
Redirecting search Virus help


  • This topic is locked
2 replies to this topic

#1 tr1180

  • Members
Posted 12 June 2010 - 03:51 PM

Hi, and many thanks in advance for the help. I have been getting this all week and would like some assistance removing this from my computer. Attached are my logs for ComboFix and for HijackThis.

Thanks for the help again!

ComboFix 10-06-11.01 - Teddy 06/12/2010 13:28:30.1.2 - x86
Running from: c:\documents and settings\Teddy\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\rdpcdd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-05-12 to 2010-06-12 )))))))))))))))))))))))))))))))
.

2010-06-10 19:36 . 2010-06-10 19:36 388096 ----a-r- c:\documents and settings\Teddy\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-10 07:58 . 2010-06-10 07:58 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-08 05:32 . 2010-06-08 05:31 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-08 05:18 . 2010-06-10 07:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-06-08 04:45 . 2010-06-08 04:45 -------- d-----w- c:\documents and settings\Teddy\Application Data\Malwarebytes
2010-06-08 04:45 . 2010-06-08 04:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-05 19:23 . 2010-06-05 19:23 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-02 02:06 . 2010-04-13 00:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-02 02:05 . 2010-06-02 02:05 479232 ----a-w- c:\windows\system32\config\systemprofile\NTUSER(2).DAT
2010-05-22 03:10 . 2010-05-22 03:10 503808 ----a-w- c:\documents and settings\Teddy\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-41cc4639-n\msvcp71.dll
2010-05-22 03:10 . 2010-05-22 03:10 61440 ----a-w- c:\documents and settings\Teddy\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-66d4d1a3-n\decora-sse.dll
2010-05-22 03:10 . 2010-05-22 03:10 499712 ----a-w- c:\documents and settings\Teddy\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-41cc4639-n\jmc.dll
2010-05-22 03:10 . 2010-05-22 03:10 348160 ----a-w- c:\documents and settings\Teddy\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-41cc4639-n\msvcr71.dll
2010-05-22 03:10 . 2010-05-22 03:10 12800 ----a-w- c:\documents and settings\Teddy\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-66d4d1a3-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-12 19:56 . 2009-07-01 10:32 -------- d-----w- c:\program files\LogMeIn
2010-06-10 08:11 . 2009-05-25 01:59 -------- d-----w- c:\program files\Common Files\Logishrd
2010-06-10 08:00 . 2009-07-01 10:33 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-06-10 08:00 . 2009-07-01 10:33 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-06-10 08:00 . 2009-07-01 10:33 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-06-10 07:57 . 2010-06-10 07:33 -------- d-----w- c:\program files\McAfee.com
2010-06-10 07:57 . 2010-06-10 07:33 -------- d-----w- c:\program files\Common Files\McAfee(3)
2010-06-10 07:57 . 2008-12-18 23:19 -------- d-----w- c:\program files\McAfee
2010-06-10 07:57 . 2008-12-18 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-06-10 07:57 . 2010-06-10 07:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-06-10 07:57 . 2010-06-10 07:57 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-06-10 07:57 . 2010-06-09 13:50 -------- d-----w- c:\program files\AVG
2010-06-10 07:54 . 2009-11-02 12:00 -------- d-----w- c:\program files\AIM
2010-06-10 07:54 . 2010-06-10 07:54 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-06-10 07:30 . 2010-06-10 05:08 -------- d-----w- c:\program files\Common Files\McAfee(2)
2010-06-10 07:30 . 2010-06-10 05:08 -------- d-----w- c:\program files\McAfee(2).com
2010-06-10 05:53 . 2010-06-10 05:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-06-09 19:29 . 2010-06-09 19:29 -------- d-----w- c:\program files\Trend Micro
2010-06-02 02:06 . 2009-12-14 09:34 -------- d-----w- c:\program files\Java
2010-05-18 00:02 . 2009-05-25 11:09 -------- d-----w- c:\program files\PokerStars
2010-05-13 10:04 . 2008-12-15 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-07 19:55 . 2010-05-07 19:55 255472 ----a-w- c:\documents and settings\Teddy\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-05-06 23:10 . 2009-05-29 09:51 -------- d-----w- c:\program files\PokerTracker 3
2010-04-02 06:48 . 2010-04-02 06:48 503808 ----a-w- c:\documents and settings\Teddy\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7f212dbc-n\msvcp71.dll
2010-04-02 06:48 . 2010-04-02 06:48 499712 ----a-w- c:\documents and settings\Teddy\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7f212dbc-n\jmc.dll
2010-04-02 06:48 . 2010-04-02 06:48 348160 ----a-w- c:\documents and settings\Teddy\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7f212dbc-n\msvcr71.dll
2010-04-02 06:48 . 2010-04-02 06:48 12800 ----a-w- c:\documents and settings\Teddy\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6a970423-n\decora-d3d.dll
2010-04-02 06:48 . 2010-04-02 06:48 61440 ----a-w- c:\documents and settings\Teddy\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6a970423-n\decora-sse.dll
2010-03-26 17:33 . 2010-04-01 12:33 1496064 ----a-w- c:\documents and settings\Teddy\Application Data\Mozilla\Firefox\Profiles\nh44xxs5.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-03-26 17:33 . 2010-04-01 12:33 43008 ----a-w- c:\documents and settings\Teddy\Application Data\Mozilla\Firefox\Profiles\nh44xxs5.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-03-26 17:33 . 2010-04-01 12:33 339456 ----a-w- c:\documents and settings\Teddy\Application Data\Mozilla\Firefox\Profiles\nh44xxs5.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-03-26 17:32 . 2010-04-01 12:33 346112 ----a-w- c:\documents and settings\Teddy\Application Data\Mozilla\Firefox\Profiles\nh44xxs5.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-03-15 14:59 . 2010-03-31 13:47 921888 ----a-w- c:\documents and settings\Teddy\Application Data\Sun\Java\JRERunOnce.exe
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Teddy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-11 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\System32\igfxpers.exe" [2008-02-28 137752]
"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-15 151552]
"RTHDCPL"="RTHDCPL.EXE" [2008-08-26 16851456]
"EDS"="c:\program files\Samsung\Samsung EDS\EDSAgent.exe" [2007-12-21 659456]
"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-10-07 2768896]
"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-25 63048]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-13 141600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 19:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-06-10 08:00 87424 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Teddy\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Teddy\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\IS360srv.exe [x]
R3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2002-07-17 16512]
S2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2000-08-24 4300]
S2 LBeepKE;LBeepKE;c:\windows\system32\Drivers\LBeepKE.sys [2008-12-19 10384]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2008-07-25 12856]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2008-09-19 65536]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.sys [2008-01-15 30208]
S3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\Drivers\VMC326.sys [2008-09-23 238464]

.
Contents of the 'Scheduled Tasks' folder

2010-04-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-06-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-602609370-725345543-1003Core.job
- c:\documents and settings\Teddy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-11 09:02]

2010-06-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-602609370-725345543-1003UA.job
- c:\documents and settings\Teddy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-11 09:02]

2010-06-12 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 22:07]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Teddy\Application Data\Mozilla\Firefox\Profiles\nh44xxs5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\Teddy\Application Data\Mozilla\Firefox\Profiles\nh44xxs5.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\Teddy\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Teddy\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-mcagent_exe - c:\program files\McAfee.com\Agent\mcagent.exe
HKLM-Run-IObit Security 360 - c:\program files\IObit\IObit Security 360\IS360tray.exe
MSConfigStartUp-Keyboard Application - c:\program files\Keyboard Application\KBLED.exe
AddRemove-IObit Security 360_is1 - c:\program files\IObit\IObit Security 360\unins000.exe
AddRemove-MSC - c:\program files\McAfee\MSC\mcuninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-12 13:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85482EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf764ff28
\Driver\ACPI -> ACPI.sys @ 0xf75c2cb8
\Driver\atapi -> atapi.sys @ 0xf7554852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,eb,a0,22,8f,ae,0e,f0,43,b2,ba,f0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,eb,a0,22,8f,ae,0e,f0,43,b2,ba,f0,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)
c:\windows\system32\WININET.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'lsass.exe'(868)
c:\windows\system32\WININET.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2010-06-12 13:44:39
ComboFix-quarantined-files.txt 2010-06-12 20:44

Pre-Run: 134,899,007,488 bytes free
Post-Run: 135,259,729,920 bytes free

- - End Of File - - 77529BB54E4E0EBE2631B3CC89DF8BA8


HijackThis Log


I do see that there are a few other topics like this. Must be that time of year. This problem for me, when I use Google, redirects my searches to bogus search engines I've never heard of, and random tabs pop up with these strange search sites. This is absolutely annoying, and none of the trojan/virus removal products seem to pick it up. I've tried clocking my computer back two months, and the virus is obviously lodged in somewhere in my files. I haven't tried reformatting, but that's my last resort.

This is my log from HijackThis:


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:37:39 PM, on 6/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Program Files\SAMSUNG\MagicKBD\PerformanceManager.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Digiarty\WinX DVD Author 5.5\NMSAccessU.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\igfxext.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [MagicKeyboard] C:\Program Files\SAMSUNG\MagicKBD\PreMKBD.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [EDS] C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
O4 - HKLM\..\Run: [BatteryManager] C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
O4 - HKLM\..\Run: [DMHotKey] C:\Program Files\Samsung\Easy Display Manager\DMLoader.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTas
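Two findings in the ComboFix output above are the ones a responder would pull out first: a legitimate Windows driver, rdpcdd.sys, reported as an infected copy and replaced, and an ">>UNKNOWN [0x85482EC5]<<" entry in the MBR detector's list of called modules, even though both the user-mode and kernel-mode MBR reads come back OK. The script below is an added example, not part of this thread and not ComboFix's own code, that triages a ComboFix log for those indicators, for the catchme hidden-file count, and for Run-key autostarts that use a bare filename (which Windows resolves through the search path rather than a fixed location, so the file still has to be found on disk). The embedded sample is a trimmed excerpt of the log posted above; the field names and the heuristics are the example's own choices.

```python
import re

# Trimmed excerpt of the ComboFix log posted in this thread, embedded so the
# example runs offline. Only lines relevant to the triage are kept.
SAMPLE_LOG = r"""
ComboFix 10-06-11.01 - Teddy 06/12/2010 13:28:30.1.2 - x86
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
Infected copy of c:\windows\system32\drivers\rdpcdd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2008-02-28 141848]
"RTHDCPL"="RTHDCPL.EXE" [2008-08-26 16851456]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
scan completed successfully
hidden files: 0
.
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85482EC5]<<
kernel: MBR read successfully
user & kernel MBR OK
"""

# Patterns for the ComboFix / gmer lines this triage cares about.
DISINFECTED = re.compile(r"^Infected copy of (?P<path>.+?) was found and disinfected", re.I)
HIDDEN = re.compile(r"^hidden files:\s*(\d+)")
UNKNOWN_MOD = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
MBR_OK = re.compile(r"^user & kernel MBR OK")
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"')


def triage(log_text: str) -> dict:
    """Walk a ComboFix log once and collect the indicators worth a second look."""
    findings = {
        "disinfected_files": [],        # system files ComboFix replaced from its cache
        "hidden_files": None,           # catchme's hidden-file count
        "unknown_kernel_modules": [],   # unidentified code in the disk I/O call chain
        "mbr_ok": False,                # both MBR reads agreed and looked clean
        "unqualified_autostarts": [],   # Run entries that are a bare filename, no directory
    }
    in_run_key = False
    for line in log_text.splitlines():
        line = line.rstrip()
        if line.startswith("[HKEY_"):
            # Track whether we are inside a ...\CurrentVersion\Run key block.
            in_run_key = line.lower().endswith(r"\run]")
            continue
        if not line or line == ".":
            in_run_key = False
            continue
        if m := DISINFECTED.match(line):
            findings["disinfected_files"].append(m.group("path"))
        elif m := HIDDEN.match(line):
            findings["hidden_files"] = int(m.group(1))
        elif m := UNKNOWN_MOD.search(line):
            findings["unknown_kernel_modules"].append(m.group(1))
        elif MBR_OK.match(line):
            findings["mbr_ok"] = True
        elif in_run_key and (m := RUN_ENTRY.match(line)):
            target = m.group("target")
            if "\\" not in target and "/" not in target:
                findings["unqualified_autostarts"].append((m.group("name"), target))
    return findings


def verdict(findings: dict) -> list:
    """Turn the collected findings into plain-language alerts for the analyst."""
    alerts = []
    for path in findings["disinfected_files"]:
        alerts.append(f"patched system file replaced: {path}")
    for addr in findings["unknown_kernel_modules"]:
        alerts.append(f"unidentified kernel code in disk I/O path at {addr}")
    if findings["hidden_files"]:
        alerts.append(f"{findings['hidden_files']} hidden files reported by catchme")
    if not findings["mbr_ok"]:
        alerts.append("MBR check did not report OK")
    for name, target in findings["unqualified_autostarts"]:
        alerts.append(f"autostart '{name}' uses bare filename {target}; locate it on disk")
    return alerts


if __name__ == "__main__":
    for alert in verdict(triage(SAMPLE_LOG)):
        print("ALERT:", alert)
```

Run against the excerpt it reports the replaced rdpcdd.sys, the unknown module at 0x85482EC5 and the two bare-filename autostarts (RTHDCPL.EXE and KHALMNPR.EXE); the MBR verdict and the zero hidden-file count raise nothing. The point of keeping the unknown-module check separate from the "MBR OK" line is exactly what this log shows: a clean MBR does not rule out something hooked further up the disk stack.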


#2 m0le

  • Malware Response Team
  • Location:London, UK

Posted 17 June 2010 - 07:40 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le

  • Malware Response Team
  • Location:London, UK

Posted 22 June 2010 - 07:13 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
