
I know; another boring redirection problem


3 replies to this topic

#1 waldobleeping

Posted 21 March 2011 - 05:38 PM

OK, I am new around here. I got into a malware/trojan/virus jam the last couple of days. I run a network of about 6 computers which I keep pretty protected, but something slipped through. The computer that is giving me grief is displaying a search bar redirect (to Ask.com). A few days ago I upgraded (?) to Explorer 9, and I don't remember seeing the issue before then. I am running Win7.

Anyway, I ran a McAfee check, a StopZilla check, and an MS malicious software check; all found a bit of innocuous stuff, but the redirect continues. So I then (without having first seen your prep instructions) ran ComboFix. It seemed to have run fine, but I am not sure what to do, if anything, based on info from the output text. After running it, the search redirect problem continues.

That is when I found your site. I was stunned to see how knowledgeable and helpful you were to others. Can you give me any guidance as to what to try next?

regards,

w


ComboFix 11-03-21.01 - Walt Weissman 03/21/2011 14:49:48.1.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3032.1853 [GMT -6:00]
Running from: c:\users\Walt Weissman\Desktop\ComboFix.exe
AV: McAfee® Total Protection™ for Small Business *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: McAfee® Total Protection™ for Small Business *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: STOPzilla Anti-Spyware *Disabled/Updated* {B2E69928-50DC-94CA-6A80-AAB054008761}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\swtools\APPS\CBED\CBE\ACTIVATION_104\_desktop.ini
c:\swtools\APPS\CBED\CBE\ACTIVATION_104\BIN\_desktop.ini
C:\Thumbs.db
c:\users\Walt Weissman\g2mdlhlpx.exe
c:\windows\ali.exe
c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
c:\windows\system32\spool\prtprocs\w32x86\hpcpp083.dll
c:\windows\system32\spool\prtprocs\w32x86\hpcpp5r1.DLL
c:\windows\system32\Thumbs.db
.
c:\windows\system32\userinit.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2011-02-21 to 2011-03-21 )))))))))))))))))))))))))))))))
.
.
2011-03-21 21:04 . 2011-03-21 21:14 -------- d-----w- c:\users\Walt Weissman\AppData\Local\temp
2011-03-21 21:04 . 2011-03-21 21:04 -------- d-----w- c:\windows\ServiceProfiles\NetworkService\AppData\Local\temp
2011-03-21 21:04 . 2011-03-21 21:04 -------- d-----w- c:\windows\ServiceProfiles\LocalService\AppData\Local\temp
2011-03-21 21:04 . 2011-03-21 21:04 -------- d-----w- c:\users\McAfeeMVSUser\AppData\Local\temp
2011-03-21 21:04 . 2011-03-21 21:04 -------- d-----w- c:\users\McAfeeMVSUser.Laptop2\AppData\Local\temp
2011-03-21 21:04 . 2011-03-21 21:04 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-21 21:04 . 2011-03-21 21:04 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2011-03-21 20:46 . 2011-03-21 20:46 -------- d-----w- C:\32788R22FWJFW
2011-03-20 18:35 . 2011-03-20 18:35 -------- d-----w- c:\program files\STOPzilla!
2011-03-20 18:35 . 2011-03-20 18:35 -------- d-----w- c:\program files\Common Files\iS3
2011-03-20 18:35 . 2011-03-21 21:06 -------- d-----w- c:\programdata\STOPzilla!
2011-03-20 16:47 . 2011-03-20 16:48 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-03-20 16:47 . 2011-03-20 16:48 -------- d-----w- c:\program files\iTunes
2011-03-20 16:46 . 2011-03-20 16:46 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2011-03-20 16:46 . 2011-03-20 16:46 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2011-03-20 16:46 . 2011-03-20 16:46 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2011-03-20 16:46 . 2011-03-20 16:46 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2011-03-20 16:46 . 2011-03-20 16:46 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2011-03-20 16:46 . 2011-03-20 16:46 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2011-03-20 16:46 . 2011-03-20 16:46 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2011-03-20 16:45 . 2011-03-20 16:46 -------- d-----w- c:\program files\QuickTime
2011-03-20 16:43 . 2011-03-20 16:43 -------- d-----w- c:\program files\Apple Software Update
2011-03-20 16:43 . 2011-03-20 16:43 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\Apple Computer
2011-03-20 16:42 . 2011-03-20 16:42 -------- d-----w- c:\program files\Bonjour
2011-03-19 15:26 . 2011-03-19 15:26 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-03-19 15:23 . 2011-03-19 15:23 283648 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-03-19 15:23 . 2011-03-19 15:23 1619456 ----a-w- c:\windows\system32\WMVDECOD.DLL
2011-03-19 15:23 . 2011-03-19 15:23 135168 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-03-17 23:37 . 2011-03-17 23:37 22992 ----a-r- c:\windows\system32\SZIO5.dll
2011-03-17 23:37 . 2011-03-17 23:37 132560 ----a-r- c:\windows\system32\IS3HTUI5.dll
2011-03-17 23:37 . 2011-03-17 23:37 67024 ----a-r- c:\windows\system32\IS3Hks5.dll
2011-03-17 23:37 . 2011-03-17 23:37 546256 ----a-r- c:\windows\system32\SZComp5.dll
2011-03-17 23:37 . 2011-03-17 23:37 452048 ----a-r- c:\windows\system32\SZBase5.dll
2011-03-17 23:37 . 2011-03-17 23:37 398800 ----a-r- c:\windows\system32\IS3DBA5.dll
2011-03-17 23:37 . 2011-03-17 23:37 28624 ----a-r- c:\windows\system32\IS3XDat5.dll
2011-03-17 23:37 . 2011-03-17 23:37 99792 ----a-r- c:\windows\system32\IS3Svc5.dll
2011-03-17 23:37 . 2011-03-17 23:37 99792 ----a-r- c:\windows\system32\IS3Inet5.dll
2011-03-17 23:37 . 2011-03-17 23:37 738768 ----a-r- c:\windows\system32\IS3Base5.dll
2011-03-17 23:37 . 2011-03-17 23:37 390608 ----a-r- c:\windows\system32\IS3UI5.dll
2011-03-17 23:37 . 2011-03-17 23:37 230864 ----a-r- c:\windows\system32\IS3Win325.dll
2011-03-09 05:43 . 2010-12-18 05:30 2690560 ----a-w- c:\windows\system32\mstscax.dll
2011-03-09 05:43 . 2010-12-18 05:26 1034240 ----a-w- c:\windows\system32\mstsc.exe
2011-03-09 05:43 . 2010-12-23 05:28 642048 ----a-w- c:\windows\system32\CPFilters.dll
2011-03-09 05:43 . 2010-12-23 05:28 534528 ----a-w- c:\windows\system32\EncDec.dll
2011-03-09 05:42 . 2010-12-23 05:28 850432 ----a-w- c:\windows\system32\sbe.dll
2011-03-09 05:42 . 2010-12-23 05:24 199680 ----a-w- c:\windows\system32\mpg2splt.ax
2011-02-25 13:58 . 2011-02-25 13:58 -------- d-----w- C:\dlfjja
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-18 22:36 . 2011-02-18 22:36 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 22:36 . 2011-02-18 22:36 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-01-07 07:27 . 2011-02-09 18:13 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-07 05:33 . 2011-02-09 18:13 294400 ----a-w- c:\windows\system32\atmfd.dll
2011-01-05 03:37 . 2011-02-09 18:15 2329088 ----a-w- c:\windows\system32\win32k.sys
.
.
------- Sigcheck -------
.
[-] 2008-04-14 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . c:\windows\System32\msgsvc.dll
.
[-] 2006-10-19 04:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\System32\mspmsnsv.dll
[-] 2005-01-28 21:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
[-] 2004-08-04 12:00 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll
.
[-] 2008-04-14 12:42 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\System32\ntmssvc.dll
.
[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\System32\srsvc.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [2010-07-02 337256]
"ACTray"="c:\program files\Lenovo\Access Connections\ACTray.exe" [2010-09-18 431464]
"ACWLIcon"="c:\program files\Lenovo\Access Connections\ACWLIcon.exe" [2010-09-18 181608]
"LENOVO.TPKNRRES"="c:\program files\Lenovo\Communications Utility\TPKNRRES.exe" [2010-07-27 62312]
"AcWin7Hlpr"="c:\program files\Lenovo\Access Connections\AcTBenabler.exe" [2010-09-18 31592]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-13 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-13 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-13 170520]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisallowCpl"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FingerPrintSoftwareSplashScreen]
c:\program files\Lenovo Fingerprint Software\SplashScreen.exe \s [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2009-11-12 10:49 361632 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcWin7Hlpr]
2010-09-18 00:53 31592 ----a-w- c:\program files\Lenovo\Access Connections\AcTBenabler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 19:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-28 01:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-03-06 09:44 500208 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager]
2010-02-22 10:57 406992 ----a-w- c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoToMeeting]
2010-10-01 16:19 39816 ----a-w- c:\program files\Citrix\GoToMeeting\457\g2mstart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 21:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Message Center Plus]
2009-05-28 06:09 49976 ----a-w- c:\program files\Lenovo\Message Center Plus\MCPLaunch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\picon]
2009-08-04 03:00 358424 ----a-w- c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RotateImage]
2008-10-30 21:23 31744 ----a-w- c:\program files\RotateImage\RCIMGDIR.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmartAudio]
2009-11-19 20:45 307768 ------w- c:\program files\CONEXANT\SAII\SAIICpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 17:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 19:37 517096 ----a-w- c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2009-08-27 15:05 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
2010-11-29 23:32 69560 ----a-w- c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2009-11-12 10:48 5106904 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2009-07-14 01:14 65024 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
R0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-07 61328]
R2 clr_optimization_v4.0.30128_32;Microsoft .NET Framework NGEN v4.0.30128_X86;c:\windows\Microsoft.NET\Framework\v4.0.30128\mscorsvw.exe [2010-01-28 130384]
R2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2010-11-24 45496]
R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [x]
R3 5U875UVC;Integrated Camera;c:\windows\system32\DRIVERS\5U875.sys [2009-07-08 72320]
R3 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [2009-10-21 106496]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-04-07 29472]
R3 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [2010-11-05 132456]
R3 JakNDis;Jaksta Service;c:\windows\system32\DRIVERS\JakNDis.sys [2010-10-26 28256]
R3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2010-03-18 6758912]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-09-15 6000640]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2010-11-05 75112]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2009-09-24 1124848]
R3 RRNetCap;RRNetCap Service;c:\windows\system32\DRIVERS\rrnetcap.sys [2010-08-02 31848]
R3 SMServer;SMServer;c:\windows\system32\snmvtsvc.exe [2009-04-16 237568]
R3 Spyder2;ColorVision Spyder2;c:\windows\system32\DRIVERS\Spyder2.sys [2007-01-17 12288]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-02-26 1343400]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30128\WPF\WPFFontCache_v0400.exe [2010-01-28 738656]
S0 DozeHDD;DozeHDD;c:\windows\System32\DRIVERS\DozeHDD.sys [2010-11-05 24304]
S0 MFX;MFX; [x]
S0 szkg5;szkg5;c:\windows\system32\drivers\szkg.sys [2009-12-07 61328]
S0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys [2010-05-13 59280]
S0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\system32\DRIVERS\tdrpm258.sys [2010-02-02 911680]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2010-06-16 20592]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2010-09-07 13680]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [2010-02-02 2480048]
S2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [2009-10-21 1701112]
S2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [2009-10-21 98304]
S2 EngineServer;EngineServer;c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe [2009-12-15 14144]
S2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\Lenovo\Communications Utility\CAMMUTE.exe [2010-07-27 50536]
S2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;c:\program files\Lenovo\Communications Utility\TPKNRSVC.exe [2010-07-27 74088]
S2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe [2010-04-07 93032]
S2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [2010-10-14 282824]
S2 QDLService;Qualcomm Gobi Download Service;c:\qualcomm\QDLService\QDLService.exe [2009-12-15 345336]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
S2 Retrospect Client;Retrospect Client;c:\program files\Retrospect\Retrospect Client\RemotSvc.exe [2008-12-02 61440]
S2 SWAGENT;SonicWALL Agent Service;c:\program files\McAfee\Managed VirusScan\Agent\swAgent.exe [2010-10-14 202048]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2009-08-27 92008]
S2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [2010-12-03 99328]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2010-12-02 64440]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2009-08-04 2058776]
S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-10-09 493248]
S3 afcdp;afcdp;c:\windows\system32\DRIVERS\afcdp.sys [2010-02-02 160288]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2009-09-01 485376]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6032.sys [2008-08-23 225408]
S3 JakNDisMP;JakNDisMP;c:\windows\system32\DRIVERS\JakNDis.sys [2010-10-26 28256]
S3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [2010-10-18 7122944]
S3 QCFilterlno;Lenovo USB Composite Device Filter Driver;c:\windows\system32\DRIVERS\qcfilterlno.sys [2009-12-15 7168]
S3 qcusbnetlno;Lenovo USB-NDIS miniport;c:\windows\system32\DRIVERS\qcusbnetlno.sys [2009-12-15 211456]
S3 qcusbserlno;Lenovo USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\qcusbserlno.sys [2009-12-15 111616]
S3 RRNetCapMP;RRNetCapMP;c:\windows\system32\DRIVERS\rrnetcap.sys [2010-08-02 31848]
S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2009-07-02 38336]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A8D647C8-65AC-409F-B7B2-3C0FEE1A32F2}]
2010-02-17 01:02 114688 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-21 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PC-Doctor\uaclauncher.exe [2010-12-09 23:09]
.
2011-03-21 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\PC-Doctor\pcdrcui.exe [2010-12-09 23:09]
.
2010-01-11 c:\windows\Tasks\User_Feed_Synchronization-{BE32CA26-9B2C-4F97-B310-5228E3A6C2C6}.job
- c:\windows\system32\msfeedssync.exe [2011-03-19 15:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://cnn.com/
uInternet Settings,ProxyServer = http=148.63.201.177:9877;https=148.63.201.177:9877
uInternet Settings,ProxyOverride = <local>;*.local
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
TCP: {16A4933A-BF3A-4841-88D8-E50089DAF38D} = 148.78.249.200,148.78.249.201
TCP: {6B4AC5EB-4B8E-41FD-975A-55B85958669E} = 148.78.249.200,148.78.249.201
DPF: {15A7CF10-CB3E-4265-8779-9FD22619E8ED} - file:///C:/Program%20Files/Crestron/VtPro-e/Projects/Weissman/Xpanel/SnowyRange.xweb/XPanel.cab
DPF: {F74959B0-1779-472E-BE6E-3023E1DBEC73} - file:///C:/Program%20Files/Crestron/VtPro-e/Projects/Weissman/Xpanel/SnowyRange.xweb/XInit.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKCU-Run-AdobeBridge - (no file)
MSConfigStartUp-AmazonGSDownloaderTray - c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe
MSConfigStartUp-Apoint - c:\program files\Apoint2K\Apoint.exe
MSConfigStartUp-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
MSConfigStartUp-CameraApplicationLauncher - c:\program files\Lenovo\Camera Center\bin\CameraApplicationLaunchpadLauncher.exe
MSConfigStartUp-cssauth - c:\program files\Lenovo\Client Security Solution\cssauth.exe
MSConfigStartUp-DiscWizardMonitor - c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe
MSConfigStartUp-StartUp This - c:\program files\Laplink\PCmover\LaunchSt.exe
AddRemove-M928366 - c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe
AddRemove-Microsoft Interactive Training - c:\windows\orun32.isu
AddRemove-MVS - c:\progra~1\McAfee\MANAGE~1\Agent\myinx
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3940)
c:\program files\PC-Doctor\ATLPcdToolbar571733.dll
c:\program files\Lenovo\Access Connections\ACDeskBand.dll
c:\program files\Lenovo\Access Connections\AcLocSettings.dll
c:\program files\Lenovo\Access Connections\AcCryptHlpr.dll
c:\program files\Lenovo\Access Connections\ACHelper.dll
c:\program files\Lenovo\Access Connections\AcSvcStub.dll
c:\program files\ThinkPad\Bluetooth Software\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Common Files\iS3\Anti-Spyware\SZServer.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\program files\Lenovo\Access Connections\AcPrfMgrSvc.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\progra~1\McAfee\MANAGE~1\VScan\McShield.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Retrospect\Retrospect Client\retroclient.exe
c:\program files\Lenovo\Access Connections\AcSvc.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\ThinkPad\Bluetooth Software\btwdins.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\taskhost.exe
c:\progra~1\LENOVO\VIRTSCRL\virtscrl.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\windows\system32\conhost.exe
.
**************************************************************************
.
Completion time: 2011-03-21 15:18:10 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-21 21:18
.
Pre-Run: 10,335,535,104 bytes free
Post-Run: 10,011,447,296 bytes free
.
- - End Of File - - 002426DC9137F52EB07125F101606D12
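A responder reading a ComboFix log like the one above checks a few sections before anything else: files ComboFix reports as infected (here c:\windows\system32\userinit.exe, a logon-time execution point), the per-user Internet Settings proxy (here http and https both routed through 148.63.201.177:9877, an address outside the machine's own network; a user-level proxy on an outside host is a common way browser traffic, searches included, is redirected), Sigcheck lines marked [-], and Security Center override values that suppress AV status reporting. The parser below is an added example written for this page; it is not ComboFix's own code and was not posted by anyone in this thread. It assumes only the line formats visible in the log above, and its sample input is constructed from lines copied out of that log so it runs offline. The list of override value names it checks beyond AntiVirusOverride and DisableMonitoring is an assumption.

```python
"""Triage helper for ComboFix logs (added example, not part of ComboFix or this thread)."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample input: lines copied from the ComboFix log posted above,
# trimmed so the parser runs offline without the full log.
SAMPLE_LOG = """\
c:\\windows\\ali.exe
c:\\users\\Walt Weissman\\g2mdlhlpx.exe
.
c:\\windows\\system32\\userinit.exe . . . is infected!!
.
------- Sigcheck -------
.
[-] 2008-04-14 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . c:\\windows\\System32\\msgsvc.dll
.
[-] 2006-10-19 04:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\\windows\\System32\\mspmsnsv.dll
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
------- Supplementary Scan -------
.
uStart Page = hxxp://cnn.com/
uInternet Settings,ProxyServer = http=148.63.201.177:9877;https=148.63.201.177:9877
uInternet Settings,ProxyOverride = <local>;*.local
"""

INFECTED_RE = re.compile(r"^(?P<path>\S.*?) \. \. \. is infected!!\s*$")
SIGCHECK_RE = re.compile(
    r"^\[-\] (?P<date>\d{4}-\d{2}-\d{2}(?: \d{2}:\d{2})?) \. (?P<md5>[0-9A-Fa-f]{32})"
    r" \. (?P<size>\d+) \. \. \[(?P<ver>[^\]]+)\] \. \. (?P<path>.+?)\s*$"
)
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (?P<value>.+?)\s*$")
REG_KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]\s*$")
REG_DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9A-Fa-f]{8})\s*$')
# Assumed set of Security Center value names worth flagging when non-zero.
OVERRIDE_NAMES = {"AntiVirusOverride", "FirewallOverride", "AntiSpywareOverride", "DisableMonitoring"}


def find_infected(log: str) -> List[str]:
    """Paths ComboFix marked '. . . is infected!!'."""
    return [m.group("path") for m in (INFECTED_RE.match(line) for line in log.splitlines()) if m]


def find_sigcheck_failures(log: str) -> List[Tuple[str, str]]:
    """(md5, path) for every Sigcheck line ComboFix prefixed with [-]."""
    matches = (SIGCHECK_RE.match(line) for line in log.splitlines())
    return [(m.group("md5").upper(), m.group("path")) for m in matches if m]


def parse_proxy(log: str) -> Dict[str, str]:
    """Split 'http=host:port;https=host:port'; a bare 'host:port' applies to all protocols ('*')."""
    for line in log.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        proxies: Dict[str, str] = {}
        for part in filter(None, (p.strip() for p in m.group("value").split(";"))):
            scheme, _, hostport = part.partition("=")
            proxies[scheme.lower() if hostport else "*"] = hostport or scheme
        return proxies
    return {}


def external_proxy_hosts(proxies: Dict[str, str]) -> List[str]:
    """Proxy hosts that are neither loopback nor private: browser traffic leaving via an
    outside host is the first thing to explain on a machine with a search redirect."""
    hosts: List[str] = []
    for hostport in proxies.values():
        host = hostport.rsplit(":", 1)[0]
        try:
            addr = ipaddress.ip_address(host)
            if addr.is_private or addr.is_loopback:
                continue
        except ValueError:
            pass  # a hostname: cannot classify offline, so report it
        if host not in hosts:
            hosts.append(host)
    return hosts


def find_security_center_overrides(log: str) -> List[Tuple[str, str]]:
    """(registry key, value name) for non-zero override/DisableMonitoring values under Security Center."""
    out: List[Tuple[str, str]] = []
    key = ""
    for line in log.splitlines():
        k = REG_KEY_RE.match(line)
        if k:
            key = k.group("key")
            continue
        v = REG_DWORD_RE.match(line)
        if (v and v.group("name") in OVERRIDE_NAMES and int(v.group("val"), 16) != 0
                and "security center" in key.lower()):
            out.append((key, v.group("name")))
    return out


def triage(log: str) -> dict:
    """Everything a responder would read first, as one dict."""
    proxies = parse_proxy(log)
    return {
        "infected": find_infected(log),
        "sigcheck_failures": find_sigcheck_failures(log),
        "proxy": proxies,
        "external_proxy_hosts": external_proxy_hosts(proxies),
        "security_center_overrides": find_security_center_overrides(log),
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

Run on the full log, the same parser flags userinit.exe, the outside proxy host, the five [-] Sigcheck entries and three Security Center values. The override values are not proof of tampering on their own (an installed AV product can legitimately set them), but together with a user-level proxy to an outside address they are what to confirm or clear before deciding the machine is clean.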

#2 rigacci

Posted 26 March 2011 - 10:57 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks.

DR

#3 waldobleeping (Topic Starter)

Posted 26 March 2011 - 11:37 AM

DR,

No apology necessary! Your contribution to the "community" is amazing.

As for my problem, I have, perhaps with a bit of luck, been able to resolve it.

Thanks for the offer of help.

Best,

walt

#4 SweetTech

Posted 26 March 2011 - 12:03 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
