Rique

Malware/Virus that Isn't being Detected

14 posts in this topic

Hello,

First, I appreciate any help you could give me in getting rid of whatever malware I have on my machine. I am running Windows XP, SP3. Last week, while surfing online (using IE), an error window popped up saying the program needed to terminate. Shortly after re-opening the program the anti-virus software (Trend-Micro) gave an alert that a dangerous website (pda.mv.bidsystem) was attempting to open but was successfully blocked. These redirects have been occuring ever since.

The anti-virus software has not detected anything. After running both Spybot and Malwarebytes (both detecting a few minor files which were promptly removed), the redirect attempts persisted (always blocked by anti-virus software). Now, the anti-virus software, Spybot, and Malwarebytes have been unable to detect any issues, despite the problems continuing. I have run all three programs in both normal and safe mode.

Below is the last Malwarebytes log file and DDS/GMER log files that were requested. All were generated under safe-mode. Again, I appreciate any help you could provide. Thanks!

#################

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7696

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

9/15/2011 6:31:44 PM

mbam-log-2011-09-15 (18-31-43).txt

Scan type: Quick scan

Objects scanned: 181782

Time elapsed: 8 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

#########################

.

DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK

Internet Explorer: 7.0.5730.13

Run by Jamie at 18:41:20 on 2011-09-15

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1723 [GMT -4:00]

.

AV: Trend Micro OfficeScan Antivirus *Disabled/Outdated* {4CA5B9AB-4295-4D4C-9664-0EBE85AE0525}

FW: Norton Internet Worm Protection *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Jamie\Desktop\Defogger.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q306&bd=presario&pf=laptop

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [Google Update] "c:\documents and settings\jamie\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [nsWebPath] rundll32.exe "c:\documents and settings\jamie\local settings\application data\unimouseservices\nsWebPath.dll",i18UserPort BthPathmm

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [WdGLxx] rundll32.exe "c:\documents and settings\jamie\local settings\application data\winglwan\WdGLxx.dll",wmicfgTask nsWebPlay

mRun: [sunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe

mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [MsmqIntCert] regsvr32 /s mqrt.dll

mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [<NO NAME>]

mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe

mRun: [RecGuard] c:\windows\sminst\RecGuard.exe

mRun: [Reminder] c:\windows\creator\Remind_XP.exe

mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"

StartupFolder: c:\docume~1\jamie\startm~1\programs\startup\vongot~1.lnk - c:\program files\vongo\Tray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\palm\HOTSYNC.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: duke.edu\idcri.dcri

Trusted Zone: duke.edu\idcri2.dcri

DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} - hxxps://idcri2.dcri.duke.edu/vdesk/cachecleaner.cab#version=7000,2010,0611,2020

DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/69.09/uploader2.cab

DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab

DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - hxxps://idcri2.dcri.duke.edu/vdesk/terminal/f5tunsrv.cab#version=7000,2010,611,2051

DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - hxxps://idcri2.dcri.duke.edu/vdesk/terminal/InstallerControl.cab

DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} - hxxps://idcri2.dcri.duke.edu/vdesk/terminal/f5InspectionHost.cab#version=7000,2010,0611,2024

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} - hxxp://community.webshots.com/html/WSPhotoUploader.CAB

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} - hxxps://idcri2.dcri.duke.edu/vdesk/terminal/urxshost.cab#version=7000,2010,611,2044

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - hxxps://idcri2.dcri.duke.edu/vdesk/terminal/urxhost.cab#version=7000,2010,611,2119

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} - hxxps://idcri2.dcri.duke.edu/policy/download_binary.php/win32/f5syschk.cab#Version=7000,2010,0611,2049

TCP: DhcpNameServer = 192.168.2.1 209.18.47.61 209.18.47.62

TCP: Interfaces\{30283590-6D05-4CBD-B7FD-7393CF17E9B5} : DhcpNameServer = 192.168.2.1 209.18.47.61 209.18.47.62

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 127.0.0.1 www.spywareinfo.com

.

============= SERVICES / DRIVERS ===============

.

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-4 135664]

S2 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2010-8-8 91456]

S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-1-5 58448]

S2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXpflt.sys [2009-9-30 249424]

S2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\TmPreflt.sys [2009-9-30 36432]

S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-18 24652]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-4 135664]

S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2009-7-15 689488]

S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2010-11-11 268528]

.

