Rogue IE background processes


  • This topic is locked
2 replies to this topic

#1 808

  • Members
  • 5 posts
  • Gender:Male
  • Location:Iowa

Posted 04 December 2010 - 01:44 PM

Hi,

I've searched the forums for the problem I'm experiencing, but have not found a solution. Two days ago, my computer caught the Disk Doctor virus:

http://www.bleepingcomputer.com/virus-removal/remove-disk-doctor

Although it appears the disk doctor problem went away (I ran a few different tools including MalwareBytes), it left a pair of hidden iexplore.exe processes running in the background that try to download audio from websites. I've been able to identify them through the IE History and modified my /etc/hosts to loopback to localhost (and therefore prevent these annoying audio streams from playing every couple of minutes). My etc/hosts file looks something like this:

127.0.0.1 localhost

#iexplore nasties - DEC 2010
127.0.0.1 www.aheadx.com
127.0.0.1 www.clickleg.org
127.0.0.1 www.clickpacket.org
127.0.0.1 discoversearchfind.net
127.0.0.1 clickpayz10.91452.information-seeking.com

From what I can tell, the host process is using

C:\Documents and Settings\<User>\Local Settings\temp

to write files of the form ~DFxxxx.tmp where xxxx is alphanumeric randomness. When I manually kill the iexplore.exe processes in Task Manager, the .tmp files disappear, but then reappear a few seconds later with new iexplore.exe processes created under my username. I've tried to copy/zip/open the .tmp files without success. I was hoping to view the contents so that I could get more ideas of how to permanently remove the processes. From what I can tell, each new instantiation changes the default browser back to Internet Explorer too.

I've tried various applications to disinfect my PC including Ad-Aware, ComboFix, MalwareBytes (v1.50 db5243), Rkill, Spybot (v1.6.2.46), and SUPERAntiSpyware (v4.46.0.1000) along with ATF-Cleaner, CCleaner, and TFC to clear out cookies and temp files. Granted I may be doing them in the wrong order, but I'm very surprised that Rkill finds no process to stop and neither Combofix nor MalwareBytes finds anything to remove. I've downloaded RootRepeal and HijackThis, but cannot get RootRepeal to run and am uncertain what to do with the output from HJT.

Can someone help or point me in the right direction? Thanks!

ComboFix log...


ComboFix 10-12-04.01 - <USER> 12/04/2010 19:40:03.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1261 [GMT -6:00]
Running from: c:\documents and settings\<USER>\My Documents\downloads\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((( Files Created from 2010-11-05 to 2010-12-05 )))))))))))))))))))))))))))))))
.

