware)

System (Disinfected)

TrackingCookie.Adbrite (spyware)

System (Disinfected)

TrackingCookie.Webtrends (spyware)

System (Disinfected)

TrackingCookie.Mediaplex (spyware)

System (Disinfected)

TrackingCookie.Tradedoubler (spyware)

System (Disinfected)

TrackingCookie.Statcounter (spyware)

System (Disinfected)

TrackingCookie.Atwola (spyware)

System (Disinfected)

TrackingCookie.Yieldmanager (spyware)

System (Disinfected)

TrackingCookie.Imrworldwide (spyware)

System (Disinfected)

--------------------------------------------------------------------------------

Statistics

Scanned:

Files: 36327

System: 2919

Not scanned: 11

Actions:

Disinfected: 15

Renamed: 0

Deleted: 0

Not cleaned: 0

Submitted: 0

Files not scanned:

C:\PAGEFILE.SYS

C:\HIBERFIL.SYS

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

C:\WINDOWS\SYSTEM32\CONFIG\SAM

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB

C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB

C:\DOCUMENTS AND SETTINGS\GORDON\LOCAL SETTINGS\TEMP\HSPERFDATA_GORDON\1516

C:\DOCUMENTS AND SETTINGS\GORDON\LOCAL SETTINGS\TEMP\HSPERFDATA_GORDON\4080

--------------------------------------------------------------------------------

Options

Scanning engines:

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

Use advanced heuristics

--------------------------------------------------------------------------------

Copyright


  • Staff

Hi Gordon,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java


  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