=============== Created Last 30 ================

.

2011-09-11 19:06:30 -------- d-----w- c:\documents and settings\jamie\application data\Malwarebytes

2011-09-11 19:06:17 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-09-11 19:06:16 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-09-11 19:06:12 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-11 19:06:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-09-10 23:12:09 -------- d-----w- c:\windows\pss

2011-09-10 21:33:21 -------- d-----w- c:\documents and settings\jamie\local settings\application data\winGLWan

2011-09-10 15:42:56 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-09-10 15:42:56 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy

2011-09-09 23:47:19 -------- d-----w- c:\documents and settings\jamie\local settings\application data\uniMouseServices

2011-09-03 10:17:37 599040 ------w- c:\windows\system32\dllcache\crypt32.dll

.

==================== Find3M ====================

.

2011-09-03 10:17:37 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-21 18:45:58 832512 ----a-w- c:\windows\system32\wininet.dll

2011-06-21 18:45:57 78336 ----a-w- c:\windows\system32\ieencode.dll

2011-06-21 18:45:57 1830912 ------w- c:\windows\system32\inetcpl.cpl

2011-06-21 18:45:57 17408 ------w- c:\windows\system32\corpol.dll

2011-06-21 11:47:20 389120 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll

.

============= FINISH: 18:42:52.20 ===============

##############

GMER 1.0.15.15641 - http://www.gmer.net

Rootkit quick scan 2011-09-15 18:47:00

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 FUJITSU_ rev.892C

Running: l1ijk6ez.exe; Driver: C:\DOCUME~1\Jamie\LOCALS~1\Temp\fxtyapog.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.15 ----

Share this post


Link to post
Share on other sites

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

Share this post


Link to post
Share on other sites

I appreciate your help. Below are the log files you requested.

#######

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 7733

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 7.0.5730.13

9/17/2011 9:32:09 AM

mbam-log-2011-09-17 (09-32-09).txt

Scan type: Quick scan

Objects scanned: 180957

Time elapsed: 3 minute(s), 48 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

#######

ComboFix 11-09-16.01 - Jamie 09/17/2011 10:10:31.1.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1612 [GMT -4:00]

Running from: c:\documents and settings\Jamie\Desktop\ComboFix.exe

AV: Trend Micro OfficeScan Antivirus *Disabled/Outdated* {4CA5B9AB-4295-4D4C-9664-0EBE85AE0525}

FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory

c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\csc.exe.3e4ac0af.ini

c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini

c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini.inuse

c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\hpqthb08.exe.a935d1e0.ini

c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\IEActivex.exe.cccdbce.ini

c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini

c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\SL1E2.tmp.90ba6ae7.ini

c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\SL84.tmp.c67ef9e5.ini

c:\documents and settings\All Users\Start Menu\Programs\System Recovery

c:\documents and settings\All Users\Start Menu\Programs\System Recovery\Application & Driver Recovery.lnk

c:\documents and settings\All Users\Start Menu\Programs\System Recovery\PC Recovery Disc Creator.lnk

c:\documents and settings\All Users\Start Menu\Programs\System Recovery\PC Recovery.lnk

c:\documents and settings\Jamie\Local Settings\Application Data\ApplicationHistory

c:\documents and settings\Jamie\Local Settings\Application Data\ApplicationHistory\csc.exe.3e4ac0af.ini

c:\documents and settings\Jamie\Local Settings\Application Data\ApplicationHistory\HpqDIA.exe.6faf1b3a.ini

c:\documents and settings\Jamie\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini

c:\documents and settings\Jamie\Local Settings\Application Data\ApplicationHistory\hpqthb08.exe.a935d1e0.ini

c:\documents and settings\Jamie\Local Settings\Application Data\ApplicationHistory\IEActivex.exe.cccdbce.ini

c:\documents and settings\Jamie\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini

c:\documents and settings\Jamie\Local Settings\Application Data\ApplicationHistory\SL1E2.tmp.90ba6ae7.ini

c:\documents and settings\Jamie\Local Settings\Application Data\ApplicationHistory\SL84.tmp.c67ef9e5.ini

c:\documents and settings\Jamie\Local Settings\Application Data\uniMouseServices\nsWebPath.dll

c:\documents and settings\Jamie\Local Settings\Application Data\winGLWan\WdGLxx.dll

c:\documents and settings\Jamie\WINDOWS

c:\program files\Microsoft Office\Office11\OSA.exe

c:\program files\Skype\Plugin Manager\SkypePM.exe

c:\windows\system32\d3d9caps.dat

D:\Autorun.inf

.

