Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google links opening incorrect pages


  • Please log in to reply
5 replies to this topic

#1 trentham

trentham

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:43 PM

Posted 31 January 2012 - 06:08 AM

Had this problem for a few days now and have been unable to fix it. On google when I press a link for any page i get directed to pages like http://www.vacationclubinternational.com/ and http://t.jayxl.com/. Also Trend micro Client-server security agent has been constantly blocking sites trying to be accessed when I have not even been online.

Sorry but was in Operating systems initially so figured this was where to post my problem but I am pretty sure it is malware so am moving my HijackThis log to a now post in the correct sections Sorry

Edited by hamluis, 31 January 2012 - 08:23 AM.
Moved from XP to Am i Infected.


BC AdBot (Login to Remove)

 


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:04:43 AM

Posted 31 January 2012 - 11:54 AM

Welcome aboard Posted Image

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

====================================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#3 trentham

trentham
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:43 PM

Posted 31 January 2012 - 06:09 PM

Security Check log:

Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Trend Micro Client Server Security Agent
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 17
Java™ 6 Update 7
Out of date Java installed!
Adobe Flash Player ( 10.1.53.64) Flash Player Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Windows Defender MSASCui.exe
Trend Micro OfficeScan Client pccntmon.exe
Windows Defender MsMpEng.exe
Windows Defender MSASCui.exe
Trend Micro Client Server Security Agent ntrtscan.exe
Trend Micro Client Server Security Agent tmlisten.exe
Trend Micro Client Server Security Agent TmPfw.exe
Trend Micro Client Server Security Agent CNTAoSMgr.exe
Trend Micro Client Server Security Agent tmproxy.exe
Trend Micro BM TMBMSRV.exe
``````````End of Log````````````


Farbar Service Scanner log:

Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3) tmcfw(8)
0x080000000400000001000000020000000300000005000000060000000700000008000000
IpSec Tag value is correct.

**** End of log ****

MiniToolbox log:

MiniToolBox by Farbar Version: 18-01-2012
Ran by Pat (administrator) on 01-02-2012 at 09:50:04
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================


127.0.0.1 localhost

========================= IP Configuration: ================================

Intel® 82567LM-3 Gigabit Network Connection = Local Area Connection (Connected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : D5QFMZ1S

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : vic.bigpond.net.au



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . : vic.bigpond.net.au

Description . . . . . . . . . . . : Intel® 82567LM-3 Gigabit Network Connection

Physical Address. . . . . . . . . : 00-23-AE-5A-C3-DD

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.0.186

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.0.1

DHCP Server . . . . . . . . . . . : 192.168.0.1

DNS Servers . . . . . . . . . . . : 10.0.0.138

192.168.0.1

Lease Obtained. . . . . . . . . . : Wednesday, 1 February 2012 7:43:40 AM

Lease Expires . . . . . . . . . . : Wednesday, 8 February 2012 7:43:40 AM

Server: SpeedTouch.vic.bigpond.net.au
Address: 10.0.0.138

Name: google.com
Addresses: 74.125.237.19, 74.125.237.16, 74.125.237.18, 74.125.237.17
74.125.237.20



Pinging google.com [74.125.237.20] with 32 bytes of data:



Reply from 74.125.237.20: bytes=32 time=46ms TTL=51

Reply from 74.125.237.20: bytes=32 time=47ms TTL=51



Ping statistics for 74.125.237.20:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 46ms, Maximum = 47ms, Average = 46ms