2010-12-04 19:36 . 2010-12-04 19:36 -------- d-----w- c:\program files\ESET
2010-12-04 17:36 . 2010-11-10 02:33 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{04727C48-6229-4015-82CE-FF3F817F20A1}\mpengine.dll
2010-12-04 17:33 . 2010-12-04 17:33 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-12-04 16:51 . 2010-12-04 16:51 192 ---ha-w- C:\aaw7boot.cmd
2010-12-04 15:18 . 2010-12-04 15:18 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-12-04 15:16 . 2010-12-04 15:16 -------- d-----w- c:\documents and settings\<USER>\Local Settings\Application Data\Sunbelt Software
2010-12-04 15:08 . 2010-12-04 15:08 -------- d-----w- c:\program files\Common Files\Java
2010-12-04 15:08 . 2010-09-15 10:50 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-12-04 15:08 . 2010-09-15 10:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-04 14:17 . 2010-12-04 14:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-12-04 14:17 . 2010-12-04 14:17 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2010-12-04 14:10 . 2010-12-04 14:10 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-12-04 14:01 . 2010-12-04 14:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-12-04 13:44 . 2010-12-04 13:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-12-04 13:39 . 2010-12-05 01:06 -------- d-----w- C:\MGtools
2010-12-04 13:35 . 2010-12-04 13:35 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-12-04 13:32 . 2010-12-04 13:32 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-12-04 02:55 . 2010-12-04 02:55 -------- d-----w- c:\documents and settings\<USER>\Application Data\SUPERAntiSpyware.com
2010-12-04 01:48 . 2010-11-10 04:33 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{4C9861BD-7168-445E-B29F-AC3C35356D40}\mpengine.dll
2010-12-04 01:47 . 2010-12-04 01:47 388096 ----a-r- c:\documents and settings\<USER>\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-03 12:22 . 2010-12-03 12:22 -------- d-----w- c:\documents and settings\<USER>\Application Data\AVG10
2010-12-03 12:20 . 2010-12-03 12:20 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-12-03 12:18 . 2010-12-03 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2010-12-03 12:17 . 2010-12-03 12:18 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-12-03 04:09 . 2010-12-03 04:09 -------- d-----w- C:\Rooter$
2010-12-03 01:28 . 2010-12-03 01:28 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-12-03 01:28 . 2010-12-03 01:28 53248 ----a-w- c:\windows\system32\drivers\sst370.sys
2010-11-13 18:36 . 2010-11-13 18:36 -------- d-----w- c:\program files\iPod
2010-11-13 18:36 . 2010-11-13 18:37 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-05 01:06 . 2010-12-04 13:39 166556 ----a-w- C:\MGlogs.zip
2010-11-29 23:42 . 2009-02-13 18:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 23:42 . 2009-02-13 18:12 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-10 04:33 . 2009-02-18 19:02 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2010-10-19 20:51 . 2009-10-03 13:29 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-07 18:23 . 2010-10-07 18:23 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-10-07 18:23 . 2010-10-07 18:23 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-10-07 18:23 . 2010-10-07 18:23 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-09-18 17:23 . 1980-01-01 07:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 1980-01-01 07:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 1980-01-01 07:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 1980-01-01 07:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 08:29 . 2009-12-05 17:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-10 05:58 . 1980-01-01 07:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 1980-01-01 07:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 1980-01-01 07:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-08 17:17 . 2010-09-08 17:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 17:17 . 2010-09-08 17:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
.

------- Sigcheck -------

[7] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ctfmon.exe
[7] 2004-08-04 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\system32\bak\ctfmon.exe

c:\windows\System32\ctfmon.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-06-28 00:42 . 2007-05-11 03:46 624248 c:\program files\Adobe\Acrobat 8.0\Acrobat\bak\Acrotray.exe
2008-02-07 20:00 . 2009-12-18 08:38 624056 c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

1980-01-01 07:00 . 2005-12-15 21:19 925696 c:\program files\Analog Devices\Core\bak\smax4pnp.exe

2006-06-23 20:49 . 2005-05-06 21:06 716800 c:\program files\Analog Devices\SoundMAX\bak\Smax4.exe

2007-03-20 21:40 . 2007-03-20 21:40 1884160 c:\program files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\bak\VERSIO~2.EXE

2004-07-27 23:50 . 2004-07-27 23:50 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe
2004-07-27 22:50 . 2004-07-27 22:50 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

2004-07-27 23:50 . 2004-07-27 23:50 221184 c:\program files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe
2004-07-27 22:50 . 2004-07-27 22:50 221184 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

2007-07-04 01:49 . 2007-07-04 01:49 185896 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

2006-07-11 13:23 . 2006-07-11 13:23 1174528 c:\program files\Common Files\TiVo Shared\Transfer\bak\TiVoTransfer.exe
2007-09-25 16:33 . 2007-09-25 16:33 1195008 c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe

2005-11-29 17:55 . 2005-11-29 17:55 196696 c:\program files\Diskeeper Corporation\Diskeeper\bak\DkIcon.exe
2005-11-29 16:55 . 2005-11-29 16:55 196696 c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe

2007-06-14 16:23 . 2007-06-14 16:23 68856 c:\program files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe

2005-12-22 01:08 . 2005-12-22 01:08 1996336 c:\program files\IBM ThinkVantage\Client Security Solution\bak\cssauth.exe

2005-11-15 20:13 . 2005-11-15 20:13 49152 c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\bak\pdservice.exe

2007-07-31 23:44 . 2007-07-31 23:44 271672 c:\program files\iTunes\bak\iTunesHelper.exe
2010-11-11 06:40 . 2010-11-11 06:40 421160 c:\program files\iTunes\iTunesHelper.exe