.

((((((((((((((((((((((((( Files Created from 2011-08-17 to 2011-09-17 )))))))))))))))))))))))))))))))

.

.

2011-09-11 19:06 . 2011-09-11 19:06 -------- d-----w- c:\documents and settings\Jamie\Application Data\Malwarebytes

2011-09-11 19:06 . 2011-09-11 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-09-11 19:06 . 2011-09-17 13:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-09-11 19:06 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-10 21:33 . 2011-09-17 14:15 -------- d-----w- c:\documents and settings\Jamie\Local Settings\Application Data\winGLWan

2011-09-10 15:42 . 2011-09-10 21:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2011-09-10 15:42 . 2011-09-10 15:45 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-09-09 23:47 . 2011-09-17 14:15 -------- d-----w- c:\documents and settings\Jamie\Local Settings\Application Data\uniMouseServices

2011-09-03 10:17 . 2011-09-03 10:17 599040 ------w- c:\windows\system32\dllcache\crypt32.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-03 10:17 . 2004-08-04 21:00 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-07-15 13:29 . 2005-01-19 12:26 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02 . 2004-08-04 21:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10 . 2004-08-04 21:00 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-21 18:45 . 2004-08-04 21:00 832512 ----a-w- c:\windows\system32\wininet.dll

2011-06-21 18:45 . 2004-08-04 21:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2011-06-21 18:45 . 2004-08-04 21:00 1830912 ------w- c:\windows\system32\inetcpl.cpl

2011-06-21 18:45 . 2004-08-04 21:00 17408 ------w- c:\windows\system32\corpol.dll

2011-06-21 11:47 . 2004-08-04 21:00 389120 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44 . 2004-08-04 21:00 293376 ----a-w- c:\windows\system32\winsrv.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-20 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-11 36975]

"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 454656]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]

"MsmqIntCert"="mqrt.dll" [2009-06-25 177152]

"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 61952]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 761948]

"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-04-12 102400]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 49152]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]

"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-07 131072]

"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]

"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]

"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]

"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2011-03-23 866784]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-11-11 159472]

.

c:\documents and settings\Default User\Start Menu\Programs\Startup\

Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-3-14 73728]

.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-3-14 73728]

.

c:\documents and settings\Jamie\Start Menu\Programs\Startup\

Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-3-14 73728]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HotSync Manager.lnk - c:\palm\HOTSYNC.EXE [2007-1-21 299008]

HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]

HP Photosmart Premier Fast Start.lnk - c:\program files\Hp\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"38293:UDP"= 38293:UDP:Symantec - Intel PDS listening for Ping Packets

"2967:UDP"= 2967:UDP:Symantec - RTVScan request to Winsock

"21264:TCP"= 21264:TCP:Trend Micro OfficeScan Listener

.

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2010 9:29 PM 135664]

S2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [8/8/2010 6:06 PM 91456]

S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [1/5/2010 4:01 PM 58448]

S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXpflt.sys [9/30/2009 3:38 PM 249424]

S2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\TmPreflt.sys [9/30/2009 3:37 PM 36432]

S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/18/2007 3:27 PM 24652]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2010 9:29 PM 135664]

S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [7/15/2009 5:37 PM 689488]

S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [11/11/2010 1:57 PM 268528]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - MDMXSDK

.

Contents of the 'Scheduled Tasks' folder

.

2011-09-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 01:29]

.

2011-09-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 01:29]

.

2011-09-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1926652861-1391668054-1176334005-1005Core.job

- c:\documents and settings\Jamie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-27 13:40]

.

2011-09-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1926652861-1391668054-1176334005-1005UA.job

- c:\documents and settings\Jamie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-27 13:40]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

Trusted Zone: duke.edu\idcri.dcri

Trusted Zone: duke.edu\idcri2.dcri

TCP: DhcpNameServer = 192.168.2.1 209.18.47.61 209.18.47.62

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-nsWebPath - c:\documents and settings\Jamie\Local Settings\Application Data\uniMouseServices\nsWebPath.dll

HKCU-Run-WdGLxx - c:\documents and settings\Jamie\Local Settings\Application Data\winGLWan\WdGLxx.dll

SafeBoot-WudfPf

SafeBoot-WudfRd

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-09-17 10:17

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ???xc??????(?@???????@

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

Completion time: 2011-09-17 10:20:05

ComboFix-quarantined-files.txt 2011-09-17 14:20

.