Server: SpeedTouch.vic.bigpond.net.au
Address: 10.0.0.138

Name: yahoo.com
Addresses: 98.137.149.56, 98.139.180.149, 209.191.122.70, 72.30.2.43



Pinging yahoo.com [98.139.180.149] with 32 bytes of data:



Reply from 98.139.180.149: bytes=32 time=323ms TTL=41

Reply from 98.139.180.149: bytes=32 time=335ms TTL=41



Ping statistics for 98.139.180.149:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 323ms, Maximum = 335ms, Average = 329ms

Server: SpeedTouch.vic.bigpond.net.au
Address: 10.0.0.138

Name: bleepingcomputer.com
Address: 208.43.87.2



Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:



Request timed out.

Request timed out.



Ping statistics for 208.43.87.2:

Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 23 ae 5a c3 dd ...... Intel® 82567LM-3 Gigabit Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.186 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.0 255.255.255.0 192.168.0.186 192.168.0.186 20
192.168.0.186 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.0.255 255.255.255.255 192.168.0.186 192.168.0.186 20
224.0.0.0 240.0.0.0 192.168.0.186 192.168.0.186 20
255.255.255.255 255.255.255.255 192.168.0.186 192.168.0.186 1
Default Gateway: 192.168.0.1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (01/31/2012 08:00:29 PM) (Source: Wave TCG Client Services) (User: )
Description: The NTRU TSS is not running, Wave Software is unable to communicate to TPM

Error: (01/31/2012 08:00:29 PM) (Source: Wave TCG Client Services) (User: )
Description: The NTRU TSS is not running, Wave Software is unable to communicate to TPM

Error: (01/31/2012 06:07:29 PM) (Source: Application Error) (User: )
Description: Faulting application ib.exe, version 1.0.19968.1030, faulting module gdi32.dll, version 5.1.2600.5698, fault address 0x0001050c.
Processing media-specific event for [ib.exe!ws!]

Error: (01/31/2012 06:07:23 PM) (Source: Application Error) (User: )
Description: Windows cannot access the file E:\DCIM\100OLYMP\P1310001.JPG for one of the following reasons:
there is a problem with the network connection, the disk that the file is stored on, or the storage
drivers installed on this computer; or the disk is missing.
Windows closed the program P1310001.JPG because of this error.

Program: P1310001.JPG
File: E:\DCIM\100OLYMP\P1310001.JPG

The error value is listed in the Additional Data section.
User Action
1. Open the file again.
This situation might be a temporary problem that corrects itself when the program runs again.
2.
If the file still cannot be accessed and
- It is on the network,
your network administrator should verify that there is not a problem with the network and that the server can be contacted.
- It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4. If the problem persists, restore the file from a backup copy.
5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for
further assistance.
Additional Data
Error value: C000000D
Disk type: 2

Error: (01/31/2012 06:07:02 PM) (Source: Application Error) (User: )
Description: Faulting application hpqtra08.exe, version 110.0.180.0, faulting module unknown, version 0.0.0.0, fault address 0x003a0009.
Processing media-specific event for [hpqtra08.exe!ws!]

Error: (01/31/2012 03:14:58 PM) (Source: Wave TCG Client Services) (User: )
Description: The NTRU TSS is not running, Wave Software is unable to communicate to TPM

Error: (01/31/2012 03:14:57 PM) (Source: Wave TCG Client Services) (User: )
Description: The NTRU TSS is not running, Wave Software is unable to communicate to TPM

Error: (01/31/2012 10:16:00 AM) (Source: Wave TCG Client Services) (User: )
Description: The NTRU TSS is not running, Wave Software is unable to communicate to TPM

Error: (01/31/2012 10:15:56 AM) (Source: Wave TCG Client Services) (User: )
Description: The NTRU TSS is not running, Wave Software is unable to communicate to TPM

Error: (01/29/2012 11:24:12 AM) (Source: Wave TCG Client Services) (User: )
Description: The NTRU TSS is not running, Wave Software is unable to communicate to TPM


System errors:
=============
Error: (02/01/2012 07:45:17 AM) (Source: Service Control Manager) (User: )
Description: The HP CUE DeviceDiscovery Service service hung on starting.

Error: (01/31/2012 10:40:42 PM) (Source: Service Control Manager) (User: )
Description: The HP CUE DeviceDiscovery Service service hung on starting.

Error: (01/31/2012 08:35:59 PM) (Source: Service Control Manager) (User: )
Description: The HP CUE DeviceDiscovery Service service hung on starting.

Error: (01/31/2012 03:16:12 PM) (Source: Service Control Manager) (User: )
Description: The HP CUE DeviceDiscovery Service service hung on starting.

Error: (01/31/2012 10:15:21 AM) (Source: Service Control Manager) (User: )
Description: The HP CUE DeviceDiscovery Service service hung on starting.

Error: (01/30/2012 09:34:09 AM) (Source: Service Control Manager) (User: )
Description: The HP CUE DeviceDiscovery Service service hung on starting.

Error: (01/29/2012 11:04:43 PM) (Source: Service Control Manager) (User: )
Description: The HP CUE DeviceDiscovery Service service hung on starting.

Error: (01/29/2012 06:56:42 AM) (Source: Service Control Manager) (User: )
Description: The HP CUE DeviceDiscovery Service service hung on starting.

Error: (01/28/2012 08:19:42 AM) (Source: Service Control Manager) (User: )
Description: The HP CUE DeviceDiscovery Service service hung on starting.

Error: (01/28/2012 07:12:55 AM) (Source: Service Control Manager) (User: )
Description: The HP CUE DeviceDiscovery Service service hung on starting.


Microsoft Office Sessions:
=========================
Error: (08/26/2011 10:40:55 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 263 seconds with 180 seconds of active time. This session ended with a crash.

Error: (05/24/2011 11:18:14 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 117 seconds with 60 seconds of active time. This session ended with a crash.

Error: (05/02/2011 03:16:14 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 47 seconds with 0 seconds of active time. This session ended with a crash.

Error: (02/01/2011 08:46:10 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 36 seconds with 0 seconds of active time. This session ended with a crash.

Error: (10/27/2010 06:52:54 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 117 seconds with 60 seconds of active time. This session ended with a crash.

Error: (08/23/2010 03:40:10 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6541.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 76 seconds with 60 seconds of active time. This session ended with a crash.


=========================== Installed Programs ============================

32 Bit HP CIO Components Installer (Version: 2.1.5)
Adobe Flash Player 10 Plugin (Version: 10.1.53.64)
Adobe Flash Player 11 ActiveX (Version: 11.1.102.55)
Adobe Reader 9 (Version: 9.0.0)
AgriGater Horticulture (Version: 1.00.050)
Alcatel SpeedTouch USB Software
ALOT Toolbar
Bing Bar (Version: 7.0.822.0)
BioAPI Framework (Version: 1.0.1)
biolsp patch (Version: 01.00.02.0005)
BufferChm (Version: 100.0.170.000)
Choice Guard (Version: 1.2.87.0)
Copy (Version: 100.0.170.000)
Critical Update for Windows Media Player 11 (KB959772)
CustomerResearchQFolder (Version: 1.00.0000)
CutePDF Writer 2.7
Dell Control Point (Version: 1.5.9.5)
Dell ControlPoint Security Manager (Version: 1.5.9.5)
Dell Embassy Trust Suite by Wave Systems (Version: 03.02.00.049)
Dell Security Device Driver Pack (Version: 1.00.25)
Destination Component (Version: 100.0.0.0)
DeviceDiscovery (Version: 110.0.180.000)
DeviceManagementQFolder (Version: 1.00.0000)
DJ_AIO_03_F2200_ProductContext (Version: 100.0.215.000)
DJ_AIO_03_F2200_Software (Version: 100.0.206.000)
DJ_AIO_03_F2200_Software_Min (Version: 100.0.239.000)
Document Manager Lite (Version: 06.09.00.042)
e-tax 2009 (Version: 1.0.0.0)
EMBASSY Security Center (Version: 03.09.00.032)
EMBASSY Security Setup (Version: 03.09.00.028)
ESC Home Page Plugin (Version: 03.04.00.013)
eSupportQFolder (Version: 1.00.0000)
F2200 (Version: 100.0.206.000)
F2200_Help (Version: 100.0.206.000)
Formatta Filler 7.0 (Version: 7.0)
Gemalto (Version: 01.01.00.0000)
Google Chrome (Version: 16.0.912.77)
Google Earth (Version: 6.1.0.5001)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Update Helper (Version: 1.3.21.79)
Google Updater (Version: 2.4.2432.1652)
GPBaseService (Version: 100.0.187.000)
GPBaseService2 (Version: 130.0.371.000)
HiJackThis (Version: 1.0.0)
HP Customer Participation Program 10.0 (Version: 10.0)
HP Deskjet F2200 All-In-One Driver Software 10.0 Rel .3 (Version: 10.0)
HP Imaging Device Functions 10.0 (Version: 10.0)
HP Photosmart Essential 2.5 (Version: 1.02.0000)
HP Photosmart Essential 2.5 (Version: 2.5)
HP Smart Web Printing 4.60 (Version: 4.60)
HP Solution Center 13.0 (Version: 13.0)
HP Update (Version: 5.002.005.003)
HPProductAssistant (Version: 130.0.371.000)
HPSSupply (Version: 100.0.170.000)
Intel® Graphics Media Accelerator Driver
Intel® Network Connections 13.1.33.0 (Version: 13.1.33.0)
Intel® PRO Alerting Agent (Version: 12.0.3)
IRES v3.0
Java™ 6 Update 17 (Version: 6.0.170)
Java™ 6 Update 7 (Version: 1.6.0.70)
Junk Mail filter update (Version: 14.0.8050.1202)
Magpie 3 (Version: 3.0.0.0)
Malwarebytes' Anti-Malware
MarketResearch (Version: 100.0.170.000)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access 2003 Runtime (Version: 11.0.8173.0)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Home and Student 2007 (Version: 12.0.6425.1000)
Microsoft Office Live Add-in 1.3 (Version: 2.0.2313.0)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Silverlight (Version: 4.0.60831.0)
Microsoft Software Update for Web Folders (English) 12 (Version: 12.0.6425.1000)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Sync Framework Runtime Native v1.0 (x86) (Version: 1.0.1215.0)
Microsoft Sync Framework Services Native v1.0 (x86) (Version: 1.0.1215.0)
Microsoft User-Mode Driver Framework Feature Pack 1.9
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
MSVC80_x86_v2 (Version: 1.0.3.0)
MSVC90_x86 (Version: 1.0.1.2)
MSVCRT (Version: 14.0.1468.721)
MSVCSetup (Version: 1.00.0000)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 6.0 Parser (KB927977) (Version: 6.00.3890.0)
Nokia Connectivity Cable Driver (Version: 7.1.41.0)
Nokia Ovi Suite (Version: 3.1.0.84)
Nokia Ovi Suite Software Updater (Version: 02.07.004.45780)
NTRU TCG Software Stack (Version: 2.1.28)
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0)
OLYMPUS ib (Version: 1.0.1101)
Ovi Desktop Sync Engine (Version: 1.5.257.0)
OviMPlatform (Version: 2.7.66.0)
PC Connectivity Solution (Version: 11.4.15.0)
PowerDVD (Version: 8.1)
Preboot Manager (Version: 02.07.00.026)
Private Information Manager (Version: 06.04.00.021)
PSSWCORE (Version: 2.02.0000)
QuickTime Alternative 2.8.0 (Version: 2.8.0)
Roxio Activation Module (Version: 1.0)
Roxio Creator Audio (Version: 3.5.0)
Roxio Creator BDAV Plugin (Version: 3.5.0)
Roxio Creator Copy (Version: 3.5.0)
Roxio Creator Data (Version: 3.5.0)
Roxio Creator DE (Version: 3.5.0)
Roxio Creator Tools (Version: 3.5.0)
Roxio Drag-to-Disc (Version: 9.1)
Roxio Express Labeler 3 (Version: 3.2.1)
Roxio Update Manager (Version: 6.0.0)
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile USB Modem 1.0 Software
Samsung PC Studio (Version: 3.0.0.60812)
Scan (Version: 10.1.0.0)
Secure Update (Version: 05.07.00.013)
Security Wizards (Version: 01.07.00.013)
Segoe UI (Version: 14.0.4327.805)
Shop for HP Supplies (Version: 10.0)
Skype Toolbars (Version: 5.0.4126)
Skype™ 5.0 (Version: 5.0.152)
SmartWebPrinting (Version: 140.0.186.000)
SolutionCenter (Version: 130.0.373.000)
Sonic CinePlayer Decoder Pack (Version: 4.2.0)
ST Microelectronics TPM Driver Installer (Version: 1.04.15)
Status (Version: 110.0.180.000)
TomTom HOME 2.7.3.1894 (Version: 2.7.3.1894)
TomTom HOME Visual Studio Merge Modules (Version: 1.0.2)
Toolbox (Version: 100.0.170.000)
TrayApp (Version: 110.0.180.000)
Trend Micro Client Server Security Agent (Version: 15.0.1307)
Trusted Drive Manager (Version: 2.6.0.80)
tsp patch (Version: 01.00.00.0000)
UnloadSupport (Version: 10.0.0)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft Office 2007 Help for Common Features (KB957244)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB957242)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB957245)
Update for Microsoft Office PowerPoint 2007 Help (KB957247)
Update for Microsoft Office Word 2007 Help (KB957252)
Update for Microsoft Script Editor Help (KB957253)
Update for Windows Internet Explorer 8 (KB2598845) (Version: 1)
Update for Windows XP (KB2141007) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2467659) (Version: 1)
Update for Windows XP (KB2541763) (Version: 1)
Update for Windows XP (KB2607712) (Version: 1)
Update for Windows XP (KB2616676) (Version: 1)
Update for Windows XP (KB2641690) (Version: 1)
Update for Windows XP (KB898461) (Version: 1)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2) (Version: 2)
Update for Windows XP (KB951618-v2) (Version: 2)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB955839) (Version: 1)
Update for Windows XP (KB967715) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB971737) (Version: 1)
Update for Windows XP (KB973687) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
UPEK TouchChip Fingerprint Reader (Version: 1.0.0)
VideoToolkit01 (Version: 100.0.128.000)
VLC media player 0.9.8a (Version: 0.9.8a)
Wave Infrastructure Installer (Version: 06.01.24.0000)
Wave Support Software (Version: 05.10.00.023)
WebFldrs XP (Version: 9.50.7523)
WebReg (Version: 100.0.170.000)
Windows Defender (Version: 1.1.1593.21)
Windows Driver Package - Dell Inc. PBADRV System (01/07/2008 1.0.1.5) (Version: 01/07/2008 1.0.1.5)
Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0) (Version: 08/22/2008 7.0.0.0)
Windows Driver Package - STMicroelectronics (stmtpm) System (05/24/2007 1.00.04.15) (Version: 05/24/2007 1.00.04.15)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Internet Explorer 7 (Version: 20070813.185237)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Live Call (Version: 14.0.8050.1202)
Windows Live Communications Platform (Version: 14.0.8050.1202)
Windows Live Essentials (Version: 14.0.8050.1202)
Windows Live Mail (Version: 14.0.8050.1202)
Windows Live Messenger (Version: 14.0.8050.1202)
Windows Live Photo Gallery (Version: 14.0.8051.1204)
Windows Live Sign-in Assistant (Version: 5.000.818.6)
Windows Live Sync (Version: 14.0.8050.1202)
Windows Live Toolbar (Version: 14.0.8052.1208)
Windows Live Upload Tool (Version: 14.0.8014.1029)
Windows Live Writer (Version: 14.0.8050.1202)
Windows Media Format 11 runtime
Windows Presentation Foundation (Version: 3.0.6920.0)
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0
XP Codec Pack

========================= Memory info: ===================================

Percentage of memory in use: 41%
Total physical RAM: 1979.52 MB
Available physical RAM: 1166.16 MB
Total Pagefile: 3871.97 MB
Available Pagefile: 3220.24 MB
Total Virtual: 2047.88 MB
Available Virtual: 1969.81 MB

========================= Partitions: =====================================

2 Drive c: (OS) (Fixed) (Total:232.77 GB) (Free:165.07 GB) NTFS
4 Drive e: (KATE'S USB) (Removable) (Total:0.12 GB) (Free:0.12 GB) FAT

