
Random redirect on clicks



Ran Malwarebytes', Spybot S&D, Ad-Aware, MS Malicious Software Removal Tool, and Symantec's SEP Anti-Virus. Everything comes out clean now, but IE randomly redirects when I click on links. I even tried uninstalling IE8 and reinstalling.

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by maustin at 15:45:56 on 2011-07-07

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3536.2634 [GMT -4:00]

.

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

c:\drivers\audio\r213367\stacsv.exe

C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe

C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe

svchost.exe

C:\Program Files\Intel\ASF Agent\ASFAgent.exe

c:\Program Files\Dell\Latitude ON Reader\CLMonitorService.exe

C:\WINDOWS\system32\DWRCS.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\Program Files\DellTPad\Apoint.exe

C:\Program Files\IDT\WDM\sttray.exe

C:\WINDOWS\system32\AESTFltr.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\DellTPad\Apntex.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\Dell\Latitude ON Reader\BIOSEvent.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\Logitech\QuickCam\Quickcam.exe

C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe

C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Boingo\Boingo Wi-Finder\Boingo Wi-Finder.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\WebEx\Productivity Tools\PTIM.exe

C:\Program Files\WebEx\Productivity Tools\ptoneclk.exe

C:\Documents and Settings\maustin\Local Settings\Application Data\ATT Connect\Participant\pull.exe

C:\Program Files\WebEx\Productivity Tools\ptSrv.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

.

============== Pseudo HJT Report ===============

.

uSearch Page = hxxp://www.bing.com

uStart Page = hxxp://www.google.com

uDefault_Page_URL = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com

uInternet Settings,ProxyServer = http=172.16.100.2:8080;https=172.16.100.2:8080;ftp=172.16.100.2:8080;gopher=172.16.100.2:8080;socks=172.16.100.2:8080

uInternet Settings,ProxyOverride = <local>

mSearchAssistant = hxxp://www.bing.com/sphome.aspx

uURLSearchHooks: H - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: WebEx Productivity Tools: {90e2ba2e-dd1b-4cde-9134-7a8b86d33ca7} - c:\program files\webex\productivity tools\ptonecli.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: WebEx Productivity Tools: {90e2ba2e-dd1b-4cde-9134-7a8b86d33ca7} - c:\program files\webex\productivity tools\ptonecli.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [PTIM.exe] c:\program files\webex\productivity tools\PTIM.exe

uRun: [PTOneClick] c:\program files\webex\productivity tools\ptoneclk.exe /AutoRunning="2"

uRun: [Push Client] c:\documents and settings\maustin\local settings\application data\att connect\participant\pull.exe

uRun: [jRhcNYUJBNjYqGW] c:\documents and settings\all users\application data\jRhcNYUJBNjYqGW.exe

uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Apoint] c:\program files\delltpad\Apoint.exe

mRun: [sysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe

mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [CLIVFR] "c:\program files\dell\latitude on reader\CLIVFR.exe"

mRun: [bIOSEvent] "c:\program files\dell\latitude on reader\BIOSEvent.exe"

mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"

mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"

mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide

mRun: [AT&T Communication Manager] "c:\program files\at&t\communication manager\ATTCM.exe" -a

mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"

mRun: [<NO NAME>]

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [sonicWALLNetExtender] c:\program files\sonicwall\ssl-vpn\netextender\NEGui.exe -hideGUI -clearReboot

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [boingo Wi-Finder] "c:\program files\boingo\boingo wi-finder\Boingo.lnk"

mRun: [DameWare MRC Agent] c:\windows\system32\DWRCST.exe

uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)

IE: &Search - http://tbedits.myfuncards.com/one-toolbaredits/menusearch.jhtml?s=100000511&p=ZUxdm826YYus&si=santa3564F&a=B0B38071-38F7-42ED-840C-41A428E34F4E&n=2010122617

IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL

LSP: bmnet.dll

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1271691738484

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1271691801921

DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} - hxxps://216.185.180.216/NELX.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://amsafecp.webex.com/client/T27LB/webex/ieatgpc.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {F92211F4-3913-4DC2-A275-756374D848B0} - hxxp://172.15.100.113:85/MP4DVR.cab

TCP: DhcpNameServer = 172.15.100.12 172.16.100.2 172.16.100.4

TCP: Interfaces\{4D66068F-54AC-4B57-B7F0-C4B28E38016D} : DhcpNameServer = 172.15.100.12 172.16.100.2 172.16.100.4

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

.

============= SERVICES / DRIVERS ===============

.

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-7-7 64512]

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-2-15 26624]

R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [2010-4-19 86552]

R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-4-19 133968]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-1-31 108392]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-1-31 108392]

R2 CLMonitor;CLMonitor;c:\program files\dell\latitude on reader\CLMonitorService.exe [2009-5-22 120104]

R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2009-12-17 812448]

R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2009-12-17 27040]

R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2011-1-31 1839776]

R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2010-4-4 112512]

R3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [2010-4-4 33832]

R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-2-7 3712]

R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2010-4-4 240344]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-10 105592]

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2010-4-4 110080]

R3 mircap;mircap;c:\windows\system32\drivers\mircap.sys [2006-10-6 4608]

R3 mtpaudio;Panasonic Projector Audio Device Driver;c:\windows\system32\drivers\mtpaudio.sys [2006-10-6 12800]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110707.003\NAVENG.SYS [2011-7-7 86008]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110707.003\NAVEX15.SYS [2011-7-7 1542392]

R3 NxDrv;SonicWALL NetExtender Adapter;c:\windows\system32\drivers\NxDrv.sys [2009-10-21 22600]

R3 seccap;seccap;c:\windows\system32\drivers\seccap.sys [2006-10-6 5632]

R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [2010-4-4 232744]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-19 135664]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-6-20 2151640]

S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\at&t\communication manager\RcAppSvc.exe [2009-10-9 121416]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2011-1-31 23888]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-19 135664]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-6-20 15232]

S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\drivers\nvtsp50.sys --> c:\windows\system32\drivers\NvtSp50.sys [?]

S3 PJDrv;PJDrv;c:\program files\panasonic\wireless manager me4.5\PJdrv.sys [2006-10-6 8607]

S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [2010-4-19 24876]

S3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [2009-2-23 20504]

S3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\drivers\swnc8u80.sys [2009-3-31 190080]

S3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\drivers\swnc8ua3.sys [2009-3-31 190080]

S3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\drivers\swumx80.sys [2009-5-4 148096]

S3 SWUMXA3;Sierra Wireless USB MUX Driver (UMTSA3);c:\windows\system32\drivers\swumxa3.sys [2009-5-4 148096]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-25 14336]

.

=============== Created Last 30 ================

.

2011-07-07 19:01:15 16432 ----a-w- c:\windows\system32\lsdelete.exe

2011-07-07 17:08:44 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-07-07 16:57:19 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys

2011-07-07 16:57:02 -------- d-----w- c:\program files\Lavasoft

2011-07-07 16:35:22 -------- d-----w- c:\windows\SxsCaPendDel

2011-07-07 16:21:50 -------- dc-h--w- c:\windows\ie8

2011-07-07 14:42:36 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-07-07 14:42:36 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy

2011-07-06 20:53:59 -------- d-----w- c:\documents and settings\maustin\TIREMOTE

2011-07-06 15:46:59 -------- d-----w- c:\documents and settings\maustin\application data\Malwarebytes

2011-07-06 15:46:45 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-06 15:46:41 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-06 15:46:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-07-06 15:46:41 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-07-01 11:51:15 -------- d-----w- c:\program files\Boingo

2011-07-01 11:51:15 -------- d-----w- c:\documents and settings\all users\application data\GoBoingo

2011-06-17 13:24:57 551936 -c----w- c:\windows\system32\dllcache\oleaut32.dll

2011-06-17 13:24:54 105472 -c----w- c:\windows\system32\dllcache\mup.sys

2011-06-14 07:26:10 -------- d-----w- c:\windows\ServicePackFiles

2011-06-14 02:47:01 954368 -c----w- c:\windows\system32\dllcache\mfc40.dll

2011-06-14 02:47:01 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll

2011-06-14 02:40:25 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys

2011-06-14 02:40:10 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

2011-06-14 02:40:00 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

2011-06-14 02:35:18 45568 -c----w- c:\windows\system32\dllcache\wab.exe

.

==================== Find3M ====================

.

2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll

2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-04-25 16:11:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec

2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys

.

============= FINISH: 15:52:28.61 ===============

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 7035

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

7/7/2011 10:31:54 AM

mbam-log-2011-07-07 (10-31-54).txt

Scan type: Full scan (C:\|)

Objects scanned: 311624

Time elapsed: 51 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

attach.zip

hijackthis.zip

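The DDS log in the post above is the thread's main evidence, and the lines a helper reads first are the autostart (uRun/mRun), BHO and proxy entries of the "Pseudo HJT Report". As an added example, not the poster's, the helper's, or the DDS/ComboFix tools' own code, here is a small Python triage script that applies those first-pass checks mechanically: an autostart whose executable lives in a per-user or All Users "Application Data" folder, an autostart name that looks machine-generated, an orphaned BHO ("No File"), and a configured proxy server. The sample input is copied from the DDS log above plus known-good lines for contrast; the heuristics, thresholds and tag names are this example's own assumptions, and a flag means "review this entry", not "this is malicious" (the AT&T Connect line is flagged for its location and is still a legitimate product).

```python
"""Triage helper for DDS / HijackThis-style "Pseudo HJT Report" lines.

Added example for the forum thread; not part of DDS, ComboFix or the posts.
Heuristics and tag names below are assumptions made for illustration.
"""
import re
from dataclasses import dataclass

# Sample input: lines copied from the DDS log posted in the thread,
# plus known-good entries so the script has something to leave alone.
SAMPLE_LINES = [
    r"uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe",
    r'uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"',
    r"uRun: [Push Client] c:\documents and settings\maustin\local settings\application data\att connect\participant\pull.exe",
    r"uRun: [jRhcNYUJBNjYqGW] c:\documents and settings\all users\application data\jRhcNYUJBNjYqGW.exe",
    r"mRun: [Apoint] c:\program files\delltpad\Apoint.exe",
    r"BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File",
    r"uInternet Settings,ProxyServer = http=172.16.100.2:8080;https=172.16.100.2:8080",
]

# Directory fragments that an ordinary user can write to; software that
# autostarts from here deserves a second look (assumed list).
USER_WRITABLE_MARKERS = ("\\application data\\", "\\appdata\\", "\\programdata\\", "\\temp\\")

RUN_RE = re.compile(r"^([um])Run: \[([^\]]*)\]\s*(.*)$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (.+)$")
EXT_RE = re.compile(r"\.(exe|lnk|dll|bat|cmd|scr)\b", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: tuple  # tags produced by triage()


def split_run_line(line):
    """Return (hive, name, path) for a uRun/mRun line, or None."""
    m = RUN_RE.match(line)
    if not m:
        return None
    hive, name, rest = m.groups()
    if rest.startswith('"'):
        # Quoted command: the path is everything up to the closing quote.
        end = rest.find('"', 1)
        path = rest[1:end] if end > 0 else rest[1:]
    else:
        # Unquoted command (may contain spaces): cut after the first extension.
        ext = EXT_RE.search(rest)
        path = rest[: ext.end()] if ext else rest
    return hive, name, path


def looks_generated(name):
    """Heuristic: long, mixed-case, vowel-poor names with many case switches."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 10 or " " in name or "." in name:
        return False
    vowels = sum(c in "aeiouAEIOU" for c in letters)
    both_cases = any(c.islower() for c in letters) and any(c.isupper() for c in letters)
    switches = sum(1 for a, b in zip(letters, letters[1:]) if a.islower() != b.islower())
    return both_cases and vowels / len(letters) < 0.25 and switches >= 4


def in_user_writable_dir(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def triage(lines):
    """Return a Finding for every line that trips at least one check."""
    findings = []
    for line in lines:
        reasons = []
        run = split_run_line(line)
        if run:
            _hive, name, path = run
            if looks_generated(name):
                reasons.append("generated-name")
            if in_user_writable_dir(path):
                reasons.append("user-writable-dir")
        elif line.startswith("BHO: ") and line.rstrip().endswith("No File"):
            reasons.append("orphaned-bho")  # CLSID registered, DLL gone
        elif PROXY_RE.match(line):
            reasons.append("proxy-configured")  # verify against the expected corporate proxy
        if reasons:
            findings.append(Finding(line, tuple(reasons)))
    return findings


def reasons_for(findings, needle):
    """Convenience lookup: tags for the first finding whose line contains needle."""
    for f in findings:
        if needle in f.line:
            return f.reasons
    return ()


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(", ".join(f.reasons).ljust(34), f.line)
```

Run against the sample, the jRhcNYUJBNjYqGW entry is the only one that trips both the generated-name and the user-writable-dir checks, which matches the ComboFix "Reg Loading Points" section later in the thread marking the same value with [bU]; the known-good ctfmon and Apoint entries produce nothing.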

Hi chilepepper and Welcome to Malwarebytes!

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

---------------------------------------------------------------------------------------------

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log (C:\ComboFix.txt) in your next reply.
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------


So I had a few problems. The first time I ran ComboFix, it hung on the second 'Output' line while unpacking. I killed the process and ran it again; that time I got an error:

Error opening file for writing:

C:\32788R22FWJFW\iexplore.exe

I looked in the task manager and saw multiple iexplore.exe running. I killed them all and ran ComboFix again. That time it worked. When it was done, I re-enabled Symantec Endpoint Protection. It found Bloodhound.MalPE, and has quarantined it and is now pending a reboot.

Here's the ComboFix log.

ComboFix 11-07-08.03 - maustin 07/08/2011 18:32:33.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3536.2760 [GMT -4:00]

Running from: c:\documents and settings\maustin\Desktop\ComboFix.exe

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\vb.ini

.

---- Previous Run -------

.

c:\windows\TEMP\logishrd\LVPrcInj01.dll

.

.

((((((((((((((((((((((((( Files Created from 2011-06-08 to 2011-07-08 )))))))))))))))))))))))))))))))

.

.

2011-07-08 01:50 . 2011-07-08 12:58 -------- d-----w- c:\windows\dwrcs

2011-07-07 19:01 . 2011-07-07 17:08 16432 ----a-w- c:\windows\system32\lsdelete.exe

2011-07-07 17:08 . 2011-07-07 17:08 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-07-07 16:57 . 2011-07-07 16:57 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Sunbelt Software

2011-07-07 16:57 . 2011-06-20 14:31 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys

2011-07-07 16:57 . 2011-07-07 16:57 -------- d-----w- c:\program files\Lavasoft

2011-07-07 16:55 . 2011-07-07 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2011-07-07 16:35 . 2011-07-07 16:42 -------- d-----w- c:\windows\SxsCaPendDel

2011-07-07 16:21 . 2011-07-07 16:22 -------- dc-h--w- c:\windows\ie8

2011-07-07 14:42 . 2011-07-07 15:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2011-07-07 14:42 . 2011-07-07 15:15 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-07-06 20:53 . 2011-07-06 20:53 -------- d-----w- c:\documents and settings\maustin\TIREMOTE

2011-07-06 16:09 . 2011-07-06 16:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2011-07-06 15:59 . 2011-07-06 15:59 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2011-07-06 15:59 . 2011-07-06 15:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\CyberLink

2011-07-06 15:58 . 2011-07-06 15:58 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google

2011-07-06 15:58 . 2011-07-06 15:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search

2011-07-06 15:55 . 2011-07-06 15:55 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec

2011-07-06 15:46 . 2011-07-06 15:46 -------- d-----w- c:\documents and settings\maustin\Application Data\Malwarebytes

2011-07-06 15:46 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-06 15:46 . 2011-07-06 18:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-07-06 15:46 . 2011-07-06 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-07-06 15:46 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-01 11:51 . 2011-07-01 11:51 -------- d-----w- c:\program files\Boingo

2011-07-01 11:51 . 2011-07-01 11:51 -------- d-----w- c:\documents and settings\All Users\Application Data\GoBoingo

2011-06-17 13:24 . 2010-12-20 17:32 551936 -c----w- c:\windows\system32\dllcache\oleaut32.dll

2011-06-17 13:24 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys

2011-06-14 07:26 . 2011-06-14 07:26 -------- d-----w- c:\windows\ServicePackFiles

2011-06-14 02:47 . 2010-09-18 06:53 954368 -c----w- c:\windows\system32\dllcache\mfc40.dll

2011-06-14 02:47 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll

2011-06-14 02:40 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys

2011-06-14 02:40 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

2011-06-14 02:40 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

2011-06-14 02:35 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-07 22:29 . 2010-12-06 21:58 94208 ----a-w- c:\windows\TIRHService.exe

2011-05-02 15:31 . 2008-04-25 21:27 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 17:25 . 2008-04-25 16:16 151552 ----a-w- c:\windows\system32\schannel.dll

2011-04-29 16:19 . 2008-04-25 16:16 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-25 16:11 . 2008-04-25 16:16 916480 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 16:11 . 2008-04-25 16:16 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-04-25 16:11 . 2008-04-25 16:16 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-04-25 12:01 . 2008-04-25 16:16 385024 ----a-w- c:\windows\system32\html.iec

2011-04-21 13:37 . 2008-04-25 16:16 105472 ----a-w- c:\windows\system32\drivers\mup.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-04-19 39408]

"PTIM.exe"="c:\program files\WebEx\Productivity Tools\PTIM.exe" [2011-05-27 405816]

"PTOneClick"="c:\program files\WebEx\Productivity Tools\ptoneclk.exe" [2011-06-20 368440]

"Push Client"="c:\documents and settings\maustin\Local Settings\Application Data\ATT Connect\Participant\pull.exe" [2009-09-17 935240]

"jRhcNYUJBNjYqGW"="c:\documents and settings\All Users\Application Data\jRhcNYUJBNjYqGW.exe" [bU]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-06-19 249856]

"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-17 483420]

"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-03-17 729088]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-10-23 141336]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-10-23 173592]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-10-23 142872]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-11 186904]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2010-04-04 2498560]

"CLIVFR"="c:\program files\Dell\Latitude ON Reader\CLIVFR.exe" [2009-06-11 238888]

"BIOSEvent"="c:\program files\Dell\Latitude ON Reader\BIOSEvent.exe" [2009-05-22 116008]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-12-29 140520]

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]

"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]

"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2009-10-09 883272]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-06-08 40376]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-22 640440]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

"SonicWALLNetExtender"="c:\program files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe" [2010-04-02 1103744]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-01-31 115560]

"Boingo Wi-Finder"="c:\program files\Boingo\Boingo Wi-Finder\Boingo.lnk" [2011-07-08 2203]

"Track-It! Workstation Manager Service Monitor"="c:\windows\TIREMOTE\TIServiceMonitor.exe" [2009-09-17 229376]

"DameWare MRC Agent"="c:\windows\dwrcs\DWRCST.exe" [2011-03-22 275328]

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceStartMenuLogOff"= 1 (0x1)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MRCNotify]

2011-03-22 19:30 53632 ----a-w- c:\windows\dwrcs\DWRCWXL.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

2009-07-26 21:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Panasonic\\Wireless Manager ME4.5\\WM.exe"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

"6129:TCP"= 6129:TCP:DameWare Mini Remote Control Service

"6129:UDP"= 6129:UDP:DameWare Mini Remote Control Service

.

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/7/2011 12:57 PM 64512]

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2/15/2007 7:00 AM 26624]

R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [4/19/2010 1:19 PM 86552]

R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [4/19/2007 6:56 AM 133968]

R2 CLMonitor;CLMonitor;c:\program files\Dell\Latitude ON Reader\CLMonitorService.exe [5/22/2009 3:51 PM 120104]

R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [12/17/2009 11:45 AM 812448]

R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [12/17/2009 11:45 AM 27040]

R2 TIRmtSvc;Track-It! Workstation Manager;c:\windows\TIREMOTE\TIRemoteService.exe [7/7/2011 6:29 PM 210944]

R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [4/4/2010 3:50 AM 112512]

R3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [4/4/2010 3:50 AM 33832]

R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2/7/2007 7:00 AM 3712]

R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [4/4/2010 3:50 AM 240344]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/10/2011 3:28 AM 105592]

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [4/4/2010 3:50 AM 110080]

R3 mircap;mircap;c:\windows\system32\drivers\mircap.sys [10/6/2006 9:38 AM 4608]

R3 mtpaudio;Panasonic Projector Audio Device Driver;c:\windows\system32\drivers\mtpaudio.sys [10/6/2006 9:38 AM 12800]

R3 NxDrv;SonicWALL NetExtender Adapter;c:\windows\system32\drivers\NxDrv.sys [10/21/2009 2:27 PM 22600]

R3 seccap;seccap;c:\windows\system32\drivers\seccap.sys [10/6/2006 9:38 AM 5632]

R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [4/4/2010 1:07 AM 232744]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/19/2010 2:22 PM 135664]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [6/20/2011 10:31 AM 2151640]

S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [10/9/2009 5:59 PM 121416]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/31/2011 11:47 AM 23888]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/19/2010 2:22 PM 135664]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [6/20/2011 10:31 AM 15232]

S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NvtSp50.sys --> c:\windows\system32\Drivers\NvtSp50.sys [?]

S3 PJDrv;PJDrv;c:\program files\Panasonic\Wireless Manager ME4.5\PJdrv.sys [10/6/2006 9:37 AM 8607]

S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [4/19/2010 1:18 PM 24876]

S3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [2/23/2009 5:55 PM 20504]

S3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\drivers\swnc8u80.sys [3/31/2009 2:45 PM 190080]

S3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\drivers\swnc8ua3.sys [3/31/2009 2:45 PM 190080]

S3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\drivers\swumx80.sys [5/4/2009 3:57 PM 148096]

S3 SWUMXA3;Sierra Wireless USB MUX Driver (UMTSA3);c:\windows\system32\drivers\swumxa3.sys [5/4/2009 3:57 PM 148096]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/25/2008 12:16 PM 14336]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

.

Contents of the 'Scheduled Tasks' folder

.

2011-07-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-06-20 11:19]

.

2011-06-27 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

.

2011-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-19 18:22]

.

2011-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-19 18:22]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uInternet Settings,ProxyServer = http=172.16.100.2:8080;https=172.16.100.2:8080;ftp=172.16.100.2:8080;gopher=172.16.100.2:8080;socks=172.16.100.2:8080

uInternet Settings,ProxyOverride = <local>

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html

LSP: bmnet.dll

TCP: DhcpNameServer = 172.15.100.12 172.16.100.2 172.16.100.4

DPF: {F92211F4-3913-4DC2-A275-756374D848B0} - hxxp://172.15.100.113:85/MP4DVR.cab

.

- - - - ORPHANS REMOVED - - - -

.

URLSearchHooks-{56d1ace8-c2b6-4a67-9261-fed5c12e4a90} - (no file)

SafeBoot-Symantec Antvirus

AddRemove-TM Calendar_is1 - c:\documents and settings\maustin\Desktop\AddIns\TM Calendar\unins000.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-07-08 19:06

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1140)

c:\windows\dwrcs\DWRCWXL.dll

c:\windows\system32\bmnet.dll

.

- - - - - - - > 'lsass.exe'(1200)

c:\windows\system32\bmnet.dll

.

Completion time: 2011-07-08 19:22:32

ComboFix-quarantined-files.txt 2011-07-08 23:22

.

Pre-Run: 73,056,894,976 bytes free

Post-Run: 73,074,913,280 bytes free

.

- - End Of File - - B9FD2169C5B2C4F95258B46DAB5D2499


  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply.

Note: It will also create a log in the C:\ directory.


After extracting, TDSSKiller won't run. I tried double-clicking, right-click > Open, right-click Run As... logged on user, from command prompt, from command prompt with RunAs as another admin account. It shows for a split second in the Task Manager, but then immediately closes.


Those two files are harmless.

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You may, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

  • Now click on: EOLS3.gif
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed, the Online Scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan; otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on: EOLS4.gif
  • Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


The scan came out clean.

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=0c56f172f82c4b4a8efaeb131cd2d673

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2011-07-11 03:48:26

# local_time=2011-07-11 11:48:26 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=61793

# found=0

# cleaned=0

# scan_time=1625

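As an added example (not code from the thread, the helper, or ESET), a small Python check that parses the '# key=value' header of an ESET Online Scanner log and compares it with the settings the earlier instructions asked for; the sample input is copied from the log posted above, where remove_checked and archives_checked are the opposite of what was instructed ("Remove found threats" NOT checked, "Scan archives" checked), which is exactly the kind of mismatch a helper wants to catch before trusting "found=0".

```python
# Added example (not from the thread or ESET): check an ESET Online Scanner log
# header against the settings the helper asked for.
import re

# Sample input: '# key=value' header lines copied from the ESET log posted above.
ESET_LOG = """\
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# scanned=61793
# found=0
# cleaned=0
"""

# What the instructions asked for (True = option must be checked).
EXPECTED = {
    "remove_checked": False,      # "Remove found threats" must NOT be checked
    "archives_checked": True,     # "Scan archives" must be checked
    "unwanted_checked": True,     # Advanced: potentially unwanted applications
    "unsafe_checked": True,       # Advanced: potentially unsafe applications
    "antistealth_checked": True,  # Advanced: Anti-Stealth Technology
}

_HEADER_LINE = re.compile(r"^#\s*([A-Za-z_]+)=(.*)$")

def parse_eset_header(text):
    """Return the '# key=value' lines as a dict of raw string values."""
    fields = {}
    for line in text.splitlines():
        m = _HEADER_LINE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def check_settings(fields, expected=EXPECTED):
    """Return {key: (instructed, actual)} for options set wrongly or missing."""
    mismatches = {}
    for key, want in expected.items():
        raw = fields.get(key)
        actual = None if raw is None else raw.lower() == "true"
        if actual != want:
            mismatches[key] = (want, actual)
    return mismatches

def summarize(fields):
    """Outcome as (finished, scanned, found, cleaned); counts default to 0."""
    count = lambda k: int(fields.get(k) or 0)
    return (fields.get("end") == "finished",
            count("scanned"), count("found"), count("cleaned"))
```

On the thread's log, check_settings reports remove_checked as (False, True) and archives_checked as (True, False), while summarize gives (True, 61793, 0, 0).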

I don't want to seem unappreciative, but I'm running out of time. If I can't clean this system, I need to wipe it and rebuild. Either way, I need to get it ready to overnight back to the user (who is my boss's boss, so there's no chance of stretching time). I hate to ask for a time estimate when I'm getting free help, as I've always thought the only thing that should come out of my mouth is 'thank you for donating your help to me'. How many more 'things to try' do you have?


I guess I'm going to have to abandon this process. I'm very sorry. I was expecting to have at least 2 weeks to tackle this problem, but the boss is the boss. Thank you for trying. I've never gone through so many programs without getting results, and I was interested to see what came next, and after that, and after that. Thank you for your help, though.

