
Google Search Redirects to Ads


  • This topic is locked
3 replies to this topic

#1 gmtaylor3


  • Members
  • 1 posts
  • OFFLINE
  • Local time:01:27 AM

Posted 30 July 2011 - 08:28 AM

My search engines automatically redirect to advertising web sites when I do a Google search. I have used Malwarebytes and Norton Endpoint Protection. Malwarebytes always finds Trojan viruses, which it claims to remove, and Norton finds Bloodhound.MalPE, but after a few searches the redirects return. I am new to this forum, but is this the right place to ask for help?

DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Gtaylor at 11:52:56 on 2011-07-30
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3036.2248 [GMT -5:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\WINDOWS\system32\iassam32.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\system32\atiadlxx32.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Nuance\PDF Professional 7\PDFProFiltSrv.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\rserver30\RServer3.exe
C:\Program Files\ScriptLogic\Desktop Authority\Client Files\8.10.255\SLClient.exe
c:\windows\system32\slinstall.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe
C:\Program Files\VMware\VMware View\Client\bin\wsnm_usbctrl.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\ScriptLogic\Desktop Authority\Client Files\8.10.255\CBM\ScriptLogic.CBM.Agent.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\rserver30\FamItrfc.Exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Logs\LogAgent.exe
C:\WINDOWS\System32\accelerometerST.exe
C:\Program Files\Hummingbird\DM Extensions\papihost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\eCopy\Desktop 9.0\Bin\eDP2eD.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ScriptLogic\Desktop Authority\Client Files\8.10.255\CBM\ScriptLogic.CBM.UserExperience.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://intranet
uDefault_Page_URL = hxxp://intranet
BHO: {14de8db8-a3a2-46ac-8838-592e28516a33} - c:\windows\system32\atiadlxx32.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: PlusIEEventHelper Class: {551a852f-39a6-44a7-9c13-afbec9185a9d} - c:\program files\nuance\pdf professional 7\bin\PlusIEContextMenu.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: ZeonIEEventHelper Class: {da986d7d-ccaf-47b2-84fe-bfa1549bebf9} - c:\program files\nuance\pdf professional 7\bin\ZeonIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Hummingbird DM: {83e8bf99-f3c0-4475-b453-9f9e8e4548c3} - c:\program files\hummingbird\dm extensions\DOCSShlToolBar.dll
TB: Nuance PDF: {e3286bf1-e654-42ff-b4a6-5e111731df6b} - c:\program files\nuance\pdf professional 7\bin\ZeonIEFavClient.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EPSON Artisan 50 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiffa.exe /fu "c:\windows\temp\E_S121.tmp" /EF "HKCU"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [PwD_LogAgent] c:\logs\logagent.exe /39 /path=c:\Logs
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [AccelerometerSysTrayApplet] c:\windows\system32\accelerometerST.exe
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PowerDOCSAPIHost] "c:\program files\hummingbird\dm extensions\papihost.exe"
mRun: [DMAutoUpdate] "c:\program files\hummingbird\dm extensions\dmautoupdate\AutoUpdates.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [eCopy Scan Inbox Monitor] "c:\program files\ecopy\desktop 9.0\bin\InboxMonitor.exe" -run
mRun: [eDP2eD] "c:\program files\ecopy\desktop 9.0\bin\eDP2eD.exe"
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [DesktopAuthority User Experience] "c:\program files\scriptlogic\desktop authority\client files\8.10.255\cbm\ScriptLogic.CBM.UserExperience.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-system: HideLogonScripts = 0 (0x0)
uPolicies-system: HideLegacyLogonScripts = 1 (0x1)
mPolicies-system: HideLogonScripts = 0 (0x0)
mPolicies-system: MaxGPOScriptWait = 3600 (0xe10)
IE: Append the content of the link to existing PDF file - c:\program files\nuance\pdf professional 7\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Append the content of the selected links to existing PDF file - c:\program files\nuance\pdf professional 7\bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
IE: Append to existing PDF file - c:\program files\nuance\pdf professional 7\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Create PDF file - c:\program files\nuance\pdf professional 7\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF file from the content of the link - c:\program files\nuance\pdf professional 7\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF files from the selected links - c:\program files\nuance\pdf professional 7\bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Open with PDF Professional 7 - c:\program files\nuance\pdf professional 7\bin\PlusIEContextMenu.dll/PlusIEContextMenu.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {44C7F862-906C-11D3-A8ED-0008C75B3588} - hxxp://bhm-dm1/cyberdocs/DMExtensions/papibrdg.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1268415150600
