dougcoleman
Members
Posts: 3
Reputation: 0 Neutral
  1. AN UPDATE: For myriad reasons, I made an XP slipstreamed SP3 disk and did a non-destructive re-installation of XP. I was able to run Malwarebytes. I will attach all log files here, this time zipping the right ones, and pasting the DDS results. I did have one instance of a redirect since then, on Google but not to ClickCheck, on Firefox. Here is the Malwarebytes log:

     Malwarebytes' Anti-Malware 1.44
     Database version: 3635
     Windows 5.1.2600 Service Pack 3
     Internet Explorer 6.0.2900.5512

     1/25/2010 9:57:05 AM
     mbam-log-2010-01-25 (09-57-05).txt

     Scan type: Quick Scan
     Objects scanned: 127158
     Time elapsed: 14 minute(s), 7 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)

     Here is the DDS log:

     DDS (Ver_09-12-01.01) - NTFSx86
     Run by Doug at 21:24:20.73 on Mon 01/25/2010
     Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1328 [GMT -5:00]

     AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
     FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

     ============== Running Processes ===============

     C:\WINDOWS\system32\svchost -k DcomLaunch
     svchost.exe
     C:\WINDOWS\System32\svchost.exe -k netsvcs
     C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
     svchost.exe
     svchost.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     C:\Program Files\Bonjour\mDNSResponder.exe
     C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
     C:\WINDOWS\system32\svchost.exe -k HPService
     C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
     C:\Program Files\Java\jre6\bin\jqs.exe
     C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
     C:\Program Files\Microsoft LifeCam\MSCamS32.exe
     C:\WINDOWS\System32\svchost.exe -k HPZ12
     C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe
     C:\WINDOWS\system32\nvsvc32.exe
     C:\WINDOWS\System32\svchost.exe -k HPZ12
     C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
     C:\Program Files\CyberLink\Shared Files\RichVideo.exe
     C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
     C:\WINDOWS\system32\svchost.exe -k imgsvc
     C:\Program Files\Canon\CAL\CALMAIN.exe
     C:\WINDOWS\Explorer.EXE
     C:\Program Files\iPod\bin\iPodService.exe
     C:\Program Files\Logitech\SetPoint\SetPoint.exe
     C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
     C:\Program Files\RocketDock\RocketDock.exe
     C:\Program Files\NETGEAR\PS121v2\PS121v2.exe
     C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
     C:\PROGRA~1\HP\Digital Imaging\bin\hpqbam08.exe
     C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
     C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
     C:\WINDOWS\system32\wuauclt.exe
     C:\Documents and Settings\Doug\Desktop\INSTALLERS\dds.scr

     ============== Pseudo HJT Report ===============

     uStart Page = hxxp://finance.yahoo.com/
     uSearch Page = hxxp://www.google.com
     uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
     uSearch Bar = hxxp://www.google.com/ie
     uDefault_Search_URL = hxxp://www.google.com/ie
     mDefault_Search_URL = hxxp://www.google.com/ie
     uInternet Connection Wizard,ShellNext = iexplore
     uInternet Settings,ProxyOverride = *.local
     uSearchAssistant = hxxp://www.google.com/ie
     uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
     mSearchAssistant = hxxp://www.google.com/ie
     BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
     BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
     BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
     BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.5.0.127\coIEPlg.dll
     BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.5.0.127\IPSBHO.DLL
     BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
     BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
     BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
     BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
     BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
     TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
     TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.5.0.127\coIEPlg.dll
     TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
     EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
     uRun: [i8kfangui] c:\program files\i8kfangui\I8kfanGUI.exe /startup
     uRun: [sIDEBAR] "c:\program files\desktop sidebar\dsidebar.exe"
     uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
     uRun: [scmsvcDraw] rundll32.exe "c:\documents and settings\doug\local settings\application data\scmsvcdraw\scmsvcDraw.dll", DllInit
     uRun: [unHackMe Monitor] c:\program files\unhackme\hackmon.exe
     mRun: [WG511WLU] c:\program files\netgear\wg511\utility\WG511WLU.exe -hide
     mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
     mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
     mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
     mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
     mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
     mRun: [VX3000] c:\windows\vVX3000.exe
     mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
     mRun: [blackArmorBackupMonitor.exe] c:\program files\seagate\blackarmorbackup\BlackArmorBackupMonitor.exe
     mRun: [AcronisTimounterMonitor] c:\program files\seagate\blackarmorbackup\TimounterMonitor.exe
     mRun: [seagate Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
     mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
     mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
     mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
     dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
     StartupFolder: c:\docume~1\doug\startm~1\programs\startup\bj status monitor canon mp780 series printer.lnk - c:\documents and settings\doug\cnmss Canon MP780 Series Printer (Local).exe
     StartupFolder: c:\docume~1\doug\startm~1\programs\startup\bj status monitor network canon mp780 series printer (copy 1).lnk - c:\documents and settings\doug\cnmss Network Canon MP780 Series Printer (Copy 1) (Local).exe
     StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Audible Download Manager.lnk.disabled
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hp digital imaging monitor.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
     uPolicies-explorer: MaxRecentDocs = 99 (0x63)
     mPolicies-system: HideShutdownScripts = 0 (0x0)
     IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
     IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
     IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
     IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
     IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
     IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
     IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
     IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
     IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
     IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
     IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
     Trusted Zone: turbotax.com
     Hosts: 127.0.0.1 www.spywareinfo.com

     ================= FIREFOX ===================

     FF - ProfilePath - c:\docume~1\doug\applic~1\mozilla\firefox\profiles\aozilvgr.default\
     FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
     FF - prefs.js: browser.startup.homepage - hxxp://www.rawstory.com/
     FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\coffplgn\components\coFFPlgn.dll
     FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\ipsffplgn\components\IPSFFPl.dll
     FF - component: c:\documents and settings\doug\application data\mozilla\firefox\profiles\aozilvgr.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
     FF - plugin: c:\documents and settings\doug\application data\mozilla\firefox\profiles\aozilvgr.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
     FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
     FF - plugin: c:\program files\mozilla firefox\plugins\np_gp.dll
     FF - plugin: c:\program files\mozilla firefox\plugins\np_gp.dll
     FF - plugin: c:\program files\mozilla firefox\plugins\np_gp.dll
     FF - plugin: c:\program files\mozilla firefox\plugins\np32dsw.dll
     FF - plugin: c:\program files\mozilla firefox\plugins\npdeploytk.dll
     FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
     FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
     FF - plugin: c:\program files\mozilla firefox\plugins\npLegitCheckPlugin.dll
     FF - plugin: c:\program files\mozilla firefox\plugins\npnul32.dll
     FF - plugin: c:\program files\mozilla firefox\plugins\nppdf32.dll
     FF - plugin: c:\program files\mozilla firefox\plugins\nppl3260.dll
     FF - plugin: c:\program files\mozilla firefox\plugins\NpPopup.dll
     FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin.dll
     FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin2.dll
     FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin3.dll
     FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin4.dll
     FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin5.dll
     FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin6.dll
     FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin7.dll
     FF - plugin: c:\program files\mozilla firefox\plugins\nprjplug.dll
     FF - plugin: c:\program files\mozilla firefox\plugins\nprpjplug.dll
     FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
     FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
     FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

     ---- FIREFOX POLICIES ----
     FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
     c:\program files\minefield\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "");
     c:\program files\minefield\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "");
     c:\program files\minefield\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-f-CN", "");

     ============= SERVICES / DRIVERS ===============

     R0 CFRPD;cfrpd;c:\windows\system32\drivers\CFRPD.sys [2009-8-4 56736]
     R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-1-22 64288]
     R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1105000.07f\symds.sys [2010-1-11 328752]
     R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1105000.07f\symefa.sys [2010-1-11 172592]
     R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\bashdefs\20091205.001\BHDrvx86.sys [2009-12-17 529456]
     R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1105000.07f\cchpx86.sys [2010-1-11 501888]
     R1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [2006-12-19 20480]
     R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1105000.07f\ironx86.sys [2010-1-11 116272]
     R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
     R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.5.0.127\ccsvchst.exe [2010-1-11 126392]
     R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\common files\seagate\schedule2\schedul2.exe [2009-7-23 617968]
     R3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [2005-11-27 16194]
     R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-10-27 102448]
     R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\ipsdefs\20100119.001\IDSXpx86.sys [2010-1-19 329592]
     R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20100125.003\NAVENG.SYS [2010-1-25 84912]
     R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20100125.003\NAVEX15.SYS [2010-1-25 1323568]
     R3 NETGEARUHOST;NETGEAR Network USB Host Controller;c:\windows\system32\drivers\NETGEARUHOST.sys [2007-11-19 12032]
     R3 NETGEARUHUB;NETGEAR Network USB Root Hub;c:\windows\system32\drivers\NETGEARUHUB.sys [2007-11-19 39424]
     R3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;c:\windows\system32\drivers\WG511ICB.sys [2007-12-19 393472]
     S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2010-1-24 34760]
     S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2008-1-1 25244]
     S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\2a.tmp --> c:\windows\system32\2A.tmp [?]
     S3 NETGEARUCOMP;NETGEAR Network USB Composite Device;c:\windows\system32\drivers\NETGEARUCOMP.sys [2007-11-19 12672]
     S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2010-1-24 24416]
     S3 rtl8180;NETGEAR MA521 802.11b Wireless PC Card;c:\windows\system32\drivers\MA521nd5.sys [2005-11-28 158848]
     S4 PCCare Premium;PCCare Premium; [x]

     =============== Created Last 30 ================

     2010-01-25 12:53:58 14336 -c--a-w- c:\windows\system32\dllcache\tsprof.exe
     2010-01-25 12:52:56 38912 -c--a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
     2010-01-25 12:51:59 35328 -c--a-w- c:\windows\system32\dllcache\iprip.dll
     2010-01-25 12:50:57 78848 -c--a-w- c:\windows\system32\dllcache\dayi.ime
     2010-01-25 12:49:51 20538 -c--a-w- c:\windows\system32\dllcache\fpremadm.exe
     2010-01-25 12:42:05 488 ---ha-r- c:\windows\system32\logonui.exe.manifest
     2010-01-25 12:41:52 749 ---ha-r- c:\windows\WindowsShell.Manifest
     2010-01-25 12:41:52 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest
     2010-01-25 12:41:52 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest
     2010-01-25 12:41:52 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest
     2010-01-25 12:41:20 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
     2010-01-25 04:06:20 5208 ----a-w- c:\windows\system32\pid.PNF
     2010-01-25 02:23:31 0 d-----w- C:\XP_SP3
     2010-01-25 02:11:26 0 d-----w- c:\program files\nLite
     2010-01-25 01:27:23 331805736 ----a-w- C:\XPSP3.exe
     2010-01-25 01:15:24 2048 ----a-w- C:\w2ksect.bin
     2010-01-25 01:15:24 0 d-----w- C:\cds
     2010-01-25 00:45:48 0 d-----w- C:\XPSETUP
     2010-01-24 23:51:04 0 d-----w- c:\program files\Panda Security
     2010-01-24 23:46:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-01-24 23:46:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-01-24 23:46:12 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
     2010-01-24 21:04:13 0 ----a-w- c:\documents and settings\doug\defogger_reenable
     2010-01-24 18:43:42 0 d-----w- C:\temp
     2010-01-24 15:54:38 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
     2010-01-24 14:55:56 2 --shatr- c:\windows\winstart.bat
     2010-01-24 14:55:13 35040 ----a-w- c:\windows\system32\Partizan.exe
     2010-01-24 14:55:13 34760 ----a-w- c:\windows\system32\drivers\Partizan.sys
     2010-01-24 14:54:42 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
     2010-01-24 14:54:36 0 d-----w- c:\program files\UnHackMe
     2010-01-23 00:44:23 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
     2010-01-23 00:41:40 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
     2010-01-23 00:36:11 1374 ----a-w- c:\windows\imsins.BAK
     2010-01-20 01:40:15 43 ----a-w- c:\windows\gswin32.ini
     2010-01-19 22:32:18 24832 ----a-w- c:\windows\system32\drivers\lgusbmodem.sys
     2010-01-19 22:32:18 19968 ----a-w- c:\windows\system32\drivers\lgusbdiag.sys
     2010-01-19 22:32:18 13056 ----a-w- c:\windows\system32\drivers\lgusbbus.sys
     2010-01-19 22:32:17 0 d-----w- c:\program files\LG Electronics
     2010-01-19 22:23:08 29960 ----a-w- c:\windows\setupapi.old
     2010-01-19 17:12:33 2100 ----a-w- c:\windows\system32\BioPdf.PdfWriter.Lib.tlb
     2010-01-19 17:09:29 0 d-----w- c:\program files\PDF_PRINTER
     2010-01-19 14:37:47 0 d-----w- c:\program files\MSECache
     2010-01-16 19:38:30 0 d-----w- c:\program files\SyncToy 2.1
     2010-01-12 01:52:08 47408 ----a-r- c:\windows\system32\drivers\SymIM.sys
     2009-12-31 00:58:38 0 d-----w- c:\program files\itunes_album_art
     2009-12-30 21:02:19 13824 ----a-w- c:\documents and settings\doug\cnmss Canon MP780 Series Printer (Local).exe
     2009-12-30 21:01:03 13824 ----a-w- c:\documents and settings\doug\cnmss Network Canon MP780 Series Printer (Copy 1) (Local).exe
     2009-12-30 19:50:05 0 d-----w- c:\docume~1\doug\applic~1\Seagate
     2009-12-30 17:09:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Seagate
     2009-12-30 16:47:47 971552 ----a-w- c:\windows\system32\drivers\tdrpm174.sys
     2009-12-30 16:47:39 568384 ----a-w- c:\windows\system32\drivers\timntr.sys
     2009-12-30 16:47:22 134272 ----a-w- c:\windows\system32\drivers\snman380.sys
     2009-12-30 16:46:50 0 d-----w- c:\program files\common files\Seagate
     2009-12-30 16:36:17 0 d-----w- c:\program files\Seagate
     2009-12-29 04:49:22 0 d-----w- c:\docume~1\doug\applic~1\Tific
     2009-12-29 04:31:05 0 d-----w- c:\program files\Sonos
     2009-12-29 04:27:41 0 d-----w- c:\docume~1\alluse~1\applic~1\Sonos

     ==================== Find3M ====================

     2010-01-25 14:37:05 11242 -c--a-w- c:\windows\system32\nvModes.dat
     2010-01-25 12:40:30 22704 -c--a-w- c:\windows\system32\emptyregdb.dat
     2010-01-24 03:21:00 175184 -c--a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
     2010-01-21 01:35:33 172072 -c--a-w- c:\docume~1\doug\applic~1\GDIPFONTCACHEV1.DAT
     2010-01-01 17:01:34 131492 -c-ha-w- c:\windows\system32\mlfcache.dat
     2009-12-14 19:15:14 2146304 ----a-w- c:\windows\system32\GPhotos.scr
     2009-12-03 03:33:04 737280 -c--a-w- c:\windows\iun6002.exe
     2009-11-30 22:57:20 77348 ----a-w- c:\windows\hpqins05.dat
     2009-11-01 23:55:14 51716 ----a-w- c:\windows\system32\pdf995mon.dll
     2009-11-01 23:55:14 249856 ----a-w- c:\windows\system32\pdfmona.dll
     2008-07-16 18:27:05 262144 -c--a-w- c:\program files\Uninstall Spy Blocker.dll
     2000-01-20 03:41:14 49664 -c----w- c:\program files\JEZZBALL.EXE
     2008-05-10 20:52:15 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051020080511\index.dat

     ============= FINISH: 21:25:13.16 ===============

     Attachments: Attach2.zip, DDS2.txt, mbam_log_2010_01_25__09_57_05_.txt
  2. I am creating this post as a result of posting in another area. I have read topic 9573 "I'm Infected...." I noticed the following the other week after regrettably downloading a free PDF printer utility (Bullzip, which lets you print to a PDF file). I should start by saying that I did not successfully install Bullzip, as it kept asking for HP driver files to work with the Ghostscript emulator. I removed the Bullzip install files, and as it had installed Ghostscript before I got to the point of abandoning the install, I uninstalled Ghostscript through the Control Panel. I noticed that when I started up Windows (I usually keep my computer on 24/7, so I only restart when installing something or if something crashes) my print monitor would appear on the desktop during boot-up. This had never happened before. The printer icon would also appear in the systray, but when I floated over it to see what might balloon up, the icon would disappear. The printer in question is a Canon MP 780 connected through a Netgear PS121. Then two days ago I started to notice that I am being redirected to ClickCheck from Google searches. Not always, in fact probably 10 percent of the time. You can't seem to right-click to back out, but you can pull down the history adjacent to the forward/back buttons. This is when using the latest version of Firefox. I am also occasionally getting error messages from Firefox that say "URL is not valid and cannot be loaded". At first, I found that disabling the Google Toolbar as a Firefox extension worked in solving this problem. When it would originally appear, you could close it and the window would work fine. Lately, it will pop up while doing a Google search and keep persisting so you can never complete the search. The search terms were not necessarily malware related. I also noticed an update to IE8 from Microsoft that came off schedule from Patch Tuesday.

     In researching the ClickCheck situation I saw a lot of postings on the Google redirect virus, and I thought this all might be connected. I downloaded and installed the MS IE8 patch. Since downloading the patch, I have used IE8 once, when the problem with Firefox and the "URL is not valid" problem showed up. I was redirected to a Hong Kong tailoring site when I searched for something. In trying to fulfill the instructions of the 9573 document from the Malwarebytes forums, I tried to run Malwarebytes. I had it previously installed, and it always ran in the past. I kept getting the 50003 error. The same is true with HijackThis. Note that when I was trying to install and run Malwarebytes, I tried to rename comctl32.dll and .ocx, and comdlg32.dll and .ocx. Windows kept replacing the comdlg file, as noted in one of the log file lines. This is pasted from attach.txt:

     1/23/2010 11:10:20 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file comdlg32.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.5512.
     1/23/2010 11:09:52 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file comctl32.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 5.82.2900.5512.

     I did perform everything else in the 9573 document, and I am attaching the files here, as well as pasting the GMER log.

     GMER 1.0.15.15281 - http://www.gmer.net
     Rootkit scan 2010-01-24 18:42:15
     Windows 5.1.2600 Service Pack 3
     Running: so0nf22h.exe; Driver: C:\DOCUME~1\Doug\LOCALS~1\Temp\pxtdapow.sys

     ---- System - GMER 1.0.15 ----

     SSDT 8A0F2050 ZwAlertResumeThread
     SSDT 8A0F3050 ZwAlertThread
     SSDT 8A8A7F38 ZwAllocateVirtualMemory
     SSDT 8A0E0050 ZwAssignProcessToJobObject
     SSDT 8A9671B8 ZwConnectPort
     SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB41CC210]
     SSDT 8A94E080 ZwCreateMutant
     SSDT 8A9C6FC0 ZwCreateSymbolicLinkObject
     SSDT 8A8A0B38 ZwCreateThread
     SSDT 8A0E2050 ZwDebugActiveProcess
     SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB41CC490]
     SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB41CC9F0]
     SSDT 8A930548 ZwDuplicateObject
     SSDT 8A8A7D98 ZwFreeVirtualMemory
     SSDT 8A0EE050 ZwImpersonateAnonymousToken
     SSDT 8A0F0050 ZwImpersonateThread
     SSDT 8A9ED340 ZwLoadDriver
     SSDT 8A8A53C0 ZwMapViewOfSection
     SSDT 8A0EA050 ZwOpenEvent
     SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwOpenKey [0xB41CC7A0]
     SSDT 8A525630 ZwOpenProcess
     SSDT 8A89D350 ZwOpenProcessToken
     SSDT 8A0E6050 ZwOpenSection
     SSDT 8A5235E8 ZwOpenThread
     SSDT 8A517908 ZwProtectVirtualMemory
     SSDT 8A0F5050 ZwResumeThread
     SSDT 8A118050 ZwSetContextThread
     SSDT 8A8A5268 ZwSetInformationProcess
     SSDT 8A0E3050 ZwSetSystemInformation
     SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB41CCC40]
     SSDT 8A0E8050 ZwSuspendProcess
     SSDT 8A89E050 ZwSuspendThread
     SSDT 8A894398 ZwTerminateProcess
     SSDT 8A12F050 ZwTerminateThread
     SSDT 8A54F050 ZwUnmapViewOfSection
     SSDT 8A8A7E68 ZwWriteVirtualMemory

     ---- Devices - GMER 1.0.15 ----

     AttachedDevice \FileSystem\Ntfs \Ntfs tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
     AttachedDevice \FileSystem\Ntfs \Ntfs cfrpd.sys (COMODO Safe Delete Filter/COMODO Security Solutions Inc.)
     AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
     AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

     ---- Disk sectors - GMER 1.0.15 ----

     Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

     ---- EOF - GMER 1.0.15 ----

     Attachments: Attach.zip, ark.txt
  3. I am getting very frustrated and concerned, having noticed the redirect virus from Google always sending me to ClickCheck. When I try to run Malwarebytes I get runtime error 50003. I was changing the comctl32.dll and .ocx files, and the comdlg32.dll and .ocx files, as suggested. I noticed that as I renamed comdlg32.dll to old_comdlg32.dll, the original comdlg32.dll would replicate itself. I renamed it several times and it kept coming back. I then deleted it, and again, it kept coming back. I can't run Malwarebytes or HijackThis: "I get the unexpected error 50003". I have run Ad-Aware, Spybot S&D, and Trend HouseCall. I also ran Avenger with the suggested script found on the web, and it reported no rootkits. I am running XP SP3. I run Norton 2010, with all of the default settings that came installed.
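As an added example (not part of the forum posts or of the DDS tool), the following Python triages the autorun and Hosts lines of a DDS "Pseudo HJT Report" section for the two patterns that stand out in the first post's log: a uRun entry where rundll32.exe loads a DLL from a user-writable profile directory, and a Hosts entry that maps a security site to 127.0.0.1. The sample lines are constructed to match the DDS format, and the directory and domain lists are assumptions a responder would tune for their own environment.

```python
"""Triage helper for the autorun/Hosts lines of a DDS log (added example).

Not part of the forum thread or the DDS tool. It reads lines in the style
of the "Pseudo HJT Report" section and flags:
  * uRun/mRun/dRunOnce entries where rundll32.exe loads a DLL from a
    user-writable profile directory (the shape of the scmsvcDraw entry), and
  * Hosts entries binding a security-related name to loopback.
The sample log at the bottom is constructed, not taken from a real machine.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Windows XP profile directories an unprivileged process can write to
# (assumed list). Legitimate startup DLLs live under Program Files or
# System32; a DLL registered to run from one of these is the first
# thing a responder looks at.
USER_WRITABLE_DIRS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\application data\\",
    "\\documents and settings\\",
)

# Names whose loopback mapping cuts the machine off from help or updates.
# Assumed list; extend with the vendors relevant to the environment.
SECURITY_DOMAINS = (
    "spywareinfo.com", "malwarebytes.org", "symantec.com", "microsoft.com",
)

RUN_RE = re.compile(r"^(?P<hive>[umd]Run(?:Once)?):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s*(?P<ip>\S+)\s+(?P<host>\S+)")
# Matches both  rundll32.exe "c:\path\x.dll", Entry  and  RUNDLL32.EXE c:\path\x.dll,Entry
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.I)


@dataclass
class Finding:
    line: str
    reason: str


def dll_in_user_writable_dir(path: str) -> bool:
    """True when the DLL path is under a directory a normal user can write."""
    p = path.lower()
    return any(d in p for d in USER_WRITABLE_DIRS)


def triage_line(line: str) -> list[Finding]:
    """Return the findings for one DDS line; an empty list means nothing flagged."""
    line = line.strip()
    run = RUN_RE.match(line)
    if run:
        hit = RUNDLL_RE.search(run.group("cmd"))
        if hit and dll_in_user_writable_dir(hit.group("dll")):
            return [Finding(line, f"{run.group('hive')} entry '{run.group('name')}' uses rundll32 "
                                  f"to load {hit.group('dll').strip()} (export {hit.group('export')}) "
                                  "from a user-writable directory")]
        return []
    hosts = HOSTS_RE.match(line)
    if hosts and hosts.group("ip") in ("127.0.0.1", "0.0.0.0"):
        name = hosts.group("host").lower()
        if any(name == d or name.endswith("." + d) for d in SECURITY_DOMAINS):
            return [Finding(line, f"Hosts file sinkholes {hosts.group('host')} to {hosts.group('ip')}")]
    return []


def triage_log(text: str) -> list[Finding]:
    """Run triage_line over every line of a pasted DDS log."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        findings.extend(triage_line(raw))
    return findings


# Constructed sample in the DDS format; the second uRun line mirrors the
# shape of the suspicious entry in the thread, with a made-up user name.
SAMPLE_LOG = """\
uRun: [RocketDock] "c:\\program files\\rocketdock\\RocketDock.exe"
uRun: [scmsvcDraw] rundll32.exe "c:\\documents and settings\\user\\local settings\\application data\\scmsvcdraw\\scmsvcDraw.dll", DllInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\\windows\\system32\\NvCpl.dll,NvStartup
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 127.0.0.1 localhost
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"FLAG: {f.reason}\n      {f.line}")
```

Running it on the constructed sample flags exactly two lines: the rundll32 entry loading from Local Settings\Application Data and the Hosts line for www.spywareinfo.com; the System32 rundll32 entry and the localhost mapping pass.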