
Google redirect


This topic is locked
11 replies to this topic

#1 clifffy


  • Members
  • 7 posts

Posted 14 October 2011 - 07:53 AM

Greetings,
I seem to have the Google redirect problem or related. When I search on Google, it takes me to unrelated sites. I changed Internet Explorer add-ons, which seemed to solve the issue, but I want to check the following log:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by cmgreg at 8:40:35 on 2011-10-14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1036 [GMT -4:00]
.
AV: Trend Micro Titanium Internet Security 2012 *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\A-B\Mobility Time Manager\ABMTimeManager.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Uniblue\RegistryBooster\rbmonitor.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4080126
BHO: {05758d77-b533-4fd0-9d48-1682174e138c} - c:\documents and settings\cmgreg\local settings\application data\NetworkWMP.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\amsp\module\20004\2.0.1313\6.8.1066\TmIEPlg.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: TmBpIeBHO Class: {bbacbafd-fa5e-4079-8b33-00eb9f13d4ac} - c:\program files\trend micro\amsp\module\20002\7.0.1081\7.0.1081\TmBpIe32.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [Siebel Update] rundll32 "c:\documents and settings\cmgreg\local settings\application data\microsoft\microsoftupdate\Microsoftupdt32.dll",DllRegisterServer
uRun: [DisplayVerifierVerifier] rundll32.exe "c:\documents and settings\all users\application data\DisplayVerifierVerifier.dll",DllRegisterServer
uRun: [RegistryBooster] "c:\program files\uniblue\registrybooster\launcher.exe" delay 20000
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Document Manager] c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe
mRun: [SecureUpgrade] c:\program files\wave systems corp\SecureUpgrade.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [BuildBU] c:\dell\bldbubg.exe
mRun: [Client Access Service] "c:\program files\ibm\client access\cwbsvstr.exe"
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AmazonGSDownloaderTray] c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderTray.exe
mRun: [Trend Micro Client Framework] "c:\program files\trend micro\uniclient\uifrmwrk\UIWatchDog.exe"
mRun: [Trend Micro Titanium] "c:\program files\trend micro\titanium\uiframework\uiWinMgr.exe" -set Silent "1" SplashURL ""
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: \\erfile\users\programs\startup\OPENOF~1.LNK - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tendaw~1.lnk - c:\program files\tenda\common\RaUI.exe
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\biolsp.dll
Trusted Zone: ab-sales.com
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {00B28243-126B-4FFF-B346-6C3176E8296B} - hxxps://ab-sales.com/echannelcg_enu/19221/applets/,DanaInfo=sblprmcprabc.corp.anheuser-busch.com,SSL+SiebelAx_Calendar.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {37D01D1F-7F85-4455-88DA-6328863886E8} - hxxps://secure.ab-sales.com/echannelcg_enu/19234/applets/SiebelAx_HI_Client.cab
DPF: {5554DCB0-700B-498D-9B58-4E40E5814405} - hxxps://vportal.publix.biz/VPMDWeb/Reserved.ReportViewerWebControl.axd?ReportSession=n0fy2siyiubca4m4mxhfb045&ControlID=8c7da7aa59994b9f896a210e99eb4ee3&Culture=1033&UICulture=1033&ReportStack=1&OpType=PrintCab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1202227039852
DPF: {819647C8-39C0-4C59-811C-928277815701} - hxxps://ab-sales.com/echannelcg_enu/19221/applets/,DanaInfo=sblprmcprabc.corp.anheuser-busch.com,SSL+SiebelAx_OutBound_mail.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} - hxxps://secure.ab-sales.com/echannelcg_enu/19251/applets/SiebelAx_Desktop_Integration.cab
DPF: {8CFCF42C-1C64-47D6-AEEC-F9D001832ED3} - hxxp://xserv.dell.com/DellDriverScanner/DellSystem.CAB
DPF: {B66D7C9D-905F-4A8E-A919-F6190334B9D0} - hxxps://secure.ab-sales.com/echannelcg_enu/19251/applets/SiebelAx_HI_Client.cab
DPF: {B82FA17C-F3A9-11D2-B5DD-0050041B7FF6} - hxxp://www.abmarketing.com/SAXFile/SAXFile.cab
DPF: {C1FC96DA-81BE-4836-B3A5-958F55E56E8E} - hxxps://secure.ab-sales.com/echannelcg_enu/19251/applets/SiebelAx_OutBound_mail.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DE2C7216-C882-400E-BB47-EBB90237CAD1} - hxxps://ab-sales.com/echannelcg_enu/19221/applets/,DanaInfo=sblprmcprabc.corp.anheuser-busch.com,SSL+SiebelAx_HI_Client.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E4F2DB99-72F9-40CE-8B98-AF9615C99CEE} - hxxps://secure.ab-sales.com/echannelcg_enu/19234/applets/SiebelAx_Calendar.cab
DPF: {EAE0D004-1B84-4F67-AA92-35B3A0B4F045} - hxxps://secure.ab-sales.com/echannelcg_enu/19234/applets/SiebelAx_OutBound_mail.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: DhcpNameServer = 68.87.68.166 68.87.74.166
TCP: Interfaces\{7FB2D98A-885C-49F4-82AF-0223669DD205} : DhcpNameServer = 68.87.68.166 68.87.74.166
TCP: Interfaces\{D04CEB9D-FD69-4E59-80C1-3EF5846F5E04} : NameServer = 192.168.2.5,192.168.2.2
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - c:\program files\trend micro\amsp\module\20002\7.0.1081\7.0.1081\TmBpIe32.dll
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\amsp\module\20004\2.0.1313\6.8.1066\TmIEPlg.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: wxvault.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 wvauth
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-10-13 386840]
R1 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2011-10-12 68368]
R2 Amsp;Trend Micro Solution Platform;c:\program files\trend micro\amsp\coreServiceShell.exe [2011-10-12 200632]
R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2005-10-18 61440]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-10-1 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-8-18 47640]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-4-13 141792]
R2 Mobility Time Manager;Mobility Time Manager;c:\program files\a-b\mobility time manager\ABMTimeManager.exe [2009-6-12 18944]
R2 MSSQL$ABMSQL;SQL Server (ABMSQL);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2010-12-10 29293408]
R2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows\system32\drivers\Scutum50.sys [2011-10-12 19072]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2004-8-11 5120]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2011-10-12 827488]
S2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\tenda\common\RaRegistry.exe [2011-10-12 185632]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2011-2-5 401920]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-4-9 189792]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2011-10-14 11:54:23 388096 ----a-r- c:\documents and settings\cmgreg\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-10-14 11:41:32 -------- d-----w- c:\documents and settings\cmgreg\application data\Uniblue
2011-10-14 11:36:40 -------- dc-h--w- c:\documents and settings\all users\application data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}
2011-10-14 11:36:39 -------- d-----w- c:\program files\Uniblue
2011-10-14 11:35:54 -------- d-----w- c:\documents and settings\cmgreg\local settings\application data\PackageAware
2011-10-12 22:09:50 0 ---ha-w- c:\documents and settings\cmgreg\rypcxybabm.tmp
2011-10-12 16:50:31 100352 ----a-w- c:\documents and settings\all users\application data\DisplayVerifierVerifier.dll
2011-10-12 16:50:30 267776 ----a-w- c:\documents and settings\cmgreg\local settings\application data\NetworkWMP.dll
2011-10-12 15:58:47 796032 ----a-w- c:\windows\system32\Scutum.dll
2011-10-12 15:58:47 200704 ----a-w- c:\windows\system32\ssleay32.dll
2011-10-12 15:58:47 19072 ----a-w- c:\windows\system32\drivers\Scutum50.sys
2011-10-12 15:58:47 180224 ----a-w- c:\windows\system32\W32N55.dll
2011-10-12 15:58:47 152968 ----a-w- c:\windows\system32\RalinkGina.dll
2011-10-12 15:58:47 147456 ----a-w- c:\windows\system32\DiagFunc.dll
2011-10-12 15:58:47 1085440 ----a-w- c:\windows\system32\libeay32.dll
2011-10-12 15:58:32 -------- d-----w- c:\program files\Tenda
2011-10-12 15:58:28 827488 ----a-w- c:\windows\system32\drivers\rt2870.sys
2011-10-12 15:58:28 238944 ----a-w- c:\windows\system32\RaCoInst.dll
2011-10-12 15:58:26 -------- d-----w- c:\documents and settings\all users\application data\Tenda Driver
2011-10-12 15:06:36 -------- d-----w- c:\documents and settings\cmgreg\local settings\application data\Trend Micro
2011-10-12 15:04:59 92432 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2011-10-12 15:04:53 81168 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2011-10-12 15:04:53 68368 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2011-10-12 15:04:53 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-10-12 15:00:03 56 ----a-w- c:\windows\system32\SupportTool.exe.bat
2011-10-12 14:59:46 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-10-12 14:57:23 -------- d-----w- c:\program files\Trend Micro
2011-10-08 02:00:14 7269712 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{3fb5845d-6f29-4e0c-ac54-5e1b552767d7}\mpengine.dll
2011-09-24 00:48:28 -------- d-----w- c:\program files\O2Micro OZ776 SCR Driver
2011-09-23 18:49:40 457 ----a-w- c:\windows\system32\vcredist_x86.bat
2011-09-23 18:49:40 2682880 ----a-w- c:\windows\system32\vcredist_x86.exe
2011-09-23 18:49:35 155648 ----a-w- c:\windows\system32\bcmwlapi.dll
2011-09-23 16:50:18 0 ----a-w- c:\windows\invcol.tmp
2011-09-23 16:38:27 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys
2011-09-23 16:38:26 -------- d-----w- c:\program files\Belarc
2011-09-23 16:35:59 -------- d-----w- c:\program files\Digital Line Detect
2011-09-23 16:29:56 -------- d-----w- c:\documents and settings\cmgreg\local settings\application data\Deployment
.
==================== Find3M ====================
.
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2006-03-14 16:13:02 2629632 ----a-w- c:\program files\common files\IntactixSplashServer.dll
2006-01-30 02:10:34 32819 ----a-w- c:\program files\common files\IXInformer.exe
2006-01-30 01:58:00 9728 ----a-w- c:\program files\common files\IXInformer.InterOp.dll
2003-09-11 13:17:06 40960 ----a-w- c:\program files\common files\ioaFolderBrowse.dll
2003-08-12 17:49:40 73728 ----a-w- c:\program files\common files\ioalMDITabs.dll
2002-07-29 13:42:48 45056 ----a-w- c:\program files\common files\ioaDockControl.ocx
.
============= FINISH: 8:42:17.70 ===============

Attached File: attach.zip (6.16KB)
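As an added illustration for readers triaging a DDS log like the one above (this is my own example code, not code from the thread, from DDS, or from the BleepingComputer team): a small Python script that parses the "Pseudo HJT Report" autorun lines (BHO:, uRun:, mRun:, dRun:) together with the "Created Last 30" file list and flags entries by the checks a responder applies by eye: an image loaded from a user-writable profile directory, persistence through `rundll32 "<dll>",DllRegisterServer`, a BHO registered without a descriptive name, and an image created inside the log's 30-day window. The sample lines are copied from the log above; the flag names, the `USER_WRITABLE` list and the helper names are my own choices. The three autorun entries it flags are among the files ComboFix later lists under "Other Deletions" in this thread, but a hit means "look closer", not a verdict.

```python
"""Heuristic triage of the autorun section of a DDS log.

Added example for this thread; not part of DDS, ComboFix or the forum's
own procedure. A flagged entry is a lead for a human, not a malware call.
"""
import re
from dataclasses import dataclass, field

# Locations an unprivileged user (or code running as that user) can write to.
# Vendors rarely register persistence from here on XP; malware often does.
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\",
                 "\\temp\\", "\\appdata\\")

AUTORUN_RE = re.compile(r"^(?P<kind>[umd]Run): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
BHO_RE = re.compile(r"^BHO: (?:(?P<name>[^{]+?): )?\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?:\d+|-+) \S+ (?P<path>.+)$")
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+.*,\s*DllRegisterServer", re.I)


@dataclass
class Finding:
    name: str
    path: str
    reasons: list = field(default_factory=list)


def image_path(cmd: str) -> str:
    """Pull the executable or DLL path out of an autorun command line.
    A quoted path wins (this covers rundll32 "<dll>",Entry); otherwise the
    first token is taken as the image."""
    m = re.search(r'"([^"]+)"', cmd)
    return m.group(1) if m else cmd.split()[0]


def assess(path: str, cmd: str, recent: set, has_name: bool = True) -> list:
    """Apply the four heuristics; return the list of reasons that fired."""
    p = path.lower()
    reasons = []
    if any(tag in p for tag in USER_WRITABLE):
        reasons.append("image lives in a user-writable profile path")
    if RUNDLL_RE.search(cmd):
        reasons.append("persistence via rundll32 ...,DllRegisterServer")
    if not has_name:
        reasons.append("BHO registered without a descriptive name")
    if p in recent:
        reasons.append("image created within the log's 30-day window")
    return reasons


def triage(lines) -> list:
    """Parse DDS lines and score every autorun / BHO entry."""
    # Paths from the 'Created Last 30' section, lower-cased for matching.
    recent = {m.group("path").lower() for m in map(CREATED_RE.match, lines) if m}
    findings = []
    for line in lines:
        m = AUTORUN_RE.match(line)
        if m:
            path = image_path(m.group("cmd"))
            findings.append(Finding(m.group("name"), path,
                                    assess(path, m.group("cmd"), recent)))
            continue
        m = BHO_RE.match(line)
        if m:
            name = m.group("name")
            findings.append(Finding(name or "{" + m.group("clsid") + "}", m.group("path"),
                                    assess(m.group("path"), "", recent, has_name=bool(name))))
    return findings


def flagged(lines) -> list:
    """Only the entries for which at least one heuristic fired."""
    return [f for f in triage(lines) if f.reasons]


# Sample input: lines copied from the DDS log posted above.
SAMPLE_LOG = [
    r'BHO: {05758d77-b533-4fd0-9d48-1682174e138c} - c:\documents and settings\cmgreg\local settings\application data\NetworkWMP.dll',
    r'BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll',
    r'uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe',
    r'uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler',
    r'uRun: [Siebel Update] rundll32 "c:\documents and settings\cmgreg\local settings\application data\microsoft\microsoftupdate\Microsoftupdt32.dll",DllRegisterServer',
    r'uRun: [DisplayVerifierVerifier] rundll32.exe "c:\documents and settings\all users\application data\DisplayVerifierVerifier.dll",DllRegisterServer',
    r'mRun: [Apoint] c:\program files\apoint\Apoint.exe',
    r'2011-10-12 16:50:31 100352 ----a-w- c:\documents and settings\all users\application data\DisplayVerifierVerifier.dll',
    r'2011-10-12 16:50:30 267776 ----a-w- c:\documents and settings\cmgreg\local settings\application data\NetworkWMP.dll',
]

if __name__ == "__main__":
    for f in flagged(SAMPLE_LOG):
        print(f"{f.name}\n  {f.path}")
        for r in f.reasons:
            print(f"  - {r}")
```

The "created recently" check only matters in combination with the others: a freshly installed legitimate driver also lands in the 30-day list (the Tenda and Trend Micro files in the same log), which is why the script reports reasons rather than a single score and leaves the decision to the reader.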


#2 RPMcMurphy


    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts

Posted 16 October 2011 - 12:14 AM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Any underlined text in my posts indicates a clickable link.
  • If you have any questions at all, please stop and ask before proceeding.
Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.




  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


If you have trouble running GMER:
  • Make sure that your security software is disabled
  • Uncheck the box next to "Files" this time also
  • If you still can't run it, try in the Safe Mode
Please include the following in your next post:
  • GMER log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#3 clifffy

  • Topic Starter

  • Members
  • 7 posts

Posted 18 October 2011 - 07:08 PM

Attached File: Gmer.txt (459.26KB)
Thanks in advance for your help. The Gmer log is attached.

#4 clifffy

  • Topic Starter

  • Members
  • 7 posts

Posted 18 October 2011 - 07:30 PM

Do I need to post the log in the body? It is very long, thanks!

#5 RPMcMurphy


    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts

Posted 18 October 2011 - 08:53 PM

clifffy:

Please do this next:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please include the following in your next post:
  • ComboFix log



#6 clifffy

  • Topic Starter

  • Members
  • 7 posts

Posted 19 October 2011 - 06:43 AM

Here is the log. Thanks again.

ComboFix 11-10-19.02 - cmgreg 10/19/2011 7:06.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1184 [GMT -4:00]
Running from: \\Erfile\Users\cmgreg\Desktop\ComboFix.exe
AV: Trend Micro Titanium Internet Security 2012 *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\DisplayVerifierVerifier.dll
c:\documents and settings\cmgreg\Local Settings\Application Data\Microsoft\MicrosoftUpdate\Microsoftupdt32.dll
c:\documents and settings\cmgreg\Local Settings\Application Data\NetworkWMP.dll
c:\documents and settings\cmgreg\rypcxybabm.tmp
c:\windows\system32\SysInfo.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-09-19 to 2011-10-19 )))))))))))))))))))))))))))))))
.
.
2011-10-14 13:22 . 2011-10-14 13:22 -------- d-----w- c:\documents and settings\All Users\Application Data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}
2011-10-14 11:54 . 2011-10-14 11:54 388096 ----a-r- c:\documents and settings\cmgreg\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-10-14 11:36 . 2011-10-14 11:36 -------- d-----w- c:\program files\Uniblue
2011-10-14 11:35 . 2011-10-14 11:35 -------- d-----w- c:\documents and settings\cmgreg\Local Settings\Application Data\PackageAware
2011-10-12 15:58 . 2009-12-10 15:16 796032 ----a-w- c:\windows\system32\Scutum.dll
2011-10-12 15:58 . 2009-12-10 15:16 200704 ----a-w- c:\windows\system32\ssleay32.dll
2011-10-12 15:58 . 2009-12-10 15:16 19072 ----a-w- c:\windows\system32\drivers\Scutum50.sys
2011-10-12 15:58 . 2009-12-10 15:16 180224 ----a-w- c:\windows\system32\W32N55.dll
2011-10-12 15:58 . 2009-12-10 15:16 147456 ----a-w- c:\windows\system32\DiagFunc.dll
2011-10-12 15:58 . 2009-12-10 15:16 1085440 ----a-w- c:\windows\system32\libeay32.dll
2011-10-12 15:58 . 2009-12-10 15:15 152968 ----a-w- c:\windows\system32\RalinkGina.dll
2011-10-12 15:58 . 2011-10-12 15:58 -------- d-----w- c:\program files\Tenda
2011-10-12 15:58 . 2010-04-14 23:31 238944 ----a-w- c:\windows\system32\RaCoInst.dll
2011-10-12 15:58 . 2010-04-14 22:39 827488 ----a-w- c:\windows\system32\drivers\rt2870.sys
2011-10-12 15:58 . 2011-10-12 15:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Tenda Driver
2011-10-12 15:06 . 2011-10-12 15:06 -------- d-----w- c:\documents and settings\cmgreg\Local Settings\Application Data\Trend Micro
2011-10-12 15:05 . 2011-10-12 15:05 -------- d-----w- c:\documents and settings\LocalService\Application Data\Trend Micro
2011-10-12 15:04 . 2011-08-02 20:44 92432 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2011-10-12 15:04 . 2011-07-12 11:14 81168 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2011-10-12 15:04 . 2011-07-12 11:13 68368 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2011-10-12 15:04 . 2011-07-12 11:13 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-10-12 15:00 . 2011-10-12 15:00 56 ----a-w- c:\windows\system32\SupportTool.exe.bat
2011-10-12 14:59 . 2011-10-12 22:27 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-10-12 14:57 . 2011-10-14 11:54 -------- d-----w- c:\program files\Trend Micro
2011-10-08 02:00 . 2011-09-12 23:14 7269712 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{3FB5845D-6F29-4E0C-AC54-5E1B552767D7}\mpengine.dll
2011-09-26 15:41 . 2011-09-26 15:41 220160 ------w- c:\windows\system32\dllcache\oleacc.dll
2011-09-26 15:41 . 2011-09-26 15:41 20480 ------w- c:\windows\system32\dllcache\oleaccrc.dll
2011-09-24 00:48 . 2011-09-24 00:48 -------- d-----w- c:\program files\O2Micro OZ776 SCR Driver
2011-09-23 18:49 . 2010-10-29 14:14 457 ----a-w- c:\windows\system32\vcredist_x86.bat
2011-09-23 18:49 . 2010-10-29 14:14 2682880 ----a-w- c:\windows\system32\vcredist_x86.exe
2011-09-23 18:49 . 2010-10-29 14:14 155648 ----a-w- c:\windows\system32\bcmwlapi.dll
2011-09-23 16:50 . 2011-09-23 16:50 0 ----a-w- c:\windows\invcol.tmp
2011-09-23 16:38 . 2011-08-09 21:33 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys
2011-09-23 16:38 . 2011-09-23 16:38 -------- d-----w- c:\program files\Belarc
2011-09-23 16:35 . 2011-09-23 16:36 -------- d-----w- c:\program files\Digital Line Detect
2011-09-23 16:29 . 2011-10-14 10:56 -------- d-----w- c:\documents and settings\cmgreg\Local Settings\Application Data\Deployment
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-26 15:41 . 2007-10-09 18:03 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2004-08-11 23:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2004-08-11 23:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-12 23:14 . 2008-02-19 12:13 7269712 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-09-09 09:12 . 2004-08-11 23:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2004-08-11 23:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48 . 2004-08-11 23:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-08-11 23:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2004-08-11 23:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-11 23:00 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2004-08-11 23:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2006-04-27 13:33 . 2006-04-27 13:33 946264 ----a-w- c:\program files\Common Files\ioaFlatGrid.ocx
2006-04-27 13:33 . 2006-04-27 13:33 82030 ----a-w- c:\program files\Common Files\ioaFieldSelectionDialog.dll
2006-04-27 13:33 . 2006-04-27 13:33 61531 ----a-w- c:\program files\Common Files\ioaToolTip.dll
2006-04-27 13:33 . 2006-04-27 13:33 61529 ----a-w- c:\program files\Common Files\ioaTabControl.ocx
2006-04-27 13:33 . 2006-04-27 13:33 49255 ----a-w- c:\program files\Common Files\ioaSubclassTimer.dll
2006-04-27 13:33 . 2006-04-27 13:33 426085 ----a-w- c:\program files\Common Files\ioaDecisionTree.ocx
2006-04-27 13:33 . 2006-04-27 13:33 421977 ----a-w- c:\program files\Common Files\ioaCommandBar.ocx
2006-04-27 13:33 . 2006-04-27 13:33 41055 ----a-w- c:\program files\Common Files\ioaSliderControl.ocx
2006-04-27 13:33 . 2006-04-27 13:33 372823 ----a-w- c:\program files\Common Files\ioaDataProvider.dll
2006-04-27 13:33 . 2006-04-27 13:33 254051 ----a-w- c:\program files\Common Files\ioaControls2B.ocx
2006-04-27 13:33 . 2006-04-27 13:33 168031 ----a-w- c:\program files\Common Files\ioaProcessViewer.ocx
2006-04-27 13:33 . 2006-04-27 13:33 114786 ----a-w- c:\program files\Common Files\ioaPopupMenu2.dll
2006-04-27 13:33 . 2006-04-27 13:33 45154 ----a-w- c:\program files\Common Files\ioaAccelerator.ocx
2006-03-14 16:13 . 2006-03-14 16:13 2629632 ----a-w- c:\program files\Common Files\IntactixSplashServer.dll
2006-01-30 02:10 . 2006-01-30 02:10 32819 ----a-w- c:\program files\Common Files\IXInformer.exe
2006-01-30 01:58 . 2006-01-30 01:58 9728 ----a-w- c:\program files\Common Files\IXInformer.InterOp.dll
2003-09-11 13:17 . 2003-09-11 13:17 40960 ----a-w- c:\program files\Common Files\ioaFolderBrowse.dll
2003-08-12 17:49 . 2003-08-12 17:49 73728 ----a-w- c:\program files\Common Files\ioalMDITabs.dll
2002-07-29 13:42 . 2002-07-29 13:42 45056 ----a-w- c:\program files\Common Files\ioaDockControl.ocx
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2010-10-29 2498560]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2007-01-30 102400]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-01-22 212992]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"BuildBU"="c:\dell\bldbubg.exe" [2004-02-19 61440]
"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2005-10-19 20531]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-08-02 129304]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-08-02 1300672]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 217194]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2008-4-9 1421328]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2011-9-23 24576]
Tenda Wireless Utility.lnk - c:\program files\Tenda\Common\RaUI.exe [2011-10-12 382464]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wxvault.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\IBM\\Client Access\\cwbunnav.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
"9220:TCP"= 9220:TCP:207.223.0.140/255.255.255.255:Enabled:tcp port 9220
"161:UDP"= 161:UDP:207.223.0.140/255.255.255.255:Enabled:udp port 161
.
R1 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [10/12/2011 11:04 AM 68368]
R2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe [10/12/2011 10:58 AM 200632]
R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [10/18/2005 5:11 PM 61440]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [4/13/2011 4:35 PM 141792]
R2 Mobility Time Manager;Mobility Time Manager;c:\program files\A-B\Mobility Time Manager\ABMTimeManager.exe [6/12/2009 6:57 PM 18944]
R2 MSSQL$ABMSQL;SQL Server (ABMSQL);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [12/10/2010 7:29 PM 29293408]
R2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows\system32\drivers\Scutum50.sys [10/12/2011 11:58 AM 19072]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [8/11/2004 7:00 PM 5120]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [10/1/2010 7:37 PM 374152]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
S3 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2/5/2011 3:13 PM 401920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-19 c:\windows\Tasks\User_Feed_Synchronization-{C6B1EEB9-5AB9-45C3-91A4-DBC282D542A8}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\biolsp.dll
Trusted Zone: ab-sales.com
TCP: DhcpNameServer = 68.87.68.166 68.87.74.166
TCP: Interfaces\{D04CEB9D-FD69-4E59-80C1-3EF5846F5E04}: NameServer = 192.168.2.5,192.168.2.2
DPF: {00B28243-126B-4FFF-B346-6C3176E8296B} - hxxps://ab-sales.com/echannelcg_enu/19221/applets/,DanaInfo=sblprmcprabc.corp.anheuser-busch.com,SSL+SiebelAx_Calendar.cab
DPF: {37D01D1F-7F85-4455-88DA-6328863886E8} - hxxps://secure.ab-sales.com/echannelcg_enu/19234/applets/SiebelAx_HI_Client.cab
DPF: {5554DCB0-700B-498D-9B58-4E40E5814405} - hxxps://vportal.publix.biz/VPMDWeb/Reserved.ReportViewerWebControl.axd?ReportSession=n0fy2siyiubca4m4mxhfb045&ControlID=8c7da7aa59994b9f896a210e99eb4ee3&Culture=1033&UICulture=1033&ReportStack=1&OpType=PrintCab
DPF: {819647C8-39C0-4C59-811C-928277815701} - hxxps://ab-sales.com/echannelcg_enu/19221/applets/,DanaInfo=sblprmcprabc.corp.anheuser-busch.com,SSL+SiebelAx_OutBound_mail.cab
DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} - hxxps://secure.ab-sales.com/echannelcg_enu/19251/applets/SiebelAx_Desktop_Integration.cab
DPF: {B66D7C9D-905F-4A8E-A919-F6190334B9D0} - hxxps://secure.ab-sales.com/echannelcg_enu/19251/applets/SiebelAx_HI_Client.cab
DPF: {B82FA17C-F3A9-11D2-B5DD-0050041B7FF6} - hxxp://www.abmarketing.com/SAXFile/SAXFile.cab
DPF: {C1FC96DA-81BE-4836-B3A5-958F55E56E8E} - hxxps://secure.ab-sales.com/echannelcg_enu/19251/applets/SiebelAx_OutBound_mail.cab
DPF: {DE2C7216-C882-400E-BB47-EBB90237CAD1} - hxxps://ab-sales.com/echannelcg_enu/19221/applets/,DanaInfo=sblprmcprabc.corp.anheuser-busch.com,SSL+SiebelAx_HI_Client.cab
DPF: {E4F2DB99-72F9-40CE-8B98-AF9615C99CEE} - hxxps://secure.ab-sales.com/echannelcg_enu/19234/applets/SiebelAx_Calendar.cab
DPF: {EAE0D004-1B84-4F67-AA92-35B3A0B4F045} - hxxps://secure.ab-sales.com/echannelcg_enu/19234/applets/SiebelAx_OutBound_mail.cab
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-ModemOnHold - c:\program files\NetWaiting\netWaiting.exe
HKCU-Run-Siebel Update - c:\documents and settings\cmgreg\Local Settings\Application Data\Microsoft\MicrosoftUpdate\Microsoftupdt32.dll
HKCU-Run-DisplayVerifierVerifier - c:\documents and settings\All Users\Application Data\DisplayVerifierVerifier.dll
AddRemove-{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA} - c:\documents and settings\All Users\Application Data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}\bm_installer.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-19 07:24
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1004894773-2524219033-1158469246-1138\Software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
@Allowed: (2) (Administrators)
"Policy"=dword:00000000
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
"Policy"=hex:00,00,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(1384)
c:\windows\system32\biolsp.dll
.
- - - - - - - > 'explorer.exe'(2164)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\progra~1\MICROS~2\Office12\OLKFSTUB.DLL
c:\program files\Common Files\Microsoft Shared\OFFICE12\MSOXEV.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Trend Micro\AMSP\coreFrameworkHost.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Tenda\Common\RaRegistry.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\stsystra.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
.
**************************************************************************
.
Completion time: 2011-10-19 07:30:53 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-19 11:30
.
Pre-Run: 29,110,370,304 bytes free
Post-Run: 29,774,557,184 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 9165B7ABF9EE02ABD99C76078B9D25A0



Edited by RPMcMurphy, 19 October 2011 - 08:23 PM.
add log


#7 RPMcMurphy

  • Malware Response Team
  • 3,970 posts

Posted 19 October 2011 - 08:31 PM

clifffy:

Please do this next:

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Registry::

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5000:TCP"=-
"5001:TCP"=-
"5002:TCP"=-
"5003:TCP"=-
"5004:TCP"=-
"5005:TCP"=-
"5006:TCP"=-
"5007:TCP"=-
"5008:TCP"=-
"5009:TCP"=-
"5010:TCP"=-
"5011:TCP"=-
"5012:TCP"=-
"5013:TCP"=-
"5014:TCP"=-
"5015:TCP"=-
"5016:TCP"=-
"5017:TCP"=-
"5018:TCP"=-
"5019:TCP"=-
"5020:TCP"=-
"9220:TCP"=-
"161:UDP"=-

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Be sure that everything else is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post the results.
Please include the following in your next post:
  • ComboFix log
  • MBAM log

Edited by RPMcMurphy, 19 October 2011 - 08:32 PM.
Removed extra space

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.
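The CFScript above hand-lists every firewall exception to delete. As an added example (not the helper's script and not ComboFix's own code), the Python below parses the GloballyOpenPorts section of a ComboFix log into structured entries, collapses the ports into contiguous runs so a block like 5000-5020 is obvious at triage, and generates the same Registry:: deletion block from an allow-list. The log excerpt is constructed from the log in this thread; the abbreviated key and the `=-` delete syntax are the ones the helper's CFScript uses.

```python
"""Added example, not the helper's script: parse GloballyOpenPorts exceptions
out of a ComboFix log and build the CFScript that removes the unwanted ones."""
import re
from dataclasses import dataclass

# ComboFix's abbreviated key, exactly as it appears in the log and CFScript.
FW_KEY = r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"

# Constructed excerpt modelled on the log posted in this thread.
LOG_EXCERPT = r'''
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"9220:TCP"= 9220:TCP:207.223.0.140/255.255.255.255:Enabled:tcp port 9220
"161:UDP"= 161:UDP:207.223.0.140/255.255.255.255:Enabled:udp port 161
.
'''
ENTRY_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*(?P<value>\S.*)$')
SCOPE_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}/\d{1,3}(?:\.\d{1,3}){3}$")

@dataclass
class OpenPort:
    port: int
    proto: str
    scope: str  # "*" = reachable from any remote address
    name: str   # "@dll,-id" names are Windows-supplied defaults (here: RDP)

def parse_open_ports(log_text: str) -> list[OpenPort]:
    """Return the exceptions listed under the GloballyOpenPorts key."""
    entries, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("["):          # a new registry key header
            in_section = "GloballyOpenPorts" in line
            continue
        m = ENTRY_RE.match(line) if in_section else None
        if not m:
            continue
        # value = "<port>:<proto>[:<scope>:<Enabled|Disabled>]:<name>"
        rest = m.group("value").split(":")[2:]
        scope = "*"
        if rest and SCOPE_RE.match(rest[0]):
            scope = rest.pop(0)
            if rest and rest[0] in ("Enabled", "Disabled"):
                rest.pop(0)
        entries.append(OpenPort(int(m.group("port")), m.group("proto"),
                                scope, ":".join(rest)))
    return entries

def port_runs(entries: list[OpenPort], proto: str) -> list[tuple[int, int]]:
    """Collapse one protocol's ports into contiguous (first, last) runs."""
    runs: list[tuple[int, int]] = []
    for p in sorted({e.port for e in entries if e.proto == proto}):
        if runs and p == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], p)
        else:
            runs.append((p, p))
    return runs

def build_cfscript(entries: list[OpenPort], keep: set[str]) -> str:
    """CFScript deleting every exception whose "port:proto" is not in keep."""
    lines = ["Registry::", FW_KEY]
    lines += [f'"{e.port}:{e.proto}"=-' for e in entries
              if f"{e.port}:{e.proto}" not in keep]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Allow-list matches what the helper left alone: RDP (3389) and port 135.
    print(build_cfscript(parse_open_ports(LOG_EXCERPT), {"3389:TCP", "135:TCP"}))
```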


#8 clifffy

  • Topic Starter

  • Members
  • 7 posts

Posted 27 October 2011 - 12:57 PM

Here is the latest. Thank you again for all of your help. I have not had access to this machine (or time), hopefully not much is still wrong?
thanks,
clifffy




#9 RPMcMurphy

  • Malware Response Team
  • 3,970 posts

Posted 28 October 2011 - 04:06 PM

clifffy:

How is your computer running now? Please do this next:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Java™ can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts. If it does not, let me know.

Once the install is complete...

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
Please go here to run an online scan with ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file...
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.
Please include the following in your next post:
  • How is the computer running now?
  • ESET log



#10 clifffy

  • Topic Starter

  • Members
  • 7 posts

Posted 01 November 2011 - 09:05 AM

RP,

My computer seems to be working better; however, it is an old machine and speed was never its strong suit. I did all of the steps you have recommended, and attached the latest log. Quite a number of threats are on the log, but I did not remove them. The Google redirect is no longer hijacking my searches, but I assume there is more work to finish?

Thanks again to you and your team for what you do on this site!

Clifffy

Attached File: ESET.txt (1.67KB)

#11 RPMcMurphy

  • Malware Response Team
  • 3,970 posts

Posted 01 November 2011 - 01:50 PM

clifffy:

Those ESET detections are either safely in quarantine already or in your system restore cache - they will all be cleared when we uninstall ComboFix. All I have left for you is another update and some very important cleanup:

Your Adobe Reader needs to be updated. Please visit Adobe's site and grab the newest version. Be sure to watch for and uncheck any boxes offering to install other software.

Uninstall ComboFix
  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall

Delete the following tools along with any other logs you saved from our work:
  • DDS
  • GMER
Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine.
  • If it doesn't, manually reboot to ensure a complete clean.
Finally, I'd like to make a couple of suggestions to help you stay clean in the future:
  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
  • Please read this post for some helpful information.
Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!



#12 RPMcMurphy

  • Malware Response Team
  • 3,970 posts

Posted 07 November 2011 - 08:52 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