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1310485597312
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} - hxxp://bhm-dm1/cyberdocs/DMExtensions/deployment/setup.exe
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://remote.burr.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
TCP: Interfaces\{81909352-DD70-4751-A93E-656D05822381} : DhcpNameServer = 10.10.50.30 10.10.55.150
TCP: Interfaces\{E7E2EEAC-6000-448E-BE36-77CCE6B8FD0A} : DhcpNameServer = 192.168.2.1 192.168.2.1
Handler: PCDOCS - {EDC110E5-4CFB-4FEE-813A-BF796297030E} - c:\program files\hummingbird\dm extensions\pwdmoniker.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Quick View Plus - ShellExecute Hook: {0cab0400-7395-11d0-a5e5-0020afe2fdd9} - qvphook.dll
mASetup: >>Workshare Professional - c:\program files\workshare\modules\WmConfigAssistant.exe /userinit
mASetup: >>Workshare Protect Client - c:\program files\workshare\modules\Workshare.Protect.UserInit.exe
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\gtaylor\application data\mozilla\firefox\profiles\o1m4sq3w.default\
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2010-1-19 24064]
R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [2009-10-9 46304]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-12-16 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-12-16 108392]
R2 CryptSvc32;Cryptographic Services ;c:\windows\system32\iassam32.exe [2011-7-27 549888]
R2 PDFProFiltSrv;PDFProFiltSrv;c:\program files\nuance\pdf professional 7\PDFProFiltSrv.exe [2010-9-20 134944]
R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [2009-10-9 1242504]
R2 ScriptLogic CBM Service;ScriptLogic CBM Service;c:\program files\scriptlogic\desktop authority\client files\8.10.255\cbm\ScriptLogic.CBM.Agent.exe [2010-11-7 427008]
R2 SLClient;ScriptLogic Service;c:\program files\scriptlogic\desktop authority\client files\8.10.255\SLClient.exe [2010-11-7 557920]
R2 SLInstall;Desktop Authority Client Provisioning Service;c:\windows\system32\slinstall.exe [2011-7-12 557920]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-12-16 1831024]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2010-1-19 2058776]
R2 wsnm;VMware View Client;c:\program files\vmware\vmware view\client\bin\wsnm.exe [2011-2-18 494192]
R2 wsnm_usbctrl;VMware View USB Control;c:\program files\vmware\vmware view\client\bin\wsnm_usbctrl.exe [2011-2-18 793200]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2010-1-19 240344]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-27 105592]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-7-23 44800]
R3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [2009-10-9 3328]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110729.048\NAVENG.SYS [2011-7-30 86008]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110729.048\NAVEX15.SYS [2011-7-30 1542392]
R3 pneteth;PdaNet Broadband;c:\windows\system32\drivers\pneteth.sys [2011-7-19 13312]
R3 ProxyHostInputFilter;PROXY Pro Host Input Filter;c:\windows\system32\drivers\ph32ifil.sys [2011-5-25 15312]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2010-1-19 49152]
R3 vmwvusb;VMware View Generic USB Driver;c:\windows\system32\drivers\vmwvusb.sys [2011-7-12 39984]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2008-6-12 477696]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2010-12-16 23888]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-7-28 41272]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2008-6-12 1164536]
S4 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2010-1-19 228408]
S4 USBDLM;USBDLM;c:\program files\usbdlm\USBDLM.exe [2010-1-22 226816]
.
=============== Created Last 30 ================
.
2011-07-30 14:35:59 -------- d-s---w- C:\ComboFix
2011-07-30 13:12:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-07-30 13:12:21 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2011-07-30 01:38:55 -------- d-----w- c:\program files\common files\xing shared
2011-07-29 21:35:42 -------- d-----w- c:\documents and settings\gtaylor\local settings\application data\Apple Computer
2011-07-29 21:34:34 -------- d-----w- c:\documents and settings\gtaylor\local settings\application data\Apple
2011-07-29 03:21:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-07-29 03:21:02 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-29 01:59:48 -------- d-----w- c:\documents and settings\gtaylor\application data\Malwarebytes
