Solved

Link takes me to go.google

Posted on 2008-11-13
1,256 Views
Last Modified: 2012-05-05
When the user tries to click on a Google link or an MSN link it takes them to a different website than the requested page. The link initially says go.google.com. I ran adware, McAfee antivirus, the Wareout fix, HijackThis doesn't show anything. We have done everything and cannot figure out what's going on. Any help is greatly appreciated.
Question by:mowit
21 Comments
 
LVL 3

Expert Comment

by:snowalps
ID: 22952285
Try to scan with Spybot and SmitFraud. Let me know if it gives any results.
0
 
LVL 97

Expert Comment

by:war1
ID: 22952288
Hello mowit,

Sounds like you have a Wareout infection.  Use FixWareout to repair
http://downloads.subratam.org/Fixwareout.exe

Hope this helps!
war1
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 22952645
I recommend downloading and updating malwarebytes.
You can get it free from www.malwarebytes.org
Once updated, reboot into Safe Mode (F8 at startup) and run a scan.
0
 

Author Comment

by:mowit
ID: 22953522
Malwarebytes stopped responding. I can no longer open the program. FixWareout did nothing.
0
 
LVL 97

Expert Comment

by:war1
ID: 22953554
Did you use FixWareout to remove the infection?
0
 

Author Comment

by:mowit
ID: 22953673
War1, we ran fixwareout and it did not fix anything.
0
 
LVL 3

Expert Comment

by:snowalps
ID: 22954023
Did you try my suggestion?
0
 

Author Comment

by:mowit
ID: 22954784
Yes, I ran SmitFraud. After some investigation using TCPView I can see a connection from the svchost process to some static.reverse.ltdomains. I can't figure out what program or service is hosting this.
0
 

Author Comment

by:mowit
ID: 22954791
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\lotus\notes\nslsvice.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Iron Mountain\Connected BackupPC\AgentService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Novell\ZENworks\nalntsrv.exe
c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\SafeBoot\SBMGRNT.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
c:\Program Files\Novell\ZENworks\wm.exe
c:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\iprntctl.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Iron Mountain\Connected BackupPC\Agent.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
c:\Program Files\Novell\ZENworks\NalAgent.exe
C:\Program Files\Stampede\TurboGold\Tgclui32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Spyware Tools\Monitor tools\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mowbackup01/ssws/faces/welcome.jsp?comId=3&configId=13
O1 - Hosts: 63.111.194.182 vpn1.mymow.com
O1 - Hosts: 63.111.194.15 vpn2.mymow.com
O1 - Hosts: 217.206.147.130 vpn3.mymow.com
O1 - Hosts: 63.111.194.11 vpn4.mymow.com
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] c:\WINDOWS\system32\zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [NAL] naldesk
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [imekrmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMKR\imekrmig.exe
O4 - HKLM\..\Run: [imjpmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [AgentUiRunKey] "C:\Program Files\Iron Mountain\Connected BackupPC\Agent.exe" -ni -sss -e http://localhost:16386/
O4 - HKLM\..\Run: [SBMGRNT.EXE] C:\PROGRA~1\SafeBoot\SBMGRNT.EXE -WinLogon
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: TurboGold Notes Client.lnk = C:\Program Files\Stampede\TurboGold\Tgclui32.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - c:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AgentService - Connected Corporation - C:\Program Files\Iron Mountain\Connected BackupPC\AgentService.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\lotus\notes\nslsvice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - c:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SafeBoot Configuration Manager (SafeBootConfigurationManager) - Control Break International - C:\Program Files\SafeBoot\SBMGRNT.EXE
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - c:\Program Files\Novell\ZENworks\wm.exe
O24 - Desktop Component 0: (no name) - (no file)
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 22955083
From your log file:
O1 - Hosts: 63.111.194.182 vpn1.mymow.com
Must be fixed!
O1 - Hosts: 63.111.194.15 vpn2.mymow.com
Must be fixed!
O1 - Hosts: 217.206.147.130 vpn3.mymow.com
Must be fixed!
O1 - Hosts: 63.111.194.11 vpn4.mymow.com
Must be fixed!
O24 - Desktop Component 0: (no name) - (no file)
You can paste your log file at www.hijackthis.de to view what I am talking about.
The items with red X's need to be removed.
David
0
 
LVL 23

Expert Comment

by:phototropic
ID: 22955377
You might want to try a default hosts file:

http://www.mvps.org/winhelp2002/hosts.htm

Download hosts.zip; unzip and run the mvps batch file.

0
 

Author Comment

by:mowit
ID: 22955746
Those entries are valid. I checked the host file already.
0
 
LVL 47

Accepted Solution

by: rpggamergirl (earned 2000 total points)
ID: 22955786

Also look for these folders/files and delete them if present:
C:\WINDOWS\Hosts
C:\WINDOWS\winlog
C:\WINDOWS\O.REG
C:\WINDOWS\O2.REG
C:\WINDOWS\O.VBS


If the problem persists, run ComboFix.
Download and run ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
You must download it to, and run it from, your Desktop.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
0
 

Author Comment

by:mowit
ID: 22956051
The funny thing is, I can't run any Antivirus/Antispyware software. Something's blocking it.
0
 

Author Comment

by:mowit
ID: 22956054
Even in Safe Mode.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 22956151
Rename them first.

If those still won't run, re-download them and rename them before saving to your desktop. Bagle, TDSServ rootkit might be present there as well.
0
 

Author Comment

by:mowit
ID: 22956257
RPGgamergirl can we chat via instant messenger ? my email ***email removed by rpggamergirl, Zone Advisor***
0
 

Author Comment

by:mowit
ID: 22956265
Wow renaming worked.
0
 

Author Comment

by:mowit
ID: 22956376
ComboFix 08-11-12.01 - KCampbell 2008-11-14 19:08:26.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1611 [GMT -5:00]
 * Resident AV is active

.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\drivers\TDSSrbxu.sys
c:\windows\system32\TDSShrtn.dll
c:\windows\system32\TDSShthc.dll
c:\windows\system32\TDSSjvme.dll
c:\windows\system32\TDSSkbfp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSpscp.dll
c:\windows\system32\TDSSsrgt.dll
c:\windows\system32\TDSStkxd.dat
c:\windows\system32\TDSSwxeq.log
c:\windows\system32\TDSSyhvf.log
D:\AutoRun.inf

----- BITS: Possible infected sites -----

hxxp://mowupdates.mymow.com
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS


(((((((((((((((((((((((((   Files Created from 2008-10-15 to 2008-11-15  )))))))))))))))))))))))))))))))
.

2008-11-14 19:15 . 2008-11-14 19:15      53,248      --a------      c:\temp\catchme.dll
2008-11-14 19:14 . 2008-11-14 19:14      <DIR>      d--------      c:\temp\WPDNSE
2008-11-14 19:14 . 2008-11-14 19:14      <DIR>      d--------      c:\temp\e4j2.tmp_dir24405
2008-11-14 19:14 . 2008-11-14 19:14      16,384      --a----t-      c:\temp\Perflib_Perfdata_630.dat
2008-11-14 18:20 . 2008-11-14 18:20      <DIR>      d--------      c:\program files\Windows Defender
2008-11-14 17:46 . 2008-11-14 17:46      <DIR>      d--------      c:\program files\Spybot - Search & Destroy
2008-11-14 17:46 . 2008-11-14 17:46      <DIR>      d--------      c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-14 16:57 . 2008-11-14 16:57      54,156      --ah-----      c:\windows\QTFont.qfn
2008-11-14 16:57 . 2008-11-14 16:57      1,409      --a------      c:\windows\QTFont.for
2008-11-13 13:59 . 2008-11-14 19:14      <DIR>      d--------      c:\temp\nshC.tmp
2008-11-13 13:59 . 2008-11-13 14:00      <DIR>      d--------      c:\program files\WinPcap
2008-11-13 12:06 . 2008-11-13 12:06      211,893      --a------      c:\windows\system32\drivers\IsDrv122.sys
2008-11-13 11:50 . 2008-11-13 11:50      <DIR>      d--------      c:\program files\RealVNC
2008-11-13 11:45 . 2008-11-13 11:45      <DIR>      d--------      c:\program files\BillP Studios
2008-11-13 11:45 . 2008-11-13 11:45      <DIR>      d--------      c:\documents and settings\KCampbell\Application Data\WinPatrol
2008-11-13 11:30 . 2008-11-13 11:30      <DIR>      d--------      c:\program files\Stampede
2008-11-13 11:29 . 2008-11-13 11:29      <DIR>      d--------      c:\documents and settings\Administrator\Application Data\Juniper Networks
2008-11-13 11:13 . 2008-11-14 17:54      <DIR>      d--------      c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-13 10:45 . 2008-11-13 10:45      <DIR>      d--------      c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP
2008-11-13 10:44 . 2008-11-13 10:44      <DIR>      d--------      c:\program files\Trend Micro
2008-11-12 18:35 . 2008-11-14 18:59      <DIR>      d--------      C:\fixwareout
2008-11-12 18:28 . 2008-11-12 18:28      <DIR>      d--------      c:\program files\Common Files\McAfee
2008-11-07 18:15 . 2008-11-07 18:15      <DIR>      d--------      c:\documents and settings\KCampbell\Application Data\Malwarebytes
2008-11-07 18:15 . 2008-11-07 18:15      <DIR>      d--------      c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-28 11:17 . 2008-10-28 11:17      <DIR>      d--------      c:\program files\VideoLAN
2008-10-23 13:34 . 2008-10-23 13:34      <DIR>      d--------      c:\windows\system32\GroupPolicy.WksCache

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-14 22:55      ---------      d-----w      c:\program files\Common Files\AOL
2008-11-14 22:55      ---------      d-----w      c:\documents and settings\All Users\Application Data\AOL
2008-11-13 17:08      ---------      d-----w      c:\program files\Google
2008-11-13 17:01      ---------      d-----w      c:\program files\Common Files\Adobe
2008-11-13 15:42      ---------      d-----w      c:\program files\Java
2008-11-12 23:56      ---------      d-----w      c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-12 23:29      ---------      d-----w      c:\documents and settings\All Users\Application Data\McAfee
2008-11-06 14:33      ---------      d-----w      c:\program files\SafeBoot
2008-10-12 17:12      ---------      d-----w      c:\documents and settings\KCampbell\Application Data\Juniper Networks
2008-09-18 21:14      ---------      d-----w      c:\documents and settings\NetworkService\Application Data\Juniper Networks
2008-09-18 13:38      ---------      d-----w      c:\program files\Juniper Networks
2008-09-18 13:38      ---------      d-----w      c:\documents and settings\LocalService\Application Data\Juniper Networks
2008-09-15 11:57      1,846,016      ----a-w      c:\windows\system32\win32k.sys
2008-08-20 05:38      659,456      ------w      c:\windows\system32\wininet.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NAL"="naldesk" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-07-25 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-07-25 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-07-25 118784]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-19 925696]
"NDPS"="c:\windows\system32\dpmw32.exe" [2004-05-17 32859]
"ZENRC Tray Icon"="c:\windows\system32\zentray.exe" [2005-05-18 40960]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2006-10-18 40960]
"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2006-10-18 45056]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-15 29744]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Distillr\Acrotray.exe" [2006-01-12 483328]
"imekrmig"="c:\program files\Common Files\Microsoft Shared\IME\IMKR\imekrmig.exe" [2001-01-09 44544]
"imjpmig"="c:\program files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe" [2001-02-20 192592]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-07-08 98304]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-07-08 151552]
"AgentUiRunKey"="c:\program files\Iron Mountain\Connected BackupPC\Agent.exe" [2007-04-06 179712]
"SBMGRNT.EXE"="c:\progra~1\SafeBoot\SBMGRNT.EXE" [2007-08-21 49212]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-22 111952]
"TrackPointSrv"="tp4serv.exe" [2005-07-12 c:\windows\system32\tp4serv.exe]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 c:\windows\system32\nwtray.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
TurboGold Notes Client.lnk - c:\program files\Stampede\TurboGold\Tgclui32.exe [2006-07-15 3196504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
"DisableCAD"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2006-06-28 446464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2006-05-02 08:17 24576 c:\windows\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.sl_g729a"= sl_g729a.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages      REG_MULTI_SZ         msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"GoogleDesktopManager-061008-081103"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\MOWRSSReader\\mowrssReader.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Real\\RealPlayer Enterprise\\realplay.exe"=
"c:\\Program Files\\WinZip\\WZSEPE32.EXE"=
"c:\\Program Files\\Microsoft Office\\Office10\\EXCEL.EXE"=
"c:\\Program Files\\Microsoft Office\\Office10\\MSACCESS.EXE"=
"c:\\Program Files\\Microsoft Office\\Office10\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office10\\POWERPNT.EXE"=
"c:\\Program Files\\Microsoft Office\\Office10\\WINWORD.EXE"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Windows Media Player\\wmlaunch.exe"=
"c:\\Program Files\\MathType\\MathType.exe"=
"c:\\Program Files\\Novell\\ZENworks\\NalAgent.exe"=
"c:\\Program Files\\Novell\\ZENworks\\NALDESK.EXE"=
"c:\\Program Files\\Novell\\ZENworks\\NalDiag.exe"=
"c:\\Program Files\\Novell\\ZENworks\\NALNTSRV.EXE"=
"c:\\Program Files\\Novell\\ZENworks\\NalView.exe"=
"c:\\Program Files\\Novell\\ZENworks\\NalWin.exe"=
"c:\\Program Files\\Novell\\ZENworks\\NALWIN32.EXE"=
"c:\\Program Files\\Novell\\ZENworks\\NTSClient.exe"=
"c:\\Program Files\\Novell\\ZENworks\\WM.EXE"=
"c:\\Program Files\\Novell\\ZENworks\\WMRUNDLL.EXE"=
"c:\\Program Files\\Novell\\ZENworks\\WMSCHED.EXE"=
"c:\\Program Files\\Novell\\ZENworks\\ZenTSApp.exe"=
"c:\\Program Files\\Novell\\ZENworks\\zwsreg.exe"=
"c:\\WINDOWS\\NOTEPAD.EXE"=
"c:\\WINDOWS\\system32\\nwtray.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\WINDOWS\\system32\\javaws.exe"=
"c:\\WINDOWS\\system32\\loginw32.exe"=
"c:\\WINDOWS\\system32\\ipconfig.exe"=
"c:\\WINDOWS\\system32\\iprntcfg.exe"=
"c:\\WINDOWS\\system32\\iprntcmd.exe"=
"c:\\Program Files\\Iron Mountain\\Connected BackupPC\\Agent.exe"=
"c:\\Program Files\\Iron Mountain\\Connected BackupPC\\AgentService.exe"=
"c:\\WINDOWS\\system32\\dpmw32.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Cisco Systems\\VPN Client\\vpngui.exe"=
"c:\\Program Files\\Cisco Systems\\VPN Client\\vpnclient.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\lotus\\notes\\notes.exe"=
"c:\\lotus\\notes\\ntaskldr.exe"=
"c:\\lotus\\notes\\nlnotes.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\WINDOWS\\system32\\vpnstats.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\WINDOWS\\system32\\winlogon.exe"=
"c:\\WINDOWS\\system32\\telnet.exe"=
"c:\\WINDOWS\\system32\\lsass.exe"=
"c:\\lotus\\notes\\AvTrapConnectionHolderSvr.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\Windows Defender\\MSASCui.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5556:TCP"= 5556:TCP:SafeBoot
"21:TCP"= 21:TCP:FTP_PT
"23:TCP"= 23:TCP:Telnet_PT
"443:TCP"= 443:TCP:SSL_PT
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5900:TCP"= 5900:TCP:VNC_PT
"8443:TCP"= 8443:TCP:SSL2_PT
"1761:TCP"= 1761:TCP:ZENRD32_PT
"1762:TCP"= 1762:TCP:ZENRD_PT
"135:TCP"= 135:TCP:DUCS_PT

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2007-08-21 30267]
R0 SBAlg;SBAlg;c:\windows\system32\drivers\SBAlg.sys [2007-08-21 44848]
R1 NEOFLTR_600_12507;Juniper Networks TDI Filter Driver (NEOFLTR_600_12507);c:\windows\system32\Drivers\NEOFLTR_600_12507.SYS [2007-12-27 64160]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2006-10-18 34671]
R1 Odptdi;Odptdi;c:\windows\system32\drivers\odptdi.sys [2007-02-05 31232]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\RsvLock.sys [2007-08-21 4752]
R1 SBFlop;SBFlop;c:\windows\system32\drivers\SBFlop.sys [2007-08-21 6096]
R1 SbPrcCtl;SbPrcCtl;c:\windows\system32\drivers\SbPrcCtl.sys [2007-08-21 14864]
R2 AgentService;AgentService;c:\program files\Iron Mountain\Connected BackupPC\AgentService.exe [2007-04-06 5160960]
R2 BlankScr;HBDevice;c:\windows\system32\drivers\BlankScr.sys [2005-05-23 6899]
R2 LV_Tracker;LV_Tracker;c:\windows\system32\DRIVERS\LV_Tracker.sys [2007-04-06 36480]
R2 NICICCS;NICICCS;c:\windows\system32\drivers\NICICCS.sys [2003-08-22 456080]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [2006-05-09 167936]
R2 SafeBootConfigurationManager;SafeBoot Configuration Manager;c:\program files\SafeBoot\SBMGRNT.EXE [2007-08-21 49212]
R2 XTAgent;Novell XTier Agent Services;c:\windows\System32\Novell\XTAgent.exe [2006-05-02 61440]
R3 BM;Novell Virtual Private Network Miniport;c:\windows\system32\DRIVERS\vptunnel.sys [2005-08-25 216364]
R3 Darpan;Darpan;c:\windows\system32\DRIVERS\Darpan.sys [2005-05-23 2773]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\DRIVERS\tp4track.sys [2005-07-12 13840]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S4 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-09-15 29744]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03583282-a4f6-11dd-a7df-001b77066b52}]
\Shell\Auto\command - D:\explorers.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL explorers.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f04b458b-e92c-11dc-a733-001b77066b52}]
\Shell\AutoRun\command - D:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe15b351-651d-11dc-a620-001b77066b52}]
\Shell\Auto\command - D:\explorers.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL explorers.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-15 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\KCampbell\Application Data\Mozilla\Firefox\Profiles\o6fbbwa9.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxps://www.mymow.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-14 19:15:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\system32\winlogon.exe
-> c:\windows\system32\xmlparse.dll

PROCESS: c:\windows\Explorer.exe
-> c:\windows\system32\NWSHLXNT.dll
-> c:\windows\system32\NLS\ENGLISH\NWSHLXNR.DLL
-> c:\program files\Novell\ZENworks\NLS\english\NalUIRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\lotus\notes\nslsvice.exe
c:\lotus\notes\nsl.exe
c:\windows\system32\ibmpmsvc.exe
c:\program files\Windows Defender\MsMpEng.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Novell\ZENworks\NALNTSRV.EXE
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Novell\ZENworks\NalAgent.exe
c:\program files\RealVNC\VNC4\winvnc4.exe
c:\program files\Novell\ZENworks\WM.EXE
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\Novell\ZENworks\WMRUNDLL.EXE
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2008-11-14 19:17:57 - machine was rebooted
ComboFix-quarantined-files.txt  2008-11-15 00:17:51

Pre-Run: 39,947,325,440 bytes free
Post-Run: 39,880,818,688 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

301      --- E O F ---      2008-11-03 17:03:25
0
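The indicator classes the experts point at in this thread (the hosts-file overrides David-Howard flagged, the TDSS-named files under system32, the Security Center notification/override keys set to 1, and the AutoRun handlers registered for removable drives under mountpoints2 in the ComboFix log above) can be picked out of such logs automatically. The script below is an added example written for this page; it is not a tool from the thread, from HijackThis or from ComboFix. It only reads log lines and reports findings, changing nothing on the machine. The log excerpt embedded in it is constructed in the style of the logs posted here: the vpn1 line, the TDSS paths and the mountpoints2 key are as posted, while the google.com and mcafee.com hosts lines and the 203.0.113.5 address are made up, and the watched-domain list is an assumption to adapt to your environment.

```python
"""Triage helper for HijackThis / ComboFix style log excerpts.

Added example for this thread, not a tool from the thread, HijackThis or
ComboFix.  It only reads log lines and reports the indicator classes the
experts pointed at: hosts-file overrides of well-known domains, TDSS-named
files, Security Center notification/override keys set to 1, and AutoRun
handlers registered for removable drives under mountpoints2.
"""
import re
from collections import Counter

# Assumption: domains whose hosts-file override matches the "Google/MSN link
# goes elsewhere" symptom.  Extend for your environment.
WATCHED_DOMAINS = ("google.com", "msn.com", "microsoft.com", "mcafee.com")
LOOPBACK = ("127.0.0.1", "0.0.0.0", "::1")

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
TDSS_FILE_RE = re.compile(r"^[a-z]:\\.*\\(tdss\w*\.(?:sys|dll|dat|log))$", re.IGNORECASE)
SECCENTER_RE = re.compile(
    r'^"(AntiVirusDisableNotify|UpdatesDisableNotify|FirewallDisableNotify|'
    r'AntiVirusOverride|FirewallOverride)"=dword:0*1$')
MOUNTPOINT_KEY_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\"
    r"explorer\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.IGNORECASE)
MOUNTPOINT_CMD_RE = re.compile(r"^\\Shell\\(Auto|AutoRun)\\command - (.+)$")


def triage(lines):
    """Return a list of (category, detail) findings for the given log lines."""
    findings = []
    current_key = None  # last mountpoints2 key seen; its command lines follow it
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            host_l = host.lower()
            # A watched domain pointed at loopback blocks it (e.g. AV updates);
            # pointed anywhere else, it is a redirect of the kind reported here.
            if any(host_l == d or host_l.endswith("." + d) for d in WATCHED_DOMAINS):
                kind = "blocked" if ip in LOOPBACK else "redirected"
                findings.append(("hosts", f"{host} -> {ip} ({kind})"))
            continue
        if TDSS_FILE_RE.match(line):
            findings.append(("tdss-file", line))
            continue
        m = SECCENTER_RE.match(line)
        if m:
            findings.append(("security-center", m.group(1)))
            continue
        m = MOUNTPOINT_KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = MOUNTPOINT_CMD_RE.match(line)
        if m and current_key:
            findings.append(("autorun", f"{current_key} {m.group(1)} -> {m.group(2)}"))
    return findings


def summarize(findings):
    """Count findings per category, e.g. {'hosts': 2, 'autorun': 2}."""
    return dict(Counter(category for category, _ in findings))


# Constructed log excerpt in the style of the logs posted in the thread.
# The vpn1 line, TDSS paths and the mountpoints2 key are as posted; the
# google/mcafee hosts lines and 203.0.113.5 are made up for the example.
SAMPLE_LOG = r"""
O1 - Hosts: 63.111.194.182 vpn1.mymow.com
O1 - Hosts: 203.0.113.5 www.google.com
O1 - Hosts: 127.0.0.1 update.mcafee.com
c:\windows\system32\drivers\TDSSrbxu.sys
c:\windows\system32\TDSShrtn.dll
c:\windows\system32\notepad.exe
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000000
"FirewallOverride"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03583282-a4f6-11dd-a7df-001b77066b52}]
\Shell\Auto\command - D:\explorers.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL explorers.exe
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG.splitlines())
    for category, detail in results:
        print(f"[{category}] {detail}")
    print(summarize(results))
```

Run against the sample, the vpn1.mymow.com line produces nothing, which matches mowit's check that those entries were legitimate, while the redirect of www.google.com, the loopback entry for the AV vendor, both TDSS files, the two Security Center keys set to 1, and both AutoRun handlers under the mountpoints2 key are reported. Pointing `triage()` at the full text of a saved HijackThis or ComboFix log gives the same per-class summary for a real machine.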
 

Author Comment

by:mowit
ID: 22956408
Oh my god it worked thank you
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 22956969

I'm sorry I was offline and just got back.
Glad to know it's resolved.
D:\explorers.exe <-- if you didn't purposely create or if you don't know this file then run the script to remove the reg entry.


Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
D:\explorers.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03583282-a4f6-11dd-a7df-001b77066b52}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe15b351-651d-11dc-a620-001b77066b52}]
------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
 

Thanks for the points and the grade!
0