Pre-Run: 76,699,893,760 bytes free

Post-Run: 76,911,702,016 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 138DCA109EC78C9485AED06B7B27ADBF

#######

.

DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK

Internet Explorer: 7.0.5730.13

Run by Jamie at 10:23:19 on 2011-09-17

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1632 [GMT -4:00]

.

AV: Trend Micro OfficeScan Antivirus *Disabled/Outdated* {4CA5B9AB-4295-4D4C-9664-0EBE85AE0525}

FW: Norton Internet Worm Protection *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\explorer.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

mRun: [sunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe

mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [MsmqIntCert] regsvr32 /s mqrt.dll

mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe

mRun: [RecGuard] c:\windows\sminst\RecGuard.exe

mRun: [Reminder] c:\windows\creator\Remind_XP.exe

mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"

StartupFolder: c:\docume~1\jamie\startm~1\programs\startup\vongot~1.lnk - c:\program files\vongo\Tray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\palm\HOTSYNC.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: duke.edu\idcri.dcri

Trusted Zone: duke.edu\idcri2.dcri

DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} - hxxps://idcri2.dcri.duke.edu/vdesk/cachecleaner.cab#version=7000,2010,0611,2020

DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/69.09/uploader2.cab

DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab

DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - hxxps://idcri2.dcri.duke.edu/vdesk/terminal/f5tunsrv.cab#version=7000,2010,611,2051

DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - hxxps://idcri2.dcri.duke.edu/vdesk/terminal/InstallerControl.cab

DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} - hxxps://idcri2.dcri.duke.edu/vdesk/terminal/f5InspectionHost.cab#version=7000,2010,0611,2024

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} - hxxp://community.webshots.com/html/WSPhotoUploader.CAB

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} - hxxps://idcri2.dcri.duke.edu/vdesk/terminal/urxshost.cab#version=7000,2010,611,2044

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - hxxps://idcri2.dcri.duke.edu/vdesk/terminal/urxhost.cab#version=7000,2010,611,2119

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} - hxxps://idcri2.dcri.duke.edu/policy/download_binary.php/win32/f5syschk.cab#Version=7000,2010,0611,2049

TCP: DhcpNameServer = 192.168.2.1 209.18.47.61 209.18.47.62

TCP: Interfaces\{30283590-6D05-4CBD-B7FD-7393CF17E9B5} : DhcpNameServer = 192.168.2.1 209.18.47.61 209.18.47.62

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-4 135664]

S2 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2010-8-8 91456]

S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-1-5 58448]

S2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXpflt.sys [2009-9-30 249424]

S2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\TmPreflt.sys [2009-9-30 36432]

S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-18 24652]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-4 135664]

S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2009-7-15 689488]

S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2010-11-11 268528]

.

=============== Created Last 30 ================

.

2011-09-17 14:08:36 -------- d-sha-r- C:\cmdcons

2011-09-17 14:04:06 98816 ----a-w- c:\windows\sed.exe

2011-09-17 14:04:06 518144 ----a-w- c:\windows\SWREG.exe

2011-09-17 14:04:06 256000 ----a-w- c:\windows\PEV.exe

2011-09-17 14:04:06 208896 ----a-w- c:\windows\MBR.exe

2011-09-11 19:06:30 -------- d-----w- c:\documents and settings\jamie\application data\Malwarebytes

2011-09-11 19:06:16 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-09-11 19:06:12 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-11 19:06:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-09-10 23:12:09 -------- d-----w- c:\windows\pss

2011-09-10 21:33:21 -------- d-----w- c:\documents and settings\jamie\local settings\application data\winGLWan

2011-09-10 15:42:56 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-09-10 15:42:56 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy

2011-09-09 23:47:19 -------- d-----w- c:\documents and settings\jamie\local settings\application data\uniMouseServices

2011-09-03 10:17:37 599040 ------w- c:\windows\system32\dllcache\crypt32.dll

.