1980-01-01 07:00 . 2006-03-09 23:14 94208 c:\program files\Lenovo\PkgMgr\HOTKEY\bak\TPHKMGR.exe

2005-12-04 21:39 . 2005-12-04 21:39 461584 c:\program files\Microsoft IntelliPoint\bak\ipoint.exe
2005-12-04 22:39 . 2005-12-04 22:39 461584 c:\program files\Microsoft IntelliPoint\ipoint.exe

2005-12-04 21:38 . 2005-12-04 21:38 437008 c:\program files\Microsoft IntelliType Pro\bak\itype.exe
2005-12-04 22:38 . 2005-12-04 22:38 437008 c:\program files\Microsoft IntelliType Pro\itype.exe

2007-01-19 18:54 . 2007-01-19 18:54 5674352 c:\program files\MSN Messenger\bak\MsnMsgr.Exe

2007-06-29 11:24 . 2007-06-29 11:24 286720 c:\program files\QuickTime\bak\qttask.exe
2010-09-08 17:17 . 2010-09-08 17:17 421888 c:\program files\QuickTime\QTTask.exe

1980-01-01 07:00 . 2005-09-15 20:57 512000 c:\program files\Synaptics\SynTP\bak\SynTPEnh.exe
1980-01-01 07:00 . 2008-07-04 04:10 1323008 c:\program files\Synaptics\SynTP\SynTPEnh.exe

1980-01-01 07:00 . 2005-09-15 20:57 110592 c:\program files\Synaptics\SynTP\bak\SynTPLpr.exe
1980-01-01 07:00 . 2008-07-04 04:17 118784 c:\program files\Synaptics\SynTP\SynTPLpr.exe

2006-06-23 21:11 . 2006-04-17 20:09 409600 c:\program files\ThinkPad\ConnectUtilities\bak\ACTray.exe
2008-01-13 23:20 . 2008-08-16 03:40 425984 c:\program files\ThinkPad\ConnectUtilities\ACTray.exe

2006-06-23 21:11 . 2006-04-17 19:59 98304 c:\program files\ThinkPad\ConnectUtilities\bak\ACWLIcon.exe
2008-01-13 23:20 . 2008-08-16 03:36 143360 c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe

2006-06-23 20:49 . 2005-11-17 09:22 237568 c:\program files\ThinkPad\Utilities\bak\EzEjMnAp.Exe
2008-01-13 23:19 . 2007-04-27 08:33 243248 c:\program files\ThinkPad\Utilities\EZEJMNAP.EXE

2006-06-23 20:43 . 2005-10-29 02:04 864256 c:\program files\ThinkPad\Utilities\bak\TpKmapAp.exe
2008-01-13 23:40 . 2007-01-09 22:28 868352 c:\program files\ThinkPad\Utilities\TpKmapAp.exe

2006-06-23 20:57 . 2006-01-25 08:03 106496 c:\program files\ThinkVantage\PrdCtr\bak\LPMGR.exe
2008-01-13 23:10 . 2008-06-09 09:00 165208 c:\program files\ThinkVantage\PrdCtr\LPMGR.EXE

2006-07-11 13:24 . 2006-07-11 13:24 341504 c:\program files\TiVo\Desktop\bak\TiVoNotify.exe
2007-09-25 16:34 . 2007-09-25 16:34 384000 c:\program files\TiVo\Desktop\TiVoNotify.exe

2006-07-11 13:26 . 2006-07-11 13:26 1313792 c:\program files\TiVo\Desktop\bak\TiVoServer.exe
2007-09-25 16:35 . 2007-09-25 16:35 1495040 c:\program files\TiVo\Desktop\TiVoServer.exe

1980-01-01 07:00 . 2004-08-04 12:00 15360 c:\windows\system32\bak\ctfmon.exe

2006-11-09 23:02 . 2004-09-10 02:16 53248 c:\windows\system32\bak\DrvMon.exe

2006-06-23 20:58 . 2005-08-01 12:10 122940 c:\windows\system32\DLA\bak\DLACTRLW.EXE

