tmerrifield Posted May 19, 2011

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:33:17 PM, on 5/19/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.19048)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\windows\SMINST\scheduler.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\tina merrifield.COMNET\Desktop\Virus\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:\\C:\Program Files\Internet Explorer\MyGoogle.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110519091802.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\RunOnce: [sT Recovery Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-21-2923289019-1991700180-2435281453-1001\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'Ctx_StreamingSvc')
O4 - HKUS\S-1-5-21-2923289019-1991700180-2435281453-1001\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'Ctx_StreamingSvc')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O15 - Trusted Zone: http://*.ccex1
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: toolboxOI - http://it.toolbox.com/home/toolboxOI.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {2202D225-22C1-4B8C-A4B8-6A7E7B7E1524} (ICWMInstallObj Class) - https://qwestconferencing.qwest.com/confmgr/installs/ICWMInstall.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.6.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {89A32C64-6176-4D10-BCA3-10B0079818FA} (SCDeviceMonitor Class) - https://ccbes1/webconsole/RIMWebComponents.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
O16 - DPF: {DC120706-9372-4B2E-AD15-F2135F51F30A} (Session Viewer) - https://192.168.100.240/plugins/vkvm/ActiveXVideoViewer.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://192.168.100.43/activex/AMC.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mcafeesaas.webex.com/client/T27L10NSP11EP5/training/ieatgpc1.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = comnet.com
O17 - HKLM\Software\..\Telephony: DomainName = comnet.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = comnet.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = comnet.com
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\PROGRA~1\Citrix\System32\mfaphook.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Extend360 Enforcement Agent (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Citrix Diagnostic Facility COM Server (CdfSvc) - Citrix Systems, Inc. - C:\Program Files\Common Files\Citrix\System32\CdfSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Windows\system32\mfevtps.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O23 - Service: Citrix Streaming Service (RadeSvc) - Citrix Systems, Inc. - C:\Program Files\Citrix\Streaming Client\RadeSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sage Service Host (v1.0) (Sage.LS1.ServiceHost.1.0) - Sage Software, Inc. - C:\Program Files\Common Files\Sage\LS1\ServiceHost\1.0\Sage.LS1.ServiceHost.exe

--
End of file - 9278 bytes
screen317 (Staff) Posted May 20, 2011

Hi and welcome to Malwarebytes.

I see the Ask Toolbar in your log. I strongly recommend you remove Ask Toolbar from your computer because:
- It promotes its toolbars on sites targeted at kids.
- It promotes its toolbars through ads that appear to be part of other companies' sites.
- It promotes its toolbars through other companies' spyware.
- It is installed without any disclosure whatsoever and without any consent from the user whatsoever.
- It solicits installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.
- It makes confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.

You can read more about Ask.com here.

To remove it:
1. Click Start --> Control Panel --> Programs and Features.
2. Click on the program name AskBarDis to highlight it.
3. From the menu at the top, select Uninstall or Remove.
4. Please reboot the computer.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop. Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post only DDS.txt directly into your reply.
tmerrifield Posted May 23, 2011

Sorry for the delay. Here is the MBAM log and DDS log.

MBAM:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6655

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19048

5/23/2011 2:41:51 PM
mbam-log-2011-05-23 (14-41-51).txt

Scan type: Full scan (C:\|)
Objects scanned: 343384
Time elapsed: 1 hour(s), 23 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

DDS:

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.19048
Run by tina merrifield at 15:18:41 on 2011-05-23
Microsoft
screen317 (Staff) Posted May 26, 2011

Hi,

Please visit this webpage for instructions for running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When the tool is finished, it will produce a report for you. Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317
tmerrifield Posted May 27, 2011

ComboFix 11-05-26.04 - tina merrifield 05/27/2011 10:14:01.3.4 - x86
Microsoft
screen317 (Staff) Posted May 29, 2011

Hi,

Next, please run a free online scan with the ESET Online Scanner.
Note: You will need to use Internet Explorer for this scan.
- Tick the box next to YES, I accept the Terms of Use.
- Click Start.
- When asked, allow the ActiveX control to install.
- Click Start.
- Make sure that the options Remove found threats and Scan unwanted applications are checked.
- Click Scan.
- Wait for the scan to finish.
- Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
- Copy and paste that log as a reply to this topic.

Next, download my Security Check from here or here.
- Save it to your Desktop.
- Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
- A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317
tmerrifield Posted May 31, 2011

I have attached the info you requested. Thanks for your help!!

ESET ONLINE SCANNER:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6522
# api_version=3.0.2
# EOSSerial=8f4b7fff82f79244b4a03e4a919120e2
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-05-31 06:30:53
# local_time=2011-05-31 01:30:53 (-0600, Central Daylight Time)
# country="United States"
# lang=9
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776574 100 95 6262504 143467834 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=226594
# found=1
# cleaned=1
# scan_time=6474
C:\Users\tina merrifield.COMNET\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ANU7GLUR\cveucohwhnamy[1].pdf PDF/Exploit.Pidief.PDS.Gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

SECURITY CHECKUP LOG:

Results of screen317's Security Check version 0.99.12
Windows Vista Service Pack 2 (UAC is disabled!)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
ESET Online Scanner v3
McAfee VirusScan Enterprise
McAfee Virtual Technician
McAfee Agent
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java 6 Update 2
Out of date Java installed!
Adobe Flash Player
````````````````````````````````
Process Check: objlist.exe by Laurent
McAfee VirusScan Enterprise VsTskMgr.exe
McAfee VirusScan Enterprise mfeann.exe
``````````End of Log````````````
tmerrifield Posted May 31, 2011

I just rebooted and checked and the Google address for my home page is still C:\Program Files\Internet Explorer\MyGoogle.html.
screen317 (Staff) Posted June 4, 2011

Hi,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall. This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):
Java
tmerrifield Posted June 6, 2011

I did all and once I deleted the MyGoogle.html file and rebooted here's the error msg I got when clicking on IE:

Cannot find 'file:///C:/Program%20Files/Internet%20Explorer/MyGoogle.html'. Make sure the path or Internet address is correct.

MyGoogle.zip
screen317 (Staff) Posted June 9, 2011

Change your homepage to www.google.com and see if it stays.
tmerrifield Posted June 9, 2011

I tried that but it doesn't stay.
screen317 (Staff) Posted June 12, 2011

Hi,

Grab a fresh copy of ComboFix, run it, and post its log. We'll deal with this manually.
tmerrifield Posted June 13, 2011

I have attached the log as well as copied contents here. I appreciate your help!!!

ComboFix 11-06-12.04 - tina merrifield 06/13/2011 9:01.4.4 - x86
Microsoft
screen317 (Staff) Posted June 15, 2011

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the box below into Notepad:

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com/"

KILLALL::

RenV::
c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl .exe
c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray .exe
c:\program files\Analog Devices\Core\smax4pnp .exe
c:\program files\HP\Digital Imaging\bin\hpqSRMon .exe
c:\program files\HP\HP Software Update\HPWuSchd2 .exe
c:\program files\HP\SetRefresh\SetRefresh .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\PDF Complete\pdfsty .exe
c:\program files\QuickTime\QTTask .exe

Save this as CFScript. Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new DDS log.

-screen317
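The entry types this thread acted on in the HijackThis log (the file: Start Page, the Ask Toolbar BHO/toolbar CLSID, ActiveX controls pulled from IP literals, AppInit_DLLs), together with the ComboFix Registry:: block from the staff fix above, as an added Python example; this is not HijackThis, ComboFix or Malwarebytes code. The sample lines are copied from the log posted at the top of the thread; the CLSID watch list and the flag rules are this example's own assumptions.

```python
"""Triage of HijackThis 2.x entries and the ComboFix 'Registry::' start-page fix.

Added example; not HijackThis, ComboFix or Malwarebytes code. The CLSID
watch list and the flag rules are this example's own assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: a subset of the entries from the HijackThis log posted
# at the top of this thread.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:\\C:\Program Files\Internet Explorer\MyGoogle.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O16 - DPF: toolboxOI - http://it.toolbox.com/home/toolboxOI.CAB
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://192.168.100.43/activex/AMC.cab
O20 - AppInit_DLLs: c:\PROGRA~1\Citrix\System32\mfaphook.dll
"""

# Analyst-maintained watch list (assumption: only the Ask Toolbar CLSID that
# the staff reply in this thread singled out).
WATCHLIST_CLSIDS = {"{D4027C7F-154A-4066-A1AD-4243D8127440}": "Ask Toolbar"}


@dataclass
class Finding:
    section: str   # HijackThis section code: R0, R1, O2, O3, O16, O20
    severity: str  # "hijack", "unwanted" or "review"
    detail: str
    key: str = ""  # registry location for R-lines, empty otherwise


RE_R = re.compile(r"^(R[01]) - (?P<key>[^,]+),(?P<name>[^=]+?)\s*=\s*(?P<value>.*)$")
RE_O23 = re.compile(r"^(O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - "
                    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
RE_O16 = re.compile(r"^O16 - DPF: (?P<what>.*?) - (?P<url>\S+)$")
RE_O20 = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")


def _is_ip_literal(url: str) -> bool:
    """True when the URL host is a bare IP address rather than a DNS name."""
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        ip_address(host)
    except ValueError:
        return False
    return True


def triage(log_text: str) -> list[Finding]:
    """Return the HijackThis entries an analyst should look at first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := RE_R.match(line)):
            name, value = m["name"], m["value"]
            # Start/search/default page values must be http(s) URLs; a file:
            # path (the MyGoogle.html case in this thread) is a browser hijack.
            if "page" in name.lower() or "url" in name.lower():
                if urlparse(value).scheme.lower() not in ("http", "https"):
                    findings.append(Finding(m[1], "hijack", f"{name} -> {value!r}", m["key"]))
        elif (m := RE_O23.match(line)):
            clsid = m["clsid"].upper()
            if clsid in WATCHLIST_CLSIDS:
                findings.append(Finding(m[1], "unwanted", f"{WATCHLIST_CLSIDS[clsid]}: {m['path']}"))
        elif (m := RE_O16.match(line)):
            # An ActiveX control fetched from an IP literal sidesteps name-based allow lists.
            if _is_ip_literal(m["url"]):
                findings.append(Finding("O16", "review", f"ActiveX from IP literal: {m['url']}"))
        elif (m := RE_O20.match(line)):
            # AppInit_DLLs is injected into every process that loads user32.dll.
            findings.append(Finding("O20", "review", f"AppInit_DLLs: {m['dlls']}"))
    return findings


def cfscript_for_start_page(findings: list[Finding],
                            replacement: str = "http://www.google.com/") -> str:
    """Build the ComboFix 'Registry::' block the staff fix in this thread used to
    restore a hijacked HKCU Start Page; returns "" when nothing needs it."""
    for f in findings:
        if (f.section == "R0" and f.severity == "hijack"
                and f.key.upper().startswith("HKCU") and f.detail.startswith("Start Page")):
            return ("Registry::\n"
                    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main]\n"
                    f'"Start Page"="{replacement}"\n')
    return ""


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section:<5}{f.severity:<9}{f.detail}")
    print(cfscript_for_start_page(found))
```

An HKLM Start Page entry is still reported as a hijack but produces no script, since the page's fix targets the HKCU value only.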
screen317 (Staff) Posted June 30, 2011

Are you still with us?
tmerrifield Posted July 1, 2011

Yes I am but have been ill and haven't gotten back on to try this but I will next week. Thank you so much and I'm hopeful to try this next thing.
screen317 (Staff) Posted July 5, 2011

Thanks for letting me know.
tmerrifield Posted July 13, 2011

I have completed the steps above and IE is still corrupted. Here is the info (I've attached the files as well):

COMBOFIX:

ComboFix 11-07-12.09 - tina merrifield 07/13/2011 12:32:23.6.4 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3566.2225 [GMT -5:00]
Running from: c:\users\tina merrifield.COMNET\Desktop\Virus\July13\ComboFix.exe
Command switches used :: c:\users\tina merrifield.COMNET\Desktop\Virus\July13\CFScript.txt
AV: McAfee VirusScan Enterprise *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: McAfee VirusScan Enterprise Antispyware Module *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-06-13 to 2011-07-13 )))))))))))))))))))))))))))))))
.
.
2011-07-13 17:37 . 2011-07-13 17:37 -------- d-----w- c:\users\tina merrifield\AppData\Local\temp
2011-07-13 17:37 . 2011-07-13 17:37 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-07-13 17:37 . 2011-07-13 17:37 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-07-13 17:37 . 2011-07-13 17:37 -------- d-----w- c:\users\Ctx_StreamingSvc\AppData\Local\temp
2011-07-13 00:53 . 2011-06-02 13:34 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-07-13 00:53 . 2011-04-20 15:55 375808 ----a-w- c:\windows\system32\winsrv.dll
2011-07-13 00:53 . 2011-04-20 15:50 49152 ----a-w- c:\windows\system32\csrsrv.dll
2011-06-29 00:14 . 2011-04-29 15:59 276992 ----a-w- c:\windows\system32\schannel.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-06 19:03 . 2011-06-06 19:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-06 18:38 . 2011-06-06 18:38 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-19 14:16 . 2011-05-19 14:17 162928 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2011-05-19 14:16 . 2011-05-19 14:18 74848 ----a-w- c:\windows\system32\MfeOtlkAddin.dll
2011-05-19 14:16 . 2011-05-19 14:18 85152 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-05-19 14:16 . 2011-05-19 14:17 145936 ----a-w- c:\windows\system32\mfevtps.exe
2011-05-19 14:16 . 2011-05-19 14:18 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-05-19 14:16 . 2011-05-19 14:17 436728 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-05-19 14:16 . 2010-03-26 00:07 22816 ----a-w- c:\windows\system32\MFEOtlk.dll
2011-05-19 14:16 . 2011-05-19 14:18 58456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-05-19 14:16 . 2011-05-19 14:18 171296 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-05-19 14:16 . 2011-05-19 14:18 116104 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-05-03 13:02 . 2011-05-03 13:02 53248 ----a-r- c:\users\tina merrifield.COMNET\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-09-25 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-01-12 215360]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-03-31 273544]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2011-03-02 190808]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ST Recovery Launcher"="c:\windows\SMINST\launcher.exe" [2008-02-22 44168]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Citrix\System32\mfaphook.dll
.
[HKLM\~\startupfolder\C:^Users^tina merrifield.COMNET^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\users\tina merrifield.COMNET\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2009-02-27 16:14 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2009-02-27 20:54 38768 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2009-08-24 19:27 623960 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:23 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-01-02 22:06 166424 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-01-02 22:07 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2009-11-05 20:35 1468256 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-04-28 19:06 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2009-11-05 20:45 1505144 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWS]
2011-03-02 04:14 190808 ----a-w- c:\program files\Logitech\LWS\Webcam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-01-02 22:07 133656 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-05-27 02:50 15147400 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-07-10 04:40 1282048 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2011-03-31 14:35 273544 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-05-19 85152]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-21 16896]
S1 cdfdrv;cdfdrv;c:\windows\system32\DRIVERS\cdfdrv.sys [2007-05-24 22968]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-05-19 162928]
S2 ctxpidmn;ctxpidmn;c:\windows\system32\DRIVERS\ctxpidmn.sys [2007-07-05 20424]
S2 CtxSbx;CtxSbx;c:\windows\system32\DRIVERS\CtxSbx.sys [2007-07-05 161352]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-05-19 145936]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2008-04-07 576024]
S2 RadeSvc;Citrix Streaming Service;c:\program files\Citrix\Streaming Client\RadeSvc.exe [2007-07-05 237568]
S2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2011-04-01 428640]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-13 c:\windows\Tasks\User_Feed_Synchronization-{4D9B0C0D-847B-45EA-A652-1F6C303D323E}.job
- c:\windows\system32\msfeedssync.exe [2011-06-16 04:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
uInternet Settings,ProxyOverride = *.local
Trusted Zone: ccex1
Trusted Zone: comnetcomm.com\www
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: sagenorthamerica.com\customers
TCP: DhcpNameServer = 192.168.101.11 192.168.100.10
DPF: toolboxOI - hxxp://it.toolbox.com/home/toolboxOI.CAB
DPF: {2202D225-22C1-4B8C-A4B8-6A7E7B7E1524} - hxxps://qwestconferencing.qwest.com/confmgr/installs/ICWMInstall.cab
DPF: {89A32C64-6176-4D10-BCA3-10B0079818FA} - hxxps://ccbes1/webconsole/RIMWebComponents.cab
DPF: {DC120706-9372-4B2E-AD15-F2135F51F30A} - hxxps://192.168.100.240/plugins/vkvm/ActiveXVideoViewer.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://192.168.100.43/activex/AMC.cab
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-RTHDBPL - C:\autoexec.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-13 12:55
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\AEADISRV.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Citrix\System32\CdfSvc.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Common Files\Sage\LS1\ServiceHost\1.0\Sage.LS1.ServiceHost.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\WUDFHost.exe
c:\windows\SMINST\scheduler.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-07-13 12:59:10 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-13 17:58
ComboFix2.txt 2011-06-13 14:10
ComboFix3.txt 2011-05-27 15:26
.
Pre-Run: 130,376,732,672 bytes free
Post-Run: 130,328,723,456 bytes free
.
- - End Of File - - 6256948D52D8F7FD6A06F7C8A6C3691F

DDS:

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.19088
Run by tina merrifield at 13:39:39 on 2011-07-13
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Citrix\System32\CdfSvc.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Windows\system32\mfevtps.exe
C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Citrix\Streaming Client\RadeSvc.exe
C:\Program Files\Common Files\Sage\LS1\ServiceHost\1.0\Sage.LS1.ServiceHost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\windows\SMINST\scheduler.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\tina merrifield.COMNET\Desktop\Virus\July13\dds.scr
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k HPService
.
============== Pseudo HJT Report ===============
.
uStart Page = file:\\c:\program files\internet explorer\MyGoogle.html
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110519091802.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
EB: GoogleBar: {31dafb0b-1090-4e86-91db-11a77fba5361} - c:\users\tina merrifield.comnet\appdata\roaming\google.com\googlebar\adxloader.dll
uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [LWS] c:\program files\logitech\lws\webcam software\LWS.exe -hide
mRunOnce: [sT Recovery Launcher] %WINDIR%\SMINST\launcher.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - 
{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dllIE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLLIE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dllTrusted Zone: ccex1Trusted Zone: comnetcomm.com\wwwTrusted Zone: internetTrusted Zone: mcafee.comTrusted Zone: sagenorthamerica.com\customersDPF: toolboxOI - hxxp://it.toolbox.com/home/toolboxOI.CABDPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cabDPF: {2202D225-22C1-4B8C-A4B8-6A7E7B7E1524} - hxxps://qwestconferencing.qwest.com/confmgr/installs/ICWMInstall.cabDPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cabDPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.6.cabDPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cabDPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cabDPF: {89A32C64-6176-4D10-BCA3-10B0079818FA} - hxxps://ccbes1/webconsole/RIMWebComponents.cabDPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://picture.vzw.com/activex/VerizonWirelessUploadControl.cabDPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cabDPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cabDPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cabDPF: {DC120706-9372-4B2E-AD15-F2135F51F30A} - 
hxxps://192.168.100.240/plugins/vkvm/ActiveXVideoViewer.cabDPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://192.168.100.43/activex/AMC.cabDPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://mcafeesaas.webex.com/client/T27L10NSP11EP5/training/ieatgpc1.cabDPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cabDPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100TCP: DhcpNameServer = 192.168.101.11 192.168.100.10TCP: Interfaces\{098DCEE8-ABDB-4C92-A1CD-A0F04075962F} : DhcpNameServer = 192.168.101.11 192.168.100.10TCP: Interfaces\{85ECF4A2-BE79-4806-8781-9DCEAC6BC087} : DhcpNameServer = 192.168.100.10Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dllHandler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dllHandler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLLNotify: igfxcui - igfxdev.dllAppInit_DLLs: c:\progra~1\citrix\system32\mfaphook.dll.============= SERVICES / DRIVERS ===============.R? b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86R? mferkdet;McAfee Inc. mferkdetR? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0R? WSDPrintDevice;WSD Print Support via UMBS? cdfdrv;cdfdrvS? ctxpidmn;ctxpidmnS? CtxSbx;CtxSbxS? McAfeeFramework;McAfee Framework ServiceS? McShield;McAfee McShieldS? McTaskManager;McAfee Task ManagerS? mfeavfk;McAfee Inc. mfeavfkS? mfebopk;McAfee Inc. mfebopkS? mfehidk;McAfee Inc. mfehidkS? mfevtp;McAfee Validation Trust Protection ServiceS? mfewfpk;McAfee Inc. mfewfpkS? NPF;NetGroup Packet Filter DriverS? pdfcDispatcher;PDF Document ManagerS? RadeSvc;Citrix Streaming ServiceS? Sage.LS1.ServiceHost.1.0;Sage Service Host (v1.0)S? 
UMVPFSrv;UMVPFSrv.=============== Created Last 30 ================.2011-07-13 17:55:14 -------- d-----w- C:\$RECYCLE.BIN2011-07-13 00:53:28 2043392 ----a-w- c:\windows\system32\win32k.sys2011-07-13 00:53:15 49152 ----a-w- c:\windows\system32\csrsrv.dll2011-07-13 00:53:15 375808 ----a-w- c:\windows\system32\winsrv.dll2011-06-29 00:14:20 276992 ----a-w- c:\windows\system32\schannel.dll.==================== Find3M ====================.2011-06-27 22:07:36 256 ----a-w- c:\windows\system32\pool.bin2011-06-26 06:45:56 256000 ----a-w- c:\windows\PEV.exe2011-06-06 19:03:06 472808 ----a-w- c:\windows\system32\deployJava1.dll2011-06-06 18:38:00 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl2011-05-28 06:08:58 916480 ----a-w- c:\windows\system32\wininet.dll2011-05-28 06:04:30 43520 ----a-w- c:\windows\system32\licmgr10.dll2011-05-28 06:04:17 1469440 ----a-w- c:\windows\system32\inetcpl.cpl2011-05-28 06:04:03 71680 ----a-w- c:\windows\system32\iesetup.dll2011-05-28 06:04:03 109056 ----a-w- c:\windows\system32\iesysprep.dll2011-05-28 05:10:26 385024 ----a-w- c:\windows\system32\html.iec2011-05-28 04:33:03 133632 ----a-w- c:\windows\system32\ieUnatt.exe2011-05-28 04:31:44 1638912 ----a-w- c:\windows\system32\mshtml.tlb2011-05-19 14:16:25 162928 ----a-w- c:\windows\system32\drivers\mfewfpk.sys2011-05-19 14:16:24 85152 ----a-w- c:\windows\system32\drivers\mferkdet.sys2011-05-19 14:16:24 74848 ----a-w- c:\windows\system32\MfeOtlkAddin.dll2011-05-19 14:16:24 145936 ----a-w- c:\windows\system32\mfevtps.exe2011-05-19 14:16:23 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys2011-05-19 14:16:23 436728 ----a-w- c:\windows\system32\drivers\mfehidk.sys2011-05-19 14:16:23 22816 ----a-w- c:\windows\system32\MFEOtlk.dll2011-05-19 14:16:22 58456 ----a-w- c:\windows\system32\drivers\mfebopk.sys2011-05-19 14:16:22 171296 ----a-w- c:\windows\system32\drivers\mfeavfk.sys2011-05-19 14:16:22 116104 ----a-w- c:\windows\system32\drivers\mfeapfk.sys2011-05-02 17:16:14 739328 ----a-w- 
c:\windows\system32\inetcomm.dll2011-04-29 13:25:10 146432 ----a-w- c:\windows\system32\drivers\srv2.sys2011-04-29 13:25:09 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys2011-04-29 13:24:50 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys2011-04-29 13:24:42 79872 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys2011-04-29 13:24:40 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys2011-04-21 13:58:27 273408 ----a-w- c:\windows\system32\drivers\afd.sys.============= FINISH: 13:40:05.16 ===============combofix.txtDDS.txt Link to post Share on other sites More sharing options...
screen317 (Staff) Posted July 17, 2011

Hi,

Use Windows Update to upgrade to Internet Explorer 9. Reboot and see if that fixes the issue.
tmerrifield (Author) Posted August 3, 2011

Unfortunately it's still doing the exact same thing. I set the homepage to www.google.com and it's redirecting to C:\Program Files\Internet Explorer\MyGoogle.html. Any additional thoughts greatly appreciated!!
screen317 (Staff) Posted August 5, 2011

Let's see if we can find the source.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:

:regfind
MyGoogle
:filefind
MyGoogle.html

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt
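As an added example (not from the thread, and not SystemLook's own code), here is the same pair of searches screen317 asks for, done in Windows PowerShell from an elevated prompt so that every hit comes back with its full key path, and every file with its timestamps and owner. The string MyGoogle and the file name MyGoogle.html are taken from the logs above; the list of start-page registry locations, the choice of hives to walk and the scheduled-task check are this example's own assumptions about where a start-page redirect is normally planted, not something the thread establishes.

```powershell
# Added example, not part of the thread: PowerShell equivalent of SystemLook's
# :regfind / :filefind directives, plus a report of the values Internet
# Explorer actually reads its start page from. Assumes Windows PowerShell
# (2.0 or later, as shipped on Vista SP2) run from an elevated prompt.
$needle   = 'MyGoogle'        # from the HijackThis / DDS logs above
$fileName = 'MyGoogle.html'   # from the HijackThis / DDS logs above

# 1. Start-page values IE honours (assumed list). A Policies key overrides
#    the matching Main key, so a clean Main value can still be redirected.
$startPageKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\Main',
    'HKLM:\Software\Microsoft\Internet Explorer\Main',
    'HKCU:\Software\Policies\Microsoft\Internet Explorer\Main',
    'HKLM:\Software\Policies\Microsoft\Internet Explorer\Main'
)
'=== Start page values ==='
foreach ($key in $startPageKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in 'Start Page', 'Default_Page_URL', 'Secondary Start Pages') {
        $value = $props.$name
        if ($value) { '{0}\{1} = {2}' -f $key, $name, ($value -join ' | ') }
    }
}

# 2. Registry-wide string search (the :regfind equivalent). Any value whose
#    name or data contains the needle is printed with its key, which is where
#    a Run entry, policy value or task definition pointing at the file shows up.
"=== Registry values containing '$needle' ==="
foreach ($hive in 'HKCU:\', 'HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet') {
    Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        try { $props = Get-ItemProperty -Path $key.PSPath -ErrorAction Stop } catch { return }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry data
            if (("$($p.Name)" -match $needle) -or ("$($p.Value)" -match $needle)) {
                '{0} :: {1} = {2}' -f $key.Name, $p.Name, $p.Value
            }
        }
    }
}

# 3. File search (the :filefind equivalent). Creation time and owner let the
#    file be lined up against the dated entries in the DDS "Created Last 30"
#    section and against the account that was logged on at the time.
"=== Files named $fileName ==="
Get-ChildItem -Path 'C:\' -Filter $fileName -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $owner = (Get-Acl -Path $_.FullName).Owner
        '{0}  created={1}  modified={2}  owner={3}' -f $_.FullName, $_.CreationTime, $_.LastWriteTime, $owner
    }

# 4. A scheduled task is a common way for a setting to be rewritten at every
#    logon after it has been fixed by hand; schtasks is built into Vista.
"=== Scheduled tasks mentioning '$needle' ==="
schtasks /query /fo LIST /v 2>$null | Select-String -Pattern $needle -Context 8,0
```

Section 1 should reproduce the HKCU `Start Page` value the HijackThis log reports (`file:\\C:\Program Files\Internet Explorer\MyGoogle.html`); anything that turns up in sections 2 to 4 that is not that value is a candidate for whatever keeps putting it back.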
tmerrifield (Author) Posted August 5, 2011

Let's see if we can find the source.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:

:regfind
MyGoogle
:filefind
MyGoogle.html

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt
screen317 (Staff) Posted August 5, 2011

Hi,

Please use the "Add Reply" button to reply instead of the "Reply" button.
tmerrifield (Author) Posted August 10, 2011

I did that and it is still redirecting to C:\Program Files\Internet Explorer\MyGoogle.html