Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Browser redirected (JUMP) SDFIX report - Help please


  • Please log in to reply
2 replies to this topic

#1 translog

translog

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:01:19 PM

Posted 22 December 2008 - 08:08 AM

Hello,

I have tried to eradicate the issue with my browser that is redirecting itself. I ran other antivirus software ( Spybot - Adware ) and finally took your advise in the forum and ran SDFIX in safe mode. Does not seem to have eliminated my issue. Could you view the report and suggest a plan of action. Thank you very much. Report below.

Thank you

Pierre

SDFix: Version 1.240
Run by Belinda on Sun 12/21/2008 at 08:56 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-21 21:38:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\Belinda\ntuser.dat, 0
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :



Files with Hidden Attributes :

Tue 3 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Tue 5 Aug 2003 37,888 ...H. --- "C:\Documents and Settings\Belinda\My Documents\~WRL1450.tmp"
Tue 5 Aug 2003 35,328 ...H. --- "C:\Documents and Settings\Belinda\My Documents\~WRL1734.tmp"
Tue 5 Aug 2003 36,352 ...H. --- "C:\Documents and Settings\Belinda\My Documents\~WRL3462.tmp"
Thu 4 Aug 2005 32,256 A..H. --- "C:\Documents and Settings\Belinda\My Documents\2005 YEAR-END ACCOUNT REVIEWS\Copy of ~WRL3094.tmp"
Thu 4 Aug 2005 32,256 A..H. --- "C:\Documents and Settings\Belinda\My Documents\2005 YEAR-END ACCOUNT REVIEWS\Copy of ~WRL0197.tmp"
Thu 4 Aug 2005 24,064 A..H. --- "C:\Documents and Settings\Belinda\My Documents\2005 YEAR-END ACCOUNT REVIEWS\Copy of ~WRL2813.tmp"
Mon 30 Jun 2003 1,206 ...HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Mon 30 Jun 2003 1,206 ...HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg_old.reg"
Mon 30 Jun 2003 12,368 ...HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient_old.reg"
Mon 30 Jun 2003 12,368 ...HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Tue 3 Aug 2004 73,728 A.SH. --- "C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe"

Finished!

BC AdBot (Login to Remove)

 


#2 translog

translog
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:01:19 PM

Posted 22 December 2008 - 06:31 PM

Title was: Infected Browser redirects, Tried SDFIX could not remove ~ OB

Tried using SDFIX has not worked. Just did the RSIT Report posted below. Any help appreciated.

Logfile of random's system information tool 1.05 (written by random/random)
Run by Belinda at 2008-12-22 18:26:44
Microsoft Windows XP Professional Service Pack 2
System drive C: has 1 GB (2%) free of 69 GB
Total RAM: 512 MB (35% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:26:51 PM, on 12/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
c:\opt\MBCASE\pm\bin\mcp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\SLadmin\SLadmin.exe
C:\Program Files\SLmail\slsmtp.exe
C:\WINDOWS\System32\svchost.exe
c:\opt\MBCASE\WIS\TBCD\tbmux32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\Program Files\SLmail\SLmail.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\cmd.exe
C:\opt\MBCASE\pm\bin\cmserver.exe
C:\WINDOWS\system32\cmd.exe
C:\opt\MBCASE\pm\bin\lic_srv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\WINDOWS\system32\TDxVGAUTIL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\WinFax\WFXCTL32.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Maximizer\MxAlarm.exe
C:\Program Files\Maximizer\MxFinder.exe
C:\PVSW\Bin\w3dbsmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\Belinda\Desktop\RSIT.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\trend micro\Belinda.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [TDxVGAUTIL] C:\WINDOWS\system32\TDxVGAUTIL.EXE
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: MaxAlarm.lnk = C:\Program Files\Maximizer\MxAlarm.exe
O4 - Global Startup: MaxFinder.lnk = C:\Program Files\Maximizer\MxFinder.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {FF452CFC-7056-4A5D-A327-1DFEC8EDC82A} (Upload Class) - http://www.neptune.com/features/upload/ms40upld.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{51165D6F-036B-4659-8DAA-359D4C632CBD}: NameServer = 85.255.114.109;85.255.112.153
O17 - HKLM\System\CCS\Services\Tcpip\..\{719F33D7-95AD-4831-A4F9-AD2DA95B371D}: NameServer = 85.255.114.109;85.255.112.153
O17 - HKLM\System\CCS\Services\Tcpip\..\{98AEB48B-26E9-40F1-A298-73FD1985D815}: NameServer = 10.1.1.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.109;85.255.112.153
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.109;85.255.112.153
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.109;85.255.112.153
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: konfig - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: license - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: mcp - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Seattle Lab Remote Administration (SLadmin) - BVRP Software - C:\Program Files\SLadmin\SLadmin.exe
O23 - Service: Seattle Lab POP3 Server (SLmail) - BVRP Software - C:\Program Files\SLmail\SLmail.exe
O23 - Service: Seattle Lab Smtp Server (slsmtp) - BVRP Software - C:\Program Files\SLmail\slsmtp.exe
O23 - Service: TransBaseService - TransAction Software, D 81737 Munich - c:\opt\MBCASE\WIS\TBCD\tbmux32.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE

--
End of file - 8331 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx [2001-03-02 37808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-22 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar3.dll [2007-01-19 2403392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll [2008-05-05 734704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-22 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-12-22 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar3.dll [2007-01-19 2403392]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"=RunDll32 cmicnfg.cpl []
"WFXSwtch"=C:\PROGRA~1\WinFax\WFXSWTCH.exe [2002-07-29 27648]
"WinFaxAppPortStarter"=C:\WINDOWS\system32\wfxsnt40.exe [2002-07-29 45568]
"Norton Ghost 9.0"=C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe [2004-07-29 1122304]
"TDxVGAUTIL"=C:\WINDOWS\system32\TDxVGAUTIL.EXE [2007-08-01 237568]
"LogMeIn GUI"=C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [2008-07-24 63048]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-12-22 136600]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-03 15360]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-06-14 68856]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
Controller.LNK - C:\Program Files\WinFax\WFXCTL32.EXE
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
MaxAlarm.lnk - C:\Program Files\Maximizer\MxAlarm.exe
MaxFinder.lnk - C:\Program Files\Maximizer\MxFinder.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE
Pervasive.SQL Workgroup Engine.lnk - C:\PVSW\Bin\w3dbsmgr.exe
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\Documents and Settings\Belinda\Start Menu\Programs\Startup
No-IP DUC.lnk - C:\Program Files\No-IP\DUC20.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit]
C:\WINDOWS\system32\LMIinit.dll [2008-10-16 87352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"=C:\Program Files\WinFax\WfxSeh32.Dll [1998-07-27 38400]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ip6fw]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ipnat]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoDrives"=00000400

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2008-12-22 18:26:45 ----D---- C:\Program Files\trend micro
2008-12-22 18:26:44 ----D---- C:\rsit
2008-12-22 18:24:33 ----A---- C:\WINDOWS\system32\javaws.exe
2008-12-22 18:24:33 ----A---- C:\WINDOWS\system32\javaw.exe
2008-12-22 18:24:33 ----A---- C:\WINDOWS\system32\java.exe
2008-12-22 18:24:33 ----A---- C:\WINDOWS\system32\deploytk.dll
2008-12-22 18:24:23 ----D---- C:\Program Files\Java
2008-12-22 18:23:45 ----D---- C:\Documents and Settings\Belinda\Application Data\Sun
2008-12-22 08:31:32 ----D---- C:\Documents and Settings\All Users\Application Data\LogMeIn
2008-12-22 08:31:28 ----A---- C:\WINDOWS\system32\LMIRfsClientNP.dll
2008-12-22 08:31:28 ----A---- C:\WINDOWS\system32\LMIport.dll
2008-12-22 08:31:26 ----D---- C:\WINDOWS\LastGood
2008-12-22 08:31:23 ----A---- C:\WINDOWS\system32\LMIinit.dll
2008-12-22 08:31:15 ----D---- C:\Program Files\LogMeIn
2008-12-21 15:25:39 ----D---- C:\WINDOWS\ERUNT
2008-12-21 15:24:04 ----A---- C:\WINDOWS\ntbtlog.txt
2008-12-21 15:21:16 ----D---- C:\SDFix
2008-12-21 14:28:24 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-12-21 14:28:24 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-21 11:52:25 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-12-21 11:51:56 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-12-12 10:48:25 ----D---- C:\Program Files\Mozilla Firefox 3.1 Beta 2