========================= Users: ========================================

User accounts for \\D5QFMZ1S

Administrator Guest HelpAssistant
Kate Murphy Pat
SUPPORT_388945a0


**** End of log ****



Now running the Malwarebytes scan and having problem with aswMBR not working. Have downloaded it and run it but then nothing seems to happen.

*mod edit:HJT log removed. HJT logs are not allowed in Am I Infected? If logs are needed you will be directed to the Prep Guide in Malware Removal Logs ~ Queen-Evie*

Edited by Queen-Evie, 31 January 2012 - 07:06 PM.


#4 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:04:43 AM

Posted 31 January 2012 - 06:46 PM

Post MBAM log.

Instead of aswMBR....

Download Bootkit Remover to your Desktop.

  • Unzip downloaded file to your Desktop.
  • Double-click on boot_cleaner.exe to run the program (Vista/7 users,right click on boot_cleaner.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.

=================================================================

Please download and run ListParts by Farbar (for 32-bit system)

Please download and run ListParts64 by Farbar (for 64-bit system)

Click on Scan button.

Scan result will open in Notepad.
Post it in your next reply.

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#5 trentham

trentham
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:43 PM

Posted 31 January 2012 - 11:12 PM

Malwarebytes results:

There was 3 trojans found and removed, going to restart computer after this as the program advised and see if that made a difference

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.01.31.09

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Pat :: D5QFMZ1S [administrator]

Protection: Enabled

1/02/2012 10:07:40 AM
mbam-log-2012-02-01 (10-07-40).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 282881
Time elapsed: 1 hour(s), 25 minute(s), 45 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Documents and Settings\All Users\Application Data\PAwhgCLyHSr.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pat\Local Settings\Temp\17AF.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pat\Local Settings\Temp\YqU4QYPl30Ds2A.exe.tmp (Trojan.FakeAV) -> Quarantined and deleted successfully.

(end)

Bootkit results:

Bootkit Remover
© 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]


Done;
Press any key to quit...


ListParts by Farbar results:

************************************************************

========================= Memory info ======================

Percentage of memory in use: 47%
Total physical RAM: 1979.52 MB
Available physical RAM: 1038.04 MB
Total Pagefile: 3871.97 MB
Available Pagefile: 3010.27 MB
Total Virtual: 2047.88 MB
Available Virtual: 1999.84 MB

======================= Partitions =========================

2 Drive c: (OS) (Fixed) (Total:232.77 GB) (Free:165.06 GB) NTFS ==>[Drive with boot components (Windows XP)]
4 Drive e: (KATE'S USB) (Removable) (Total:0.12 GB) (Free:0.12 GB) FAT

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 233 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 55 MB 32 KB
Partition 2 Primary 233 GB 55 MB
Partition 3 Unknown 9 MB 233 GB

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No
There is no volume associated with this partition.

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C OS NTFS Partition 233 GB Healthy Boot

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.


****** End Of Log ******

#6 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:04:43 AM

Posted 31 January 2012 - 11:26 PM

You have the newest TDL rootkit there.
More advanced help will be needed.

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

In addition to the above you may post ListParts by Farbar log as well.

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users