==================== Find3M ====================

.

2011-09-03 10:17:37 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-21 18:45:58 832512 ----a-w- c:\windows\system32\wininet.dll

2011-06-21 18:45:57 78336 ----a-w- c:\windows\system32\ieencode.dll

2011-06-21 18:45:57 1830912 ------w- c:\windows\system32\inetcpl.cpl

2011-06-21 18:45:57 17408 ------w- c:\windows\system32\corpol.dll

2011-06-21 11:47:20 389120 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll

.

============= FINISH: 10:23:59.65 ===============

Share this post


Link to post
Share on other sites

Hi,

I see you have Viewpoint installed...

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". I suggest you remove the program now. Navigate to Start --> Control Panel --> Add or Remove Programs and uninstall the following programs if present.


  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar

Let me know if you decided to uninstall it.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

Share this post


Link to post
Share on other sites

Thanks for the easy-to-follow instructions. I ran both programs as requested, and the log files are below. I did uninstall Viewpoint (thanks for filling me in on this). The ESET program reported removing several files. As of yet, there have been no further issues with redirects, or any other signs of trouble. Thanks again for all the continued help!

#######

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=7.00.6000.17099 (vista_gdr.110617-1500)

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=c69b08bfda197f41b9c460c053d0ea73

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-09-18 05:03:26

# local_time=2011-09-18 01:03:26 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 53556118 53556118 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=130100

# found=6

# cleaned=6

# scan_time=4793

C:\Program Files\OpenAFS\Client\Program\afscreds.exe probably unknown NewHeur_PE virus (deleted - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\Jamie\Local Settings\Application Data\uniMouseServices\nsWebPath.dll.vir a variant of Win32/Sefnit.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\Jamie\Local Settings\Application Data\winGLWan\WdGLxx.dll.vir a variant of Win32/Sefnit.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{2D6AFCA6-C76E-4DBB-8D3E-7F57086A04B5}\RP2\A0000263.dll a variant of Win32/Sefnit.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{2D6AFCA6-C76E-4DBB-8D3E-7F57086A04B5}\RP2\A0000264.dll a variant of Win32/Sefnit.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{2D6AFCA6-C76E-4DBB-8D3E-7F57086A04B5}\RP2\A0000388.exe probably unknown NewHeur_PE virus (deleted - quarantined) 00000000000000000000000000000000 C

#######

Results of screen317's Security Check version 0.99.18

Windows XP Service Pack 3

Internet Explorer 7 Out of date!

``````````````````````````````

Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!

Windows Firewall Enabled!

Trend Micro OfficeScan Client

Antivirus out of date! (On Access scanning disabled!)

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

SAS Private JRE (J2SE Java Runtime Environment 1.4.1)

Out of date Java installed!

Adobe Flash Player

````````````````````````````````

Process Check:

objlist.exe by Laurent

``````````End of Log````````````

Share this post


Link to post
Share on other sites

SAS Private JRE is part of a program that I used often a while ago. I am planning on removing the larger program soon, but haven't gotten around to it yet.

Share this post


Link to post
Share on other sites

Okay. Please do.

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

Get the latest version of Java, Adobe Reader, and Adobe Flash Player.

Next, please visit Windows Update and download all critical updates, including Internet Explorer 8.

Let me know what issues remain.

-screen317

Share this post


Link to post
Share on other sites

Okay, I have made all the necessary updates. Only one problem remains, which seems to have begun yesterday. When we visit amazon.com, we get a warning from our virus software that a malicious website is trying to open (sis [dot] amazon [dot] com). This ONLY occurs when visiting amazon. If scripts are disabled, this does not occur. It seems to be the last script run when opening the page. This is also occuring on another machine of ours.

No other websites have triggered any type of warning. The original warnings that prompted this thread have ceased.

I really appreciate your help with all this. 6 years without any computer issues and then all of a sudden! I appreciate your patience with me.

Share this post


Link to post
Share on other sites

And just like that, everything is fine. For two days we received this error. Now, no error at all on any of our machines. So, I guess it isn't a problem.

We haven't had any further problems of any kind.

Share this post


Link to post
Share on other sites

Great!

I highly recommend the PRO version of MBAM; with it, it's likely that this issue would have been prevented in the first place.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

5) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317

Share this post


Link to post
Share on other sites

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.