Browser Hijack


#1
Andrew_B
    New Member
  • 8 posts
Help. It appears that I've picked up some flavor of browser hijack. Since Friday I've had browser windows for dubious sites spontaneously appearing, pop-up dialogs telling me that I've won a $1,000 Wal-Mart gift card and Google search results directing me to sites other than the ones they should. Spybot S&D reported some issues that it claimed to have fixed but the problems still persist. AV software (Vipre Enterprise) reports no problems.

Any assistance in removing/resolving these issues will be greatly appreciated. OTL Quick Scan results are posted below. OTL Extras.txt file is attached.

Thanks,
Andy

<<< OTL QUICK SCAN RESULTS >>>

OTL logfile created on: 12/13/2010 12:00:16 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Program Files\OTL
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 165.00 Mb Available Physical Memory | 16.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 59.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 78.17 Gb Total Space | 5.52 Gb Free Space | 7.06% Space Free | Partition Type: NTFS
Drive D: | 70.85 Gb Total Space | 70.78 Gb Free Space | 99.90% Space Free | Partition Type: NTFS
Drive M: | 408.37 Gb Total Space | 175.20 Gb Free Space | 42.90% Space Free | Partition Type: NTFS
Drive N: | 78.37 Gb Total Space | 61.28 Gb Free Space | 78.19% Space Free | Partition Type: NTFS
Drive O: | 78.37 Gb Total Space | 61.28 Gb Free Space | 78.19% Space Free | Partition Type: NTFS
Drive P: | 100.00 Gb Total Space | 64.31 Gb Free Space | 64.31% Space Free | Partition Type: NTFS
Drive S: | 46.58 Gb Total Space | 16.45 Gb Free Space | 35.32% Space Free | Partition Type: NTFS
Drive T: | 58.76 Gb Total Space | 0.37 Gb Free Space | 0.63% Space Free | Partition Type: NTFS
Drive U: | 100.00 Gb Total Space | 64.31 Gb Free Space | 64.31% Space Free | Partition Type: NTFS
Drive V: | 136.41 Gb Total Space | 44.65 Gb Free Space | 32.73% Space Free | Partition Type: NTFS
Drive Z: | 100.00 Gb Total Space | 64.31 Gb Free Space | 64.31% Space Free | Partition Type: NTFS

Computer Name: BURT | User Name: aburt | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/12/13 11:35:35 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Program Files\OTL\OTL.exe
PRC - [2010/09/23 22:03:04 | 001,332,560 | ---- | M] (Sunbelt Software) -- C:\Program Files\Sunbelt Software\SBEAgent\SBAMTray.exe
PRC - [2010/09/23 21:55:30 | 002,763,080 | ---- | M] (Sunbelt Software) -- C:\Program Files\Sunbelt Software\SBEAgent\SBAMSvc.exe
PRC - [2010/09/23 21:55:18 | 000,181,584 | ---- | M] (Sunbelt Software) -- C:\Program Files\Sunbelt Software\SBEAgent\SBPIMSvc.exe
PRC - [2008/06/26 10:00:09 | 000,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/03/19 10:24:08 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
PRC - [2008/03/13 15:03:34 | 000,225,280 | ---- | M] (Schneider Automation) -- C:\WINDOWS\system32\ModbusDrv.exe
PRC - [2007/05/11 01:59:23 | 000,349,808 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe
PRC - [2006/08/01 14:35:36 | 000,067,112 | ---- | M] (America Online, Inc.) -- C:\Program Files\AIM\aim.exe
PRC - [2006/02/20 09:02:26 | 000,139,264 | ---- | M] (Cyberlogic Software, Inc.) -- C:\Program Files\Common Files\Cyberlogic Shared\gMbxRpcS.exe
PRC - [2005/09/13 15:22:52 | 000,049,152 | ---- | M] (Schneider Automation SAS) -- C:\WINDOWS\system32\NA_Service.exe
PRC - [2005/03/30 10:00:00 | 000,053,248 | ---- | M] (Schneider Automation) -- C:\WINDOWS\system32\UsbConsole.exe
PRC - [2004/10/20 14:37:31 | 000,684,032 | ---- | M] (Roxio) -- C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
PRC - [2004/06/09 13:16:08 | 000,471,040 | ---- | M] (PalmSource, Inc) -- C:\Program Files\palmOne\Hotsync.exe
PRC - [2004/03/26 22:10:14 | 000,061,440 | ---- | M] (Schneider Automation) -- C:\WINDOWS\system32\UsbConnect.exe


========== Modules (SafeList) ==========

MOD - [2010/12/13 11:35:35 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Program Files\OTL\OTL.exe
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2010/03/11 15:39:58 | 000,110,592 | ---- | M] (Nektra S.A.) -- C:\Program Files\Sunbelt Software\SBEAgent\oehook.dll
MOD - [2008/04/13 19:12:02 | 000,245,760 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\netui1.dll
MOD - [2008/04/13 19:12:02 | 000,080,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\netui0.dll
MOD - [2008/04/13 19:12:02 | 000,044,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntlanman.dll
MOD - [2008/04/13 19:12:01 | 000,011,776 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\netrap.dll
MOD - [2008/04/13 19:11:52 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drprov.dll
MOD - [2008/04/13 19:11:51 | 000,025,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\davclnt.dll
MOD - [2003/07/16 11:20:10 | 000,149,019 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\crtdll.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Program Files\TightVNC\WinVNC.exe -- (winvnc)
SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe -- (Smcinst)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\OnePointDomainAgent\DCTAgentService.exe -- (OnePointDomainAdminService)
SRV - [2010/09/23 21:55:30 | 002,763,080 | ---- | M] (Sunbelt Software) [Auto | Running] -- C:\Program Files\Sunbelt Software\SBEAgent\SBAMSvc.exe -- (SBAMSvc)
SRV - [2010/09/23 21:55:18 | 000,181,584 | ---- | M] (Sunbelt Software) [Auto | Running] -- C:\Program Files\Sunbelt Software\SBEAgent\SBPIMSvc.exe -- (SBPIMSvc)
SRV - [2008/03/19 10:24:08 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Running] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2007/11/06 15:22:26 | 000,092,792 | ---- | M] (CACE Technologies) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2006/02/20 09:02:26 | 000,139,264 | ---- | M] (Cyberlogic Software, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Cyberlogic Shared\gMbxRpcS.exe -- (gMBX)
SRV - [2005/10/01 10:26:48 | 000,118,867 | ---- | M] (Schneider Automation SAS) [On_Demand | Stopped] -- C:\Program Files\Schneider Electric\Unity Pro\HealthSystemInfo.exe -- (HealthSystemInfo)
SRV - [2005/09/13 15:22:52 | 000,049,152 | ---- | M] (Schneider Automation SAS) [Auto | Running] -- C:\WINDOWS\system32\NA_Service.exe -- (NA_Service)
SRV - [2004/03/26 22:10:14 | 000,061,440 | ---- | M] (Schneider Automation) [Auto | Running] -- C:\WINDOWS\system32\UsbConnect.exe -- (UsbConnect)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\DuntlwNT.sys -- (Duntlw)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\Bulk503.sys -- (Bulk503)
DRV - [2010/07/27 03:48:30 | 000,212,568 | ---- | M] (Sunbelt Software, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\sbtis.sys -- (SbTis)
DRV - [2010/06/14 13:54:30 | 000,069,976 | ---- | M] (Sunbelt Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\sbapifs.sys -- (sbapifs)
DRV - [2010/06/14 13:54:30 | 000,021,464 | ---- | M] (Sunbelt Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\sbaphd.sys -- (sbaphd)
DRV - [2010/05/13 06:56:22 | 000,098,392 | ---- | M] (Sunbelt Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SBREDrv.sys -- (SBRE)
DRV - [2010/01/14 04:59:52 | 000,067,800 | ---- | M] (Sunbelt Software, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SbFwIm.sys -- (SBFWIMCL)
DRV - [2008/04/13 13:53:09 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2008/02/28 12:23:10 | 000,002,304 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\Machnm32.sys -- (Machnm32)
DRV - [2007/11/06 15:22:06 | 000,034,064 | ---- | M] (CACE Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2007/05/29 16:02:07 | 000,016,694 | ---- | M] (PalmSource, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PalmUSBD.sys -- (PalmUSBD)
DRV - [2005/04/06 14:49:56 | 000,685,056 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\hardlock.sys -- (Hardlock)
DRV - [2005/03/29 15:57:06 | 000,052,576 | ---- | M] (Schneider Automation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PlcUsb.sys -- (plcusb)
DRV - [2004/11/05 09:47:38 | 000,082,289 | ---- | M] (Cyberlogic Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CLMbxPnP.sys -- (ClmbxPnP) Cyberlogic MBX Driver (PnP)
DRV - [2004/10/20 14:37:31 | 000,151,066 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\pwd_2K.sys -- (pwd_2k)
DRV - [2004/10/20 14:37:31 | 000,030,694 | ---- | M] (Roxio) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\Mmc_2k.sys -- (mmc_2K)
DRV - [2004/10/20 14:37:31 | 000,025,962 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\Dvd_2k.sys -- (dvd_2K)
DRV - [2004/10/20 14:35:46 | 000,206,464 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\udfreadr_xp.sys -- (UdfReadr_xp)
DRV - [2002/12/17 11:32:58 | 000,061,424 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2002/12/17 11:32:46 | 000,023,436 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2002/12/17 11:27:32 | 000,241,152 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\cdudf_xp.sys -- (cdudf_xp)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig?gl=us
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 172.16.0.22:8080



O1 HOSTS File: ([2010/06/24 13:47:31 | 000,000,772 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 analytics.google.com
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe (Roxio)
O4 - HKLM..\Run: [CYDISM] C:\Program Files\Common Files\Cyberlogic Shared\Activation\Cyberlogic MBX\CyDisM.exe File not found
O4 - HKLM..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\SBEAgent\SBAMTray.exe (Sunbelt Software)
O4 - HKLM..\Run: [WinVNC] C:\Program Files\TightVNC\WinVNC.exe File not found
O4 - HKCU..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl File not found
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe (PalmSource, Inc)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 33554432
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 01 00 00 00 [binary data]
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll (Sun Microsystems, Inc.)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....738&clcid=0x409 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.micros...ntent/opuc3.cab (Office Update Installation Engine)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2)
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} http://download.micr...04/clearadj.cab (CTAdjust Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 172.30.0.17 172.30.0.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = transdyn.com
O20 - AppInit_DLLs: (syncrgwiz.dll) - C:\WINDOWS\System32\syncrgwiz.dll ()
O20 - AppInit_DLLs: (perfcache20.dll) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/10/20 10:25:49 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/03/20 09:07:20 | 000,000,000 | ---D | M] - S:\Autocad -- [ NTFS ]
O32 - AutoRun File - [2008/07/21 13:45:37 | 000,000,000 | ---D | M] - S:\AutoCad Viewers -- [ NTFS ]
O32 - AutoRun File - [2010/05/24 14:54:51 | 000,000,000 | ---D | M] - V:\Autodirect Cabinets -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/12/13 11:35:25 | 000,000,000 | ---D | C] -- C:\Program Files\OTL
[2010/12/10 15:02:59 | 000,000,000 | ---D | C] -- C:\Program Files\Misc. Support Library (Spybot - Search & Destroy)
[2010/12/10 15:02:58 | 000,000,000 | ---D | C] -- C:\Program Files\SDHelper (Spybot - Search & Destroy)
[2010/12/10 15:02:58 | 000,000,000 | ---D | C] -- C:\Program Files\File Scanner Library (Spybot - Search & Destroy)
[2010/12/10 15:02:57 | 000,000,000 | ---D | C] -- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
[2010/11/16 17:17:29 | 000,000,000 | ---D | C] -- C:\Program Files\Oakdoc
[1996/11/12 21:25:44 | 000,018,944 | ---- | C] ( ) -- C:\WINDOWS\System32\implode.dll

========== Files - Modified Within 30 Days ==========

[2010/12/13 12:03:06 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/12/13 12:03:06 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/12/13 08:42:58 | 000,000,295 | ---- | M] () -- C:\WINDOWS\ina32.ini
[2010/12/13 08:39:43 | 008,405,015 | ---- | M] () -- C:\WINDOWS\TempFile
[2010/12/13 08:39:32 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/12/10 15:06:08 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\aburt.TRANSDYN\Desktop\Spybot - Search & Destroy.lnk
[2010/12/10 14:40:11 | 000,477,184 | -HS- | M] () -- C:\WINDOWS\System32\syncrgwiz.dll
[2010/12/09 11:39:52 | 000,002,501 | ---- | M] () -- C:\Documents and Settings\aburt.TRANSDYN\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Word.lnk
[2010/12/06 17:38:44 | 000,000,264 | ---- | M] () -- C:\Documents and Settings\aburt.TRANSDYN\Desktop\SCC Vote.url
[2010/12/02 16:29:56 | 000,002,499 | ---- | M] () -- C:\Documents and Settings\aburt.TRANSDYN\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Excel.lnk
[2010/11/30 13:38:52 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\aburt.TRANSDYN\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/11/29 08:29:41 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/11/22 11:34:40 | 000,000,061 | ---- | M] () -- C:\WINDOWS\System32\RPCS.ini
[2010/11/18 09:51:03 | 000,000,840 | ---- | M] () -- C:\Documents and Settings\aburt.TRANSDYN\Desktop\MARTA RTU Replacement - Airport, Arts Ctr, Ashby, Candler Park.lnk
[2010/11/17 16:08:44 | 000,024,576 | ---- | M] () -- C:\Documents and Settings\aburt.TRANSDYN\Desktop\NYCT Upcoming Tasks.doc
[2010/11/15 16:48:12 | 000,000,626 | ---- | M] () -- C:\WINDOWS\ModScan32.INI

========== Files Created - No Company Name ==========

[2010/12/10 15:06:08 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\aburt.TRANSDYN\Desktop\Spybot - Search & Destroy.lnk
[2010/12/10 14:40:11 | 000,477,184 | -HS- | C] () -- C:\WINDOWS\System32\syncrgwiz.dll
[2010/12/02 08:57:58 | 000,000,264 | ---- | C] () -- C:\Documents and Settings\aburt.TRANSDYN\Desktop\SCC Vote.url
[2010/11/18 09:51:03 | 000,000,840 | ---- | C] () -- C:\Documents and Settings\aburt.TRANSDYN\Desktop\MARTA RTU Replacement - Airport, Arts Ctr, Ashby, Candler Park.lnk
[2010/07/23 13:04:54 | 000,044,544 | ---- | C] () -- C:\WINDOWS\System32\GIF89.DLL
[2010/07/23 13:04:49 | 000,484,352 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2010/02/01 11:13:41 | 000,000,626 | ---- | C] () -- C:\WINDOWS\ModScan32.INI
[2009/02/26 15:55:33 | 000,000,079 | ---- | C] () -- C:\WINDOWS\ricdb.ini
[2008/11/19 14:28:25 | 000,000,005 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DirectCDUserNameF.txt
[2008/11/06 11:45:47 | 000,000,061 | ---- | C] () -- C:\WINDOWS\System32\RPCS.ini
[2008/11/04 11:46:49 | 000,000,915 | ---- | C] () -- C:\WINDOWS\IAB.ini
[2008/11/04 11:44:58 | 000,000,054 | ---- | C] () -- C:\WINDOWS\fw.ini
[2007/11/06 15:19:28 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2007/09/11 16:01:11 | 000,001,356 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/08/16 08:59:03 | 000,307,200 | ---- | C] () -- C:\WINDOWS\System32\snmpV3pp.dll
[2007/05/16 08:01:56 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\Machnm64.sys
[2007/05/16 08:01:56 | 000,002,304 | ---- | C] () -- C:\WINDOWS\System32\Machnm32.sys
[2007/02/22 10:20:41 | 000,000,102 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2006/05/31 14:03:35 | 000,000,032 | ---- | C] () -- C:\WINDOWS\EvMoveW.INI
[2006/05/19 12:27:14 | 000,024,575 | ---- | C] () -- C:\WINDOWS\System32\Setwinsyspios.dll
[2006/04/17 07:58:11 | 000,000,185 | ---- | C] () -- C:\WINDOWS\DrawerState.ini
[2006/04/04 13:59:19 | 000,000,308 | ---- | C] () -- C:\WINDOWS\System32\MODBUS01.ini
[2006/04/04 13:15:02 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\usbcnx2.dll
[2006/04/04 13:14:06 | 000,000,128 | ---- | C] () -- C:\WINDOWS\System32\FTDIUN2K.INI
[2006/04/04 13:14:05 | 000,013,888 | ---- | C] () -- C:\WINDOWS\WDTGR.DLL
[2006/04/04 13:14:05 | 000,008,096 | ---- | C] () -- C:\WINDOWS\WCDTGR.DLL
[2006/04/04 13:14:05 | 000,006,656 | ---- | C] () -- C:\WINDOWS\WNETWAY.DLL
[2006/04/04 13:14:05 | 000,004,064 | ---- | C] () -- C:\WINDOWS\WNETWT16.DLL
[2006/03/16 15:53:00 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\aburt.TRANSDYN\Local Settings\Application Data\fusioncache.dat
[2005/11/28 14:07:35 | 000,000,057 | ---- | C] () -- C:\WINDOWS\System32\swfDShare.dll
[2005/09/17 06:34:42 | 000,176,128 | ---- | C] () -- C:\WINDOWS\System32\Al21fw.dll
[2005/08/10 10:31:53 | 000,005,244 | ---- | C] () -- C:\WINDOWS\Concept.ini
[2005/08/10 10:31:53 | 000,000,380 | ---- | C] () -- C:\WINDOWS\Modicon.ini
[2005/08/01 07:43:22 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\CybPass.dll
[2005/06/10 08:29:59 | 000,004,746 | ---- | C] () -- C:\WINDOWS\SWDEPEND.INI
[2005/05/23 07:42:09 | 000,000,428 | ---- | C] () -- C:\WINDOWS\csform.ini
[2005/04/20 15:31:24 | 000,000,781 | ---- | C] () -- C:\WINDOWS\SWWATER.INI
[2005/04/11 07:34:56 | 000,008,192 | ---- | C] () -- C:\Documents and Settings\aburt.TRANSDYN\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/02/11 17:22:28 | 000,000,122 | ---- | C] () -- C:\WINDOWS\Winchat.ini
[2005/01/11 13:47:56 | 000,000,110 | ---- | C] () -- C:\Documents and Settings\aburt.TRANSDYN\Application Data\Sskdmns.dll.XXX
[2004/11/09 09:21:45 | 000,000,176 | ---- | C] () -- C:\WINDOWS\ECAD.INI
[2004/11/08 10:26:07 | 000,000,425 | ---- | C] () -- C:\WINDOWS\infoview.ini
[2004/11/08 10:26:03 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WINHELP.INI
[2004/11/03 12:49:06 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QuickInstall.INI
[2004/10/22 09:24:59 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2004/10/22 08:47:26 | 000,000,295 | ---- | C] () -- C:\WINDOWS\ina32.ini
[2004/10/21 15:04:51 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/10/21 13:22:10 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/10/21 13:20:52 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2004/10/20 10:48:39 | 000,126,976 | ---- | C] () -- C:\WINDOWS\System32\e1000msg.dll
[2004/10/20 05:46:16 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2002/05/29 14:37:40 | 000,016,104 | ---- | C] () -- C:\WINDOWS\System32\WOWGLUEM.DLL
[1997/01/12 01:15:18 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\dtctrace.dll

========== LOP Check ==========

[2004/11/04 16:15:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\aburt.TRANSDYN\Application Data\Aim
[2005/02/08 15:02:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\aburt.TRANSDYN\Application Data\AirLink
[2005/11/28 14:12:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\aburt.TRANSDYN\Application Data\Eltima Software
[2010/07/23 13:16:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\aburt.TRANSDYN\Application Data\FreeBurner
[2006/11/20 10:43:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\aburt.TRANSDYN\Application Data\HotSync
[2006/11/20 10:50:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\aburt.TRANSDYN\Application Data\Leadertech
[2008/03/27 07:45:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\aburt.TRANSDYN\Application Data\Panasonic
[2008/11/04 13:13:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\aburt.TRANSDYN\Application Data\Rockwell Automation
[2008/03/18 14:06:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\aburt.TRANSDYN\Application Data\TextPad
[2008/05/23 10:11:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\aburt.TRANSDYN\Application Data\Vijeo-Runtime
[2009/01/21 11:20:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\aburt.TRANSDYN\Application Data\Wireshark
[2007/04/18 09:42:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Avery
[2006/11/20 10:44:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HotSync
[2006/11/10 11:22:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2004/12/14 17:01:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WhiteCap (Holiday Edition)

========== Purity Check ==========



< End of report >


#2
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
Hi there, is the proxy set on IE one that you did?

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 172.16.0.22:8080

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O20 - AppInit_DLLs: (syncrgwiz.dll) - C:\WINDOWS\System32\syncrgwiz.dll ()
    [2010/12/13 08:39:43 | 008,405,015 | ---- | M] () -- C:\WINDOWS\TempFile
    [2010/12/10 14:40:11 | 000,477,184 | -HS- | M] () -- C:\WINDOWS\System32\syncrgwiz.dll

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

AND FINALLY

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
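The reply above singles out four kinds of OTL entries: a configured proxy server, a non-localhost hosts entry, an AppInit_DLLs DLL with no company name, and a hidden+system DLL under System32 created just before the symptoms began. The script below is an added example (not part of the thread, not OTL's own code) that parses a handful of OTL-format lines and applies those same checks; the severity labels, the 30-day window and the 1 MB size threshold are my assumptions, and the sample log is constructed from the shape of the entries quoted in the thread.

```python
"""Triage OTL Quick Scan lines for the indicators discussed in this thread."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample in the shape OTL emits (entries echo the thread above).
SAMPLE_LOG = r"""
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 172.16.0.22:8080
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 analytics.google.com
O20 - AppInit_DLLs: (syncrgwiz.dll) - C:\WINDOWS\System32\syncrgwiz.dll ()
O20 - AppInit_DLLs: (perfcache20.dll) - File not found
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
[2010/12/10 14:40:11 | 000,477,184 | -HS- | M] () -- C:\WINDOWS\System32\syncrgwiz.dll
[2010/12/13 08:39:43 | 008,405,015 | ---- | M] () -- C:\WINDOWS\TempFile
[2010/11/29 08:29:41 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/12/13 11:35:35 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Program Files\OTL\OTL.exe
[2010/12/13 11:35:25 | 000,000,000 | ---D | C] -- C:\Program Files\OTL
"""
# "OTL logfile created on" timestamp from the report; used to judge recency.
SCAN_TIME = datetime(2010, 12, 13, 12, 0, 16)

# [date time | size | attrs | M/C] (company) -- path   (company part is optional)
FILE_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| ([\d,]+) \| ([-A-Z]{4}) \| [MC]\]"
    r"(?: \((.*?)\))? -- (.+)$"
)
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: \((.+?)\) - (.+?)(?: \((.*)\))?$")
HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
PROXY_RE = re.compile(r'Internet Settings: "(\w+)" = (.*)$')


@dataclass(frozen=True)
class Finding:
    severity: str  # assumed labels: "high" (act on it) or "review" (ask the user)
    rule: str
    detail: str


def parse_size(text: str) -> int:
    """OTL writes sizes as zero-padded, comma-grouped byte counts."""
    return int(text.replace(",", ""))


def triage(log_text: str, scan_time: datetime, recent_days: int = 30) -> list[Finding]:
    findings: list[Finding] = []
    proxy: dict[str, str] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := PROXY_RE.search(line):
            proxy[m.group(1)] = m.group(2).strip()
        elif m := HOSTS_RE.match(line):
            ip, host = m.groups()
            if host.lower() != "localhost":  # anything else redirects a real name
                findings.append(Finding("review", "hosts-entry", f"{host} -> {ip}"))
        elif m := APPINIT_RE.match(line):
            name, path, company = m.groups()
            if path == "File not found":  # dangling load-into-every-process entry
                findings.append(Finding("review", "appinit-dangling", name))
            elif not (company or "").strip():  # DLL with no version/company info
                findings.append(Finding("high", "appinit-no-company", path))
            else:
                findings.append(Finding("review", "appinit", f"{path} ({company})"))
        elif m := FILE_RE.match(line):
            stamp, size, attrs, company, path = m.groups()
            when = datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S")
            company = (company or "").strip()
            recent = scan_time - when <= timedelta(days=recent_days)
            in_windows = path.lower().startswith(r"c:\windows")
            if "H" in attrs and "S" in attrs and in_windows and not company:
                # hidden + system attributes on an anonymous file in %SystemRoot%
                findings.append(Finding("high", "hidden-system-file", path))
            elif recent and in_windows and not company and parse_size(size) >= 1_000_000:
                findings.append(Finding("review", "large-recent-anonymous", f"{path} ({size} bytes)"))
    if proxy.get("ProxyServer"):
        enabled = proxy.get("ProxyEnable") == "1"
        findings.append(Finding("review", "proxy-configured",
                                f"{proxy['ProxyServer']} (enabled={enabled})"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, SCAN_TIME):
        print(f"{f.severity:6} {f.rule:24} {f.detail}")
```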

#3
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.