======List of files/folders modified in the last 1 months======

2008-12-22 18:26:45 ----RD---- C:\Program Files
2008-12-22 18:24:34 ----D---- C:\WINDOWS\Temp
2008-12-22 18:24:33 ----D---- C:\WINDOWS\system32
2008-12-22 18:24:32 ----SHD---- C:\WINDOWS\Installer
2008-12-22 11:44:50 ----D---- C:\Program Files\Mozilla Firefox
2008-12-22 11:26:32 ----D---- C:\WINDOWS\Prefetch
2008-12-22 08:31:28 ----D---- C:\WINDOWS\system32\drivers
2008-12-22 08:31:26 ----HD---- C:\WINDOWS\inf
2008-12-22 08:31:26 ----D---- C:\WINDOWS
2008-12-22 08:31:24 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-22 08:25:11 ----A---- C:\WINDOWS\win.ini
2008-12-22 08:24:15 ----D---- C:\WINDOWS\system32\inetsrv
2008-12-22 08:16:38 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-21 21:46:12 ----D---- C:\Documents and Settings
2008-12-21 14:48:49 ----A---- C:\WINDOWS\wininit.ini
2008-12-21 11:52:26 ----D---- C:\Program Files\Lavasoft
2008-12-21 11:51:56 ----D---- C:\Program Files\Common Files
2008-12-12 11:17:55 ----D---- C:\WINDOWS\Registration
2008-12-12 10:48:55 ----D---- C:\Documents and Settings\Belinda\Application Data\Mozilla

