Infected with some kind of redirect malware


This topic is locked (3 replies).

#1 Yurchik (Members, 2 posts)

Posted 07 October 2009 - 01:09 PM

I caught some kind of redirect malware. When I click on a link in Firefox or IE, different sites open, but not the one that I clicked.


DDS (Ver_09-09-29.01) - NTFSx86
Run by ymilman at 11:11:21.93 on Wed 10/07/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1251.7.1033.18.2814.1443 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Rational\ClearCase\bin\albd_server.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\KACE\KBOX\KBOXManagementService.exe
C:\Program Files\KACE\KBOX\KBOXSMMPService.exe
C:\Program Files\Rational\ClearCase\bin\lockmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\cccredmgr.exe
C:\Program Files\Rational\ClearCase\bin\view_server.exe
C:\Program Files\Rational\ClearCase\bin\view_server.exe
C:\Program Files\Rational\ClearCase\bin\view_server.exe
C:\Program Files\Rational\ClearCase\bin\view_server.exe
C:\Program Files\Rational\ClearCase\bin\view_server.exe
C:\Program Files\Rational\ClearCase\bin\view_server.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Common Files\Bluebeam Software\Brewery\V45\Printer Support\BBPrint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Punto Switcher\punto.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\notes\NLNOTES.EXE
C:\notes\ntaskldr.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\devenv.exe
C:\Documents and Settings\ymilman\My Documents\MyStuff\tools\Miranda IM zeleboba's pack\miranda32.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
T:\Endeavour\source\dcu\frontend\environment\bin\Debug\Datascope.Endeavour.DCU.vshost.exe
C:\Documents and Settings\ymilman\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\ymilman\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://datascopemonitors.us/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\KUsrInit.exe,
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: CitiUSBrowserHelper Class: {387edf53-1cf2-4523-bc2f-13462651be8c} - c:\windows\system32\BhoCitUS.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DeskshopBrowserHelper Class: {8db3d69d-da5e-4165-b781-72a761790672} - c:\windows\system32\BhoDshop.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Punto Switcher] c:\program files\punto switcher\punto.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [CCDoctorLogonTesting] "c:\program files\rational\clearcase\bin\ccdoctor.exe" /LogonStartup
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [CTDVDDET] "c:\program files\creative\sound blaster x-fi\dvdaudio\CTDVDDET.EXE"
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [BbInstallUser] c:\program files\bluebeam software\pushbutton pdf\Bluebeam Admin User.exe
mRun: [BbPrintMonitor] c:\program files\common files\bluebeam software\brewery\v45\printer support\BBPrint.exe
dRunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {4C730913-3961-439b-83D5-F4E445520422} - c:\program files\citi virtual account numbers\CitiVAN.exe
IE: {F74E75A5-96BF-40ef-A1C8-88EAEBB82AB6} - c:\progra~1\discover\soan\SOAN.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196780278015
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: {591117D7-96F1-4242-AA16-A5D7EF7E221D} = 10.40.5.10,10.40.5.11
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: ccnotify - ccnotify.dll
Notify: kwinhook - kwinhook.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ymilman\applic~1\mozilla\firefox\profiles\fquvwc0c.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?q=
FF - component: c:\documents and settings\ymilman\application data\mozilla\firefox\profiles\fquvwc0c.default\extensions\{a2049def-a235-488f-878c-b41f8071fa9c}\components\BossKey.dll
FF - plugin: c:\documents and settings\ymilman\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\ymilman\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\opera\program\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R2 Albd;Atria Location Broker;c:\program files\rational\clearcase\bin\albd_server.exe [2007-12-12 176186]
R2 KBOXManagementService;KBOX Management Service;c:\program files\kace\kbox\KBOXManagementService.exe [2009-6-18 49152]
R2 KBOXSMMP;KBOX SMMP Management Service;c:\program files\kace\kbox\KBOXSMMPService.exe [2009-6-18 991232]
R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2003-5-2 30208]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\Rtvscan.exe [2003-5-21 610304]
R3 Mvfs;Atria Multi-Version FS;c:\windows\system32\drivers\mvfs50.sys [2008-2-29 359976]
R3 NAVAP;NAVAP;c:\progra~1\symant~1\symant~1\NAVAP.sys [2003-5-2 224256]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091006.005\NAVENG.sys [2009-10-6 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091006.005\NAVEX15.sys [2009-10-6 1323568]
S3 OnePointDomainAdminService;Active Directory Migration Agent;c:\windows\onepointdomainagent\DCTAgentService.exe [2008-9-4 39424]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]

=============== Created Last 30 ================

2009-10-06 18:36 <DIR> --d----- c:\program files\Flat Solution Explorer
2009-10-06 16:39 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-10-06 16:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-10-05 18:21 <DIR> --d----- c:\docume~1\ymilman\applic~1\Malwarebytes
2009-10-05 18:21 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-05 18:21 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-05 18:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-05 18:21 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-05 18:16 <DIR> --d----- c:\program files\Trend Micro
2009-09-29 16:02 118 a------- c:\windows\system32\MRT.INI
2009-09-24 19:22 107 a------- c:\windows\IfoEdit.INI
2009-09-16 16:12 12,288 a------- C:\file

==================== Find3M ====================

2009-08-05 05:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 14:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-06-10 11:33 103,720 a------- c:\documents and settings\ymilman\GoToAssistDownloadHelper.exe
2009-02-09 10:09 60,744 a------- c:\documents and settings\ymilman\g2mdlhlpx.exe
2008-04-01 11:16 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat

============= FINISH: 11:12:34.62 ===============


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/07 13:56
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_iastor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iastor.sys
Address: 0xA518B000 Size: 749568 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA004D000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\System Volume Information\catalog.wci\CiFLfffc.000
Status: Invisible to the Windows API!

Path: C:\System Volume Information\catalog.wci\CiFLfffc.001
Status: Invisible to the Windows API!

Path: C:\System Volume Information\catalog.wci\CiFLfffc.002
Status: Invisible to the Windows API!

Path: C:\System Volume Information\catalog.wci\00010001.ci
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\catalog.wci\00010001.dir
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\catalog.wci\CiFLfffd.000
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\catalog.wci\CiFLfffd.001
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\catalog.wci\CiFLfffd.002
Status: Visible to the Windows API, but not on disk.

Stealth Objects
-------------------
Object: Hidden Module [Name: tdlcmd.dll]
Process: svchost.exe (PID: 1068) Address: 0x10000000 Size: 24576

Object: Hidden Module [Name: tdlwsp.dll]
Process: firefox.exe (PID: 3096) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: tdlwsp.dll]
Process: explorer.exe (PID: 5156) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: tdlwsp.dll]
Process: chrome.exe (PID: 3376) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: tdlwsp.dll]
Process: chrome.exe (PID: 3492) Address: 0x10000000 Size: 28672

==EOF==
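The most telling lines in the RootRepeal report above are the "Stealth Objects": the same DLL names (tdlcmd.dll, tdlwsp.dll) are hidden from the module list yet loaded at the same base address into a service host, the shell and several browser processes. That cross-process pattern is what separates an injection component from a benign unlisted DLL, and the names match those used by the TDL3/TDSS rootkit family. The script below is an added example written for this page, not a tool from the thread: it parses the "Object:"/"Process:" pairs of the Stealth Objects section, groups hidden modules by host process, and also checks the DDS "mWinlogon: Userinit=" line against the Windows XP default. The sample text is copied from the logs posted above; the line formats are taken from those logs, not from any RootRepeal or DDS specification. Note the caveat the Userinit check carries: the non-default KUsrInit.exe in this log sits next to KACE KBOX agent services, and the KBOX agent is known to register its own Userinit and Winlogon-notify components, so that finding needs to be verified against the installed management software rather than treated as malicious on its own.

```python
"""Triage helpers for RootRepeal / DDS-style scan logs.

Added example, not part of the original thread. Parses the "Stealth Objects"
section of a RootRepeal report and the Winlogon Userinit line of a DDS
"Pseudo HJT" report and returns findings an analyst would review.
"""
import re
from collections import defaultdict

# Constructed sample: excerpt copied from the RootRepeal output posted above.
ROOTREPEAL_SAMPLE = """\
Stealth Objects
-------------------
Object: Hidden Module [Name: tdlcmd.dll]
Process: svchost.exe (PID: 1068) Address: 0x10000000 Size: 24576

Object: Hidden Module [Name: tdlwsp.dll]
Process: firefox.exe (PID: 3096) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: tdlwsp.dll]
Process: explorer.exe (PID: 5156) Address: 0x10000000 Size: 28672

==EOF==
"""

# Constructed sample: the Userinit line copied from the DDS report posted above.
DDS_SAMPLE = "mWinlogon: Userinit=c:\\windows\\system32\\KUsrInit.exe,\n"

# Default Userinit value on Windows XP; any other value deserves a look.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# Line shapes as they appear in the posted log (assumed from that sample).
_OBJ_RE = re.compile(r"^Object: Hidden Module \[Name: (?P<name>[^\]]+)\]$")
_PROC_RE = re.compile(
    r"^Process: (?P<proc>\S+) \(PID: (?P<pid>\d+)\) "
    r"Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+)$"
)


def parse_hidden_modules(text):
    """Return one dict per hidden-module entry (module, process, pid, address, size)."""
    entries = []
    pending = None  # module name waiting for its "Process:" line
    for raw in text.splitlines():
        line = raw.strip()
        m = _OBJ_RE.match(line)
        if m:
            pending = m.group("name").lower()
            continue
        m = _PROC_RE.match(line)
        if m and pending:
            entries.append({
                "module": pending,
                "process": m.group("proc").lower(),
                "pid": int(m.group("pid")),
                "address": int(m.group("addr"), 16),
                "size": int(m.group("size")),
            })
            pending = None
    return entries


def summarize_injections(entries):
    """Map hidden module name -> sorted list of distinct host processes.

    A DLL hidden from the loader and present in several unrelated processes
    (service host, shell, browsers) is the signature of an injected component.
    """
    hosts = defaultdict(set)
    for e in entries:
        hosts[e["module"]].add(e["process"])
    return {mod: sorted(procs) for mod, procs in hosts.items()}


def check_userinit(dds_text):
    """Return the Userinit path if it differs from the XP default, else None."""
    for raw in dds_text.splitlines():
        m = re.match(r"^mWinlogon: Userinit=(?P<val>.+)$", raw.strip())
        if m:
            val = m.group("val").rstrip(",").strip().lower()
            return None if val == DEFAULT_USERINIT else val
    return None


def triage(rootrepeal_text, dds_text):
    """Produce human-readable findings from both logs."""
    findings = []
    for mod, procs in summarize_injections(parse_hidden_modules(rootrepeal_text)).items():
        findings.append(
            f"hidden module {mod} injected into {len(procs)} process(es): {', '.join(procs)}"
        )
    userinit = check_userinit(dds_text)
    if userinit:
        # Not proof of compromise: management agents (e.g. KACE KBOX) replace Userinit too.
        findings.append(
            f"non-default Userinit: {userinit} (verify against installed management agents)"
        )
    return findings


if __name__ == "__main__":
    for finding in triage(ROOTREPEAL_SAMPLE, DDS_SAMPLE):
        print(finding)
```

Run stand-alone it prints one line per hidden module and one for the Userinit deviation. The grouping by process is the point: a single hidden module in one process could be an unlisted plugin, but the same module at the same base in svchost, explorer and every browser is worth escalating regardless of whether the name is recognised.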

#2 Yurchik (Topic Starter, Members, 2 posts)

Posted 07 October 2009 - 01:59 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:59:01 PM, on 10/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Rational\ClearCase\bin\albd_server.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\KACE\KBOX\KBOXManagementService.exe
C:\Program Files\KACE\KBOX\KBOXSMMPService.exe
C:\Program Files\Rational\ClearCase\bin\lockmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cccredmgr.exe
C:\Program Files\Rational\ClearCase\bin\view_server.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Common Files\Bluebeam Software\Brewery\V45\Printer Support\BBPrint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Punto Switcher\punto.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\notes\NLNOTES.EXE
C:\notes\ntaskldr.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\ymilman\My Documents\MyStuff\tools\Miranda IM zeleboba's pack\miranda32.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\ymilman\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\Rational\ClearCase\bin\view_server.exe
C:\Program Files\Rational\ClearCase\bin\view_server.exe
C:\Program Files\Rational\ClearCase\bin\clearfindco.exe
C:\Program Files\Rational\ClearCase\bin\clearfindco.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\devenv.exe
C:\Program Files\Rational\ClearCase\bin\view_server.exe
C:\Program Files\Rational\ClearCase\bin\view_server.exe
O:\Endeavour\source\dcu\frontend\environment\bin\Debug\Datascope.Endeavour.DCU.vshost.exe
C:\Program Files\Notepad++\notepad++.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://datascopemonitors.us/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\KUsrInit.exe,
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\system32\BhoCitUS.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Discover deskshop Browser Helper Object - {8DB3D69D-DA5E-4165-B781-72A761790672} - C:\WINDOWS\system32\BhoDshop.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [CCDoctorLogonTesting] "C:\Program Files\Rational\ClearCase\bin\ccdoctor.exe" /LogonStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BbInstallUser] C:\Program Files\Bluebeam Software\Pushbutton PDF\Bluebeam Admin User.exe
O4 - HKLM\..\Run: [BbPrintMonitor] C:\Program Files\Common Files\Bluebeam Software\Brewery\V45\Printer Support\BBPrint.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Punto Switcher] C:\Program Files\Punto Switcher\punto.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-337106648-3797342332-3473967069-3123\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'clearcase_albd')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O4 - S-1-5-21-337106648-3797342332-3473967069-3123 Startup: Applications (User 'clearcase_albd')
O4 - S-1-5-21-337106648-3797342332-3473967069-3123 User Startup: Applications (User 'clearcase_albd')
O4 - .DEFAULT User Startup: Applications (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Secure Online Account Numbers - {F74E75A5-96BF-40ef-A1C8-88EAEBB82AB6} - C:\PROGRA~1\Discover\SOAN\SOAN.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1196780278015
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = MRMONITORING.COM
O17 - HKLM\Software\..\Telephony: DomainName = MRMONITORING.COM
O17 - HKLM\System\CCS\Services\Tcpip\..\{591117D7-96F1-4242-AA16-A5D7EF7E221D}: NameServer = 10.40.5.10,10.40.5.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = MRMONITORING.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mrmonitoring.com,datascope.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = MRMONITORING.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mrmonitoring.com,datascope.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mrmonitoring.com,datascope.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ccnotify - C:\WINDOWS\SYSTEM32\ccnotify.dll
O20 - Winlogon Notify: kwinhook - C:\WINDOWS\SYSTEM32\kwinhook.dll
O23 - Service: Atria Location Broker (Albd) - IBM Corporation - C:\Program Files\Rational\ClearCase\bin\albd_server.exe
O23 - Service: Rational Cred Manager (cccredmgr) - IBM Corporation - C:\WINDOWS\system32\cccredmgr.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KBOX Management Service (KBOXManagementService) - KACE Networks, Inc. - C:\Program Files\KACE\KBOX\KBOXManagementService.exe
O23 - Service: KBOX SMMP Management Service (KBOXSMMP) - KACE Networks, Inc. - C:\Program Files\KACE\KBOX\KBOXSMMPService.exe
O23 - Service: IBM Rational Lock Manager (LockMgr) - IBM Corporation - C:\Program Files\Rational\ClearCase\bin\lockmgr.exe
O23 - Service: IBM Rational ClearQuest Mail Service (MailService) - IBM Corporation - C:\Program Files\Rational\ClearQuest\mailservice.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 10721 bytes

#3 syler (Malware Response Team, 8,150 posts, Warrington, UK)

Posted 23 October 2009 - 04:20 PM

Hello,

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.

My name is Syler and I will be helping you to solve your malware issues. If you have since resolved your issues I would appreciate it if you would let me know so I can close this topic; if you still need help, please let me know what issues you are still having in your next reply.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Then please post back here with the following:
  • log.txt
  • info.txt
Thanks



#4 syler (Malware Response Team, 8,150 posts, Warrington, UK)

Posted 27 October 2009 - 07:11 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