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2008-07-04 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-04 1323008]
"TpShocks"="TpShocks.exe" [2007-09-28 181544]
"TP4EX"="tp4ex.exe" [2005-10-17 65536]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-09-25 331776]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-09-25 208896]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 461584]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-06-01 341312]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2005-12-04 437008]
"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2008-06-09 165208]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\<USER>\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2007-7-17 49152]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-08-14 21:54 89600 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 22:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-03-17 21:02 34080 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^<USER>^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2009-12-18 08:38 624056 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-24 09:15 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-09-24 22:41 136176 ----atw- c:\documents and settings\<USER>\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-11-11 06:40 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPMailChecker]
2008-06-09 09:00 124248 ------w- c:\progra~1\THINKV~2\PrdCtr\LPMLCHK.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
2008-04-14 00:12 169984 ----a-w- c:\windows\pchealth\helpctr\binaries\msconfig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 17:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-09-02 20:15 13351304 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
c:\program files\Java\jre6\bin\jusched.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TivoBeacon2"=2 (0x2)
"matlabserver"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"aawservice"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Adobe Version Cue CS3"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office 2007\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Live Mesh\\Remote Desktop\\wlcrasvc.exe"=
"c:\\Documents and Settings\\<USER>\\Local Settings\\Application Data\\Microsoft\\Live Mesh\\GacBase\\Moe.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [9/28/2007 4:28 PM 19504]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [11/26/2008 11:27 AM 94208]
R2 PrivateDisk;PrivateDisk;c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\privatediskm.sys [11/15/2005 2:11 PM 46142]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [12/21/2005 5:45 PM 3968]
R2 smihlp2;SMI Helper Driver (smihlp2);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [8/14/2007 3:46 PM 10896]
R2 wlcrasvc;Live Mesh Remote Desktop;c:\program files\Live Mesh\Remote Desktop\wlcrasvc.exe [4/4/2010 8:51 PM 44880]
R3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [4/4/2010 8:51 PM 9040]
R3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [4/4/2010 8:51 PM 19408]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 swmx01;Sierra Wireless USB MUX Driver (#01);c:\windows\system32\drivers\swmx01.sys [11/18/2005 5:21 PM 58624]
S3 SWNC5E01;Sierra Wireless MUX NDIS Driver (#01);c:\windows\system32\drivers\SWNC5E01.sys [8/5/2005 4:42 PM 73600]
S4 TivoBeacon2;TiVo Beacon;c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [9/25/2007 10:33 AM 867328]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-12-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3009057938-3810653069-2728514440-1005Core.job
- c:\documents and settings\<USER>\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-24 22:41]

2010-12-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3009057938-3810653069-2728514440-1005UA.job
- c:\documents and settings\<USER>\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-24 22:41]

2010-12-04 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 03:40]

2010-12-04 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-06-23 07:47]
.
.
------- Supplementary Scan -------
.
uStart Page = file:///C:/Documents%20and%20Settings/<USER>/My%20Documents/website/bk.net/links/index.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &GET... - c:\nat32\htm\script3.htm
IE: &RAW... - c:\nat32\htm\script2.htm
IE: &Similar pages... - c:\nat32\htm\script.htm
IE: &URL... - c:\nat32\htm\script1.htm
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI69DF~1\Office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: ameritrade.com
Trusted Zone: tdameritrade.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\<USER>\Application Data\Mozilla\Firefox\Profiles\t3a6omek.default\
FF - prefs.js: browser.startup.homepage - file:///C:/Documents%20and%20Settings/<USER>/My%20Documents/website/bk.net/links/index.html
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Extension: Firebug: firebug@software.joehewitt.com - c:\documents and settings\<USER>\Application Data\Mozilla\Firefox\Profiles\t3a6omek.default\extensions\firebug@software.joehewitt.com
FF - Extension: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - c:\documents and settings\<USER>\Application Data\Mozilla\Firefox\Profiles\t3a6omek.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\<USER>\Application Data\Mozilla\Firefox\Profiles\t3a6omek.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\<USER>\Application Data\Move Networks