2011-07-29 01:59:39 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-29 01:59:38 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-07-29 01:59:35 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-29 01:59:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-29 01:33:44 0 ---ha-w- c:\documents and settings\gtaylor\otetgjfsad.tmp
2011-07-28 02:49:45 549888 ----a-w- c:\windows\system32\iassam32.exe
2011-07-28 02:49:45 549888 ----a-w- c:\windows\system32\atiadlxx32.exe
2011-07-28 02:49:44 345600 ----a-w- c:\windows\system32\atiadlxx32.dll
2011-07-27 01:01:57 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2011-07-27 01:01:57 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2011-07-27 01:01:57 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2011-07-27 01:01:57 8192 ----a-w- c:\windows\system32\kbdkor.dll
2011-07-27 01:01:57 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2011-07-27 01:01:57 6144 ----a-w- c:\windows\system32\kbd101c.dll
2011-07-27 01:01:57 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2011-07-27 01:01:57 5632 ----a-w- c:\windows\system32\kbd103.dll
2011-07-27 01:01:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2011-07-27 01:01:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
2011-07-27 01:01:54 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2011-07-27 01:01:54 6144 ----a-w- c:\windows\system32\kbd106.dll
2011-07-27 00:11:50 -------- d-----w- c:\windows\pss
2011-07-23 14:13:23 77824 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ctor.dll
2011-07-23 14:13:23 614532 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\IKernel.exe
2011-07-23 14:13:23 32768 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\objectps.dll
2011-07-23 14:13:23 225280 ----a-w- c:\program files\common files\installshield\iscript\iscript.dll
2011-07-23 14:13:23 176128 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\iuser.dll
2011-07-23 14:12:43 -------- d-----w- c:\documents and settings\all users\application data\UDL
2011-07-23 14:11:09 -------- d-----w- c:\program files\epson
2011-07-23 14:09:47 -------- d-----w- c:\program files\Epson Software
2011-07-23 14:09:16 80024 ----a-w- c:\windows\system32\PICSDK.dll
2011-07-23 14:09:16 51360 ----a-w- c:\windows\system32\EpPicPrt.dll
2011-07-23 14:09:16 501912 ----a-w- c:\windows\system32\PICSDK2.dll
2011-07-23 14:09:16 108704 ----a-w- c:\windows\system32\PICEntry.dll
2011-07-23 14:09:15 51360 ----a-w- c:\windows\system32\EpPicMgr.dll
2011-07-23 13:47:42 -------- d-----w- c:\documents and settings\gtaylor\application data\Dropbox
2011-07-19 19:16:52 -------- d-----w- c:\documents and settings\gtaylor\local settings\application data\Spotify
2011-07-19 19:16:52 -------- d-----w- c:\documents and settings\gtaylor\application data\Spotify
2011-07-19 19:16:50 -------- d-----w- c:\program files\Spotify
2011-07-19 19:12:33 -------- d-----w- C:\767ae15e93eb77091a0ba7644b6813
2011-07-19 19:11:36 581192 ----a-w- c:\windows\system32\WinUSBCoInstaller.dll
2011-07-19 19:11:36 13312 ----a-w- c:\windows\system32\drivers\pneteth.sys
2011-07-19 19:11:35 -------- d-----w- c:\program files\PdaNet for Android
2011-07-15 03:41:33 -------- d-----w- c:\documents and settings\all users\application data\EPSON
2011-07-15 03:41:25 86528 ----a-w- c:\windows\system32\E_FLBFFA.DLL
2011-07-15 03:41:25 78848 ----a-w- c:\windows\system32\E_FD4BFFA.DLL
2011-07-15 03:39:00 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2011-07-15 03:39:00 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2011-07-14 21:59:09 -------- d-----w- c:\program files\Proxy Networks
2011-07-14 21:59:04 -------- d-----w- c:\program files\common files\Funk Software
2011-07-14 21:46:24 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-07-14 21:46:24 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-14 21:11:38 -------- d-----w- c:\program files\Deal Proof
2011-07-14 20:52:51 -------- d-----w- c:\program files\common files\Juniper Networks
2011-07-14 13:27:29 -------- d-----w- c:\windows\system32\CCM
2011-07-14 13:27:08 -------- d-----w- c:\windows\system32\ccmsetup
2011-07-13 18:57:15 -------- d-----w- c:\program files\common files\AnswerWorks 5.0
2011-07-13 18:56:41 -------- d-----w- c:\documents and settings\gtaylor\application data\Intuit
2011-07-13 18:56:15 -------- d-----w- c:\program files\common files\Intuit
2011-07-13 18:56:05 -------- d-----w- c:\program files\Quicken
2011-07-13 18:55:32 -------- d-----w- c:\documents and settings\all users\application data\Intuit
2011-07-13 12:58:49 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\09\00\intel32\ctor.dll
2011-07-13 12:58:49 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\09\00\intel32\iscript.dll
2011-07-13 12:58:49 192512 ----a-w- c:\program files\common files\installshield\professional\runtime\09\00\intel32\iuser.dll
2011-07-13 12:58:48 724992 ----a-w- c:\program files\common files\installshield\professional\runtime\09\00\intel32\iKernel.dll
2011-07-13 12:58:48 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\09\00\intel32\DotNetInstaller.exe
2011-07-13 12:58:47 311428 ----a-w- c:\program files\common files\installshield\professional\runtime\09\00\intel32\Setup.dll
2011-07-13 12:58:47 184452 ----a-w- c:\program files\common files\installshield\professional\runtime\09\00\intel32\iGdi.dll
2011-07-13 02:04:20 406896 ----a-w- c:\windows\system32\dsNcSmartCardProv.dll
2011-07-13 01:46:34 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-13 00:29:58 -------- d-----w- c:\documents and settings\gtaylor\local settings\application data\ATI
2011-07-13 00:24:04 -------- d-----w- c:\program files\ATI Technologies
2011-07-13 00:24:01 -------- d-----w- c:\program files\ATI
2011-07-12 22:38:52 72192 ----a-w- c:\windows\system32\IMG32MMB.DLL
2011-07-12 22:38:52 27648 ----a-w- c:\windows\system32\IMG32MM.DLL
2011-07-12 22:38:38 -------- d-----w- c:\documents and settings\gtaylor\application data\Nortel
2011-07-12 22:12:58 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2011-07-12 22:12:58 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-07-12 20:31:20 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2011-07-12 17:52:53 -------- d-----w- c:\documents and settings\gtaylor\application data\Xerox
2011-07-12 17:43:18 -------- d-----w- c:\documents and settings\gtaylor\application data\Zeon
2011-07-12 17:41:14 -------- d-sh--w- c:\documents and settings\gtaylor\IETldCache
2011-07-12 17:41:09 -------- d-----w- c:\documents and settings\gtaylor\local settings\application data\Symantec
2011-07-12 17:04:47 -------- d-----w- c:\windows\SxsCaPendDel
2011-07-12 16:37:56 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
2011-07-12 16:37:41 -------- d-----w- c:\windows\ie8updates
2011-07-12 16:37:35 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-07-12 16:37:35 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-07-12 16:37:34 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-07-12 16:35:56 -------- dc-h--w- c:\windows\ie8
2011-07-12 15:59:33 39984 ----a-r- c:\windows\system32\drivers\vmwvusb.sys
2011-07-12 15:59:21 -------- d-----w- c:\program files\common files\VMware
2011-07-12 15:59:17 -------- d-----w- c:\program files\VMware
2011-07-12 15:39:38 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-07-12 15:39:37 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-07-12 15:39:24 503808 ----a-w- c:\windows\system32\MSVCP71.DL1
2011-07-12 15:39:24 348160 ----a-w- c:\windows\system32\MSVCR71.DL1
2011-07-12 15:39:13 -------- d-----w- c:\program files\Symantec
2011-07-12 15:39:13 -------- d-----w- c:\program files\common files\Symantec Shared
2011-07-12 15:39:13 -------- d-----w- c:\documents and settings\all users\application data\Symantec
2011-07-12 15:37:01 -------- d-----w- c:\documents and settings\all users\application data\Nuance
2011-07-12 15:36:57 -------- d-----w- c:\windows\PIXTRAN
2011-07-12 15:35:51 -------- d-----w- c:\documents and settings\all users\application data\zeon
2011-07-12 15:35:47 -------- d-----w- c:\program files\common files\ScanSoft Shared
2011-07-12 15:35:25 -------- d-----w- c:\program files\Nuance
2011-07-12 15:33:02 163840 ----a-w- c:\windows\system32\slMapiEx.dll
2011-07-12 15:33:00 955744 ----a-w- c:\windows\system32\alttiff.ocx
2011-07-12 15:32:54 535 ----a-w- c:\windows\system32\admin.bat
2011-07-12 15:32:53 -------- d-----w- C:\Software
2011-07-12 15:32:53 -------- d-----w- c:\program files\Foxit PDF Reader
2011-07-12 15:32:48 47 ----a-w- c:\windows\system32\grouppolicy\user\scripts\logoff\SLlogoffScript.cmd
2011-07-12 15:32:36 -------- d-----w- c:\windows\system32\GroupPolicy
2011-07-12 15:32:36 -------- d-----w- c:\program files\ScriptLogic
2011-07-12 15:32:24 557920 ----a-w- c:\windows\system32\slinstall.exe
2011-07-12 15:32:22 -------- d-----w- C:\ScriptLogic
.
==================== Find3M ====================
.
2011-07-23 14:47:38 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-07-13 00:25:19 0 ----a-w- c:\windows\ativpsrm.bin
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-25 20:07:16 29520 ----a-w- c:\windows\system32\phpqrz0009.dll
2011-05-25 20:06:48 24400 ----a-w- c:\windows\system32\drivers\ph32isys.sys
2011-05-25 20:06:46 13008 ----a-w- c:\windows\system32\drivers\ph32imin.sys
2011-05-25 20:06:42 15312 ----a-w- c:\windows\system32\drivers\ph32ifil.sys
2011-05-25 20:05:32 91472 ----a-w- c:\windows\system32\phpmonnt.dll
2011-05-25 20:05:28 12368 ----a-w- c:\windows\system32\ph32ildr.dll
2011-05-25 20:05:26 71248 ----a-w- c:\windows\system32\ph32idfd.dll
2011-05-25 20:05:26 70864 ----a-w- c:\windows\system32\ph32idsp.dll
2011-05-25 19:17:18 503808 ----a-w- c:\windows\system32\msvcp71.dll



HERE'S THE GMER REPORT:


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-07-30 13:10:05
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Hitachi_HTS725032A9A364 rev.PC3OC70E
Running: gmer.exe; Driver: C:\DOCUME~1\gtaylor\LOCALS~1\Temp\kfdorfow.sys


---- System - GMER 1.0.15 ----

SSDT 8AD08928 ZwAlertResumeThread
SSDT 8AB5D7B8 ZwAlertThread
SSDT 8A339D98 ZwAllocateVirtualMemory
SSDT 8A32B770 ZwCreateMutant
SSDT 8A9E6FB0 ZwCreateThread
SSDT 8A3D11C0 ZwFreeVirtualMemory
SSDT 8AB409F8 ZwImpersonateAnonymousToken
SSDT 8ACB5558 ZwImpersonateThread
SSDT 8AB3E7B0 ZwMapViewOfSection
SSDT 8AB24520 ZwOpenEvent
SSDT 8A9DF288 ZwOpenProcessToken
SSDT 8A3B2D98 ZwOpenThreadToken
SSDT 8A95DDD0 ZwResumeThread
SSDT 8ABC6B70 ZwSetContextThread
SSDT 8A904D98 ZwSetInformationProcess
SSDT 8A90E9A8 ZwSetInformationThread
SSDT 8ABACE38 ZwSuspendProcess
SSDT 8ABD0708 ZwSuspendThread
SSDT 8AB2B9E0 ZwTerminateProcess
SSDT 8AB618D8 ZwTerminateThread
SSDT 8A95DC58 ZwUnmapViewOfSection
SSDT 8A356D98 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

? isrujmcn.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB9891000, 0x2326C7, 0xE8000020]
? C:\DOCUME~1\gtaylor\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Real\RealPlayer\update\realsched.exe[1272] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3424] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 1068F0D7 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3424] USER32.dll!SetWindowLongW 7E42C2BB 5 Bytes JMP 1068F069 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3424] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 104A56CB C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3424] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 104A5CE7 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4004] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00401410 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\rserver30\RServer3.exe[1920] @ C:\WINDOWS\system32\user32.dll [ntdll.dll!NtQueryValueKey] [01401030] C:\WINDOWS\system32\rserver30\RServer3.exe (Radmin Server/Famatech Corp.)
IAT C:\WINDOWS\system32\rserver30\RServer3.exe[1920] @ C:\WINDOWS\system32\GDI32.dll [ntdll.dll!NtQueryValueKey] [01401030] C:\WINDOWS\system32\rserver30\RServer3.exe (Radmin Server/Famatech Corp.)
IAT C:\WINDOWS\system32\rserver30\RServer3.exe[1920] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!NtQueryValueKey] [01401030] C:\WINDOWS\system32\rserver30\RServer3.exe (Radmin Server/Famatech Corp.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device \Driver\NAVEX15 \Device\NAVEX15 ABEBFE1E
Device \Driver\NAVENG \Device\NAVENG ABE84652

---- Threads - GMER 1.0.15 ----

Thread System [4:516] B0A34172

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----

Edited by gmtaylor3, 30 July 2011 - 01:08 PM.



#2 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:27 AM

Posted 07 August 2011 - 10:56 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything else while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest, then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


"just click on Cancel, then Accept".

Information and logs:

  • In your next post I need the following

  • logs from DDS
  • log from RKUnHooker
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr

Posted 10 August 2011 - 01:35 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48 hrs you have not replied to this thread then it will have to be closed!

Gringo

#4 gringo_pr

Posted 13 August 2011 - 04:33 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
