
Ads and unable to view removal sites


This topic is locked
6 replies to this topic

#1 FFXGuy

  • Members
  • 4 posts

Posted 26 June 2010 - 12:17 PM

Please help. My computer appears to have been hijacked: I get advertisements, and when I try different removal tools I am unable to get to their sites. Even if I get the files on there, the app cannot download the definitions. I have run the two tools requested before requesting help. I had to run GMER in safe mode because it kept blue screening each time I ran it normally. I think what is needed to review is below. GMER was so big I had to attach it; DDS is below. Thanks.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 10:04:36.90 on Sat 06/26/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.448 [GMT -4:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\CACI\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\IBM\SDP70Shared\AgentController\bin\ACWinService.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDCLient\tmcsvc.exe
C:\Program Files\iPass\iPassConnect to CACI\iPCAgent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\IBM\SDP70Shared\AgentController\bin\tptpProcessController.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\LANDesk\LDCLient\webportal\sdclientmonitor.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\RPDFLchr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Network Associates\Common Framework\udaterui.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPass\iPassConnect to CACI\downloader\ipccheck.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uWindow Title = Microsoft Internet Explorer provided by CIS of CACI, Inc. - Federal
uStart Page = hxxp://www.hq.caci.com
mDefault_Page_URL = hxxp://www.hq.caci.com
mStart Page = hxxp://www.hq.caci.com
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IERationalEnabler Class: {1e9fb1c4-f40b-4e10-898e-d6209b122f6b} - c:\program files\ibm\sdp70\functionaltester\bin\RTXIEEnabler.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: JunoBar: {5854fac4-5bf0-47dd-b5a9-a5ea8cff3cf4} - c:\program files\juno\Toolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [TimesheetReminder] c:\grates\TimesheetReminder.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [SDClientMonitor] "c:\program files\landesk\ldclient\webportal\sdclientmonitor.exe"
mRun: [RoboPDF] c:\windows\system32\spool\drivers\w32x86\2\RPDFLchr.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\udaterui.exe" /StartedFromRunKey
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Dell Wireless Manager UI] c:\windows\system32\WLTRAY
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\caci_i~1.lnk - c:\program files\caci\vpn client\vpngui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/download/ipixx.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://fairfaxnotescluster.caci.com/iNotes6W.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_02-win.cab
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://bpminstituteevents.webex.com/client/T23L/event/ieatgpc.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://portal.caci.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F80B9305-A013-11D2-BD23-00A024978908} - file:///D:/viewer/accuradimage.cab
TCP: NameServer = 93.188.162.68,93.188.161.208
TCP: {8DBD7F98-85A8-4C9D-A40B-A768717E6F41} = 93.188.162.68,93.188.161.208
TCP: {BA27BAFD-4F6A-40E8-BB60-FA449F6EB49B} = 93.188.162.68,93.188.161.208
Handler: x-owacid - {0215258f-f0a8-49de-bf1b-0ff02eda8807} - c:\program files\microsoft\outlook web access smime client\mimectl.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2009-1-27 31848]
R2 IBM Rational Agent Controller;IBM Rational Agent Controller;c:\program files\ibm\sdp70shared\agentcontroller\bin\ACWinService.exe [2008-10-27 69632]
R2 iPCAgent;iPCAgent;c:\program files\ipass\ipassconnect to caci\iPCAgent.exe [2006-9-22 90112]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2009-9-25 120128]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2009-1-27 144704]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2009-1-27 54608]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-11-12 24652]
R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [2005-9-14 9176]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2005-4-14 80384]
R3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [2006-5-29 11904]
R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [2006-5-29 3328]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-10-8 73512]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-10-8 34408]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-10-8 177864]
R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [2006-5-29 3712]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-18 135664]
S2 Softmon;LANDesk® Software Monitoring Service;c:\program files\landesk\ldclient\softmon.exe [2006-5-29 263680]
S3 PatchLink Install;PatchLink Install;c:\windows\patchlnk\dplywzrd\PLInstSv.exe [2006-2-7 40960]
S3 PHKFZJB;PHKFZJB;c:\docume~1\admini~1\locals~1\temp\PHKFZJB.exe [2010-6-26 478080]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-7-7 280344]
S4 CBA8;LANDesk® Management Agent;c:\program files\landesk\shared files\residentAgent.exe [2006-11-21 122880]

=============== Created Last 30 ================

2010-06-26 02:21:57 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-26 00:55:13 45056 ----a-w- c:\windows\system32\ernel32.dll
2010-06-26 00:54:24 45056 ----a-w- c:\docume~1\admini~1\applic~1\4bd2a617.exe
2010-06-26 00:44:38 0 d-----w- C:\CertifyMe

==================== Find3M ====================

2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20:34 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20:32 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

============= FINISH: 10:08:22.59 ===============

Attached Files

  • Attached File  GMER.txt   340.01KB   6 downloads




#2 FFXGuy

  • Topic Starter
  • Members
  • 4 posts

Posted 26 June 2010 - 06:09 PM

Noticed you guys are running on a 6 day lead time, so I researched a bit on this site for similar symptoms and decided to run ComboFix myself. Honestly this computer is not that important and I would rather re-format than wait 6 more days. I have pasted the ComboFix log below, and will do some scanning to be sure everything is gone. If and when you get to this, if you want me to do anything in addition for research purposes please let me know. Thanks,

ComboFix 10-06-26.02 - Administrator 06/26/2010 18:35:52.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.299 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\AntiSpy\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\4bd2a617.exe
c:\windows\system32\ernel32.dll
c:\windows\system32\spool\prtprocs\w32x86\1a9317.dll
c:\windows\system32\spool\prtprocs\w32x86\1iQ3wS.dll
c:\windows\system32\spool\prtprocs\w32x86\31yW31y9.dll
c:\windows\system32\spool\prtprocs\w32x86\3cE93k79.dll
c:\windows\system32\spool\prtprocs\w32x86\55k5y.dll
c:\windows\system32\spool\prtprocs\w32x86\5s555.dll
c:\windows\system32\spool\prtprocs\w32x86\cE9aAA.dll
c:\windows\system32\spool\prtprocs\w32x86\kUOCE.dll
c:\windows\system32\spool\prtprocs\w32x86\mYW9uO79.dll
c:\windows\system32\spool\prtprocs\w32x86\mYWS5.dll
c:\windows\system32\spool\prtprocs\w32x86\QG7iQGM9.dll
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\xpsp1hfm.log

.
((((((((((((((((((((((((( Files Created from 2010-05-26 to 2010-06-26 )))))))))))))))))))))))))))))))
.

2010-06-26 18:15 . 2010-06-26 18:15 136 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2010-06-26 18:14 . 2010-06-26 18:14 -------- d-----w- c:\program files\MSSOAP
2010-06-26 18:14 . 2009-11-06 19:19 1563008 ----a-w- c:\windows\WRSetup.dll
2010-06-26 18:14 . 2010-06-26 18:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2010-06-26 18:14 . 2010-06-26 18:14 -------- d-----w- c:\program files\Webroot
2010-06-26 18:14 . 2010-06-26 18:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Webroot
2010-06-26 02:21 . 2010-06-26 02:21 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-26 00:44 . 2010-06-26 00:55 -------- d-----w- C:\CertifyMe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-26 18:15 . 2010-06-26 18:15 775168 ----a-w- c:\windows\isRS-000.tmp
2010-06-26 11:54 . 2006-05-29 22:29 -------- d-----w- c:\documents and settings\All Users\Application Data\vulScan
2010-06-26 02:21 . 2006-09-21 14:59 -------- d-----w- c:\program files\Java
2010-06-26 02:09 . 2009-12-24 01:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\1-Step RoboPDF
2010-06-26 01:06 . 2010-02-19 03:56 -------- d-----w- c:\program files\Visual CertExam Suite
2010-06-20 11:50 . 2010-04-02 18:09 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-23 15:12 . 2010-05-23 15:12 666112 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv306hw-1004220-0-main.dll
2010-05-23 15:11 . 2010-05-23 15:11 319488 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
2010-05-22 01:13 . 2010-05-22 01:13 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6ad0bb80-n\msvcp71.dll
2010-05-22 01:13 . 2010-05-22 01:13 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6ad0bb80-n\msvcr71.dll
2010-05-22 01:13 . 2010-05-22 01:13 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6ad0bb80-n\jmc.dll
2010-05-22 01:13 . 2010-05-22 01:13 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3696c477-n\decora-sse.dll
2010-05-22 01:13 . 2010-05-22 01:13 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3696c477-n\decora-d3d.dll
2010-05-18 15:47 . 2006-11-27 00:50 -------- d-----w- c:\program files\Google
2010-05-18 12:38 . 2010-05-18 12:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\McAfee
2010-05-18 12:35 . 2006-09-05 16:43 5271373 ----a-w- c:\documents and settings\All Users\Application Data\Network Associates\Common Framework\Current\EPOAGENT3000\Install\0409\FramePkg.exe
2010-05-18 12:10 . 2010-05-18 12:10 -------- d-----w- c:\program files\Microsoft
2010-05-04 17:20 . 2004-01-08 19:23 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2001-08-23 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2001-08-23 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2001-08-23 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-23 68856]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-01-27 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-01-28 111952]
"SDClientMonitor"="c:\program files\LANDesk\LDCLient\webportal\sdclientmonitor.exe" [2006-11-01 258048]
"RoboPDF"="c:\windows\System32\spool\DRIVERS\W32X86\2\RPDFLchr.exe" [2004-01-08 108032]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-01-08 282624]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\udaterui.exe" [2009-09-25 136512]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-10-08 155648]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-10-08 126976]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-11-06 6515784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-23 68856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
CACI, Inc. VPN Client.lnk - c:\program files\CACI\VPN Client\vpngui.exe [2008-7-7 1385400]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1844237615-1957994488-76424323-99891\Scripts\Logon\0\0]
"Script"=encryptmydocs.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1844237615-1957994488-76424323-99891\Scripts\Logon\1\0]
"Script"=ePO_installer_GPO.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1844237615-1957994488-76424323-99891\Scripts\Logon\2\0]
"Script"=tc-remind.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\cba\\pds.exe"=
"c:\\WINDOWS\\system32\\msgsys.exe"=
"c:\\Program Files\\LANDesk\\LDClient\\issuser.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\IBM\\SDP70\\jdk\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Administrator\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"500:UDP"= 500:UDP:CACIVPN
"62515:UDP"= 62515:UDP:CACIVPN
"10000:TCP"= 10000:TCP:CACIVPN

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [11/6/2009 12:00 PM 29808]
R2 iPCAgent;iPCAgent;c:\program files\iPass\iPassConnect to CACI\iPCAgent.exe [9/22/2006 12:43 PM 90112]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/12/2007 8:12 AM 24652]
R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [9/14/2005 11:10 AM 9176]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [6/26/2010 2:15 PM 1201640]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [4/14/2005 9:20 AM 80384]
R3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [5/29/2006 6:29 PM 11904]
R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [5/29/2006 6:29 PM 3328]
R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [5/29/2006 6:29 PM 3712]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/18/2010 11:47 AM 135664]
S2 IBM Rational Agent Controller;IBM Rational Agent Controller;c:\program files\IBM\SDP70Shared\AgentController\bin\ACWinService.exe [10/27/2008 9:18 PM 69632]
S2 Softmon;LANDesk® Software Monitoring Service;c:\program files\LANDesk\LDClient\softmon.exe [5/29/2006 6:29 PM 263680]
S3 PatchLink Install;PatchLink Install;c:\windows\PatchLnk\DplyWzrd\PLInstSv.exe [2/7/2006 12:33 PM 40960]
S3 PHKFZJB;PHKFZJB;c:\docume~1\ADMINI~1\LOCALS~1\Temp\PHKFZJB.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\PHKFZJB.exe [?]
S4 CBA8;LANDesk® Management Agent;c:\program files\LANDesk\Shared Files\residentAgent.exe [11/21/2006 2:03 PM 122880]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SSFS0BBC
*NewlyCreated* - SSHRMD
*NewlyCreated* - SSIDRV
*NewlyCreated* - WEBROOTSPYSWEEPERSERVICE
*NewlyCreated* - WRCONSUMERSERVICE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2010-06-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-18 15:47]

2010-06-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-18 15:47]

2010-06-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4159782051-582103443-173008773-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-27 00:17]

2010-06-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4159782051-582103443-173008773-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-27 00:17]

2010-06-26 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2007-07-13 18:44]

2010-06-26 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2007-07-13 18:44]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.hq.caci.com
mStart Page = hxxp://www.hq.caci.com
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-TimesheetReminder - c:\grates\TimesheetReminder.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-26 18:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1248)
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
Completion time: 2010-06-26 18:58:55
ComboFix-quarantined-files.txt 2010-06-26 22:58

Pre-Run: 31,169,765,376 bytes free
Post-Run: 34,751,987,712 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 98A4A52068FFFC6481FC2964A037459D

Edited by hamluis, 01 July 2010 - 03:42 PM.
Emphasized OP Comment Re Formatting ~ Hamluis.


#3 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 01 July 2010 - 05:14 PM

Hello.

Sorry for the delay. There were definite signs of infection. If reformatting is an option, I suggest you take it.

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a GMER log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or GMER log, please refer to this page, steps #6, #7 and #8, for further instructions on downloading and running DDS and GMER. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.

For your next reply please include:
-The DDS logs
---DDS.txt and Attach logs
-GMER log
-Description of any remaining problems you may still have.


With Regards,
The Panda


#4 FFXGuy

  • Topic Starter
  • Members
  • 4 posts

Posted 06 July 2010 - 11:21 AM

I was able to clean a lot of this up myself, yet I was still getting browser redirection. I noticed the same http:// entry on Google, "results5.google.com", which seemed fishy to me. After researching this further I found that my Linksys router had been hijacked, and the DNS servers were changed to point to some place in the Russian Federation (IPs were 213.109.65.65 and 213.109.73.7). I strongly recommend you share with everyone that folks should reset their personal router to default settings and reset the password if you see this problem. DO NOT store the password in the browser or leave it as default. Hope this helps someone. I will post my logs here in a few days to be sure things are clean. Thanks.
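A small triage script for log lines like the ones posted in this thread, added here as an illustration and not a tool from the thread, from DDS or from ComboFix: it flags DNS resolvers that are not on an assumed expected list (the kind of entry the DDS log above shows under "TCP: NameServer"), services whose image lives under a Temp directory, and newly created system32 files whose name is one edit away from a real system DLL. The expected-resolver list and the known-DLL list are assumptions chosen for the example; the sample lines are copied from the logs above.

```python
"""Triage checks for DDS / ComboFix style log lines.

Added example; not a tool from this thread, from DDS or from ComboFix.
EXPECTED_RESOLVERS and KNOWN_SYSTEM_DLLS are assumptions for illustration.
"""
import ipaddress
import re

# Assumption: the resolvers this host should be using (the home router's
# LAN address and one corporate resolver).  Any other NameServer value,
# especially a public one, deserves a look: a swapped resolver is consistent
# with the browser redirection described in the thread.
EXPECTED_RESOLVERS = {"192.168.1.1", "10.0.0.53"}

# Assumption: a few core system DLLs whose names droppers like to imitate.
KNOWN_SYSTEM_DLLS = ("kernel32.dll", "user32.dll", "ntdll.dll", "wininet.dll")

# DDS "Pseudo HJT" DNS lines: "TCP: NameServer = a,b" or "TCP: {GUID} = a,b"
NAMESERVER_RE = re.compile(r"^TCP:\s+(?:NameServer|\{[0-9A-Fa-f-]+\})\s*=\s*(.+)$")
# Service/driver lines: "R2 name;display name;image path [date size]"
SERVICE_RE = re.compile(r"^[RS][0-4]\s+([^;]+);[^;]*;(.+?)\s+\[")
# "Created Last 30" lines: "YYYY-MM-DD HH:MM:SS size attrs path"
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+\S+\s+\d+\s+\S+\s+(.+)$")


def edit_distance(a, b):
    """Levenshtein distance; inputs are short file names, so plain DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_nameservers(line):
    """Flag every resolver in a TCP: NameServer line that is not expected."""
    m = NAMESERVER_RE.match(line)
    if not m:
        return []
    findings = []
    for raw in m.group(1).split(","):
        raw = raw.strip()
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            findings.append(f"unparseable resolver {raw!r}")
            continue
        if str(ip) not in EXPECTED_RESOLVERS:
            kind = "public" if ip.is_global else "private"
            findings.append(f"unexpected DNS resolver {ip} ({kind})")
    return findings


def check_service(line):
    """Flag a service or driver whose image path sits in a Temp directory."""
    m = SERVICE_RE.match(line)
    if not m:
        return []
    name, image = m.group(1), m.group(2).lower()
    if "\\temp\\" in image:
        return [f"service {name!r} runs from a Temp directory: {image}"]
    return []


def check_created(line):
    """Flag a new system32 file whose name is one edit from a known DLL."""
    m = CREATED_RE.match(line)
    if not m:
        return []
    path = m.group(1).strip().lower()
    if "\\system32\\" not in path:
        return []
    name = path.rsplit("\\", 1)[-1]
    for known in KNOWN_SYSTEM_DLLS:
        if name != known and edit_distance(name, known) == 1:
            return [f"new system32 file {name!r} is one edit from {known!r}"]
    return []


def triage(lines):
    """Run every check over every line and collect the findings."""
    findings = []
    for line in lines:
        line = line.rstrip()
        for check in (check_nameservers, check_service, check_created):
            findings.extend(check(line))
    return findings


# Constructed sample: a handful of lines copied from the DDS log in this thread.
SAMPLE_LOG = """\
TCP: NameServer = 93.188.162.68,93.188.161.208
TCP: {8DBD7F98-85A8-4C9D-A40B-A768717E6F41} = 93.188.162.68,93.188.161.208
R2 McShield;McAfee McShield;c:\\program files\\mcafee\\virusscan enterprise\\mcshield.exe [2009-1-27 144704]
S3 PHKFZJB;PHKFZJB;c:\\docume~1\\admini~1\\locals~1\\temp\\PHKFZJB.exe [2010-6-26 478080]
2010-06-26 02:21:57 411368 ----a-w- c:\\windows\\system32\\deployJava1.dll
2010-06-26 00:55:13 45056 ----a-w- c:\\windows\\system32\\ernel32.dll
""".splitlines()

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("FLAG:", finding)
```

Run against the sample it reports the four resolver entries, the Temp-resident PHKFZJB service and ernel32.dll; the legitimate McShield and deployJava1.dll lines stay quiet.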

#5 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 06 July 2010 - 11:36 AM

Hello.

Sounds good. Hear from you later then.

With Regards,
The Panda

#6 schrauber

  • Mr.Mechanic
  • Malware Response Team
  • 24,794 posts
  • Location:Munich,Germany

Posted 18 July 2010 - 11:22 AM

Still with us?
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#7 schrauber

  • Mr.Mechanic
  • Malware Response Team
  • 24,794 posts
  • Location:Munich,Germany

Posted 20 July 2010 - 11:02 AM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
regards,
schrauber




