All search engines redirect


  • This topic is locked
14 replies to this topic

#1 chiefs13


  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:40 PM

Posted 22 April 2011 - 01:27 AM

Hello,
I have XP with SP3. I have a redirect going on with all search engines in both IE and Firefox. Any link clicked in a search engine will redirect. I have CA Internet Security installed, I also ran a scan with Malwarebytes' Anti-Malware, neither one removed or recognized the redirect. I also ran TDSSKILLER, and it found nothing. I suspect one of my redirects gave me the rogue antivirus, I successfully removed the rogue but the redirect remained. The redirect existed long before the rogue got on my system.
Any help is appreciated. Below is my DDS log. I am running the 64 bit version, so no GMER log.
Thanks,
Steve

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Owner at 1:12:27.29 on Fri 04/22/2011
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3574.2480 [GMT -5:00]
.
AV: CA Anti-Virus Plus *Enabled/Updated* {6B98D35F-BB76-41C0-876B-A50645ED099A}
FW: CA Personal Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\caamsvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\isafe.exe
C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
C:\Program Files\Napster\napster.exe
C:\WINDOWS\diskperfm.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\stivendor.exe
C:\Program Files\Offline Course Player\OlpSynch.exe
C:\Program Files\Ascentive\ActiveSpeed\AS.exe
C:\Program Files\CA\CA Internet Security Suite\casc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Mobile Stream\EasyTether\easytthr.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CA\CA Internet Security Suite\ccEvtMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://pingtest.net/
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: CA Anti-Phishing Toolbar Helper: {45011cf5-e4a9-4f13-9093-f30a784eb9b2} - c:\program files\ca\ca internet security suite\ca anti-phishing\toolbar\caIEToolbar.dll
BHO: Social Mini Toolbar powered by Ask.com: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Social Mini Toolbar powered by Ask.com: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: CA Anti-Phishing Toolbar: {0123b506-0ad9-43aa-b0cf-916c122ad4c5} - c:\program files\ca\ca internet security suite\ca anti-phishing\toolbar\caIEToolbar.dll
TB: {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [Aim6]
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [EasyTether] "c:\program files\mobile stream\easytether\easytthr.exe"
uRun: [Performance Center] c:\program files\ascentive\performance center\ApcMain.exe -m
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10c.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [EPSON Stylus Photo RX500] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
mRun: [NapsterShell] c:\program files\napster\napster.exe /systray
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [CoreADManager] c:\windows\diskperfm.exe
mRun: [x3watch] c:\program files\x3watch\x3watch.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [OLPSYNCH] c:\program files\offline course player\OlpSynch.exe
mRun: [CAPPActiveProtection] "c:\program files\ca\ca internet security suite\ca anti-spyware\CAPPActiveProtection.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ActiveSpeed] c:\program files\ascentive\activespeed\AS.exe
mRun: [cctray] "c:\program files\ca\ca internet security suite\casc.exe"
mRun: [capfupgrade] c:\program files\ca\ca internet security suite\ca personal firewall\capfupgrade.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\foldin~1.lnk - c:\documents and settings\owner\application data\microsoft\installer\{87c85d28-0633-453d-8d29-98c3a1043f6c}\_40568C262FE03EB186D64D.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\windows\system32\VetRedir.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v10.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15108/CTPID.cab
Notify: igfxcui - igfxdev.dll
Notify: PFW - UmxWnp.Dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\9dz5ktqr.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.iwon.com/
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\9dz5ktqr.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\9dz5ktqr.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - component: c:\program files\ca\ca internet security suite\ca anti-phishing\toolbar\firefox\components\CAFxToolBar.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\owner\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPOlp32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: United States English Spellchecker: en-US@dictionaries.addons.mozilla.org - %profile%\extensions\en-US@dictionaries.addons.mozilla.org
FF - Ext: RedShift V3.6: redshift_V2@shift-themes.com - %profile%\extensions\redshift_V2@shift-themes.com
FF - Ext: Social Mini Toolbar powered by Ask.com: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Adobe DLM (powered by getPlus®): {CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7} - %profile%\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}
FF - Ext: Gradient iCool: {de5809e0-2b07-11dd-bd0b-0800200c9a66} - %profile%\extensions\{de5809e0-2b07-11dd-bd0b-0800200c9a66}
FF - Ext: eBay Sidebar for Firefox: {62760FD6-B943-48C9-AB09-F99C6FE96088} - %profile%\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Download status: {9fb8c270-7124-11dd-ad8b-0800200c9a66} - %profile%\extensions\{9fb8c270-7124-11dd-ad8b-0800200c9a66}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
FF - Ext: CA Anti-Phishing Toolbar: caaphishtoolbar@ca.com - c:\program files\ca\ca internet security suite\ca anti-phishing\toolbar\Firefox
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R0 KmxAMRT;KmxAMRT;c:\windows\system32\drivers\KmxAMRT.sys [2010-9-17 135248]
R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2010-5-3 108112]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2010-3-22 79864]
R2 CAAMSvc;CAAMSvc;c:\program files\ca\ca internet security suite\ca anti-virus plus\CAAMSvc.exe [2011-4-21 206152]
R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus plus\isafe.exe [2011-3-12 212992]
R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\ca\ca internet security suite\ccschedulersvc.exe [2011-3-12 206160]
R2 UmxAgent;HIPS Event Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2009-8-4 887288]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe [2010-8-24 740160]
R2 UmxPol;HIPS Policy Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [2010-9-17 301648]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-9-5 24652]
R3 easytether;easytether;c:\windows\system32\drivers\easytthr.sys [2010-7-5 10496]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2010-6-9 244304]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 KmxAMVet;KmxAMVet;c:\windows\system32\drivers\KmxAMVet.sys [2009-3-27 598656]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-3-20 32408]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-04-21 22:22:31 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-21 22:22:31 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-04-21 18:15:23 -------- d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2011-04-21 18:15:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-21 18:15:12 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-21 17:35:10 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-21 17:35:10 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-21 14:17:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-21 14:17:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-14 08:39:02 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-04-14 08:39:02 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2011-04-21 20:19:00 95568 ----a-w- c:\windows\system32\vetredir.dll
2011-04-21 20:19:00 128336 ----a-w- c:\windows\system32\isafeif.dll
2011-03-12 18:55:47 95568 ----a-w- c:\windows\system32\vetredir(2).dll
2011-03-12 18:55:47 128336 ----a-w- c:\windows\system32\isafeif(2).dll
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 19:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 19:00:28 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 19:00:28 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-02-17 19:00:27 17408 ------w- c:\windows\system32\corpol.dll
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-17 11:44:16 389120 ----a-w- c:\windows\system32\html.iec
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-03 00:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2010-04-23 23:05:50 774144 ----a-w- c:\program files\RngInterstitial.dll
.
============= FINISH: 1:13:15.32 ===============

Bump, anyone? Not trying to be pushy, thought maybe my post had gone between the cracks, it's been 3 days...
Thanks in advance for the help!
Steve

EDIT: Please be patient. There are over 380 unanswered topics in this forum at present and the current average wait time to receive help is 9 days. ~Budapest

Edited by Budapest, 25 April 2011 - 03:21 PM.
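As an added example (not from this thread or from the DDS tool), the script below shows how the triage a helper does by eye can be done over the log format above: it reads the architecture tag from the DDS header, the line the helper relies on later to say this is not a 64-bit OS, and lists autorun entries that deserve a second look. The sample lines are copied from the log posted above; the flags mean "verify", not "infected", and the header tag format and the Windows-root heuristic are my assumptions.

```python
"""Triage helper for DDS logs: read the header and the autorun entries,
and flag items a responder would want to verify before anything else."""
import re
from typing import Dict, List, Tuple

# Constructed sample: a handful of lines copied from the DDS log in the post above.
SAMPLE_DDS = """\
DDS (Ver_11-03-05.01) - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3574.2480 [GMT -5:00]
.
============== Running Processes ===============
.
C:\\WINDOWS\\system32\\svchost -k DcomLaunch
C:\\WINDOWS\\diskperfm.exe
C:\\WINDOWS\\stivendor.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://pingtest.net/
uRun: [Aim6]
mRun: [CoreADManager] c:\\windows\\diskperfm.exe
mRun: [cctray] "c:\\program files\\ca\\ca internet security suite\\casc.exe"
TB: {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No File
LSP: c:\\windows\\system32\\VetRedir.dll
.
"""

# uRun/mRun/uRunOnce/mRunOnce lines: "<scope>Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^(u|m)(Run|RunOnce):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# Toolbar / BHO registrations whose DLL is gone from disk
ADDON_NOFILE_RE = re.compile(r"^(TB|BHO):\s*.*-\s*No File$")


def architecture(log: str) -> str:
    """Return the tag DDS prints after 'NTFS' in its first line ('x86' here).
    Assumption: the header always has the form 'DDS (Ver_...) - NTFS<tag>'."""
    m = re.search(r"^DDS \(Ver_[^)]*\) - NTFS(\w+)$", log, re.M)
    return m.group(1) if m else "unknown"


def parse_run_entries(log: str) -> List[Dict[str, str]]:
    """Collect every Run/RunOnce autorun entry with its scope, value name and command."""
    entries = []
    for line in log.splitlines():
        m = RUN_RE.match(line)
        if m:
            entries.append({
                "scope": "user" if m.group(1) == "u" else "machine",
                "key": m.group(2),
                "name": m.group("name"),
                "command": m.group("cmd").strip(),
            })
    return entries


def executable_path(command: str) -> str:
    """Pull the program path out of an autorun command line.
    Quoted paths end at the closing quote; unquoted ones run up to the first '.exe'."""
    command = command.strip()
    if not command:
        return ""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)\b", command, re.I)
    return m.group(1) if m else command.split()[0]


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (entry, reason) pairs. These are heuristics: a flag means 'verify'."""
    findings = []
    for e in parse_run_entries(log):
        label = f"{e['scope']} {e['key']} [{e['name']}]"
        path = executable_path(e["command"]).lower()
        if not path:
            findings.append((label, "autorun value with no command; orphaned or emptied entry"))
            continue
        # Assumption used as a heuristic: commercial software rarely installs its
        # executable directly in the Windows root rather than system32 or Program Files.
        if re.fullmatch(r"[a-z]:\\windows\\[^\\]+\.exe", path):
            findings.append((label, f"runs {path} from the Windows root; confirm publisher and hash"))
    for line in log.splitlines():
        if ADDON_NOFILE_RE.match(line):
            findings.append((line, "browser add-on registered but its file is missing; leftover or tampered registration"))
    return findings


if __name__ == "__main__":
    print("architecture tag:", architecture(SAMPLE_DDS))
    for entry, reason in triage(SAMPLE_DDS):
        print(f"{entry}: {reason}")
```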



#2 RPMcMurphy


    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:40 PM

Posted 26 April 2011 - 08:41 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

You are not running a 64 bit OS (at least according to your DDS log), so please run GMER for me. I also need to see the Attach.txt log from DDS.

Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


If you have trouble running GMER:
  • Make sure that your security software is disabled
  • Uncheck the box next to "Files" this time also
  • If you still can't run it, try in the Safe Mode
Please include the following in your next post:
  • Attach.txt
  • GMER log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member




#3 chiefs13

  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:40 PM

Posted 29 April 2011 - 10:16 AM

Sorry for the delay, I was out of town. Wow, I thought I had 64 bit. Oh well, I ran GMER for you; posted below are the two reports you asked for.
Thanks,
Steve

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 6/20/2008 12:54:44 PM
System Uptime: 4/21/2011 5:40:41 PM (8 hours ago)
.
Motherboard: Dell Inc. | | 0H8052
Processor: Intel® Pentium® 4 CPU 2.80GHz | Microprocessor | 2793/800mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 75 GiB total, 29.02 GiB free.
D: is CDROM (CDFS)
E: is Removable
F: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP8: 1/22/2011 8:04:47 AM - System Checkpoint
RP9: 1/23/2011 8:18:47 AM - System Checkpoint
RP10: 1/24/2011 9:04:46 AM - System Checkpoint
RP11: 1/25/2011 10:04:47 AM - System Checkpoint
RP12: 1/26/2011 11:04:46 AM - System Checkpoint
RP13: 1/27/2011 12:19:00 PM - System Checkpoint
RP14: 1/28/2011 1:04:55 PM - System Checkpoint
RP15: 1/29/2011 1:47:49 PM - System Checkpoint
RP16: 1/30/2011 2:45:12 PM - System Checkpoint
RP17: 1/31/2011 3:28:16 PM - System Checkpoint
RP18: 2/1/2011 4:28:15 PM - System Checkpoint
RP19: 2/2/2011 5:01:07 PM - System Checkpoint
RP20: 2/3/2011 5:28:17 PM - System Checkpoint
RP21: 2/4/2011 6:28:16 PM - System Checkpoint
RP22: 2/5/2011 7:28:16 PM - System Checkpoint
RP23: 2/6/2011 8:28:17 PM - System Checkpoint
RP24: 2/7/2011 8:58:10 PM - System Checkpoint
RP25: 2/8/2011 9:01:54 PM - System Checkpoint
RP26: 2/9/2011 9:58:10 PM - System Checkpoint
RP27: 2/10/2011 3:00:14 AM - Software Distribution Service 3.0
RP28: 2/11/2011 3:00:14 AM - Software Distribution Service 3.0
RP29: 2/12/2011 3:20:47 AM - System Checkpoint
RP30: 2/13/2011 3:31:45 AM - System Checkpoint
RP31: 2/14/2011 4:31:46 AM - System Checkpoint
RP32: 2/15/2011 5:27:13 AM - System Checkpoint
RP33: 2/16/2011 3:00:15 AM - Software Distribution Service 3.0
RP34: 2/17/2011 3:35:27 AM - System Checkpoint
RP35: 2/18/2011 4:46:42 AM - System Checkpoint
RP36: 2/19/2011 4:58:00 AM - System Checkpoint
RP37: 2/20/2011 5:58:00 AM - System Checkpoint
RP38: 2/21/2011 6:02:07 AM - System Checkpoint
RP39: 2/22/2011 7:02:07 AM - System Checkpoint
RP40: 2/23/2011 7:04:24 AM - System Checkpoint
RP41: 2/24/2011 8:04:23 AM - System Checkpoint
RP42: 2/25/2011 3:00:14 AM - Software Distribution Service 3.0
RP43: 2/26/2011 3:20:35 AM - System Checkpoint
RP44: 2/27/2011 4:20:35 AM - System Checkpoint
RP45: 2/28/2011 5:20:35 AM - System Checkpoint
RP46: 3/1/2011 6:20:35 AM - System Checkpoint
RP47: 3/1/2011 12:05:22 PM - Removed AVG Free 8.5
RP48: 3/1/2011 12:06:06 PM - CA Internet Security Suite
RP49: 3/2/2011 12:19:36 PM - System Checkpoint
RP50: 3/3/2011 1:19:37 PM - System Checkpoint
RP51: 3/4/2011 1:20:38 PM - System Checkpoint
RP52: 3/5/2011 2:19:32 PM - System Checkpoint
RP53: 3/6/2011 3:50:18 PM - System Checkpoint
RP54: 3/7/2011 4:19:33 PM - System Checkpoint
RP55: 3/8/2011 5:19:33 PM - System Checkpoint
RP56: 3/9/2011 6:19:32 PM - System Checkpoint
RP57: 3/10/2011 3:00:16 AM - Software Distribution Service 3.0
RP58: 3/11/2011 3:19:33 AM - System Checkpoint
RP59: 3/12/2011 4:19:19 AM - System Checkpoint
RP60: 3/12/2011 10:39:02 AM - CA Internet Security Suite
RP61: 3/12/2011 12:31:08 PM - CA Internet Security Suite
RP62: 3/13/2011 1:44:26 PM - System Checkpoint
RP63: 3/14/2011 1:48:40 PM - System Checkpoint
RP64: 3/15/2011 2:48:40 PM - System Checkpoint
RP65: 3/16/2011 2:50:24 PM - System Checkpoint
RP66: 3/17/2011 2:10:20 PM - iyogi
RP67: 3/18/2011 2:50:22 PM - System Checkpoint
RP68: 3/19/2011 3:50:22 PM - System Checkpoint
RP69: 3/20/2011 4:50:02 PM - System Checkpoint
RP70: 3/21/2011 4:51:07 PM - System Checkpoint
RP71: 3/22/2011 5:50:02 PM - System Checkpoint
RP72: 3/23/2011 6:50:03 PM - System Checkpoint
RP73: 3/24/2011 7:50:03 PM - System Checkpoint
RP74: 3/25/2011 11:24:51 AM - Software Distribution Service 3.0
RP75: 3/26/2011 12:11:48 PM - System Checkpoint
RP76: 3/27/2011 1:11:35 PM - System Checkpoint
RP77: 3/28/2011 2:24:55 PM - System Checkpoint
RP78: 3/29/2011 3:11:35 PM - System Checkpoint
RP79: 3/30/2011 3:53:36 PM - System Checkpoint
RP80: 3/31/2011 4:53:37 PM - System Checkpoint
RP81: 4/1/2011 4:54:41 PM - System Checkpoint
RP82: 4/2/2011 5:01:52 PM - System Checkpoint
RP83: 4/3/2011 5:53:37 PM - System Checkpoint
RP84: 4/4/2011 9:16:32 PM - System Checkpoint
RP85: 4/5/2011 9:53:36 PM - System Checkpoint
RP86: 4/6/2011 9:54:42 PM - System Checkpoint
RP87: 4/7/2011 10:53:41 PM - System Checkpoint
RP88: 4/8/2011 11:53:41 PM - System Checkpoint
RP89: 4/10/2011 1:00:14 AM - System Checkpoint
RP90: 4/11/2011 1:35:49 AM - System Checkpoint
RP91: 4/12/2011 2:35:48 AM - System Checkpoint
RP92: 4/13/2011 3:35:48 AM - System Checkpoint
RP93: 4/14/2011 4:35:48 AM - System Checkpoint
RP94: 4/15/2011 7:16:45 AM - System Checkpoint
RP95: 4/15/2011 11:02:13 PM - Software Distribution Service 3.0
RP96: 4/16/2011 11:43:42 PM - System Checkpoint
RP97: 4/17/2011 3:00:15 AM - Software Distribution Service 3.0
RP98: 4/18/2011 3:12:17 AM - System Checkpoint
RP99: 4/19/2011 7:16:52 AM - System Checkpoint
RP100: 4/20/2011 7:57:17 AM - System Checkpoint
RP101: 4/21/2011 10:07:41 AM - Restore Operation
RP102: 4/21/2011 12:18:30 PM - Restore Operation
RP103: 4/21/2011 2:05:23 PM - Removed AVG Free 8.5
RP104: 4/21/2011 2:06:32 PM - Installed AVG Free 8.5
RP105: 4/21/2011 5:21:47 PM - Installed Java™ 6 Update 24
RP106: 4/21/2011 5:25:08 PM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
Acrobat.com
ActiveSpeed
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.4
Adobe Shockwave Player 11.5
AIM 6
AMRT
AntiPhishing
APH placeholder
Apple Software Update
ArcSoft Software Suite
Ask Toolbar
Backgammon
CA Anti-Virus Plus
CA Internet Security Suite
CA Personal Firewall
CA Pest Patrol Realtime Protection
Creative Audio Console
Creative MediaSource 5
Creative Software AutoUpdate
Creative WaveStudio 7
Critical Update for Windows Media Player 11 (KB959772)
DAZzle
DeLorme Street Atlas USA 2005
DeLorme Street Atlas USA 2005 Data
DIRECTV Optimizer Ver 2009-07-01
Diskeeper 2009 Professional
DIY Programmer
DYMO Printable Postage
EasyTether
EPSON Printer Software
EPSON Scan
Facebook Plug-In
Farming Extreme Manager
Farming Extreme Manager Gold
Farmville Gift Collector version 1.0
FOREXTraderPro
FreeRIP v3.40
Google Chrome
Google Talk (remove only)
HERB.IQ
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel® Graphics Media Accelerator Driver
Java Auto Updater
Java™ 6 Update 24
Linksys Wireless-G PCI Network Adapter with SpeedBooster
Logitech MouseWare 9.79.1
Logos 4 Prerequisites
Logos Bible Software 4
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft National Language Support Downlevel APIs
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft WinUsb 2.0
Microsoft WSE 3.0 Runtime
Mozilla Firefox (3.5.1)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Napster
Napster Burn Engine
Nero OEM
Offline Course Player
OpenOffice.org 2.4
PearsonVUE Tutorial and Practice Exam
PowerDVD
QuickTime
Qurb
RealArcade
RealPlayer
RealUpgrade 1.0
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB2416400)
Security Update for Windows Internet Explorer 7 (KB2497640)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Slacker Software Player
SoundMAX
Spelling Dictionaries Support For Adobe Reader 9
Street Atlas USA 2005
The Sims™ 3
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB898461)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Media Player
VZAccess Manager
WeatherBug
WebFldrs XP
WildBlue Optimizer Ver 2009-06-01
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Service Pack 3
WinZip 14.0
.
==== Event Viewer Messages From Past Week ========
.
4/21/2011 9:30:56 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm KmxAgent KmxFile KmxFw KmxStart
4/21/2011 9:30:03 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
4/21/2011 9:16:26 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
4/21/2011 7:54:25 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec KmxAgent KmxFile KmxFw KmxStart MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
4/21/2011 7:54:25 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
4/21/2011 7:54:25 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
4/21/2011 7:54:25 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
4/21/2011 7:54:25 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
4/21/2011 7:54:04 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service UmxCfg with arguments "" in order to run the server: {B8417502-7095-4D02-AF41-92134CEA5ED0}
4/21/2011 7:54:03 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service UmxCfg with arguments "" in order to run the server: {5EBFD120-E4FE-46C5-8E21-05D903BAAEEC}
4/21/2011 7:54:03 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service CaCCProvSP with arguments "" in order to run the server: {AACF4A1C-BC69-4359-9518-DF3F77E462BF}
4/21/2011 7:54:02 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service UmxCfg with arguments "" in order to run the server: {8449273F-059F-4B7C-BF37-2E3C028E93D2}
4/21/2011 7:53:30 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
4/21/2011 7:53:29 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
4/21/2011 7:53:10 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service UmxPol with arguments "-Service" in order to run the server: {4C89C3FD-5F94-4678-BBB5-F64759C3C54A}
4/21/2011 2:17:46 PM, error: Service Control Manager [7003] - The HIPS Event Manager service depends on the following nonexistent service: UmxPol
4/21/2011 2:17:46 PM, error: DCOM [10005] - DCOM got error "%1075" attempting to start the service UmxAgent with arguments "-Service" in order to run the server: {9B58BB29-3745-44A2-9E8B-B09C1DB53243}
4/21/2011 2:01:06 PM, error: DCOM [10005] - DCOM got error "%1055" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
4/21/2011 2:01:02 PM, error: DCOM [10005] - DCOM got error "%1055" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
4/21/2011 12:37:35 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 AvgTdiX
4/21/2011 12:37:35 PM, error: Service Control Manager [7001] - The AVG8 E-mail Scanner service depends on the AVG8 WatchDog service which failed to start because of the following error: The system cannot find the file specified.
4/21/2011 12:37:35 PM, error: Service Control Manager [7000] - The AVG8 WatchDog service failed to start due to the following error: The system cannot find the file specified.
4/21/2011 12:01:11 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time-a.nist.gov,0x1'. NtpClient will try the DNS lookup again in 120 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
4/21/2011 10:00:33 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
4/16/2011 8:35:55 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time-a.nist.gov,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
4/16/2011 7:51:35 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time-a.nist.gov,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
4/15/2011 7:35:11 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time-a.nist.gov,0x1'. NtpClient will try the DNS lookup again in 60 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
.
==== End Of File ===========================


GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-29 10:11:29
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 HDS728080PLA380 rev.PF2OA63A
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kgqiiaow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\DRIVERS\kmxagent.sys (HIPS Agent Driver/CA) ZwSetInformationProcess [0xB9262B6F]

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\p17xfilt.sys entry point in "init" section [0xB9129EB0]
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB8FEAF80]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[684] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 013CB24B
.text C:\Program Files\Mozilla Firefox\firefox.exe[684] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 013CBF9D
.text C:\Program Files\Mozilla Firefox\firefox.exe[684] WS2_32.dll!send 71AB4C27 5 Bytes JMP 013CBCA5
.text C:\Program Files\Mozilla Firefox\firefox.exe[684] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 013CBEB6
.text C:\Program Files\Mozilla Firefox\firefox.exe[684] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 013CB18E
.text C:\Program Files\Mozilla Firefox\firefox.exe[684] WS2_32.dll!recv 71AB676F 2 Bytes JMP 013CBD4B
.text C:\Program Files\Mozilla Firefox\firefox.exe[684] WS2_32.dll!recv + 3 71AB6772 2 Bytes [91, 8F]
.text C:\Program Files\Mozilla Firefox\firefox.exe[684] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 013CBDF5
.text C:\Program Files\Mozilla Firefox\firefox.exe[684] WS2_32.dll!WSAAsyncGetHostByName 71ABE99D 5 Bytes JMP 013CB5D2
.text C:\Program Files\Mozilla Firefox\firefox.exe[684] GDI32.dll!TextOutW 77F17EAC 5 Bytes JMP 013CC20B
.text C:\Program Files\Mozilla Firefox\firefox.exe[684] GDI32.dll!ExtTextOutW 77F18086 5 Bytes JMP 013CC745
.text C:\Program Files\Mozilla Firefox\firefox.exe[684] GDI32.dll!TextOutA 77F1BA4F 5 Bytes JMP 013CC13E
.text C:\Program Files\Mozilla Firefox\firefox.exe[684] GDI32.dll!ExtTextOutA 77F1D3FA 5 Bytes JMP 013CC660
.text C:\Program Files\Mozilla Firefox\firefox.exe[684] GDI32.dll!GetGlyphIndicesA 77F3DFE3 5 Bytes JMP 013CCAFC
.text C:\Program Files\Mozilla Firefox\firefox.exe[684] GDI32.dll!GetGlyphIndicesW 77F52604 5 Bytes JMP 013CCBC6
.text C:\Program Files\Mozilla Firefox\firefox.exe[684] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 013CB6AD
.text C:\Program Files\Mozilla Firefox\firefox.exe[684] USER32.dll!DrawTextExW 7E42B415 5 Bytes JMP 013CC578
.text C:\Program Files\Mozilla Firefox\firefox.exe[684] USER32.dll!DrawTextW 7E42D7E2 5 Bytes JMP 013CC3B4
.text C:\Program Files\Mozilla Firefox\firefox.exe[684] USER32.dll!SetClipboardData 7E430F9E 5 Bytes JMP 013CC02B
.text C:\Program Files\Mozilla Firefox\firefox.exe[684] USER32.dll!DrawTextA 7E43C702 5 Bytes JMP 013CC2D8
.text C:\Program Files\Mozilla Firefox\firefox.exe[684] USER32.dll!DrawTextExA 7E43C739 5 Bytes JMP 013CC490

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
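The "User code sections" block above lists inline hooks GMER found inside firefox.exe: five-byte JMP patches on WS2_32.dll!getaddrinfo, gethostbyname, send, recv and on several GDI32/USER32 text-drawing exports, all jumping into the same 013Cxxxx region. For a "search engine redirects" complaint, hooks on name resolution in the browser are the lines a responder looks at first. The triage helper below is an added example, not part of this thread and not GMER's own code: it parses lines of that shape, groups hooks per process and per category, flags processes whose name-resolution APIs are hooked, and counts how many hooks land in the same 64 KB address region (one shared region suggests a single hooking component). The API name sets and the region heuristic are the example's own choices; the sample input reuses the firefox.exe lines from the log above plus one constructed explorer.exe line with a made-up address. It cannot say whether a hook is malicious: security suites such as the CA product installed here hook exactly these APIs, so the output is a starting point for identifying the module that owns the target region, not a verdict.

```python
"""Triage helper for the "User code sections" block of a GMER log (added
example, not GMER's code). Parses inline-hook lines, groups them per process
and flags hooked name-resolution APIs, which are the ones that can change
where a browser's requests go. Legitimate security software hooks these too,
so the result is a lead, not a verdict."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# One GMER hook line, e.g.
# .text C:\...\firefox.exe[684] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 013CB24B
# Continuation lines look like "WS2_32.dll!recv + 3 ... [91, 8F]".
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+?)(?:\s\+\s(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+(?P<patch>.+?)\s*$"
)

# Example's own classification of Winsock exports (not a GMER concept).
NAME_RESOLUTION = {"getaddrinfo", "GetAddrInfoW", "gethostbyname",
                   "WSAAsyncGetHostByName", "DnsQuery_A", "DnsQuery_W"}
SOCKET_IO = {"send", "recv", "WSASend", "WSARecv", "connect", "WSAConnect",
             "closesocket"}


@dataclass
class Hook:
    image: str
    pid: int
    module: str
    func: str
    offset: int            # 0 for the hook line, >0 for a "+ n" continuation
    address: int
    size: int
    patch: str
    jmp_target: Optional[int]   # None when the patch is raw bytes, not a JMP

    @property
    def process(self) -> str:
        return f"{self.image.rsplit(chr(92), 1)[-1]}[{self.pid}]"

    @property
    def category(self) -> str:
        if self.func in NAME_RESOLUTION:
            return "name-resolution"
        if self.func in SOCKET_IO:
            return "socket-io"
        return "other"


def parse_hooks(text: str) -> list:
    """Return every hook line in a GMER log as a Hook; other lines are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        patch = m.group("patch")
        target = int(patch.split()[1], 16) if patch.startswith("JMP ") else None
        hooks.append(Hook(
            image=m.group("image"), pid=int(m.group("pid")),
            module=m.group("module"), func=m.group("func"),
            offset=int(m.group("offset") or 0),
            address=int(m.group("addr"), 16), size=int(m.group("size")),
            patch=patch, jmp_target=target))
    return hooks


def triage(text: str) -> dict:
    """Group hooks per process and category; flag hooked name resolution."""
    hooks = parse_hooks(text)
    by_process = defaultdict(lambda: defaultdict(list))
    regions = defaultdict(int)      # upper 16 bits of each JMP target
    for h in hooks:
        if h.offset:                # "recv + 3" is the tail of the recv hook
            continue
        by_process[h.process][h.category].append(f"{h.module}!{h.func}")
        if h.jmp_target is not None:
            regions[f"{h.jmp_target >> 16:04X}xxxx"] += 1
    flagged = sorted(p for p, cats in by_process.items()
                     if cats.get("name-resolution"))
    return {
        "hook_count": sum(1 for h in hooks if not h.offset),
        "by_process": {p: dict(c) for p, c in by_process.items()},
        "jmp_regions": dict(regions),
        "resolution_hooked": flagged,
    }


# Sample input: firefox.exe lines taken from the GMER log in this thread plus
# one constructed explorer.exe line (made-up PID and address) to show a
# process that only has a drawing hook.
SAMPLE = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[684] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 013CB24B
.text C:\Program Files\Mozilla Firefox\firefox.exe[684] WS2_32.dll!send 71AB4C27 5 Bytes JMP 013CBCA5
.text C:\Program Files\Mozilla Firefox\firefox.exe[684] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 013CB18E
.text C:\Program Files\Mozilla Firefox\firefox.exe[684] WS2_32.dll!recv 71AB676F 2 Bytes JMP 013CBD4B
.text C:\Program Files\Mozilla Firefox\firefox.exe[684] WS2_32.dll!recv + 3 71AB6772 2 Bytes [91, 8F]
.text C:\Program Files\Mozilla Firefox\firefox.exe[684] GDI32.dll!TextOutW 77F17EAC 5 Bytes JMP 013CC20B
.text C:\WINDOWS\explorer.exe[1240] USER32.dll!DrawTextW 7E42D7E2 5 Bytes JMP 00C1A010

---- Devices - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

Run against a full GMER log, the report shows which processes have resolution hooks and whether the JMP targets cluster; the analyst's next step is to map that region to a loaded module (a security product's DLL, an injected component, or the process image itself), which the log alone does not reveal.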

#4 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 29 April 2011 - 09:35 PM

chiefs13:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please include the following in your next post:
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#5 chiefs13
  • Topic Starter
  • Members
  • 8 posts

Posted 30 April 2011 - 01:56 PM

I went to run Combofix and it said "Combofix cannot run when CA Anti-Virus is installed. It would be dangerous to continue. Please un-install CA Anti-Virus."
I turned my antivirus off like you said, but it tells me I have to completely un-install. I turned CA off two different ways: first I snoozed it, and when that didn't work, I killed the task. Neither attempt worked. What now?
Steve

#6 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 30 April 2011 - 08:29 PM

Steve,

I'm afraid you will have to uninstall CA, shutting it off isn't sufficient. You may reinstall it as soon as we finish.



#7 chiefs13
  • Topic Starter
  • Members
  • 8 posts

Posted 01 May 2011 - 03:32 PM

Ok, here is the Combofix log:

ComboFix 11-04-29.04 - Owner 05/01/2011 15:22:50.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3574.2882 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\WINDOWS
C:\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2011-04-01 to 2011-05-01 )))))))))))))))))))))))))))))))
.
.
2011-04-21 22:22 . 2011-04-21 22:22 -------- d-----w- c:\program files\Common Files\Java
2011-04-21 22:22 . 2011-02-03 02:40 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-04-21 22:22 . 2011-02-03 02:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-21 18:15 . 2011-04-21 18:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2011-04-21 18:15 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-21 18:15 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-21 17:35 . 2011-04-21 17:35 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-21 14:18 . 2011-04-21 14:18 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-04-21 14:17 . 2011-04-21 14:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-21 14:17 . 2011-04-21 18:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-14 08:39 . 2011-04-14 08:39 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-04-14 08:39 . 2011-04-14 08:39 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-21 20:19 . 2011-03-01 18:07 95568 ----a-w- c:\windows\system32\vetredir.dll
2011-04-21 20:19 . 2011-03-01 18:07 128336 ----a-w- c:\windows\system32\isafeif.dll
2011-03-12 18:55 . 2011-03-01 18:07 95568 ----a-w- c:\windows\system32\vetredir(2).dll
2011-03-12 18:55 . 2011-03-01 18:07 128336 ----a-w- c:\windows\system32\isafeif(2).dll
2011-03-07 05:33 . 2008-06-20 17:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2004-08-04 10:00 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 10:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 19:00 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 19:00 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 19:00 . 2004-08-04 10:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-02-17 19:00 . 2004-08-04 10:00 17408 ------w- c:\windows\system32\corpol.dll
2011-02-17 13:18 . 2004-08-04 10:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-04 10:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-04-18 05:16 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-17 11:44 . 2004-08-04 10:00 389120 ----a-w- c:\windows\system32\html.iec
2011-02-15 12:56 . 2004-08-04 10:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2004-08-04 10:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 10:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2004-08-04 10:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-03 00:19 . 2009-04-18 05:59 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58 . 2008-06-20 17:48 2067456 ----a-w- c:\windows\system32\mstscax.dll
2010-04-23 23:05 . 2010-04-23 23:06 774144 ----a-w- c:\program files\RngInterstitial.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-10-11 22:12 1244040 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-10-11 1244040]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-10-11 1244040]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2009-01-30 1347584]
"EasyTether"="c:\program files\Mobile Stream\EasyTether\easytthr.exe" [2010-06-21 41984]
"Performance Center"="c:\program files\Ascentive\Performance Center\ApcMain.exe" [2010-07-12 532480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"P17Helper"="SPIRun.dll" [2006-07-03 10752]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"EPSON Stylus Photo RX500"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE" [2003-06-01 99840]
"NapsterShell"="c:\program files\Napster\napster.exe" [2009-03-10 323216]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"CoreADManager"="c:\windows\diskperfm.exe" [2009-07-14 749568]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-23 202256]
"OLPSYNCH"="c:\program files\Offline Course Player\OlpSynch.exe" [2009-08-21 42288]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"ActiveSpeed"="c:\program files\Ascentive\ActiveSpeed\AS.exe" [2010-07-19 1785856]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Folding@home.lnk - c:\documents and settings\Owner\Application Data\Microsoft\Installer\{87C85D28-0633-453D-8D29-98C3A1043F6C}\_40568C262FE03EB186D64D.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2009-03-27 22:27 79368 ----a-w- c:\windows\system32\UmxWNP.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 10:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-10-14 19:46 77824 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-10-14 19:46 77824 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-10-14 19:50 114688 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-10-14 19:49 94208 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2005-10-14 19:50 114688 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 19:42 1404928 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiMalware]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Slacker\\Software Player\\slacker.player.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/5/2009 3:59 PM 24652]
R3 easytether;easytether;c:\windows\system32\drivers\easytthr.sys [7/5/2010 1:15 PM 10496]
S0 KmxAMRT;KmxAMRT;c:\windows\system32\drivers\KmxAMRT.sys [9/17/2010 1:21 PM 135248]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S3 KmxAMVet;KmxAMVet;c:\windows\system32\drivers\KmxAMVet.sys [3/27/2009 5:27 PM 598656]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [3/20/2009 7:03 PM 32408]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1390067357-1965331169-725345543-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-28 16:33]
.
2011-05-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1390067357-1965331169-725345543-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-28 16:33]
.
2011-05-01 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1390067357-1965331169-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
2011-04-29 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1390067357-1965331169-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
2011-05-01 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-10-11 22:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://pingtest.net/
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\9dz5ktqr.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.iwon.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: United States English Spellchecker: en-US@dictionaries.addons.mozilla.org - %profile%\extensions\en-US@dictionaries.addons.mozilla.org
FF - Ext: RedShift V3.6: redshift_V2@shift-themes.com - %profile%\extensions\redshift_V2@shift-themes.com
FF - Ext: Social Mini Toolbar powered by Ask.com: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Adobe DLM (powered by getPlus®): {CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7} - %profile%\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}
FF - Ext: Gradient iCool: {de5809e0-2b07-11dd-bd0b-0800200c9a66} - %profile%\extensions\{de5809e0-2b07-11dd-bd0b-0800200c9a66}
FF - Ext: eBay Sidebar for Firefox: {62760FD6-B943-48C9-AB09-F99C6FE96088} - %profile%\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Download status: {9fb8c270-7124-11dd-ad8b-0800200c9a66} - %profile%\extensions\{9fb8c270-7124-11dd-ad8b-0800200c9a66}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
HKCU-Run-Aim6 - (no file)
HKLM-Run-x3watch - c:\program files\X3watch\x3watch.exe
HKLM-Run-CAPPActiveProtection - c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
AddRemove-Google Chrome - c:\documents and settings\Owner\Local Settings\Application Data\Google\Chrome\Application\8.0.552.237\Installer\setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-01 15:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
P17Helper = Rundll32 SPIRun.dll,RunDLLEntry?
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(856)
c:\windows\system32\UmxWnp.Dll
.
Completion time: 2011-05-01 15:29:14
ComboFix-quarantined-files.txt 2011-05-01 20:29
.
Pre-Run: 34,383,912,960 bytes free
Post-Run: 36,247,465,984 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 75FE7229C85AB1F2EF6E9B5A3AD09C47

#8 RPMcMurphy
  • Malware Response Team
  • 3,970 posts

Posted 01 May 2011 - 04:16 PM

Hi,

Are you still experiencing search redirects? If so, do you use a router? If so, please tell me the make & model (e.g. Linksys WRT54G).

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member

The help you receive here is free. If you wish to show your appreciation, then you may donate.
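The router question above is the usual next check when redirects outlive a clean scan: a router whose DNS settings have been changed sends every machine behind it to the wrong resolver, and nothing on the PC shows up in an MBAM or TDSSKiller scan. As an added example, not a tool from this thread, from BleepingComputer or from any helper, here is a Python script that reads the resolvers out of `ipconfig /all` output and flags any that are not on the list you expect (normally just the router's own address, or the ISP's resolvers). The embedded sample output, the host name and all addresses in it are constructed; on Windows the script reads the live configuration instead.

```python
import ipaddress
import re
import subprocess
import sys

# Constructed `ipconfig /all` excerpt (not from this thread's logs). The host
# name and addresses are placeholders; the second DNS server is deliberately
# one that the owner never configured.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : OWNER-PC

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.7
"""

_DNS_RE = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S+)\s*$")
_CONT_RE = re.compile(r"^\s+(\S+)\s*$")   # extra servers are listed one per indented line


def parse_dns_servers(text):
    """Return every DNS server listed in ipconfig /all output, across all adapters."""
    servers = []
    in_dns = False
    for line in text.splitlines():
        m = _DNS_RE.match(line)
        if m:
            servers.append(m.group(1))
            in_dns = True
            continue
        c = _CONT_RE.match(line) if in_dns else None
        if c:
            servers.append(c.group(1))
        else:
            in_dns = False
    return servers


def unexpected_resolvers(servers, expected):
    """Servers that are not in the expected list (addresses are normalised first)."""
    allowed = {ipaddress.ip_address(e) for e in expected}
    flagged = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s.split("%")[0])  # drop an IPv6 zone index
        except ValueError:
            flagged.append(s)  # not an address at all: worth a look
            continue
        if addr not in allowed:
            flagged.append(s)
    return flagged


def check(text, expected):
    """Parse the output, compare against the expected list, return (servers, flagged)."""
    servers = parse_dns_servers(text)
    return servers, unexpected_resolvers(servers, expected)


if __name__ == "__main__":
    # On Windows read the real configuration; elsewhere fall back to the sample.
    if sys.platform == "win32":
        text = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_IPCONFIG
    servers, flagged = check(text, expected=["192.168.1.1"])  # assumed: the router's address
    print("resolvers:", servers)
    print("unexpected:", flagged or "none")
```

One caveat the script cannot cover: when the only resolver listed is the router itself, a hijacked router looks exactly the same from the PC, because the change sits in the router's upstream DNS settings. That is why the helper asks for the make and model; the upstream resolvers have to be read from the router's own admin page.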


#9 chiefs13 (Topic Starter)
  • Members
  • 8 posts

Posted 01 May 2011 - 04:56 PM

Hello,
I haven't had any redirects again.

#10 RPMcMurphy
  • Malware Response Team
  • 3,970 posts

Posted 01 May 2011 - 05:13 PM

chiefs13:

Great! Do this next, please:

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please run ESET Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes, copy and paste the results into your next reply.
Please include the following in your next post:
  • MBAM log
  • ESET log



#11 chiefs13 (Topic Starter)
  • Members
  • 8 posts

Posted 01 May 2011 - 07:07 PM

ESET didn't give me an option for a log, but there were no infections found.
Nothing was found with MBAM either; the log is below:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6485

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

5/1/2011 5:31:28 PM
mbam-log-2011-05-01 (17-31-28).txt

Scan type: Quick scan
Objects scanned: 149936
Time elapsed: 2 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
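The MBAM log above has a fixed layout: a few metadata lines, one "<category> Infected: N" counter per category, then one detail section per category that lists either the items found or "(No malicious items detected)". As an added example, not code from this thread or from Malwarebytes, here is a small Python parser for that layout. It returns the counters and the listed items, reports whether the scan was clean, cross-checks each counter against the number of items listed under it (a quick sanity check on a pasted log), and applies the instruction given earlier in the thread to set aside entries under C:\System Volume Information or C:\Qoobox. The embedded log is constructed so that there is something to flag: the registry key, the detection name and the file path in it are placeholders, not real indicators.

```python
import re

# Constructed MBAM 1.50-style log in the layout of the thread's log. The
# registry key, detection name and file path are placeholders, not real IoCs.
SAMPLE_MBAM_LOG = """\
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6485

Scan type: Quick scan
Objects scanned: 149936
Time elapsed: 2 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Example\\Constructed (Trojan.Example) -> Quarantined and deleted successfully.

Files Infected:
c:\\Qoobox\\Quarantine\\C\\constructed.exe.vir (Trojan.Example) -> No action taken.
"""

_META_RE = re.compile(r"^(Database version|Scan type|Objects scanned|Time elapsed): (.+)$")
_COUNT_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
_HEADER_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
NO_ITEMS = "(No malicious items detected)"

# Paths the helper told the user to leave unchecked: ComboFix's quarantine and
# the System Restore store hold copies that are already out of the way.
EXCLUDED_PREFIXES = ("c:\\system volume information", "c:\\qoobox")


def parse_mbam_log(text):
    """Split an MBAM log into metadata, per-category counters and listed items."""
    meta, counts, items = {}, {}, {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None          # a blank line ends a detail section
            continue
        m = _META_RE.match(line)
        if m:
            meta[m.group(1)] = m.group(2)
            continue
        m = _COUNT_RE.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
            continue
        m = _HEADER_RE.match(line)
        if m:
            section = m.group(1)
            items.setdefault(section, [])
            continue
        if section is not None and line != NO_ITEMS:
            items[section].append(line)
    return {"meta": meta, "counts": counts, "items": items}


def is_clean(report):
    """True when every counter is zero and no category lists an item."""
    return (all(n == 0 for n in report["counts"].values())
            and not any(report["items"].values()))


def count_mismatches(report):
    """Categories whose counter disagrees with the number of items listed under it."""
    out = []
    for name, n in report["counts"].items():
        listed = len(report["items"].get(name, []))
        if listed != n:
            out.append((name, n, listed))
    return out


def actionable_items(report, excluded=EXCLUDED_PREFIXES):
    """Listed items minus those under the paths the helper said to leave unchecked."""
    keep = []
    for name, lines in report["items"].items():
        for line in lines:
            if not line.lower().startswith(excluded):
                keep.append((name, line))
    return keep
```

Run against the thread's own log (all counters zero, every section reporting no items) `is_clean` returns True and `count_mismatches` is empty; on the constructed sample the quarantine entry under C:\Qoobox is dropped from `actionable_items` and only the registry key remains.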

#12 RPMcMurphy
  • Malware Response Team
  • 3,970 posts

Posted 01 May 2011 - 07:31 PM

chiefs13:

Your logs look good! Now I have another update and some very important cleanup for you to take care of:

Your Adobe Reader needs to be updated. Please visit Adobe's site and grab the newest version. Be sure to watch for and uncheck any boxes offering to install other software.

Uninstall ComboFix
  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall

Delete the following tools along with any other logs you saved from our work:
  • DDS
  • GMER
Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.
Re-install your antivirus program.

Finally, I'd like to make a couple of suggestions to help you stay clean in the future:
  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
  • Please read this post for some helpful information.
Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!



#13 chiefs13 (Topic Starter)
  • Members
  • 8 posts

Posted 01 May 2011 - 08:57 PM

Thanks so much! I'm so glad to be clean of this crap. I've been dealing with it for a couple of months, basically ignoring it, but when I got the rogue antivirus junk it pushed me into action.

Since obviously CA didn't protect me, could you suggest any products that I could get to protect myself from here on out? I'm always as safe as can be: I don't download things from strangers, no porn sites, etc. I want a product (or products) that will keep me safe and off these boards, lol.

Thanks again, and I will donate,
Steve

#14 RPMcMurphy
  • Malware Response Team
  • 3,970 posts

Posted 01 May 2011 - 09:12 PM

Steve,

You're very welcome. I prefer not to recommend any one AV product over the other, because none of them stop everything. Also, every system is a little different and some will run better than others. Check out this site for some good, objective information about the different products. Most of them offer free trials, so feel free to test a few out and settle on whichever felt best on your system. Just be sure to not have more than one installed at a time. The PRO version of MBAM may not be a bad idea either. It runs well with most of the AV programs.

Take care.



#15 RPMcMurphy
  • Malware Response Team
  • 3,970 posts

Posted 06 May 2011 - 07:44 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