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-04 20:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3009057938-3810653069-2728514440-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{ED0EAF8A-021D-4919-44FC-5E7236E6E3A6}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oaflndobpphdedheipnibflfiaaijm"=hex:6a,61,62,66,63,64,65,64,63,64,6b,64,6d,62,
63,6c,6b,61,67,6f,00,bf
"nalkddkodajgfpkamkcljpcoflfg"=hex:6a,61,62,66,63,64,65,64,63,64,6b,64,6d,62,
63,6c,6b,61,67,6f,00,bf

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:f5,b3,10,b3,d8,82,20,e8,54,03,ea,71,80,a5,83,fd,2c,30,53,9d,85,
8f,be,bc,bb,cb,64,f1,ac,9b,7c,4b,37,a0,dc,7a,e7,88,b0,71,19,6e,8c,23,79,f8,\

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ||A~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:f5,b3,10,b3,d8,82,20,e8,54,03,ea,71,80,a5,83,fd,2c,30,53,9d,85,
8f,be,bc,bb,cb,64,f1,ac,9b,7c,4b,37,a0,dc,7a,e7,88,b0,71,19,6e,8c,23,79,f8,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(976)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\windows\system32\netprovcredman.dll
c:\program files\ThinkVantage Fingerprint Software\pscssint.dll

- - - - - - - > 'explorer.exe'(5368)
c:\windows\system32\WININET.dll
c:\windows\system32\PROCHLP.DLL
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\netprovcredman.dll
.
Completion time: 2010-12-04 20:21:52
ComboFix-quarantined-files.txt 2010-12-05 02:21
ComboFix2.txt 2010-12-04 04:30
ComboFix3.txt 2010-12-04 00:46
ComboFix4.txt 2009-05-13 16:01
ComboFix5.txt 2010-12-05 01:35

Pre-Run: 7,419,928,576 bytes free
Post-Run: 7,406,080,000 bytes free

- - End Of File - - 460DBF9037654E3869D66F20B135F9C1

Discovered something new this morning... I'm not a big IE user, but I've noticed that when I go to a new page in IE8, there is a popup window that now surfaces. It does it on bleepingcomputer.com too, so I'm fairly certain this is not legitimate. The shortcuts look like this:

http://findinle.org/go.php?id=49760ecf486d5c66645eb9931c37a64b&aid=5&said=popunder&nolimit=1098379
http://findinle.org/go.php?id=94d4c18dfff2e8b45eaed49ca013cac4&aid=5&said=popunder&nolimit=1100647

Has anyone seen this or have ideas if this is related?
HijackThis Log run this morning from Safe Mode...
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:43:52 AM, on 12/5/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/<USER>/My%20Documents/website/bk.net/links/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: CCC.lnk = ?
O8 - Extra context menu item: &GET... - C:\NAT32\htm\script3.htm
O8 - Extra context menu item: &RAW... - C:\NAT32\htm\script2.htm
O8 - Extra context menu item: &Similar pages... - C:\NAT32\htm\script.htm
O8 - Extra context menu item: &URL... - C:\NAT32\htm\script1.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI69DF~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - http://www-307.ibm.com/pc/support/acpir.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://mail.ifbf.net/iNotes6W.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1220231730453
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex.com/client/v_mywebex-mwm/mywebex/ieatgpc.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Power Manager DBC Service - Unknown owner - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.11\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.1.36\bin\mysqld.exe

--
End of file - 12268 bytes

EDIT: Posts merged ~BP

TDSSKiller.exe seems to have fixed the problem. Running a few more scans to be sure.

One more question -

Based on the domain that was trying to get my redirects, I did a whois lookup and see the domain is registered to someone in Wisconsin. Does anyone (Internet Police Force) follow up and check to see whether the person is knowingly pursuing hate crimes against humanity? Seems like he's just trying to make ad revenue with underhanded methods!

EDIT: Posts merged ~BP

Edited by Budapest, 05 December 2010 - 07:50 PM.




#2 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:08:15 PM

Posted 11 December 2010 - 05:25 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Casey

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#3 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:15 PM

Posted 16 December 2010 - 10:49 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators