Undetectable DNS Hijack [Closed]


#1 Dixter (Member, 11 posts)
Greetings malware experts!

I have a pretty tough one that I have been unable to crack and I'm hoping the experts here at GeeksToGo can help me out.

I first became aware of the situation back in June when a user notified me that her Google and Bing searches were being redirected. At that time she had been having the problem for "a while now". I have gone through various troubleshooting steps and scans over the past several months with no success. Most of her web browsing is done using favorites so it hasn't been a big issue for her to not have internet search capability, but it still needs to be resolved (especially for my own sanity). Other popular search engines are also not working, but I have mostly just used Bing and Google for troubleshooting.

Below is a list of steps and symptoms I have used so far to troubleshoot.

  • Computer OS is Windows XP Pro SP3 and is using Vipre Business Antivirus
  • Pinging www.google.com and www.bing.com resolves to 87.125.87.99 (early in the troubleshooting process it seems like that IP may have changed, but it has been the same for the past couple of months)
  • I have deleted and recreated a fresh hosts file
  • I have verified the registry is pointing to the correct hosts file location
  • The network adapter is properly configured to use DHCP and ipconfig /all is showing the appropriate DNS servers.
  • I have flushed the local DNS cache with ipconfig /flushdns
  • NSLookup to Bing or Google fails to resolve (although resolves just fine from other workstations using the local DNS server)
  • No proxies are being used under LAN Settings of the Internet Properties
  • All temp and temporary internet files have been removed
  • Didn't recognize any strange files in the Application Data or Local Settings folders or subfolders
  • I have run multiple scans with the installed Vipre AV, also Malwarebytes, TDSSKiller and ComboFix. All of which have come back CLEAN. I have also tried a few others here and there, but these four have been run multiple times. (Just for thoroughness, I have run both TDSSKiller and ComboFix after changing the executable name. You'll notice this with JimBoFix.exe in the OTL log below.)
  • It is also worth mentioning that the computer has been infected with a couple small viruses here and there since the DNS hijacking. But nothing a quick process kill, file cleanup and quick Malwarebytes scan couldn't take care of. Subsequent scans yield nothing, yet the Google and Bing redirects still exist.

I am at my wit's end with this one and am really hoping you guys may have some suggestions for me. Thanks in advance guys, I'm counting on you!

(And yes, in case you were wondering, I have changed the computer and domain names in the OTL log for privacy.)

OTL logfile created on: 11/28/2012 10:50:27 PM - Run 2
OTL by OldTimer - Version 3.2.61.5 Folder = C:\PCT
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.50 Gb Total Physical Memory | 2.53 Gb Available Physical Memory | 72.23% Memory free
5.34 Gb Paging File | 4.61 Gb Available in Paging File | 86.49% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.43 Gb Total Space | 47.92 Gb Free Space | 64.39% Space Free | Partition Type: NTFS
Drive O: | 837.25 Gb Total Space | 424.43 Gb Free Space | 50.69% Space Free | Partition Type: NTFS
Drive Q: | 837.25 Gb Total Space | 424.43 Gb Free Space | 50.69% Space Free | Partition Type: NTFS
Drive R: | 837.25 Gb Total Space | 424.43 Gb Free Space | 50.69% Space Free | Partition Type: NTFS

Computer Name: ComputerName | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Program Files\LogMeIn\x86\ramaint.exe (LogMeIn, Inc.)
PRC - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe (LogMeIn, Inc.)
PRC - C:\PCT\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\GFI Software\GFIAgent\SBAMTray.exe (GFI Software)
PRC - C:\Program Files\GFI Software\GFIAgent\SBAMSvc.exe (GFI Software)
PRC - C:\Program Files\GFI Software\GFIAgent\SBPIMSvc.exe (GFI Software)
PRC - C:\Program Files\SAAZOD\zRealTime\rtHlpDk.exe (Zenith Infotech Ltd)
PRC - C:\Program Files\SAAZOD\zRealTime\rtdrHlpDk.exe (Zenith Infotech Ltd)
PRC - C:\Program Files\SAAZOD\zRealTime\SAAZapsc.exe (Zenith Infotech Ltd)
PRC - C:\Program Files\SAAZOD\zRealTime\SAAZappr.exe (Zenith Infotech Ltd)
PRC - C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc.)
PRC - C:\Program Files\SAAZOD\SAAZWatchDog.exe (Zenith Infotech Ltd)
PRC - C:\Program Files\SAAZOD\SAAZDPMACTL.exe (Zenith Infotech Ltd)
PRC - C:\Program Files\SAAZOD\SAAZScheduler.exe (Zenith Infotech Ltd)
PRC - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
PRC - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit)
PRC - C:\Program Files\SAAZOD\SAAZServerPlus.exe (Zenith Infotech Ltd)
PRC - C:\Program Files\PFU\ScanSnap\Driver\PfuSsMon.exe (PFU LIMITED)
PRC - C:\WINDOWS\system32\PGPserv.exe (PGP Corporation)
PRC - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
PRC - C:\Program Files\PFU\ScanSnap\CardMinder V3.1\CardLauncher.exe (PFU LIMITED)
PRC - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
PRC - C:\Program Files\Symantec\Ghost\ngctw32.exe (Symantec Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
PRC - C:\Program Files\Dell\QuickSet\NicConfigSvc.exe (Dell Inc.)
PRC - C:\Program Files\Sigmatel\C-Major Audio\WDM\stsystra.exe (SigmaTel, Inc.)
PRC - C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe (SonicWALL Inc.)
PRC - C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe (SonicWALL Inc.)
PRC - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe (Wave Systems Corp.)
PRC - C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\GFI Software\GFIAgent\Definitions\libMachoUniv.dll ()
MOD - C:\Program Files\GFI Software\GFIAgent\Definitions\libBase64.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\01abbadafaf265d9f4ac9bbb247acb98\System.Windows.Forms.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\8b84bb74d7724e147a642a1d5358feb7\System.ServiceProcess.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Management\9080c8e8e7b6dfb502c1328673d636f8\System.Management.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\92d58f840f549f9bd880783d43db7e3c\System.Runtime.Remoting.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\d86f2038209a4cf0d0f5b30f6375c9b2\System.Drawing.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\3bba1b8b0b5ef0be238b011cc7a0575e\System.Xml.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\e4b5afc4da43b1c576f9322f9f2e1bfe\System.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\e337c89bc9f81b69d7237aa70e935900\mscorlib.ni.dll ()
MOD - C:\Program Files\GFI Software\GFIAgent\vipre.dll ()
MOD - C:\Program Files\PFU\ScanSnap\Driver\PfuSsConfig.dll ()
MOD - C:\Program Files\PFU\ScanSnap\CardMinder V3.1\CardPath.dll ()
MOD - C:\Program Files\PFU\ScanSnap\Driver\PfuSsExtention.dll ()
MOD - C:\Program Files\PFU\ScanSnap\Driver\PfuUpdater.dll ()
MOD - C:\Program Files\PFU\ScanSnap\Driver\P2IATRES.DLL ()
MOD - C:\WINDOWS\system32\preflib.dll ()
MOD - C:\WINDOWS\system32\bcm1xsup.dll ()
MOD - C:\Program Files\Dell\QuickSet\dadkeyb.dll ()
MOD - C:\Program Files\PFU\ScanSnap\Driver\SSsltsa.dll ()
MOD - C:\Program Files\GFI Software\GFIAgent\unrar.dll ()
MOD - C:\Program Files\Dell\QuickSet\preflibcl.dll ()
MOD - C:\WINDOWS\SSDriver\fi5110\fjiplA6.dll ()
MOD - C:\WINDOWS\SSDriver\fi5110\fjipl.dll ()
MOD - C:\Program Files\PFU\ScanSnap\Driver\PfuSsImgIO.dll ()


========== Services (SafeList) ==========

SRV - (LMIMaint) -- C:\Program Files\LogMeIn\x86\ramaint.exe (LogMeIn, Inc.)
SRV - (LMIGuardianSvc) -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe (LogMeIn, Inc.)
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (SBAMSvc) -- C:\Program Files\GFI Software\GFIAgent\SBAMSvc.exe (GFI Software)
SRV - (SBPIMSvc) -- C:\Program Files\GFI Software\GFIAgent\SBPIMSvc.exe (GFI Software)
SRV - (SAAZapsc) -- C:\Program Files\SAAZOD\zRealTime\SAAZapsc.exe (Zenith Infotech Ltd)
SRV - (SAAZappr) -- C:\Program Files\SAAZOD\zRealTime\SAAZappr.exe (Zenith Infotech Ltd)
SRV - (LogMeIn) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc.)
SRV - (SAAZWatchDog) -- C:\Program Files\SAAZOD\SAAZWatchDog.exe (Zenith Infotech Ltd)
SRV - (SAAZDPMACTL) -- C:\Program Files\SAAZOD\SAAZDPMACTL.exe (Zenith Infotech Ltd)
SRV - (SAAZRemoteSupport) -- C:\Program Files\SAAZOD\SAAZRemoteSupport.exe (Zenith Infotech Ltd)
SRV - (SAAZScheduler) -- C:\Program Files\SAAZOD\SAAZScheduler.exe (Zenith Infotech Ltd)
SRV - (QBCFMonitorService) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit)
SRV - (SAAZServerPlus) -- C:\Program Files\SAAZOD\SAAZServerPlus.exe (Zenith Infotech Ltd)
SRV - (PGPserv) -- C:\WINDOWS\system32\PGPserv.exe (PGP Corporation)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (NGCLIENT) -- C:\Program Files\Symantec\Ghost\ngctw32.exe (Symantec Corporation)
SRV - (NICCONFIGSVC) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe (Dell Inc.)
SRV - (tcsd_win32.exe) -- C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe ()
SRV - (SONICWALL_NetExtender) -- C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe (SonicWALL Inc.)
SRV - (WaveEnrollmentService) -- C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe (Wave Systems Corp.)
SRV - (TdmService) -- C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe (Wave Systems Corp.)
SRV - (SecureStorageService) -- C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe (Wave Systems Corp.)
SRV - (QBFCService) -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe (Intuit Inc.)
SRV - (QuickBooksDB18) -- C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe (iAnywhere Solutions, Inc.)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (mbr) -- C:\JimBobFix3\mbr.sys File not found
DRV - (lbrtfdc) -- File not found
DRV - (Changer) -- File not found
DRV - (catchme) -- C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\catchme.sys File not found
DRV - (LMIRfsClientNP) -- C:\WINDOWS\System32\LMIRfsClientNP.dll (LogMeIn, Inc.)
DRV - (SbTis) -- C:\WINDOWS\system32\drivers\sbtis.sys (Sunbelt Software, Inc.)
DRV - (SBRE) -- C:\WINDOWS\system32\drivers\SBREDrv.sys (GFI Software)
DRV - (sbapifs) -- C:\WINDOWS\system32\drivers\sbapifs.sys (GFI Software)
DRV - (sbaphd) -- C:\WINDOWS\system32\drivers\sbaphd.sys (GFI Software)
DRV - (LMIRfsDriver) -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys (LogMeIn, Inc.)
DRV - (LMIInfo) -- C:\Program Files\LogMeIn\x86\rainfo.sys (LogMeIn, Inc.)
DRV - (PGPsdkDriver) -- C:\WINDOWS\system32\drivers\PGPsdk.sys (PGP Corporation)
DRV - (PGPdisk) -- C:\WINDOWS\System32\drivers\PGPdisk.sys (PGP Corporation)
DRV - (PGPwded) -- C:\WINDOWS\System32\drivers\PGPwded.sys (PGP Corporation)
DRV - (pgpfs) -- C:\WINDOWS\system32\drivers\PGPfsfd.sys (PGP Corporation)
DRV - (BCM43XX) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation)
DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSF_DPV.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (HSFHWAZL) -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys (Conexant Systems, Inc.)
DRV - (ACPI) -- C:\WINDOWS\system32\drivers\acpi.sys ()
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)
DRV - (guardian2) -- C:\WINDOWS\system32\drivers\oz776.sys (O2Micro)
DRV - (SSLDrv) -- C:\WINDOWS\system32\drivers\SSLDrv.sys (SonicWALL Inc.)
DRV - (WavxDMgr) -- C:\WINDOWS\system32\drivers\WavxDMgr.sys (Wave Systems Corp.)
DRV - (PBADRV) -- C:\WINDOWS\system32\drivers\PBADRV.sys (Dell Inc)
DRV - (WaveFDE) -- C:\WINDOWS\system32\drivers\WaveFDE.sys (Windows ® Codename Longhorn DDK provider)
DRV - (DLADResM) -- C:\WINDOWS\system32\drivers\DLADResM.SYS (Roxio)
DRV - (DLABMFSM) -- C:\WINDOWS\system32\drivers\DLABMFSM.SYS (Roxio)
DRV - (DLAUDF_M) -- C:\WINDOWS\system32\drivers\DLAUDF_M.SYS (Roxio)
DRV - (DLAUDFAM) -- C:\WINDOWS\system32\drivers\DLAUDFAM.SYS (Roxio)
DRV - (DLAOPIOM) -- C:\WINDOWS\system32\drivers\DLAOPIOM.SYS (Roxio)
DRV - (DLABOIOM) -- C:\WINDOWS\system32\drivers\DLABOIOM.SYS (Roxio)
DRV - (DLAPoolM) -- C:\WINDOWS\system32\drivers\DLAPoolM.SYS (Roxio)
DRV - (DLAIFS_M) -- C:\WINDOWS\system32\drivers\DLAIFS_M.SYS (Roxio)
DRV - (DLARTL_M) -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS (Roxio)
DRV - (DLACDBHM) -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS (Roxio)
DRV - (rismxdp) -- C:\WINDOWS\system32\drivers\rixdptsk.sys (REDC)
DRV - (rimsptsk) -- C:\WINDOWS\system32\drivers\rimsptsk.sys (REDC)
DRV - (rimmptsk) -- C:\WINDOWS\system32\drivers\rimmptsk.sys (REDC)
DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
DRV - (APPDRV) -- C:\WINDOWS\system32\drivers\APPDRV.SYS (Dell Inc)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3081028
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3081028
IE - HKLM\..\SearchScopes,DefaultScope = {C9D3A52F-DA0F-497C-BFD1-3886C86FF426}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{C9D3A52F-DA0F-497C-BFD1-3886C86FF426}: "URL" = http://www.google.co...g}&sourceid=ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3081028
IE - HKCU\..\SearchScopes,DefaultScope = {94F63E4A-09D5-43FB-8091-3E234762C3B5}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKCU\..\SearchScopes\{94F63E4A-09D5-43FB-8091-3E234762C3B5}: "URL" = http://www.google.co...1I7ADFA_enUS488
IE - HKCU\..\SearchScopes\{C9D3A52F-DA0F-497C-BFD1-3886C86FF426}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_37: C:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)



O1 HOSTS File: ([2012/11/28 22:18:32 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7529.1424\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NVHotkey] C:\WINDOWS\System32\nvhotkey.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [QuickBooksDB18] C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe (iAnywhere Solutions, Inc.)
O4 - HKLM..\Run: [SBAMTray] C:\Program Files\GFI Software\GFIAgent\SBAMTray.exe (GFI Software)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\Sigmatel\C-Major Audio\WDM\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SonicWALLNetExtender] C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe (SonicWALL Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CardMinder Viewer.lnk = C:\Program Files\PFU\ScanSnap\CardMinder V3.1\CardLauncher.exe (PFU LIMITED)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Conversion to PDF with ScanSnap Organizer.lnk = C:\Program Files\PFU\ScanSnap\Organizer\PfuSsOrgOcrChk.exe (PFU LIMITED)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ScanSnap Manager.lnk = C:\Program Files\PFU\ScanSnap\Driver\PfuSsMon.exe (PFU LIMITED)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\System32\PGPlsp.dll (PGP Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\System32\PGPlsp.dll (PGP Corporation)
O15 - HKLM\..Trusted Domains: itsupport247.net ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: itsupport247.net ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: itsupport247.net ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: itsupport247.net ([]https in Trusted sites)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.micr...78f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} https://vpn.domainname.com/XTSAC.cab (XTSAC Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1231531925767 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1231531921635 (MUWebControl Class)
O16 - DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} https://vpn.domainname.com/NELX.cab (NELaunchCtrl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {7B62F6EE-D046-11D3-9C5E-0060082627F7} https://securemail.a.../TWDownload.cab (TWDownloader Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_37)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_37)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_37)
O16 - DPF: CabCCT https://ondemand.app...Ctrl_Apptix.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.80.40.15 4.2.2.1 4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domainname.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2B57C707-A681-4B3A-891A-606A50F515E9}: DhcpNameServer = 10.80.40.15 4.2.2.1 4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2B57C707-A681-4B3A-891A-606A50F515E9}: NameServer = 10.80.40.15,8.8.8.8
O18 - Protocol\Handler\intu-help-qb1 {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll (TODO: <Company name>)
O20 - AppInit_DLLs: (C:\WINDOWS\system32\PGPmapih.dll) - C:\WINDOWS\system32\PGPmapih.dll (PGP Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\gemsafe: DllName - (C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll) - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll (Gemplus)
O20 - Winlogon\Notify\LMIinit: DllName - (LMIinit.dll) - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (wvauth) - C:\WINDOWS\System32\wvauth.dll (Wave Systems Corp.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/25 16:29:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/11/28 10:55:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2012/11/28 10:08:51 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\administrator.DOMAINNAME\IECompatCache
[2012/11/28 09:03:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\administrator.DOMAINNAME\Application Data\WinRAR
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/11/28 22:33:40 | 000,116,711 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2012/11/28 22:33:39 | 000,116,711 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
[2012/11/28 22:29:00 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/11/28 22:18:32 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/11/28 22:06:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/11/28 21:53:02 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/11/28 21:53:01 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/11/28 14:31:41 | 000,001,815 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2012/11/28 10:54:26 | 000,000,355 | RHS- | M] () -- C:\boot.ini
[2012/11/28 10:48:48 | 000,514,378 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/11/28 10:48:48 | 000,098,722 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/11/28 10:44:03 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/11/28 10:43:58 | 3756,130,304 | -HS- | M] () -- C:\hiberfil.sys
[2012/11/28 10:41:34 | 000,001,190 | ---- | M] () -- C:\WINDOWS\System32\ServiceConfig.xml
[2012/11/28 10:39:52 | 000,006,506 | ---- | M] () -- C:\Documents and Settings\administrator.DOMAINNAME\Local Settings\Application Data\eb8f76cd-01ba-4175-8f97-43ad2979a762.crx
[2012/11/28 10:02:53 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{B1EC0DE8-14E5-4B5D-AC05-C1B032978B7E}.job
[2012/11/08 08:08:04 | 000,083,912 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIRfsClientNP.dll
[2012/11/08 08:08:03 | 000,092,072 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIinit.dll
[2012/11/08 08:08:03 | 000,031,144 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIport.dll
[2012/11/05 14:49:37 | 000,004,672 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/11/28 10:41:34 | 000,001,190 | ---- | C] () -- C:\WINDOWS\System32\ServiceConfig.xml
[2012/11/28 09:58:41 | 3756,130,304 | -HS- | C] () -- C:\hiberfil.sys
[2012/11/28 08:51:08 | 000,006,506 | ---- | C] () -- C:\Documents and Settings\administrator.DOMAINNAME\Local Settings\Application Data\eb8f76cd-01ba-4175-8f97-43ad2979a762.crx
[2012/06/18 15:28:57 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/06/18 15:28:57 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/06/18 15:28:57 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/06/18 15:28:57 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/06/18 15:28:57 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/03/19 07:18:47 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/02/19 13:47:42 | 000,000,037 | ---- | C] () -- C:\WINDOWS\WEBICA.INI
[2010/12/01 10:35:06 | 000,000,161 | ---- | C] () -- C:\WINDOWS\DISPARAM.INI
[2010/11/30 10:36:05 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2008/11/12 11:55:07 | 000,002,161 | ---- | C] () -- C:\Documents and Settings\administrator.DOMAINNAME\Local Settings\Application Data\Practice Management.G
[2008/11/12 11:55:07 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\administrator.DOMAINNAME\Local Settings\Application Data\Practice Management.G.L
[2008/11/12 11:46:21 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\administrator.DOMAINNAME\Local Settings\Application Data\WavXMapDrive.bat
[2008/11/12 11:45:41 | 000,004,672 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol

========== LOP Check ==========

[2008/11/12 14:26:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\administrator.DOMAINNAME\Application Data\Fujitsu
[2012/08/17 15:08:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\administrator.DOMAINNAME\Application Data\GFI Software
[2008/11/12 13:03:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\administrator.DOMAINNAME\Application Data\Leadertech
[2008/11/12 13:44:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\administrator.DOMAINNAME\Application Data\PFU
[2009/02/13 12:53:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\administrator.DOMAINNAME\Application Data\PGP Corporation
[2010/11/22 16:22:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\administrator.DOMAINNAME\Application Data\ProSystem fx Practice Management
[2008/10/28 00:08:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\administrator.DOMAINNAME\Application Data\Wave Systems Corp
[2012/08/17 15:08:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\administrator.DOMAINNAME\Application Data\Windows Desktop Search
[2011/11/08 16:40:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/12/01 10:18:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES
[2012/04/03 14:32:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GFI Software
[2010/12/01 14:27:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GroupPolicy
[2012/11/28 08:09:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn
[2008/10/28 00:03:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NTRU Cryptosystems
[2009/02/13 12:52:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PGP Corporation
[2008/11/12 11:51:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ProSystem fx
[2012/01/24 10:28:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Raize
[2010/11/18 16:43:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\VSoft
[2008/10/28 00:09:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Wave Systems Corp
[2010/03/12 14:28:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2012/11/28 10:02:53 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{B1EC0DE8-14E5-4B5D-AC05-C1B032978B7E}.job

========== Purity Check ==========

< End of report >

#2
gringo_pr
    Trusted Helper
  • Malware Removal
  • 7,268 posts
Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.




These are the programs I would like you to run next; if you have any problems with one of them, just skip it and run the next one.

-Security Check-

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--

  • Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller

Gringo

#3
gringo_pr
    Trusted Helper
  • Malware Removal
  • 7,268 posts
Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#4
Dixter
    Member
  • Topic Starter
  • 11 posts
Hi Gringo, thanks for your initial quick response. Unfortunately I was without internet access over the weekend, so I apologize for not getting back to you any sooner.

I should be able to run the utilities you have recommended tomorrow (Monday) afternoon. I'll post the results just as soon as I have them. I do have a couple questions regarding the utilities however:
  • I only have remote access to the infected computer. Will I run into any problems running these tools during a remote session (RDP or LogMeIn)?
  • Will I have an opportunity to review the scan results before the utility removes any suspect files? The infected computer has Remote Monitoring and Management applications installed as well as LogMeIn. I would like to make sure the recommended tools will not accidentally remove files that are necessary for these other applications to run.
Thanks again for lending your expertise Gringo! Your help and knowledge are greatly appreciated.

#5
gringo_pr
    Trusted Helper
  • Malware Removal
  • 7,268 posts
--RogueKiller-- only run the scan.

AdwCleaner does not have a scan-only mode, but I have not heard of it removing anything that might be needed.

And I have not tried to run these remotely.

#6
Dixter
    Member
  • Topic Starter
  • 11 posts
Hi Gringo,

Sorry for the delay. Second day in a row where someone else shut the computer down before I had a chance to log in and run the scans after hours. I'm going to try again tomorrow and I'll get back to you with the scan results. Thanks for your patience.

#7
gringo_pr
    Trusted Helper
  • Malware Removal
  • 7,268 posts
No problem, I will check on you later.


gringo

#8
Dixter
    Member
  • Topic Starter
  • 11 posts
Hi Gringo,
So here is what I have for you so far. I was able to run Security Check and the RogueKiller scan. I ran AdwCleaner, but I will not have that log for you until tomorrow. The computer is using drive encryption and requires a password at boot time before loading the OS. So I should be able to pull that log tomorrow morning after someone physically there can get it booted back up for me.

Thanks again for your help Gringo!

Results of screen317's Security Check version 0.99.56
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
Please wait while WMIC compiles updated MOF files.
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.1.1000
Java™ 6 Update 37
Java™ 6 Update 7
Java version out of Date!
Google Chrome 21.0.1180.83
Google Chrome 21.0.1180.89
Google Chrome 22.0.1229.79
Google Chrome 22.0.1229.92
Google Chrome 22.0.1229.94
Google Chrome 23.0.1271.64
Google Chrome 23.0.1271.91
Google Chrome 23.0.1271.95
````````Process Check: objlist.exe by Laurent````````
ESET NOD32 Antivirus egui.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 13% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````


RogueKiller V8.3.1 [Dec 5 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Administrator [Admin rights]
Mode : Scan -- Date : 12/05/2012 18:02:24

§§§ Bad processes : 1 §§§
[][DLL] rundll32.exe -- C:\WINDOWS\system32\rundll32.exe : nvHotkey.dll -> KILLED [TermProc]

§§§ Registry Entries : 8 §§§
[RUN][NOTFOUND] HKLM\[...]\Run : NVHotkey (rundll32.exe nvHotkey.dll,Start) -> FOUND
[RUN][NOTFOUND] HKLM\[...]\Run : NvMediaCenter (RunDLL32.exe NvMCTray.dll,NvTaskbarInit) -> FOUND
[RUN][ROGUE ST] HKLM\[...]\Run : QuickBooksDB18 (C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe -n QB_PM-8-2008-11_18 -qs -gd ALL -gk all -gp 4096 -gu all -ch 64M -c 32M -x tcpip(BroadcastListener=NO;port=10180) -ti 0 -ec simple -ct- -qi -qw -tl 120 -oe C:\DOCUME~1\dhart\LOCALS~1\APPLIC~1\Intuit\QUI) -> FOUND
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{2B57C707-A681-4B3A-891A-606A50F515E9} : NameServer (10.80.40.15,8.8.8.8) -> FOUND
[DNS] HKLM\[...]\ControlSet003\Services\Interfaces\{2B57C707-A681-4B3A-891A-606A50F515E9} : NameServer (10.80.40.15,8.8.8.8) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

§§§ Particular Files / Folders: §§§

§§§ Driver : [LOADED] §§§
IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : atapi.sys -> HOOKED ([INLINE] atapi.sys @ 0xB9F11852)

§§§ HOSTS File: §§§
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


§§§ MBR Check: §§§

+++++ PhysicalDrive0: ST980411ASG +++++
--- User ---
[MBR] 14122fde1a4ca42bddbd901934d19da7
[BSP] 0331638eef030c9406bbbd8da67da8ec : MBR Code unknown
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 101 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 208845 | Size: 76214 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_12052012_02d1802.txt >>
RKreport[1]_S_12052012_02d1802.txt

#9
gringo_pr
    Trusted Helper
  • Malware Removal
  • 7,268 posts
Ok, I will be looking for it.



gringo

#10
Dixter
    Member
  • Topic Starter
  • 11 posts
...and here is the AdwCleaner report. It doesn't look too promising.

Let me know if you find anything or if you would like me to try running anything else. I can also snip some screen shots demonstrating its current behavior if you think that may be of any help.

Thanks again Gringo!


# AdwCleaner v2.011 - Logfile created 12/05/2012 at 18:12:32
# Updated 02/12/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Administrator - PM-8-2008-11
# Boot Mode : Normal
# Running from : C:\PCT\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [636 octets] - [05/12/2012 18:11:18]
AdwCleaner[S1].txt - [568 octets] - [05/12/2012 18:12:32]

########## EOF - C:\AdwCleaner[S1].txt - [627 octets] ##########


#11
gringo_pr
    Trusted Helper
  • Malware Removal
  • 7,268 posts
Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion," please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#12
Dixter
    Member
  • Topic Starter
  • 11 posts
Hi Gringo,

Here is the latest log for you generated by ComboFix. The problem does still exist, however, Google.com and Bing.com are now both resolving to 92.123.68.97 (even after flushing the local DNS cache and double checking the HOSTS file), which is different than the IP it was using when I started this thread. So it looks like something is still running loose on there...

Thanks Gringo!



ComboFix 12-12-04.01 - Administrator 12/07/2012 17:40:18.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2609 [GMT -5:00]
Running from: c:\pct\JimBobFix4.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-11-07 to 2012-12-07 )))))))))))))))))))))))))))))))
.
.
2012-11-28 15:57 . 2012-11-28 15:56 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-11-28 15:55 . 2012-11-28 15:55 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2012-11-28 15:08 . 2012-11-28 15:08 -------- d-sh--w- c:\documents and settings\administrator.DOMAINNAME\IECompatCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-28 15:56 . 2008-10-28 05:00 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-11-28 15:56 . 2010-09-02 11:43 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-11-08 13:08 . 2010-11-18 22:29 83912 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2012-11-08 13:08 . 2010-11-18 22:29 52648 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2012-11-08 13:08 . 2010-11-18 22:29 31144 ----a-w- c:\windows\system32\LMIport.dll
2012-11-08 13:08 . 2010-11-18 22:29 92072 ----a-w- c:\windows\system32\LMIinit.dll
2012-10-09 14:06 . 2012-06-13 16:08 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-09 14:06 . 2012-06-13 16:08 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-30 00:54 . 2012-06-18 16:58 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHandlerAccessible]
@="{3DBF5F01-3287-46EB-82CF-45AA5C241162}"
[HKEY_CLASSES_ROOT\CLSID\{3DBF5F01-3287-46EB-82CF-45AA5C241162}]
2008-12-10 23:34 311352 ----a-w- c:\windows\system32\PGPfsshl.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-06-13 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1024000]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-12-06 405504]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-06 8466432]
"nwiz"="nwiz.exe" [2007-08-06 1626112]
"NVHotkey"="nvHotkey.dll" [2007-08-06 67584]
"NvMediaCenter"="NvMCTray.dll" [2007-08-06 81920]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-02-22 1245184]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-06-30 2220032]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"SonicWALLNetExtender"="c:\program files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe" [2007-10-24 562608]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
"QuickBooksDB18"="c:\program files\Intuit\QuickBooks 2008\QBDBMgrN.exe" [2006-09-13 128536]
"SBAMTray"="c:\program files\GFI Software\GFIAgent\SBAMTray.exe" [2011-10-12 1627504]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
CardMinder Viewer.lnk - c:\program files\PFU\ScanSnap\CardMinder V3.1\CardLauncher.exe [2008-11-12 77824]
Conversion to PDF with ScanSnap Organizer.lnk - c:\program files\PFU\ScanSnap\Organizer\PfuSsOrgOcrChk.exe [2010-12-1 15360]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-10-28 50688]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-9-16 972064]
ScanSnap Manager.lnk - c:\program files\PFU\ScanSnap\Driver\PfuSsMon.exe [2010-12-1 1048576]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 20:20 73728 ----a-w- c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2012-11-08 13:08 92072 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\PGPmapih.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth
Notification Packages REG_MULTI_SZ scecli PGPpwflt
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3680170722-3275619478-3064864857-1115\Scripts\Logon\0\0]
"Script"=GFIOulook.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3680170722-3275619478-3064864857-500\Scripts\Logon\0\0]
"Script"=GFIOulook.bat
"Script"=GFIOulook.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-10-15 02:38 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NGTray]
2008-09-05 20:23 218504 -c--a-w- c:\program files\Symantec\Ghost\ngtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecureUpgrade]
2007-09-14 15:53 218424 -c--a-w- c:\program files\Wave Systems Corp\SecureUpgrade.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WavXMgr]
2007-09-10 14:55 92160 -c--a-w- c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Symantec\\Ghost\\ngctw32.exe"=
"c:\\Program Files\\GFI Software\\GFIAgent\\SBAMSvc.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 pgpfs;PGP File Sharing;c:\windows\system32\drivers\PGPfsfd.sys [12/10/2008 6:34 PM 134712]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [11/8/2011 4:50 PM 21496]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [8/30/2011 5:56 AM 101624]
R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [11/8/2011 4:50 PM 212568]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [11/18/2010 5:31 PM 374704]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/3/2007 3:09 PM 12856]
R2 MSSQL$PRACTICESOLUTION;SQL Server (PRACTICESOLUTION);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [5/27/2009 2:27 AM 29262680]
R2 NGCLIENT;Symantec Ghost Client Agent;c:\program files\Symantec\Ghost\ngctw32.exe [9/5/2008 3:23 PM 673160]
R2 SAAZappr;SAAZ RMM Agent Presence-PR;c:\progra~1\SAAZOD\zRealTime\SAAZappr.exe [7/11/2011 10:16 AM 82760]
R2 SAAZapsc;SAAZ RMM Agent Presence-SC;c:\progra~1\SAAZOD\zRealTime\SAAZapsc.exe [7/11/2011 10:16 AM 82760]
R2 SAAZDPMACTL;SAAZDPMACTL;c:\progra~1\SAAZOD\SAAZDPMACTL.exe [11/18/2010 4:51 PM 86856]
R2 SAAZScheduler;SAAZScheduler;c:\progra~1\SAAZOD\SAAZScheduler.exe [11/18/2010 4:39 PM 77824]
R2 SAAZServerPlus;SAAZServerPlus;c:\progra~1\SAAZOD\SAAZServerPlus.exe [4/30/2009 7:46 PM 77824]
R2 SAAZWatchDog;SAAZWatchDog;c:\progra~1\SAAZOD\SAAZWatchDog.exe [11/18/2010 4:51 PM 86856]
R2 SBAMSvc;VIPRE Business;c:\program files\GFI Software\GFIAgent\SBAMSvc.exe [10/12/2011 11:28 AM 2804312]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [11/8/2011 4:50 PM 74104]
R2 SBPIMSvc;SB Recovery Service;c:\program files\GFI Software\GFIAgent\SBPIMSvc.exe [10/12/2011 11:28 AM 181616]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [4/25/2008 11:16 AM 5120]
R3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [10/23/2007 7:09 PM 19376]
S4 QuickBooksDB18;QuickBooksDB18;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 [?]
S4 SAAZRemoteSupport;SAAZRemoteSupport;c:\progra~1\SAAZOD\SAAZRemoteSupport.exe [11/18/2010 4:51 PM 78664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-13 14:06]
.
2012-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-06-13 16:08]
.
2012-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-06-13 16:08]
.
2012-12-07 c:\windows\Tasks\User_Feed_Synchronization-{B1EC0DE8-14E5-4B5D-AC05-C1B032978B7E}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3081028
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\PGPlsp.dll
Trusted Zone: domainname.com\vpn
Trusted Zone: itsupport247.net
Trusted Zone: domainname.com\vpn
Trusted Zone: itsupport247.net
TCP: DhcpNameServer = 10.80.40.15 4.2.2.1 4.2.2.2
TCP: Interfaces\{2B57C707-A681-4B3A-891A-606A50F515E9}: NameServer = 10.80.40.15,8.8.8.8
DPF: CabCCT - hxxps://ondemand.apptix.net/OCT/codebase/ActCtrl_Apptix.cab
DPF: {7B62F6EE-D046-11D3-9C5E-0060082627F7} - hxxps://securemail.ascensus.com/messenger/download/TWDownload.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-07 17:45
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3680170722-3275619478-3064864857-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2c,63,f8,b7,11,65,f6,49,b0,af,67,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2c,63,f8,b7,11,65,f6,49,b0,af,67,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(964)
c:\windows\system32\PGPmapih.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\PGPlsp.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
.
- - - - - - - > 'winlogon.exe'(4972)
c:\windows\system32\PGPmapih.dll
c:\windows\system32\LMIinit.dll
.
- - - - - - - > 'lsass.exe'(1020)
c:\windows\system32\PGPmapih.dll
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
c:\windows\system32\PGPlsp.dll
.
- - - - - - - > 'explorer.exe'(5220)
c:\windows\system32\WININET.dll
c:\windows\system32\PGPfsshl.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2012-12-07 17:46:57
ComboFix-quarantined-files.txt 2012-12-07 22:46
ComboFix2.txt 2012-11-29 03:20
ComboFix3.txt 2012-09-17 01:30
ComboFix4.txt 2012-08-17 20:21
ComboFix5.txt 2012-12-07 22:39
.
Pre-Run: 51,199,725,568 bytes free
Post-Run: 51,231,244,288 bytes free
.
- - End Of File - - DC9C58041B780F7ED98540013537FB4D

#13
gringo_pr
    Trusted Helper
  • Malware Removal
  • 7,268 posts
Create and Run Batch File
Open Notepad and copy/paste the entire contents of the codebox below, into Notepad:
@echo off
REM Write the output of every command in the block to Log1.txt
>Log1.txt (
ipconfig /all
nslookup google.com
nslookup yahoo.com
ping -n 2 google.com
ping -n 2 yahoo.com
route print
)
REM Open the log in Notepad, then delete this batch file
start Log1.txt
del %0
Save this as router.bat. Choose "Save as type" - All Files and where to save - Desktop, then close the Notepad file.

Double-click on router.bat to run it. It will open Notepad when done; please post back the results.
gringo
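To read a log like the one this batch file produces, here is an added Python helper (not from this thread or from any of the tools it mentions) that pairs each nslookup answer with the address ping actually used, so a name the configured DNS server could not answer but ping still resolved stands out. The sample log is constructed to mirror the values posted in this thread, and the query order in QUERIES is an assumption that must match the script that produced the log.

```python
"""Pair the nslookup answers in a router.bat-style log with the address ping
actually used, to spot names resolved outside the configured DNS server.
Added example; not part of the thread or of any tool mentioned in it."""
import re

# Order in which the batch file issues its nslookup/ping pairs (assumption:
# the log was produced by a script that queries these names in this order).
QUERIES = ["google.com", "www.bing.com", "bing.com", "yahoo.com"]

# Constructed sample, mirroring the shape and values of the log posted in
# this thread (ipconfig and route print sections omitted for brevity).
SAMPLE_LOG = """\
Server:  ServerName.DomainName.local
Address:  10.80.40.15

DNS request timed out.
    timeout was 2 seconds.
Server:  ServerName.DomainName.local
Address:  10.80.40.15

DNS request timed out.
    timeout was 2 seconds.
Server:  ServerName.DomainName.local
Address:  10.80.40.15

Name:    bing.com
Address:  131.253.13.32

Server:  ServerName.DomainName.local
Address:  10.80.40.15

Name:    yahoo.com
Addresses:  72.30.38.140, 98.138.253.109, 98.139.183.24

Pinging google.com [92.123.68.97] with 32 bytes of data:
Reply from 92.123.68.97: bytes=32 time=17ms TTL=54
Pinging www.bing.com [92.123.68.97] with 32 bytes of data:
Reply from 92.123.68.97: bytes=32 time=18ms TTL=54
Pinging bing.com [131.253.13.32] with 32 bytes of data:
Request timed out.
Pinging yahoo.com [98.139.183.24] with 32 bytes of data:
Reply from 98.139.183.24: bytes=32 time=93ms TTL=52
"""


def parse_nslookup_block(block):
    """Return the set of answer IPs in one nslookup block, or None when the
    server gave no answer (timeout / no such name)."""
    name = re.search(r"(?m)^Name:\s+\S+", block)
    if name is None:
        return None
    # Look for the answer line only after 'Name:', so the server's own
    # 'Address:' line in the block header is not mistaken for an answer.
    answer = re.search(r"(?m)^Address(?:es)?:\s+(.+)$", block[name.end():])
    if answer is None:
        return set()
    return {ip.strip() for ip in answer.group(1).split(",")}


def analyze(log, queries):
    """Classify every queried name by comparing the DNS server's answer
    (nslookup) with the address the Windows resolver handed to ping."""
    ping_start = log.find("\nPinging ")
    ns_part = log if ping_start < 0 else log[:ping_start]
    # nslookup prints one 'Server:' header per query; the first split piece
    # is whatever preceded the first query (e.g. ipconfig output).
    blocks = re.split(r"(?m)^Server:", ns_part)[1:]
    if len(blocks) != len(queries):
        raise ValueError(f"expected {len(queries)} nslookup blocks, found {len(blocks)}")
    dns = dict(zip(queries, map(parse_nslookup_block, blocks)))
    local = dict(re.findall(r"(?m)^Pinging (\S+) \[([\d.]+)\]", log))

    findings = {}
    for name in queries:
        answers, used = dns[name], local.get(name)
        if used is None:
            status = "unresolved"   # ping could not resolve the name either
        elif answers is None:
            # Server returned nothing, yet ping got an address: something on
            # the host (hosts file, cache, LSP or resolver hook) supplied it.
            status = "local-only"
        elif used in answers:
            status = "consistent"
        else:
            status = "mismatch"     # ping used an address the server never gave
        findings[name] = {"dns": answers, "local": used, "status": status}
    return findings


def shared_targets(findings):
    """Names the local resolver sent to the same address; unrelated names
    collapsing onto one IP is the classic hijack/sinkhole pattern."""
    by_ip = {}
    for name, f in findings.items():
        if f["local"]:
            by_ip.setdefault(f["local"], []).append(name)
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, QUERIES)
    for name, f in result.items():
        print(f"{name:14} local={f['local']!s:16} dns={f['dns']}  -> {f['status']}")
    for ip, names in shared_targets(result).items():
        print(f"{ip} is the local answer for: {', '.join(names)}")
```

On the sample, google.com and www.bing.com come out as local-only and both point at the same address, while bing.com and yahoo.com are consistent with the server's answers.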

#14
Dixter
    Member
  • Topic Starter
  • 11 posts
Hi Gringo, I have some interesting results here for you. Apparently Yahoo.com seems to be working now. Also discovered that www.bing.com resolves differently than bing.com. I modified your script to add www.bing.com and bing.com to demonstrate these behaviors for you (hope you don't mind but I figured more information would be better than less in this case).

Thanks again for all your help so far Gringo, you've been awesome!

(Please note that I did modify the names of the computer, server and domain name in the resulting log for privacy.)



Windows IP Configuration

Host Name . . . . . . . . . . . . : ComputerName
Primary Dns Suffix . . . . . . . : DomainName.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : DomainName.local
                                    DomainName.local

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : DomainName.local
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
Physical Address. . . . . . . . . : 00-21-70-AF-EC-FC
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.80.40.76
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.80.40.1
DHCP Server . . . . . . . . . . . : 10.80.40.15
DNS Servers . . . . . . . . . . . : 10.80.40.15
                                    8.8.8.8
Primary WINS Server . . . . . . . : 10.80.40.15
Lease Obtained. . . . . . . . . . : Friday, December 07, 2012 12:15:22 PM
Lease Expires . . . . . . . . . . : Saturday, December 15, 2012 12:15:22 PM

Ethernet adapter Wireless Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Dell Wireless 1395 WLAN Mini-Card
Physical Address. . . . . . . . . : 00-23-4D-C5-5C-0B

Server: ServerName.DomainName.local
Address: 10.80.40.15

DNS request timed out.
timeout was 2 seconds.
Server: ServerName.DomainName.local
Address: 10.80.40.15

DNS request timed out.
timeout was 2 seconds.
Server: ServerName.DomainName.local
Address: 10.80.40.15

Name: bing.com
Address: 131.253.13.32

Server: ServerName.DomainName.local
Address: 10.80.40.15

Name: yahoo.com
Addresses: 72.30.38.140, 98.138.253.109, 98.139.183.24

Pinging google.com [92.123.68.97] with 32 bytes of data:

Reply from 92.123.68.97: bytes=32 time=17ms TTL=54
Reply from 92.123.68.97: bytes=32 time=21ms TTL=54

Ping statistics for 92.123.68.97:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 17ms, Maximum = 21ms, Average = 19ms

Pinging www.bing.com [92.123.68.97] with 32 bytes of data:

Reply from 92.123.68.97: bytes=32 time=18ms TTL=54
Reply from 92.123.68.97: bytes=32 time=17ms TTL=54

Ping statistics for 92.123.68.97:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 17ms, Maximum = 18ms, Average = 17ms

Pinging bing.com [131.253.13.32] with 32 bytes of data:

Request timed out.
Request timed out.

Ping statistics for 131.253.13.32:
Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),

Pinging yahoo.com [98.139.183.24] with 32 bytes of data:

Reply from 98.139.183.24: bytes=32 time=93ms TTL=52
Reply from 98.139.183.24: bytes=32 time=132ms TTL=52

Ping statistics for 98.139.183.24:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 93ms, Maximum = 132ms, Average = 112ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 21 70 af ec fc ...... Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
0x3 ...00 23 4d c5 5c 0b ...... Dell Wireless 1395 WLAN Mini-Card - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.80.40.1 10.80.40.76 1
10.80.40.0 255.255.255.0 10.80.40.76 10.80.40.76 10
10.80.40.76 255.255.255.255 127.0.0.1 127.0.0.1 10
10.255.255.255 255.255.255.255 10.80.40.76 10.80.40.76 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 10.80.40.76 10.80.40.76 10
255.255.255.255 255.255.255.255 10.80.40.76 10.80.40.76 1
255.255.255.255 255.255.255.255 10.80.40.76 3 1
Default Gateway: 10.80.40.1
===========================================================================
Persistent Routes:
None
  • 0
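The thing that makes the log above stand out is that google.com and www.bing.com, two names under different domains, both come back as 92.123.68.97 while bing.com gets a different answer. As an added example (not code from this thread or from Gringo's script), the following parses nslookup and ping output of exactly this shape and flags any address answered for hostnames under more than one domain; the condensed sample log and the two-label apex() heuristic are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, condensed from the nslookup and ping lines in the post above.
SAMPLE_LOG = """\
Server: ServerName.DomainName.local
Address: 10.80.40.15
DNS request timed out.
Name: bing.com
Address: 131.253.13.32
Name: yahoo.com
Addresses: 72.30.38.140, 98.138.253.109, 98.139.183.24
Pinging google.com [92.123.68.97] with 32 bytes of data:
Pinging www.bing.com [92.123.68.97] with 32 bytes of data:
Pinging bing.com [131.253.13.32] with 32 bytes of data:
Pinging yahoo.com [98.139.183.24] with 32 bytes of data:
"""

PING_RE = re.compile(r"^Pinging (\S+) \[(\d{1,3}(?:\.\d{1,3}){3})\]")
NAME_RE = re.compile(r"^Name:\s+(\S+)")
ADDR_RE = re.compile(r"^Address(?:es)?:\s+(.+)$")

def parse_resolutions(log):
    """Return {hostname: set(IPs)} gathered from both nslookup and ping output."""
    seen = defaultdict(set)
    pending = None  # hostname from the last 'Name:' line, awaiting its addresses
    for raw in log.splitlines():
        line = raw.strip()
        if m := PING_RE.match(line):
            seen[m.group(1)].add(m.group(2))
        elif m := NAME_RE.match(line):
            pending = m.group(1)
        elif (m := ADDR_RE.match(line)) and pending:
            # 'Address:' right after 'Server:' has no pending name and is skipped
            seen[pending].update(a.strip() for a in m.group(1).split(","))
            pending = None
    return dict(seen)

def apex(host):
    """Crude registrable domain: last two labels (enough for the .com names here)."""
    return ".".join(host.split(".")[-2:])

def shared_addresses(resolutions):
    """IPs answered for hostnames under different apex domains: a hijack indicator."""
    by_ip = defaultdict(set)
    for host, ips in resolutions.items():
        for ip in ips:
            by_ip[ip].add(host)
    return {ip: hosts for ip, hosts in by_ip.items() if len({apex(h) for h in hosts}) > 1}
```

Run against the sample, shared_addresses() reports only 92.123.68.97, attributed to google.com and www.bing.com; the resolver's own address on the Server/Address lines is never mistaken for an answer.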

#15
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello

Let's set the DNS on the computer to OpenDNS and then flush the DNS once more - https://store.opendn...stem/windows-xp
  • 0