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 GearAspiWDM;GearAspiWDM; C:\WINDOWS\system32\drivers\GearAspiWDM.sys [2004-07-29 14384]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-03 36096]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
R1 PQIMount;PQIMount; C:\WINDOWS\system32\drivers\PQIMount.sys [2004-07-29 46779]
R2 aslm75;aslm75; \??\C:\WINDOWS\system32\drivers\aslm75.sys []
R2 Aspi32;Aspi32; C:\WINDOWS\system32\drivers\Aspi32.sys [2002-08-14 17005]
R2 LMIInfo;LogMeIn Kernel Information Provider; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys []
R2 LMIRfsDriver;LogMeIn Remote File System Driver; \??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys []
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2004-08-03 60800]
R3 catchme;catchme; \??\C:\DOCUME~1\Belinda\LOCALS~1\Temp\catchme.sys []
R3 cmuda;C-Media WDM Audio Interface; C:\WINDOWS\system32\drivers\cmuda.sys [2004-06-25 818816]
R3 G400;G400; C:\WINDOWS\System32\DRIVERS\G400m.sys [2001-08-17 322432]
R3 HCF_MSFT;HCF_MSFT; C:\WINDOWS\System32\DRIVERS\HCF_MSFT.sys [2001-08-17 907456]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2001-08-23 9600]
R3 lmimirr;lmimirr; C:\WINDOWS\system32\DRIVERS\lmimirr.sys [2008-07-24 10144]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-23 12160]
R3 msloop;Microsoft Loopback Adapter Driver; C:\WINDOWS\system32\DRIVERS\loop.sys [2001-08-17 4992]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2004-08-03 61824]
R3 SISNIC;SiS PCI Fast Ethernet Adapter Driver; C:\WINDOWS\System32\DRIVERS\sisnic.sys [2004-08-03 32768]
R3 TdxMrMINI;TdxMrMINI; C:\WINDOWS\system32\DRIVERS\TdxMrMini.sys [2007-08-01 249600]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2004-08-03 17024]
S3 61883;61883 Unit Device; C:\WINDOWS\system32\DRIVERS\61883.sys [2004-08-03 48128]
S3 ASUSHWIO;ASUSHWIO; \??\C:\WINDOWS\system32\drivers\ASUSHWIO.sys []
S3 Avc;AVC Device; C:\WINDOWS\system32\DRIVERS\avc.sys [2004-08-03 38912]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-03 17024]
S3 cirrus;cirrus; C:\WINDOWS\System32\DRIVERS\cirrus.sys [2001-08-17 45696]
S3 Dot4 HPH11;Dot4 HPH11; C:\WINDOWS\System32\DRIVERS\hphid411.sys [2002-11-22 50896]
S3 Dot4Print HPH11;Print Class Driver for IEEE-1284.4 HPH11; C:\WINDOWS\System32\DRIVERS\hphipr11.sys [2002-11-22 16112]
S3 Dot4Usb HPH11;Dot4Usb HPH11; C:\WINDOWS\System32\drivers\hphius11.sys [2002-11-22 18928]
S3 ga302nd5;NETGEAR GA302T Gigabit Adapter; C:\WINDOWS\System32\DRIVERS\ga302nd5.sys [2002-01-24 46405]
S3 MSDV;Microsoft DV Camera and VCR; C:\WINDOWS\system32\DRIVERS\msdv.sys [2004-08-03 51328]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-03 10880]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-03 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-03 15360]
S3 TdxVGAMINI;TdxVGAMINI; C:\WINDOWS\system32\DRIVERS\TdxVgaMini.sys [2007-08-01 252160]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2004-08-03 59264]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 LMIRfsClientNP;LMIRfsClientNP; C:\WINDOWS\system32\drivers\LMIRfsClientNP.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-10 611664]
R2 GEARSecurity;GEARSecurity; C:\WINDOWS\System32\GEARSec.exe [2004-07-29 53248]
R2 IISADMIN;IIS Admin; C:\WINDOWS\System32\inetsrv\inetinfo.exe [2004-08-03 15872]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-12-22 152984]
R2 LMIMaint;LogMeIn Maintenance Service; C:\Program Files\LogMeIn\x86\RaMaint.exe [2008-10-16 116032]
R2 LogMeIn;LogMeIn; C:\Program Files\LogMeIn\x86\LogMeIn.exe [2008-07-24 63040]
R2 mcp;mcp; c:\opt\MBCASE\pm\bin\mcp []
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2003-06-20 322120]
R2 Norton Ghost;Norton Ghost; C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe [2004-07-29 1269760]
R2 SLadmin;Seattle Lab Remote Administration; C:\Program Files\SLadmin\SLadmin.exe [2002-11-07 131141]
R2 SLmail;Seattle Lab POP3 Server; C:\Program Files\SLmail\SLmail.exe [2003-02-25 348238]
R2 slsmtp;Seattle Lab Smtp Server; C:\Program Files\SLmail\slsmtp.exe [2002-10-17 45145]
R2 TransBaseService;TransBaseService; c:\opt\MBCASE\WIS\TBCD\tbmux32.exe [2003-11-07 165376]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-09-22 38912]
R2 W3SVC;World Wide Web Publishing; C:\WINDOWS\System32\inetsrv\inetinfo.exe [2004-08-03 15872]
R2 wfxsvc;WinFax PRO; C:\WINDOWS\system32\WFXSVC.EXE [2000-09-28 129536]
R3 konfig;konfig; c:\opt\MBCASE\pm\bin\mcp []
R3 license;license; c:\opt\MBCASE\pm\bin\mcp []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2003-02-20 32768]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-03-05 138168]
S3 Pml Driver HPH11;Pml Driver HPH11; C:\WINDOWS\System32\HPHipm11.exe [2002-11-22 77824]

-----------------EOF-----------------

Edited by Orange Blossom, 22 December 2008 - 09:30 PM.
Merged topics. ~ OB


#3 Bugbatter

Bugbatter

    Forum Deity


  • Malware Response Team
  • 270 posts
  • OFFLINE
  •  
  • Local time:01:19 PM

Posted 30 December 2008 - 07:56 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine.
Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Microsoft MVP - Consumer Security 2006-2016

Microsoft Windows Insider MVP 2016-





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users