
Search Links Redirected


  • This topic is locked
2 replies to this topic

#1 dh1

  • Members
  • 1 posts

Posted 26 April 2008 - 09:40 AM

Hello, every time I use Google or any other search tool and I click on a link, I am redirected to various sites. It is not the same site every time.

Deckard's System Scanner v20071014.68
Run by cpsdhen on 2008-04-26 10:29:36
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
57: 2008-04-26 14:29:42 UTC - RP57 - Deckard's System Scanner Restore Point
56: 2008-04-25 20:13:14 UTC - RP56 - System Checkpoint
55: 2008-04-24 20:11:17 UTC - RP55 - System Checkpoint
54: 2008-04-23 19:19:09 UTC - RP54 - Installed Conductix Quick Quote
53: 2008-04-23 18:06:41 UTC - RP53 - System Checkpoint


-- First Restore Point --
1: 2008-02-01 07:07:00 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as cpsdhen.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:30:55 AM, on 4/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\winself.exe
C:\Program Files\Kyocera\FileUtility\SFUSVC.exe
C:\Program Files\Kyocera\FileUtility\nsCatCom.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\Program Files\Webroot\Client\commagent.exe
C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
C:\Program Files\Webroot\Client\spysweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\vuvmzmzi\judafobc.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Webroot\Client\SpySweeperUI.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\iprntctl.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Intel\AMT\atchk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\Kyocera\FileUtility\NsCatCom.exe
c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Program Files\Webroot\Client\SSU.EXE
C:\Documents and Settings\cpsdhen\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\cpsdhen.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxyus.konecranes.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.64.*;http://citrixagent-na.konecranes.com;*.ame.konecranes.com;http://uskci-web01.konecranes.com;http://uskci-wsus.konecranes.com
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [WebrootClientUI] "C:\Program Files\Webroot\Client\SpySweeperUI.exe"
O4 - HKLM\..\Run: [SynTPStart] "C:\Program Files\Synaptics\SynTP\SynTPStart.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QlbCtrl] "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [iPrint Tray] "C:\WINDOWS\system32\iprntctl.exe" TRAY_ICON
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [fopszebw] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\fopszebw.dll"
O4 - HKLM\..\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [zL5y5X66yV] C:\WINDOWS\rmrwzwps.exe
O4 - HKLM\..\Policies\Explorer\Run: [5y1k3X66yV] C:\Documents and Settings\All Users\Application Data\vuvmzmzi\judafobc.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Global Startup: Scanner File Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Intel® Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel® Active Management Technology Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: MSSysInterv (MSSysInterv1) - Unknown owner - C:\WINDOWS\winself.exe
O23 - Service: SFUSVC - KYOCERA MITA CORPORATION - C:\Program Files\Kyocera\FileUtility\SFUSVC.exe
O23 - Service: SWIHPWMI - Sierra Wireless Inc. - C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
O23 - Service: Intel® Active Management Technology User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\AMT\UNS.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Client\commagent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Client\spysweeper.exe

--
End of file - 8239 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 NICM (Novell InterService Communication Driver) - c:\windows\system32\drivers\nicm.sys <Not Verified; Novell, Inc.; Novell XTier for Windows>
R0 NWFILTER (Novell UNC Path Filter) - c:\windows\system32\netware\nwfilter.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R1 NaiAvTdi1 - c:\windows\system32\drivers\mvstdi5x.sys <Not Verified; McAfee Inc.; VirusScan>
R1 nipplpt2 (Novell iCapture Lpt Redirector 2) - c:\windows\system32\drivers\nipplpt.sys
R2 NetwareWorkstation (Novell Client for Windows) - c:\windows\system32\netware\nwfs.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R2 NWDHCP (Novell DHCP Inform Client) - c:\windows\system32\netware\nwdhcp.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R2 RESMGR (Novell NetWare Resource Manager) - c:\windows\system32\netware\resmgr.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R2 SRVLOC (Novell Service Location) - c:\windows\system32\netware\srvloc.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R3 EntDrv51 - c:\windows\system32\drivers\entdrv51.sys <Not Verified; McAfee, Inc; VirusScan>
R3 NaiAvFilter1 - c:\windows\system32\drivers\naiavf5x.sys <Not Verified; McAfee Inc.; VirusScan>
R3 NWDNS (Novell DNS Name Space Service Provider) - c:\windows\system32\netware\nwdns.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R3 NWHOST (Novell Host File Name Space Service Provider) - c:\windows\system32\netware\nwhost.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R3 NWSLP (Novell SLP Name Space Service Provider) - c:\windows\system32\netware\nwslp.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R3 NWSNS (Novell Simple Naming Services) - c:\windows\system32\netware\nwsns.sys <Not Verified; Novell, Inc.; Novell Client for Windows>

S2 NWSIPX32 (Novell NetWare IPX/SPX Transport Interface) - c:\windows\system32\netware\nwsipx32.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
S3 NWSAP (Novell SAP Name Space Provider) - c:\windows\system32\netware\nwsap.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 McTaskManager (Network Associates Task Manager) - "c:\program files\network associates\virusscan\vstskmgr.exe" <Not Verified; Network Associates, Inc.; VirusScan Enterprise>
R2 MSSysInterv1 (MSSysInterv) - c:\windows\winself.exe service
R2 SFUSVC - c:\program files\kyocera\fileutility\sfusvc.exe <Not Verified; KYOCERA MITA CORPORATION; SFUSVC Module>

S3 cusrvc (Client Update Service for Novell) - c:\windows\system32\cusrvc.exe <Not Verified; Novell, Inc.; Novell Client for Windows>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-03-26 and 2008-04-26 -----------------------------

2008-04-26 09:47:31 0 d-------- C:\Program Files\Trend Micro
2008-04-23 15:19:11 0 d-------- C:\Program Files\I8QQ
2008-04-22 09:01:16 0 d--h----- C:\WINDOWS\PIF
2008-04-22 07:33:53 4096 --a------ C:\WINDOWS\userconfig9x.dll
2008-04-22 07:33:53 4096 --a------ C:\WINDOWS\system32\winlogonpc.exe
2008-04-22 07:33:53 4096 --a------ C:\WINDOWS\system32\taack.exe
2008-04-22 07:33:53 4096 --a------ C:\WINDOWS\system32\taack.dat
2008-04-22 07:33:53 4096 --a------ C:\WINDOWS\system32\sncntr.exe
2008-04-22 07:33:53 0 d-------- C:\WINDOWS\system32\smp
2008-04-22 07:33:53 4096 --a------ C:\WINDOWS\system32\psoft1.exe
2008-04-22 07:33:53 4096 --a------ C:\WINDOWS\system32\psof1.exe
2008-04-22 07:33:53 4096 --a------ C:\WINDOWS\system32\ps1.exe
2008-04-22 07:33:53 4096 --a------ C:\WINDOWS\system32\netode.exe
2008-04-22 07:33:53 4096 --a------ C:\WINDOWS\system32\mwin32.exe
2008-04-22 07:33:53 4096 --a------ C:\WINDOWS\system32\mtr2.exe
2008-04-22 07:33:53 4096 --a------ C:\WINDOWS\system32\msnbho.dll
2008-04-22 07:33:53 4096 --a------ C:\WINDOWS\system32\msgp.exe
2008-04-22 07:33:53 4096 --a------ C:\WINDOWS\system32\medup020.dll
2008-04-22 07:33:53 4096 --a------ C:\WINDOWS\system32\medup012.dll
2008-04-22 07:33:53 4096 --a------ C:\WINDOWS\system32\hxiwlgpm.exe
2008-04-22 07:33:53 4096 --a------ C:\WINDOWS\system32\hxiwlgpm.dat
2008-04-22 07:33:53 4096 --a------ C:\WINDOWS\system32\hoproxy.dll
2008-04-22 07:33:53 4096 --a------ C:\WINDOWS\system32\bsva-egihsg52.exe
2008-04-22 07:33:53 4096 --a------ C:\WINDOWS\iTunesMusic.exe
2008-04-22 07:33:53 4096 --a------ C:\WINDOWS\FVProtect.exe
2008-04-22 07:33:53 4096 --a------ C:\WINDOWS\a.bat
2008-04-22 07:33:52 4096 --a------ C:\WINDOWS\system32\thun32.dll
2008-04-22 07:33:52 4096 --a------ C:\WINDOWS\system32\thun.dll
2008-04-22 07:33:52 4096 --a------ C:\WINDOWS\system32\temp#01.exe
2008-04-22 07:33:52 4096 --a------ C:\WINDOWS\system32\ssvchost.exe
2008-04-22 07:33:52 4096 --a------ C:\WINDOWS\system32\ssvchost.com
2008-04-22 07:33:52 4096 --a------ C:\WINDOWS\system32\Rundl1.exe
2008-04-22 07:33:52 4096 --a------ C:\WINDOWS\system32\regm64.dll
2008-04-22 07:33:52 4096 --a------ C:\WINDOWS\system32\regc64.dll
2008-04-22 07:33:52 4096 --a------ C:\WINDOWS\system32\msvchost.exe
2008-04-22 07:33:52 4096 --a------ C:\WINDOWS\system32\h@tkeysh@@k.dll
2008-04-22 07:33:52 4096 --a------ C:\WINDOWS\system32\dpcproxy.exe
2008-04-22 07:33:51 4096 --a------ C:\WINDOWS\winsystem.exe
2008-04-22 07:33:51 4096 --a------ C:\WINDOWS\system32\WINWGPX.EXE
2008-04-22 07:33:51 4096 --a------ C:\WINDOWS\system32\winsystem.exe
2008-04-22 07:33:51 4096 --a------ C:\WINDOWS\system32\vcatchpi.dll
2008-04-22 07:33:51 4096 --a------ C:\WINDOWS\system32\vbsys2.dll
2008-04-22 07:33:51 4096 --a------ C:\WINDOWS\system32\sysreq.exe
2008-04-22 07:33:51 4096 --a------ C:\WINDOWS\system32\newsd32.exe
2008-04-22 07:33:51 4096 --a------ C:\WINDOWS\system32\mssecu.exe
2008-04-22 07:33:51 4096 --a------ C:\WINDOWS\system32\emesx.dll
2008-04-22 07:33:51 4096 --a------ C:\WINDOWS\system32\bdn.com
2008-04-22 07:33:51 4096 --a------ C:\WINDOWS\system32\awtoolb.dll
2008-04-22 07:33:51 4096 --a------ C:\WINDOWS\system32\anticipator.dll
2008-04-22 07:33:51 4096 --a------ C:\WINDOWS\system32\akttzn.exe
2008-04-22 07:33:51 4096 --a------ C:\WINDOWS\mssecu.exe
2008-04-22 07:33:51 4096 --a------ C:\WINDOWS\bdn.com
2008-04-22 07:33:41 106496 --a------ C:\WINDOWS\system32\hepipknk.exe
2008-04-22 07:33:41 0 d-------- C:\Documents and Settings\All Users\Application Data\vuvmzmzi
2008-04-22 07:33:36 0 d-------- C:\WINDOWS\PerfInfo
2008-04-22 07:33:36 0 d-------- C:\WINDOWS\ifdcvgis
2008-04-22 07:33:36 82432 --a------ C:\Documents and Settings\All Users\Application Data\fopszebw.dll
2008-04-22 07:33:33 177152 --a------ C:\WINDOWS\ojqhgdgd.dll
2008-04-22 07:33:31 82432 --a------ C:\WINDOWS\ezupitmr.dll
2008-04-13 20:35:14 31488 --a------ C:\WINDOWS\voiceip.dll
2008-04-13 20:35:14 9216 --a------ C:\WINDOWS\swin32.dll
2008-04-13 20:35:14 29184 --a------ C:\WINDOWS\cdsm32.dll
2008-04-13 20:35:14 14848 --a------ C:\WINDOWS\bokja.exe
2008-04-13 20:35:13 16128 --a------ C:\WINDOWS\mssvr.exe
2008-04-13 20:35:13 21760 --a------ C:\WINDOWS\mspphe.dll
2008-04-13 20:35:10 15872 --a------ C:\WINDOWS\saiemod.dll
2008-04-13 20:35:09 27136 --a------ C:\WINDOWS\msapasrc.dll
2008-04-13 20:35:09 14848 --a------ C:\WINDOWS\msa64chk.dll
2008-04-13 20:35:08 17152 --a------ C:\WINDOWS\shdocpl.dll
2008-04-13 20:35:07 27648 --a------ C:\WINDOWS\shdocpe.dll
2008-04-13 20:35:07 13056 --a------ C:\WINDOWS\ntnut.exe
2008-04-13 20:33:36 17408 --a------ C:\WINDOWS\winsb.dll
2008-04-13 20:33:36 11776 --a------ C:\WINDOWS\browserad.dll
2008-04-13 20:33:36 12288 --a------ C:\WINDOWS\aviwrap32.dll
2008-04-13 20:33:36 12032 --a------ C:\WINDOWS\avisynthex32.dll
2008-04-13 20:33:36 25344 --a------ C:\WINDOWS\avifile32.dll
2008-04-13 20:33:36 31488 --a------ C:\WINDOWS\autodisc32.dll
2008-04-13 20:33:35 20480 --a------ C:\WINDOWS\audiosrv32.dll
2008-04-13 20:33:35 18432 --a------ C:\WINDOWS\ati2dvag32.dll
2008-04-13 20:33:35 24320 --a------ C:\WINDOWS\ati2dvaa32.dll
2008-04-13 20:33:35 25088 --a------ C:\WINDOWS\athprxy32.dll
2008-04-13 20:33:35 27392 --a------ C:\WINDOWS\asycfilt32.dll
2008-04-13 20:33:34 11520 --a------ C:\WINDOWS\changeurl_30.dll
2008-04-13 20:33:34 29696 --a------ C:\WINDOWS\asferror32.dll
2008-04-13 20:33:34 29696 --a------ C:\WINDOWS\apphelp32.dll
2008-04-13 13:29:09 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-04-13 13:29:08 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-04-13 13:29:06 4 --a------ C:\WINDOWS\system32\winfrun32.bin
2008-04-13 13:29:06 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-04-13 13:28:58 28160 --a------ C:\WINDOWS\winself.exe
2008-04-13 13:28:40 6656 --a------ C:\WINDOWS\ictions.dll
2008-04-11 23:22:28 6656 --a------ C:\WINDOWS\system32\000060.exe
2008-04-11 15:44:48 187904 ---hs---- C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
2008-04-11 14:44:58 229526 --a------ C:\WINDOWS\system32\000080.exe
2008-03-27 07:34:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-03-27 07:34:53 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-03-27 07:34:47 0 d-------- C:\Documents and Settings\Default User\Application Data\Webroot


-- Find3M Report ---------------------------------------------------------------

2008-04-25 15:01:09 0 d-------- C:\Documents and Settings\cpsdhen\Application Data\OpenOffice.org2
2008-04-13 13:29:21 0 d-------- C:\Program Files\Common Files
2008-03-19 09:01:43 0 d-------- C:\Program Files\Webroot
2008-03-03 12:40:15 0 d-------- C:\Program Files\Microsoft Streets & Trips
2008-03-03 12:37:41 0 d-------- C:\Program Files\Microsoft Location Finder
2008-02-28 16:56:59 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-28 16:56:55 0 d-------- C:\Program Files\Kyocera
2008-02-18 17:09:23 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-02-18 17:09:23 290816 -----n--- C:\WINDOWS\Setup1.exe <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Windows>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWTRAY"="NWTRAY.EXE" [03/12/2002 09:37 AM C:\WINDOWS\system32\nwtray.exe]
"WebrootClientUI"="C:\Program Files\Webroot\Client\SpySweeperUI.exe" [03/19/2008 05:33 PM]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [09/14/2007 08:29 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 05:00 AM]
"StartCCC"="c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/10/2006 01:35 PM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [01/05/2007 05:36 PM]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [07/13/2006 08:12 AM]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [09/22/2004 09:00 AM]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [11/06/2007 05:34 PM]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [10/07/2003 10:48 AM]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" [04/04/2007 01:35 PM]
"iPrint Tray"="C:\WINDOWS\system32\iprntctl.exe" [05/07/2007 12:31 PM]
"iPrint Event Monitor"="C:\WINDOWS\system32\iprntlgn.exe" [05/07/2007 12:31 PM]
"fopszebw"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\fopszebw.dll" []
"atchk"="C:\Program Files\Intel\AMT\atchk.exe" [05/01/2007 05:52 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 08:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Program Neighborhood Agent.lnk - C:\Program Files\Citrix\ICA Client\pnagent.exe [11/29/2005 5:16:14 PM]
Scanner File Utility.lnk - C:\Program Files\Kyocera\FileUtility\NsCatCom.exe [2/28/2008 4:57:02 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"zL5y5X66yV"=C:\WINDOWS\rmrwzwps.exe
"5y1k3X66yV"=C:\Documents and Settings\All Users\Application Data\vuvmzmzi\judafobc.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7850c300-c481-11dc-9584-f9b6523bd877}]
AutoRun\command- F:\mri.exe




-- End of Deckard's System Scanner: finished at 2008-04-26 10:31:33 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 Duo CPU T7300 @ 2.00GHz
CPU 1: Intel® Core™2 Duo CPU T7300 @ 2.00GHz
Percentage of Memory in Use: 49%
Physical Memory (total/avail): 1023.23 MiB / 520.57 MiB
Pagefile Memory (total/avail): 2460.01 MiB / 1740.75 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1933.06 MiB

C: is Fixed (NTFS) - 74.52 GiB total, 60.55 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - FUJITSU MHW2080BJ G1 - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.52 GiB - C:



-- Security Center -------------------------------------------------------------

Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntivirusOverride is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Novell\\GroupWise\\grpwise.exe"="C:\\Novell\\GroupWise\\grpwise.exe:*:Enabled:Novell GroupWise"
"C:\\Novell\\GroupWise\\notify.exe"="C:\\Novell\\GroupWise\\notify.exe:*:Enabled:Novell Notify"
"C:\\Program Files\\UltraVNC\\winvnc.exe"="C:\\Program Files\\UltraVNC\\winvnc.exe:*:Enabled:VNC server for Win32"
"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\cpsdhen\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=KONECRAN-585DF9
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\
LOGONSERVER=\\KONECRAN-585DF9
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;c:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\WINDOWS\system32\nls;C:\WINDOWS\system32\nls\ENGLISH
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 11, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0b
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\cpsdhen\LOCALS~1\Temp
TMP=C:\DOCUME~1\cpsdhen\LOCALS~1\Temp
USERDOMAIN=KONECRAN-585DF9
USERNAME=cpsdhen
USERPROFILE=C:\Documents and Settings\cpsdhen
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

cpsdhen (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> MsiExec.exe /I{219B0DA4-8F1A-499D-8795-4A07C632521E}
--> MsiExec.exe /I{644B991F-B109-4360-9DA3-40CDAD13961C}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
ATI Catalyst Control Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x0
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AuthenTec Fingerprint Sensor Minimum Install --> MsiExec.exe /I{EB4DF30B-102B-4F0C-927A-D50E037A325D}
Catalyst Control Center - Branding --> MsiExec.exe /I{3F93B2BA-18EC-462B-9ACD-396599353EE1}
ChainSystem_US --> C:\WINDOWS\system32\javaws.exe -uninstall -prompt "http://chainsystemus.kcigroup.com/kci_customizer/chainsystemus.jnlp"
Conductix Quick Quote --> MsiExec.exe /X{408EDB5C-B825-46D9-B0C0-5FB54ACD0F95}
CutePDF Printer Setup --> C:\WINDOWS\system32\UnCutePP.exe
Festoon Estimator --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\DOW\Festoon\ST6UNST.LOG"
Figure 8 Bar Estimate --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\DOW\Bar\ST6UNST.LOG"
GroupWise --> MsiExec.exe /I{A55A86B8-E8B1-45F5-8827-0AA7EAB62BB5}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Broadband Wireless Modules --> MsiExec.exe /X{E0742446-2B18-4204-8A46-DA70BB003318}
HP Integrated Module with Bluetooth wireless technology --> MsiExec.exe /X{84814E6B-2581-46EC-926A-823BD1C670F6}
HP Quick Launch Buttons 6.40 B2 --> C:\Program Files\InstallShield Installation Information\{34D2AB40-150D-475D-AE32-BD23FB5EE355}\Setup.exe -runfromtemp -l0x0009 -removeonly uninst
Intel® Active Management Technology Device Software --> C:\WINDOWS\system32\mesoludlg.exe -uninstall
Intel® PRO Network Connections Drivers --> Prounstl.exe
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Kyocera Scanner File Utility --> C:\Program Files\InstallShield Installation Information\{61C79AE1-5403-4687-AC68-28BFA5EF3895}\Setup.exe -runfromtemp -l0x0009 -removeonly
McAfee VirusScan Enterprise --> MsiExec.exe /I{5DF3D1BB-894E-4DCD-8275-159AC9829B43}
MetaFrame Presentation Server Client --> MsiExec.exe /I{DF1D5FEC-D67C-43C8-9230-41F5DF350196}
Microsoft English TTS Engine --> MsiExec.exe /I{94824ADD-8F26-43D2-84DB-22E11F377E5E}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Streets & Trips 2007 --> MsiExec.exe /I{C82185E8-C27B-4EF4-2007-4444BC2C2B6D}
NICI (Shared) U.S./Worldwide (128 bit) (2.7.0-2) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F02DBC5D-33E3-45E9-B0F8-B7745229ED1C}\Setup.exe" -uninst
NMAS Challenge Response Method --> MsiExec.exe /X{B9A5A789-D491-49FB-958C-BFEC2C11BB1D}
NMAS Client --> MsiExec.exe /I{9B427732-573E-4E78-B6FA-AC3E5A218BA2}
Novell Client for Windows --> %SystemRoot%\system32\rundll32 nwsetup.dll NWUninstallClient
Novell iPrint Client v04.28.00 --> C:\WINDOWS\system32\iprint\setupipp.exe /uninstall
OpenOffice.org 2.3 --> MsiExec.exe /I{2F29D6D2-824E-4FEF-8AED-7013F39F642A}
RICOH R5C853 Driver Ver.1.00.02 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{59F6A514-9813-47A3-948C-8A155460CC2A}\setup.exe" -l0x9 anything
Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2C06_hpqZ3795\UIU32m.exe -U -IhpqZ3795.inf
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe" -l0x9 -removeonly
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
TTS Wrapper --> MsiExec.exe /I{97D0C0A1-7E64-4B05-A2EE-61D2CE23F154}
UltraVNC v1.0.1 --> "C:\Program Files\UltraVNC\unins000.exe"
Windows NT Messaging --> RunDll32 setupapi.dll,InstallHinfSection Uninstall 4 MSMail.inf


-- Application Event Log -------------------------------------------------------

Event Record #/Type12222 / Warning
Event Submitted/Written: 04/26/2008 10:31:23 AM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: Would be blocked by behaviour blocking rule (rule is currently in warn mode) (warn only mode!).(from KONECRAN-585DF9 IP 192.168.0.100 user SYSTEM running VirusScan Enter 8.0 OAS)

Event Record #/Type12221 / Warning
Event Submitted/Written: 04/26/2008 10:31:23 AM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: Would be blocked by behaviour blocking rule (rule is currently in warn mode) (warn only mode!).(from KONECRAN-585DF9 IP 192.168.0.100 user SYSTEM running VirusScan Enter 8.0 OAS)

Event Record #/Type12201 / Warning
Event Submitted/Written: 04/26/2008 09:47:26 AM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: Would be blocked by behaviour blocking rule (rule is currently in warn mode) (warn only mode!).(from KONECRAN-585DF9 IP 192.168.0.100 user SYSTEM running VirusScan Enter 8.0 OAS)

Event Record #/Type12184 / Warning
Event Submitted/Written: 04/26/2008 09:23:03 AM
Event ID/Source: 2001 / Intel® AMT
Event Description:
[UNS] Failed to get EAC Status.

Event Record #/Type12183 / Error
Event Submitted/Written: 04/26/2008 09:23:03 AM
Event ID/Source: 2002 / Intel® AMT
Event Description:
[UNS] Failed to subscribe to local Intel® AMT.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type5808 / Warning
Event Submitted/Written: 04/26/2008 09:22:40 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001B38E6694C. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type5772 / Warning
Event Submitted/Written: 04/25/2008 10:54:10 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001B38E6694C. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type5742 / Warning
Event Submitted/Written: 04/25/2008 10:50:00 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001B38E6694C. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type5738 / Error
Event Submitted/Written: 04/25/2008 10:49:16 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type5737 / Error
Event Submitted/Written: 04/25/2008 09:23:32 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}



-- End of Deckard's System Scanner: finished at 2008-04-26 10:31:33 ------------
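An added example, not part of the original post and not a feature of Deckard's System Scanner or of BleepingComputer: a small Python triage script for the event-log section of a DSS report. The sample text embedded in it is copied from the Application and System Event Log sections of the log above (trimmed to three records); the triage rules, the Win32 error-code names and all function names are this example's own. It surfaces the point a responder should not miss in this log: VirusScan Enterprise reports that an access-protection rule matched but, because the rule is in warn mode, nothing was actually blocked.

```python
"""Triage the event-log section of a Deckard's System Scanner (DSS) report.

Added example; not part of the original post and not a DSS feature.  SAMPLE_LOG
is copied from the DSS log posted above (trimmed to three records).  The triage
rules and the Win32 error-code names are this example's own additions.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

SAMPLE_LOG = """\
-- Application Event Log -------------------------------------------------------

Event Record #/Type12222 / Warning
Event Submitted/Written: 04/26/2008 10:31:23 AM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: Would be blocked by behaviour blocking rule (rule is currently in warn mode) (warn only mode!).(from KONECRAN-585DF9 IP 192.168.0.100 user SYSTEM running VirusScan Enter 8.0 OAS)

-- System Event Log ------------------------------------------------------------

Event Record #/Type5808 / Warning
Event Submitted/Written: 04/26/2008 09:22:40 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001B38E6694C. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type5738 / Error
Event Submitted/Written: 04/25/2008 10:49:16 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}
"""

SECTION_RE = re.compile(r"^-- (.+?) Event Log -+$")
RECORD_RE = re.compile(r"^Event Record #/Type(\d+) / (\w+)$")
WRITTEN_RE = re.compile(r"^Event Submitted/Written: (.+)$")
IDSRC_RE = re.compile(r"^Event ID/Source: (\d+) / (.+)$")
ORIGIN_RE = re.compile(r"\(from (\S+) IP (\S+) user (\S+)")

# Event Viewer expands %%NNNN to the Win32 error text; DSS leaves the raw code.
WIN32_ERRORS = {
    1084: "ERROR_NOT_SAFEBOOT_SERVICE: service cannot be started in Safe Mode",
    1223: "ERROR_CANCELLED: the operation was cancelled",
}


@dataclass
class Event:
    log: str            # "Application", "Security" or "System"
    record: int
    level: str          # "Warning" or "Error"
    written: str = ""
    event_id: int = 0
    source: str = ""
    description: str = ""


def parse_dss_events(text: str) -> list[Event]:
    """Split a DSS event-log dump into Event records; descriptions may span lines."""
    events, log, cur, in_desc = [], "", None, False
    for line in (raw.rstrip() for raw in text.splitlines()):
        if m := SECTION_RE.match(line):
            log, cur, in_desc = m.group(1), None, False
        elif m := RECORD_RE.match(line):
            cur = Event(log, int(m.group(1)), m.group(2))
            events.append(cur)
            in_desc = False
        elif cur is None:
            continue
        elif in_desc:
            if line == "":                          # blank line closes the record
                cur, in_desc = None, False
            else:
                cur.description = f"{cur.description} {line}".strip()
        elif m := WRITTEN_RE.match(line):
            cur.written = m.group(1)
        elif m := IDSRC_RE.match(line):
            cur.event_id, cur.source = int(m.group(1)), m.group(2)
        elif line == "Event Description:":
            in_desc = True
    return events


def triage(events: list[Event]) -> list[tuple[int, str]]:
    """Return (record number, reason) for the entries a responder should read first."""
    findings = []
    for ev in events:
        if "warn only mode" in ev.description:
            # The access-protection rule matched, but in warn mode the action is
            # only logged, never stopped; note where and as whom it happened.
            m = ORIGIN_RE.search(ev.description)
            origin = f" on {m.group(1)} {m.group(2)} as {m.group(3)}" if m else ""
            findings.append((ev.record, f"AV rule matched but NOT blocked (warn mode){origin}"))
        for code in re.findall(r"%%(\d+)", ev.description):
            if name := WIN32_ERRORS.get(int(code)):
                findings.append((ev.record, f"{ev.source} event {ev.event_id}: Win32 error {code} = {name}"))
    return findings


if __name__ == "__main__":
    for rec, why in triage(parse_dss_events(SAMPLE_LOG)):
        print(rec, why)
```

Running it over the embedded sample lists three findings: the warn-only VirusScan event (with host, IP and the SYSTEM account from the event text), the DHCP renewal failure decoded as ERROR_CANCELLED, and the DCOM failure decoded as ERROR_NOT_SAFEBOOT_SERVICE. The same parser works on the full DSS report because the section and record headers are the ones DSS writes.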



#2 Buckeye_Sam
Malware Expert, Members, 17,382 posts, Pickerington, Ohio

Posted 26 April 2008 - 11:44 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you.

Please download ComboFix and save it to your desktop.

Prior to running combofix.exe, you should disable your antivirus program and disconnect from the internet.

Double-click combofix.exe and follow the prompts.
When it's done running, it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Buckeye_Sam
Malware Expert, Members, 17,382 posts, Pickerington, Ohio

Posted 19 May 2008 - 07:51 AM

As there has been no response, this thread will now be closed.

If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
