Link takes me to go.google

When the user tries to click on a Google link or an MSN link, it takes them to a different website than the requested page. The link initially says go.google.com. I ran Ad-Aware, McAfee antivirus and FixWareout; HijackThis doesn't show anything. We have done everything and cannot figure out what's going on. Any help is greatly appreciated.
mowitAsked:
snowalpsCommented:
Try to scan with Spybot and SmitFraud. Let me know if it gives any results.
0
war1Commented:
Hello mowit,

Sounds like you have a Wareout infection.  Use FixWareout to repair
http://downloads.subratam.org/Fixwareout.exe

Hope this helps!
war1
0
David-HowardCommented:
I recommend downloading and updating Malwarebytes.
You can get it free from www.malwarebytes.org
Once updated, reboot into Safe Mode (F8 at startup) and run a scan.
0
mowitAuthor Commented:
Malwarebytes stops responding. I can no longer open the program. FixWareout did nothing.
0
war1Commented:
Did you use FixWareout to remove the infection?
0
mowitAuthor Commented:
War1, we ran FixWareout and it did not fix anything.
0
snowalpsCommented:
Did you try my suggestion?
0
mowitAuthor Commented:
Yes, I ran SmitFraud. After some investigation using TCPView I can see a connection from the svchost process to some static.reverse.ltdomains. I can't figure out what program or service is hosting this.
0
mowitAuthor Commented:
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\lotus\notes\nslsvice.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Iron Mountain\Connected BackupPC\AgentService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Novell\ZENworks\nalntsrv.exe
c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\SafeBoot\SBMGRNT.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
c:\Program Files\Novell\ZENworks\wm.exe
c:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\iprntctl.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Iron Mountain\Connected BackupPC\Agent.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
c:\Program Files\Novell\ZENworks\NalAgent.exe
C:\Program Files\Stampede\TurboGold\Tgclui32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Spyware Tools\Monitor tools\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mowbackup01/ssws/faces/welcome.jsp?comId=3&configId=13
O1 - Hosts: 63.111.194.182 vpn1.mymow.com
O1 - Hosts: 63.111.194.15 vpn2.mymow.com
O1 - Hosts: 217.206.147.130 vpn3.mymow.com
O1 - Hosts: 63.111.194.11 vpn4.mymow.com
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] c:\WINDOWS\system32\zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [NAL] naldesk
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [imekrmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMKR\imekrmig.exe
O4 - HKLM\..\Run: [imjpmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [AgentUiRunKey] "C:\Program Files\Iron Mountain\Connected BackupPC\Agent.exe" -ni -sss -e http://localhost:16386/
O4 - HKLM\..\Run: [SBMGRNT.EXE] C:\PROGRA~1\SafeBoot\SBMGRNT.EXE -WinLogon
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: TurboGold Notes Client.lnk = C:\Program Files\Stampede\TurboGold\Tgclui32.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - c:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AgentService - Connected Corporation - C:\Program Files\Iron Mountain\Connected BackupPC\AgentService.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\lotus\notes\nslsvice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - c:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SafeBoot Configuration Manager (SafeBootConfigurationManager) - Control Break International - C:\Program Files\SafeBoot\SBMGRNT.EXE
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - c:\Program Files\Novell\ZENworks\wm.exe
O24 - Desktop Component 0: (no name) - (no file)
0
David-HowardCommented:
From your log file:
O1 - Hosts: 63.111.194.182 vpn1.mymow.com
Must be fixed!
O1 - Hosts: 63.111.194.15 vpn2.mymow.com
Must be fixed!
O1 - Hosts: 217.206.147.130 vpn3.mymow.com
Must be fixed!
O1 - Hosts: 63.111.194.11 vpn4.mymow.com
Must be fixed!
O24 - Desktop Component 0: (no name) - (no file)
You can paste your log file at www.hijackthis.de to view what I am talking about.
The items with red X's need to be removed.
David
0
phototropicCommented:
You might want to try a default hosts file:

http://www.mvps.org/winhelp2002/hosts.htm

Download hosts.zip; unzip and run the mvps batch file.

0
mowitAuthor Commented:
Those entries are valid. I checked the host file already.
0
rpggamergirlCommented:

Also look for these folders/files and delete them if present:
C:\WINDOWS\Hosts
C:\WINDOWS\winlog
C:\WINDOWS\O.REG
C:\WINDOWS\O2.REG
C:\WINDOWS\O.VBS


If the problem persists, run ComboFix.
Download and run ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
You must download it to and run it from your Desktop.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double-click combofix.exe and follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.


CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
0

mowitAuthor Commented:
The funny thing is, I can't run any antivirus/antispyware software. Something's blocking it.
0
mowitAuthor Commented:
Even in Safe Mode.
0
rpggamergirlCommented:
Rename them first.

If those still won't run, re-download them and rename them before saving to your desktop. Bagle or the TDSServ rootkit might be present there as well.
0
mowitAuthor Commented:
RPGgamergirl can we chat via instant messenger ? my email ***email removed by rpggamergirl, Zone Advisor***
0
mowitAuthor Commented:
Wow, renaming worked.
0
mowitAuthor Commented:
ComboFix 08-11-12.01 - KCampbell 2008-11-14 19:08:26.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1611 [GMT -5:00]
 * Resident AV is active

.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\drivers\TDSSrbxu.sys
c:\windows\system32\TDSShrtn.dll
c:\windows\system32\TDSShthc.dll
c:\windows\system32\TDSSjvme.dll
c:\windows\system32\TDSSkbfp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSpscp.dll
c:\windows\system32\TDSSsrgt.dll
c:\windows\system32\TDSStkxd.dat
c:\windows\system32\TDSSwxeq.log
c:\windows\system32\TDSSyhvf.log
D:\AutoRun.inf

----- BITS: Possible infected sites -----

hxxp://mowupdates.mymow.com
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS


(((((((((((((((((((((((((   Files Created from 2008-10-15 to 2008-11-15  )))))))))))))))))))))))))))))))
.

2008-11-14 19:15 . 2008-11-14 19:15      53,248      --a------      c:\temp\catchme.dll
2008-11-14 19:14 . 2008-11-14 19:14      <DIR>      d--------      c:\temp\WPDNSE
2008-11-14 19:14 . 2008-11-14 19:14      <DIR>      d--------      c:\temp\e4j2.tmp_dir24405
2008-11-14 19:14 . 2008-11-14 19:14      16,384      --a----t-      c:\temp\Perflib_Perfdata_630.dat
2008-11-14 18:20 . 2008-11-14 18:20      <DIR>      d--------      c:\program files\Windows Defender
2008-11-14 17:46 . 2008-11-14 17:46      <DIR>      d--------      c:\program files\Spybot - Search & Destroy
2008-11-14 17:46 . 2008-11-14 17:46      <DIR>      d--------      c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-14 16:57 . 2008-11-14 16:57      54,156      --ah-----      c:\windows\QTFont.qfn
2008-11-14 16:57 . 2008-11-14 16:57      1,409      --a------      c:\windows\QTFont.for
2008-11-13 13:59 . 2008-11-14 19:14      <DIR>      d--------      c:\temp\nshC.tmp
2008-11-13 13:59 . 2008-11-13 14:00      <DIR>      d--------      c:\program files\WinPcap
2008-11-13 12:06 . 2008-11-13 12:06      211,893      --a------      c:\windows\system32\drivers\IsDrv122.sys
2008-11-13 11:50 . 2008-11-13 11:50      <DIR>      d--------      c:\program files\RealVNC
2008-11-13 11:45 . 2008-11-13 11:45      <DIR>      d--------      c:\program files\BillP Studios
2008-11-13 11:45 . 2008-11-13 11:45      <DIR>      d--------      c:\documents and settings\KCampbell\Application Data\WinPatrol
2008-11-13 11:30 . 2008-11-13 11:30      <DIR>      d--------      c:\program files\Stampede
2008-11-13 11:29 . 2008-11-13 11:29      <DIR>      d--------      c:\documents and settings\Administrator\Application Data\Juniper Networks
2008-11-13 11:13 . 2008-11-14 17:54      <DIR>      d--------      c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-13 10:45 . 2008-11-13 10:45      <DIR>      d--------      c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP
2008-11-13 10:44 . 2008-11-13 10:44      <DIR>      d--------      c:\program files\Trend Micro
2008-11-12 18:35 . 2008-11-14 18:59      <DIR>      d--------      C:\fixwareout
2008-11-12 18:28 . 2008-11-12 18:28      <DIR>      d--------      c:\program files\Common Files\McAfee
2008-11-07 18:15 . 2008-11-07 18:15      <DIR>      d--------      c:\documents and settings\KCampbell\Application Data\Malwarebytes
2008-11-07 18:15 . 2008-11-07 18:15      <DIR>      d--------      c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-28 11:17 . 2008-10-28 11:17      <DIR>      d--------      c:\program files\VideoLAN
2008-10-23 13:34 . 2008-10-23 13:34      <DIR>      d--------      c:\windows\system32\GroupPolicy.WksCache

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-14 22:55      ---------      d-----w      c:\program files\Common Files\AOL
2008-11-14 22:55      ---------      d-----w      c:\documents and settings\All Users\Application Data\AOL
2008-11-13 17:08      ---------      d-----w      c:\program files\Google
2008-11-13 17:01      ---------      d-----w      c:\program files\Common Files\Adobe
2008-11-13 15:42      ---------      d-----w      c:\program files\Java
2008-11-12 23:56      ---------      d-----w      c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-12 23:29      ---------      d-----w      c:\documents and settings\All Users\Application Data\McAfee
2008-11-06 14:33      ---------      d-----w      c:\program files\SafeBoot
2008-10-12 17:12      ---------      d-----w      c:\documents and settings\KCampbell\Application Data\Juniper Networks
2008-09-18 21:14      ---------      d-----w      c:\documents and settings\NetworkService\Application Data\Juniper Networks
2008-09-18 13:38      ---------      d-----w      c:\program files\Juniper Networks
2008-09-18 13:38      ---------      d-----w      c:\documents and settings\LocalService\Application Data\Juniper Networks
2008-09-15 11:57      1,846,016      ----a-w      c:\windows\system32\win32k.sys
2008-08-20 05:38      659,456      ------w      c:\windows\system32\wininet.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NAL"="naldesk" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-07-25 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-07-25 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-07-25 118784]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-19 925696]
"NDPS"="c:\windows\system32\dpmw32.exe" [2004-05-17 32859]
"ZENRC Tray Icon"="c:\windows\system32\zentray.exe" [2005-05-18 40960]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2006-10-18 40960]
"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2006-10-18 45056]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-15 29744]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Distillr\Acrotray.exe" [2006-01-12 483328]
"imekrmig"="c:\program files\Common Files\Microsoft Shared\IME\IMKR\imekrmig.exe" [2001-01-09 44544]
"imjpmig"="c:\program files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe" [2001-02-20 192592]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-07-08 98304]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-07-08 151552]
"AgentUiRunKey"="c:\program files\Iron Mountain\Connected BackupPC\Agent.exe" [2007-04-06 179712]
"SBMGRNT.EXE"="c:\progra~1\SafeBoot\SBMGRNT.EXE" [2007-08-21 49212]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-22 111952]
"TrackPointSrv"="tp4serv.exe" [2005-07-12 c:\windows\system32\tp4serv.exe]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 c:\windows\system32\nwtray.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
TurboGold Notes Client.lnk - c:\program files\Stampede\TurboGold\Tgclui32.exe [2006-07-15 3196504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
"DisableCAD"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2006-06-28 446464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2006-05-02 08:17 24576 c:\windows\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.sl_g729a"= sl_g729a.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages      REG_MULTI_SZ         msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"GoogleDesktopManager-061008-081103"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\MOWRSSReader\\mowrssReader.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Real\\RealPlayer Enterprise\\realplay.exe"=
"c:\\Program Files\\WinZip\\WZSEPE32.EXE"=
"c:\\Program Files\\Microsoft Office\\Office10\\EXCEL.EXE"=
"c:\\Program Files\\Microsoft Office\\Office10\\MSACCESS.EXE"=
"c:\\Program Files\\Microsoft Office\\Office10\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office10\\POWERPNT.EXE"=
"c:\\Program Files\\Microsoft Office\\Office10\\WINWORD.EXE"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Windows Media Player\\wmlaunch.exe"=
"c:\\Program Files\\MathType\\MathType.exe"=
"c:\\Program Files\\Novell\\ZENworks\\NalAgent.exe"=
"c:\\Program Files\\Novell\\ZENworks\\NALDESK.EXE"=
"c:\\Program Files\\Novell\\ZENworks\\NalDiag.exe"=
"c:\\Program Files\\Novell\\ZENworks\\NALNTSRV.EXE"=
"c:\\Program Files\\Novell\\ZENworks\\NalView.exe"=
"c:\\Program Files\\Novell\\ZENworks\\NalWin.exe"=
"c:\\Program Files\\Novell\\ZENworks\\NALWIN32.EXE"=
"c:\\Program Files\\Novell\\ZENworks\\NTSClient.exe"=
"c:\\Program Files\\Novell\\ZENworks\\WM.EXE"=
"c:\\Program Files\\Novell\\ZENworks\\WMRUNDLL.EXE"=
"c:\\Program Files\\Novell\\ZENworks\\WMSCHED.EXE"=
"c:\\Program Files\\Novell\\ZENworks\\ZenTSApp.exe"=
"c:\\Program Files\\Novell\\ZENworks\\zwsreg.exe"=
"c:\\WINDOWS\\NOTEPAD.EXE"=
"c:\\WINDOWS\\system32\\nwtray.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\WINDOWS\\system32\\javaws.exe"=
"c:\\WINDOWS\\system32\\loginw32.exe"=
"c:\\WINDOWS\\system32\\ipconfig.exe"=
"c:\\WINDOWS\\system32\\iprntcfg.exe"=
"c:\\WINDOWS\\system32\\iprntcmd.exe"=
"c:\\Program Files\\Iron Mountain\\Connected BackupPC\\Agent.exe"=
"c:\\Program Files\\Iron Mountain\\Connected BackupPC\\AgentService.exe"=
"c:\\WINDOWS\\system32\\dpmw32.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Cisco Systems\\VPN Client\\vpngui.exe"=
"c:\\Program Files\\Cisco Systems\\VPN Client\\vpnclient.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\lotus\\notes\\notes.exe"=
"c:\\lotus\\notes\\ntaskldr.exe"=
"c:\\lotus\\notes\\nlnotes.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\WINDOWS\\system32\\vpnstats.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\WINDOWS\\system32\\winlogon.exe"=
"c:\\WINDOWS\\system32\\telnet.exe"=
"c:\\WINDOWS\\system32\\lsass.exe"=
"c:\\lotus\\notes\\AvTrapConnectionHolderSvr.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\Windows Defender\\MSASCui.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5556:TCP"= 5556:TCP:SafeBoot
"21:TCP"= 21:TCP:FTP_PT
"23:TCP"= 23:TCP:Telnet_PT
"443:TCP"= 443:TCP:SSL_PT
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5900:TCP"= 5900:TCP:VNC_PT
"8443:TCP"= 8443:TCP:SSL2_PT
"1761:TCP"= 1761:TCP:ZENRD32_PT
"1762:TCP"= 1762:TCP:ZENRD_PT
"135:TCP"= 135:TCP:DUCS_PT

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2007-08-21 30267]
R0 SBAlg;SBAlg;c:\windows\system32\drivers\SBAlg.sys [2007-08-21 44848]
R1 NEOFLTR_600_12507;Juniper Networks TDI Filter Driver (NEOFLTR_600_12507);c:\windows\system32\Drivers\NEOFLTR_600_12507.SYS [2007-12-27 64160]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2006-10-18 34671]
R1 Odptdi;Odptdi;c:\windows\system32\drivers\odptdi.sys [2007-02-05 31232]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\RsvLock.sys [2007-08-21 4752]
R1 SBFlop;SBFlop;c:\windows\system32\drivers\SBFlop.sys [2007-08-21 6096]
R1 SbPrcCtl;SbPrcCtl;c:\windows\system32\drivers\SbPrcCtl.sys [2007-08-21 14864]
R2 AgentService;AgentService;c:\program files\Iron Mountain\Connected BackupPC\AgentService.exe [2007-04-06 5160960]
R2 BlankScr;HBDevice;c:\windows\system32\drivers\BlankScr.sys [2005-05-23 6899]
R2 LV_Tracker;LV_Tracker;c:\windows\system32\DRIVERS\LV_Tracker.sys [2007-04-06 36480]
R2 NICICCS;NICICCS;c:\windows\system32\drivers\NICICCS.sys [2003-08-22 456080]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [2006-05-09 167936]
R2 SafeBootConfigurationManager;SafeBoot Configuration Manager;c:\program files\SafeBoot\SBMGRNT.EXE [2007-08-21 49212]
R2 XTAgent;Novell XTier Agent Services;c:\windows\System32\Novell\XTAgent.exe [2006-05-02 61440]
R3 BM;Novell Virtual Private Network Miniport;c:\windows\system32\DRIVERS\vptunnel.sys [2005-08-25 216364]
R3 Darpan;Darpan;c:\windows\system32\DRIVERS\Darpan.sys [2005-05-23 2773]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\DRIVERS\tp4track.sys [2005-07-12 13840]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S4 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-09-15 29744]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03583282-a4f6-11dd-a7df-001b77066b52}]
\Shell\Auto\command - D:\explorers.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL explorers.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f04b458b-e92c-11dc-a733-001b77066b52}]
\Shell\AutoRun\command - D:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe15b351-651d-11dc-a620-001b77066b52}]
\Shell\Auto\command - D:\explorers.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL explorers.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-15 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\KCampbell\Application Data\Mozilla\Firefox\Profiles\o6fbbwa9.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxps://www.mymow.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-14 19:15:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\system32\winlogon.exe
-> c:\windows\system32\xmlparse.dll

PROCESS: c:\windows\Explorer.exe
-> c:\windows\system32\NWSHLXNT.dll
-> c:\windows\system32\NLS\ENGLISH\NWSHLXNR.DLL
-> c:\program files\Novell\ZENworks\NLS\english\NalUIRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\lotus\notes\nslsvice.exe
c:\lotus\notes\nsl.exe
c:\windows\system32\ibmpmsvc.exe
c:\program files\Windows Defender\MsMpEng.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Novell\ZENworks\NALNTSRV.EXE
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Novell\ZENworks\NalAgent.exe
c:\program files\RealVNC\VNC4\winvnc4.exe
c:\program files\Novell\ZENworks\WM.EXE
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\Novell\ZENworks\WMRUNDLL.EXE
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2008-11-14 19:17:57 - machine was rebooted
ComboFix-quarantined-files.txt  2008-11-15 00:17:51

Pre-Run: 39,947,325,440 bytes free
Post-Run: 39,880,818,688 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

301      --- E O F ---      2008-11-03 17:03:25
0
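The ComboFix log above, and the earlier HijackThis O1 hosts-file discussion, contain the indicators a triage reviewer looks for by hand: TDSS-named files and services, hosts entries that redirect or block public domains (the vpnN.mymow.com entries are internal names and are not of that kind), Security Center override keys, the Windows Firewall switched off, and removable-drive AutoRun commands under mountpoints2. The script below is an added example, not part of the thread or of any of the tools mentioned in it: it runs these checks over log text and groups the hits by category. The sample log it carries is constructed from the patterns in the thread, not a real capture, and the watched-domain list is an assumption chosen for illustration.

```python
"""Triage a HijackThis / ComboFix log for the indicators discussed in the thread.

Added example; the sample log below is constructed, not a real capture.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample modelled on the logs posted in the thread.
SAMPLE_LOG = """\
O1 - Hosts: 63.111.194.182 vpn1.mymow.com
O1 - Hosts: 127.0.0.1 www.google.com
O1 - Hosts: 10.9.8.7 update.mcafee.com
c:\\windows\\system32\\drivers\\TDSSrbxu.sys
c:\\windows\\system32\\TDSShrtn.dll
-------\\Service_TDSSSERV.SYS
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"EnableFirewall"= 0 (0x0)
\\Shell\\Auto\\command - D:\\explorers.exe
\\Shell\\AutoRun\\command - D:\\setupSNK.exe
"igfxtray"="c:\\windows\\system32\\igfxtray.exe" [2006-07-25 94208]
"""

# Assumed watch list: public domains that hijackers commonly redirect (search
# engines) or point at loopback to block updates (AV vendors). Any O1 entry for
# one of these, whatever the IP, is worth a second look. Internal names such as
# vpn1.mymow.com are not on the list and are left alone.
WATCHED_DOMAINS = ("google.com", "msn.com", "microsoft.com", "mcafee.com",
                   "symantec.com", "malwarebytes.org", "bleepingcomputer.com")

HOSTS_LINE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")

# One regex per category; the first matching rule wins for a line.
RULES = [
    # Random-suffix TDSS* files and the TDSSSERV service from the ComboFix log.
    ("tdss-artifact", re.compile(r"TDSS\w*\.(?:sys|dll|dat|log)", re.I)),
    # Security Center keys that silence AV/firewall/update warnings.
    ("security-center-override", re.compile(
        r'"(?:AntiVirusOverride|FirewallOverride|AntiVirusDisableNotify'
        r'|UpdatesDisableNotify)"=dword:00000001')),
    ("firewall-disabled", re.compile(r'"EnableFirewall"=\s*0\b')),
    # mountpoints2 AutoRun handlers that launch an executable from a drive root.
    ("removable-autorun", re.compile(r"\\Shell\\(?:Auto|AutoRun)\\command - (.+)")),
]


@dataclass(frozen=True)
class Finding:
    category: str
    line: str


def hosts_entry_is_suspicious(hostname: str) -> bool:
    """True when the hostname is, or is under, a watched public domain."""
    name = hostname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def triage(log_text: str) -> list:
    """Return one Finding per log line that matches a rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HOSTS_LINE.match(line)
        if m:
            _ip, hostname = m.groups()
            if hosts_entry_is_suspicious(hostname):
                findings.append(Finding("hosts-hijack", line))
            continue
        for category, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(category, line))
                break
    return findings


def summarize(findings) -> dict:
    """Count findings per category, e.g. {'tdss-artifact': 3, ...}."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.category}] {f.line}")
    print(summarize(hits))
```

Run it against a saved log with `triage(open("ComboFix.txt").read())`; a clean machine produces no findings. The hosts rule is deliberately narrow so that site-specific entries like the vpnN.mymow.com ones stay out of the report, which is why an all-or-nothing "reset the hosts file" suggestion is usually the wrong first move on a managed corporate build.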
mowitAuthor Commented:
Oh my god, it worked. Thank you!
0
rpggamergirlCommented:

I'm sorry I was offline and just got back.
Glad to know it's resolved.
D:\explorers.exe <-- if you didn't purposely create it, or if you don't know this file, run the script to remove the reg entry.


Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
D:\explorers.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03583282-a4f6-11dd-a7df-001b77066b52}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe15b351-651d-11dc-a620-001b77066b52}]
------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
 

Thanks for the points and the grade!
0