mowit asked:

Link takes me to go.google

When the user tries to click on a Google link or an MSN link it takes them to a different website than the requested page. The link initially says go.google.com. I ran Ad-Aware, McAfee antivirus and the Wareout fix; HijackThis doesn't show anything. We have done everything and cannot figure out what's going on. Any help is greatly appreciated.
snowalps:

Try to scan with Spybot and Smitfraud. Let me know if it gives any results.
war1:
Hello mowit,

Sounds like you have a Wareout infection.  Use FixWareout to repair
http://downloads.subratam.org/Fixwareout.exe

Hope this helps!
war1
I recommend downloading and updating malwarebytes.
You can get it free from www.malwarebytes.org
Once updated, reboot into Safe Mode (F8 at startup) and run a scan.
mowit (ASKER):
Malwarebytes stops responding. I can no longer open the program. Fixwareout did nothing.
Did you use FixWareout to remove the infection?
mowit (ASKER):
War1, we ran fixwareout and it did not fix anything.
Did you try my suggestion?
mowit (ASKER):
Yes, I ran Smitfraud. After some investigation using TCPView I can see a connection from the svchost process to some static.reverse.ltdomains. I can't figure out what program or service is hosting this.
mowit (ASKER):
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\lotus\notes\nslsvice.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Iron Mountain\Connected BackupPC\AgentService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Novell\ZENworks\nalntsrv.exe
c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\SafeBoot\SBMGRNT.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
c:\Program Files\Novell\ZENworks\wm.exe
c:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\iprntctl.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Iron Mountain\Connected BackupPC\Agent.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
c:\Program Files\Novell\ZENworks\NalAgent.exe
C:\Program Files\Stampede\TurboGold\Tgclui32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Spyware Tools\Monitor tools\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mowbackup01/ssws/faces/welcome.jsp?comId=3&configId=13
O1 - Hosts: 63.111.194.182 vpn1.mymow.com
O1 - Hosts: 63.111.194.15 vpn2.mymow.com
O1 - Hosts: 217.206.147.130 vpn3.mymow.com
O1 - Hosts: 63.111.194.11 vpn4.mymow.com
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] c:\WINDOWS\system32\zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [NAL] naldesk
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [imekrmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMKR\imekrmig.exe
O4 - HKLM\..\Run: [imjpmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [AgentUiRunKey] "C:\Program Files\Iron Mountain\Connected BackupPC\Agent.exe" -ni -sss -e http://localhost:16386/
O4 - HKLM\..\Run: [SBMGRNT.EXE] C:\PROGRA~1\SafeBoot\SBMGRNT.EXE -WinLogon
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: TurboGold Notes Client.lnk = C:\Program Files\Stampede\TurboGold\Tgclui32.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - c:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AgentService - Connected Corporation - C:\Program Files\Iron Mountain\Connected BackupPC\AgentService.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\lotus\notes\nslsvice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - c:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SafeBoot Configuration Manager (SafeBootConfigurationManager) - Control Break International - C:\Program Files\SafeBoot\SBMGRNT.EXE
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - c:\Program Files\Novell\ZENworks\wm.exe
O24 - Desktop Component 0: (no name) - (no file)
From your log file:
O1 - Hosts: 63.111.194.182 vpn1.mymow.com
Must be fixed!
O1 - Hosts: 63.111.194.15 vpn2.mymow.com
Must be fixed!
O1 - Hosts: 217.206.147.130 vpn3.mymow.com
Must be fixed!
O1 - Hosts: 63.111.194.11 vpn4.mymow.com
Must be fixed!
O24 - Desktop Component 0: (no name) - (no file)
You can paste your log file at www.hijackthis.de to view what I am talking about.
The items with red X's need to be removed.
David
You might want to try a default hosts file:

http://www.mvps.org/winhelp2002/hosts.htm

Download hosts.zip; unzip and run the mvps batch file.
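The disagreement above (the log lists O1 hosts-file overrides, the helper wants them removed, the asker says they are the company's own VPN entries) is the usual problem with O1 lines: an override is only suspicious when it contradicts what the organisation intentionally configured, or when it touches a domain that should never be overridden locally, such as the search engines whose links were being redirected at the top of this thread. The following Python script is an added example, not code from this thread or from HijackThis itself. It parses O1 lines and labels each one against an allowlist. The four vpn*.mymow.com lines are the ones quoted in the log; the allowlist, the sensitive-domain list and the www.google.com line (pointing at 192.0.2.10, a documentation address) are constructed assumptions for illustration.

```python
import re
from ipaddress import ip_address

# Constructed sample: the four O1 lines quoted from the HijackThis log in this
# thread, plus one line constructed for illustration (192.0.2.10 is a
# documentation address) to show what a real hosts-file redirect looks like.
SAMPLE_HJT = """\
O1 - Hosts: 63.111.194.182 vpn1.mymow.com
O1 - Hosts: 63.111.194.15 vpn2.mymow.com
O1 - Hosts: 217.206.147.130 vpn3.mymow.com
O1 - Hosts: 63.111.194.11 vpn4.mymow.com
O1 - Hosts: 192.0.2.10 www.google.com
"""

# Assumed allowlist: the mappings the organisation deliberately put in the
# hosts file (here the VPN hosts the asker confirmed as valid).
EXPECTED = {
    "vpn1.mymow.com": "63.111.194.182",
    "vpn2.mymow.com": "63.111.194.15",
    "vpn3.mymow.com": "217.206.147.130",
    "vpn4.mymow.com": "63.111.194.11",
}

# Assumed list of domains that should never be overridden locally; an entry for
# any of these is the search-redirect symptom described at the top of the thread.
SENSITIVE_SUFFIXES = ("google.com", "msn.com", "microsoft.com", "mcafee.com")

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")


def parse_o1(log_text):
    """Extract (hostname, ip) pairs from HijackThis O1 lines."""
    entries = []
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if not m:
            continue
        ip, host = m.group(1), m.group(2)
        ip_address(ip)  # raises ValueError if the address field is malformed
        entries.append((host.lower().rstrip("."), ip))
    return entries


def classify(entries, expected=EXPECTED, sensitive=SENSITIVE_SUFFIXES):
    """Label every hosts override so only the unexpected ones need a human."""
    verdicts = {}
    for host, ip in entries:
        if host in expected:
            # Known host: fine only if it points where the organisation says it should.
            verdicts[host] = "expected" if expected[host] == ip else "unexpected_ip"
        elif any(host == s or host.endswith("." + s) for s in sensitive):
            # A local override of a search/vendor domain is the redirect symptom.
            verdicts[host] = "redirect"
        else:
            verdicts[host] = "unknown_host"
    return verdicts


def report(log_text):
    """Print one verdict per O1 line and return the verdict map."""
    verdicts = classify(parse_o1(log_text))
    for host, verdict in verdicts.items():
        print(f"{verdict:14s} {host}")
    return verdicts


if __name__ == "__main__":
    report(SAMPLE_HJT)
```

Run against the sample, the four VPN entries come back as "expected" and only the constructed www.google.com line is reported as a redirect; a VPN host pointing at a different address than the allowlist would be reported as "unexpected_ip", which is the case worth escalating.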

mowit (ASKER):
Those entries are valid. I checked the hosts file already.
ASKER CERTIFIED SOLUTION
rpggamergirl:
mowit (ASKER):
The funny thing is, I can't run any antivirus/antispyware software. Something's blocking it.
mowit (ASKER):
Even in safe mode.
Rename them first.

If those still won't run, re-download them and rename them before saving to your desktop. Bagle or the TDSServ rootkit might be present there as well.
mowit (ASKER):
rpggamergirl, can we chat via instant messenger? My email: ***email removed by rpggamergirl, Zone Advisor***
mowit (ASKER):
Wow renaming worked.
mowit (ASKER):
ComboFix 08-11-12.01 - KCampbell 2008-11-14 19:08:26.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1611 [GMT -5:00]
 * Resident AV is active

.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\drivers\TDSSrbxu.sys
c:\windows\system32\TDSShrtn.dll
c:\windows\system32\TDSShthc.dll
c:\windows\system32\TDSSjvme.dll
c:\windows\system32\TDSSkbfp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSpscp.dll
c:\windows\system32\TDSSsrgt.dll
c:\windows\system32\TDSStkxd.dat
c:\windows\system32\TDSSwxeq.log
c:\windows\system32\TDSSyhvf.log
D:\AutoRun.inf

----- BITS: Possible infected sites -----

hxxp://mowupdates.mymow.com
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS


(((((((((((((((((((((((((   Files Created from 2008-10-15 to 2008-11-15  )))))))))))))))))))))))))))))))
.

2008-11-14 19:15 . 2008-11-14 19:15      53,248      --a------      c:\temp\catchme.dll
2008-11-14 19:14 . 2008-11-14 19:14      <DIR>      d--------      c:\temp\WPDNSE
2008-11-14 19:14 . 2008-11-14 19:14      <DIR>      d--------      c:\temp\e4j2.tmp_dir24405
2008-11-14 19:14 . 2008-11-14 19:14      16,384      --a----t-      c:\temp\Perflib_Perfdata_630.dat
2008-11-14 18:20 . 2008-11-14 18:20      <DIR>      d--------      c:\program files\Windows Defender
2008-11-14 17:46 . 2008-11-14 17:46      <DIR>      d--------      c:\program files\Spybot - Search & Destroy
2008-11-14 17:46 . 2008-11-14 17:46      <DIR>      d--------      c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-14 16:57 . 2008-11-14 16:57      54,156      --ah-----      c:\windows\QTFont.qfn
2008-11-14 16:57 . 2008-11-14 16:57      1,409      --a------      c:\windows\QTFont.for
2008-11-13 13:59 . 2008-11-14 19:14      <DIR>      d--------      c:\temp\nshC.tmp
2008-11-13 13:59 . 2008-11-13 14:00      <DIR>      d--------      c:\program files\WinPcap
2008-11-13 12:06 . 2008-11-13 12:06      211,893      --a------      c:\windows\system32\drivers\IsDrv122.sys
2008-11-13 11:50 . 2008-11-13 11:50      <DIR>      d--------      c:\program files\RealVNC
2008-11-13 11:45 . 2008-11-13 11:45      <DIR>      d--------      c:\program files\BillP Studios
2008-11-13 11:45 . 2008-11-13 11:45      <DIR>      d--------      c:\documents and settings\KCampbell\Application Data\WinPatrol
2008-11-13 11:30 . 2008-11-13 11:30      <DIR>      d--------      c:\program files\Stampede
2008-11-13 11:29 . 2008-11-13 11:29      <DIR>      d--------      c:\documents and settings\Administrator\Application Data\Juniper Networks
2008-11-13 11:13 . 2008-11-14 17:54      <DIR>      d--------      c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-13 10:45 . 2008-11-13 10:45      <DIR>      d--------      c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP
2008-11-13 10:44 . 2008-11-13 10:44      <DIR>      d--------      c:\program files\Trend Micro
2008-11-12 18:35 . 2008-11-14 18:59      <DIR>      d--------      C:\fixwareout
2008-11-12 18:28 . 2008-11-12 18:28      <DIR>      d--------      c:\program files\Common Files\McAfee
2008-11-07 18:15 . 2008-11-07 18:15      <DIR>      d--------      c:\documents and settings\KCampbell\Application Data\Malwarebytes
2008-11-07 18:15 . 2008-11-07 18:15      <DIR>      d--------      c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-28 11:17 . 2008-10-28 11:17      <DIR>      d--------      c:\program files\VideoLAN
2008-10-23 13:34 . 2008-10-23 13:34      <DIR>      d--------      c:\windows\system32\GroupPolicy.WksCache

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-14 22:55      ---------      d-----w      c:\program files\Common Files\AOL
2008-11-14 22:55      ---------      d-----w      c:\documents and settings\All Users\Application Data\AOL
2008-11-13 17:08      ---------      d-----w      c:\program files\Google
2008-11-13 17:01      ---------      d-----w      c:\program files\Common Files\Adobe
2008-11-13 15:42      ---------      d-----w      c:\program files\Java
2008-11-12 23:56      ---------      d-----w      c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-12 23:29      ---------      d-----w      c:\documents and settings\All Users\Application Data\McAfee
2008-11-06 14:33      ---------      d-----w      c:\program files\SafeBoot
2008-10-12 17:12      ---------      d-----w      c:\documents and settings\KCampbell\Application Data\Juniper Networks
2008-09-18 21:14      ---------      d-----w      c:\documents and settings\NetworkService\Application Data\Juniper Networks
2008-09-18 13:38      ---------      d-----w      c:\program files\Juniper Networks
2008-09-18 13:38      ---------      d-----w      c:\documents and settings\LocalService\Application Data\Juniper Networks
2008-09-15 11:57      1,846,016      ----a-w      c:\windows\system32\win32k.sys
2008-08-20 05:38      659,456      ------w      c:\windows\system32\wininet.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NAL"="naldesk" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-07-25 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-07-25 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-07-25 118784]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-19 925696]
"NDPS"="c:\windows\system32\dpmw32.exe" [2004-05-17 32859]
"ZENRC Tray Icon"="c:\windows\system32\zentray.exe" [2005-05-18 40960]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2006-10-18 40960]
"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2006-10-18 45056]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-15 29744]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Distillr\Acrotray.exe" [2006-01-12 483328]
"imekrmig"="c:\program files\Common Files\Microsoft Shared\IME\IMKR\imekrmig.exe" [2001-01-09 44544]
"imjpmig"="c:\program files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe" [2001-02-20 192592]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-07-08 98304]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-07-08 151552]
"AgentUiRunKey"="c:\program files\Iron Mountain\Connected BackupPC\Agent.exe" [2007-04-06 179712]
"SBMGRNT.EXE"="c:\progra~1\SafeBoot\SBMGRNT.EXE" [2007-08-21 49212]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-22 111952]
"TrackPointSrv"="tp4serv.exe" [2005-07-12 c:\windows\system32\tp4serv.exe]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 c:\windows\system32\nwtray.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
TurboGold Notes Client.lnk - c:\program files\Stampede\TurboGold\Tgclui32.exe [2006-07-15 3196504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
"DisableCAD"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2006-06-28 446464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2006-05-02 08:17 24576 c:\windows\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.sl_g729a"= sl_g729a.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages      REG_MULTI_SZ         msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"GoogleDesktopManager-061008-081103"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\MOWRSSReader\\mowrssReader.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Real\\RealPlayer Enterprise\\realplay.exe"=
"c:\\Program Files\\WinZip\\WZSEPE32.EXE"=
"c:\\Program Files\\Microsoft Office\\Office10\\EXCEL.EXE"=
"c:\\Program Files\\Microsoft Office\\Office10\\MSACCESS.EXE"=
"c:\\Program Files\\Microsoft Office\\Office10\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office10\\POWERPNT.EXE"=
"c:\\Program Files\\Microsoft Office\\Office10\\WINWORD.EXE"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Windows Media Player\\wmlaunch.exe"=
"c:\\Program Files\\MathType\\MathType.exe"=
"c:\\Program Files\\Novell\\ZENworks\\NalAgent.exe"=
"c:\\Program Files\\Novell\\ZENworks\\NALDESK.EXE"=
"c:\\Program Files\\Novell\\ZENworks\\NalDiag.exe"=
"c:\\Program Files\\Novell\\ZENworks\\NALNTSRV.EXE"=
"c:\\Program Files\\Novell\\ZENworks\\NalView.exe"=
"c:\\Program Files\\Novell\\ZENworks\\NalWin.exe"=
"c:\\Program Files\\Novell\\ZENworks\\NALWIN32.EXE"=
"c:\\Program Files\\Novell\\ZENworks\\NTSClient.exe"=
"c:\\Program Files\\Novell\\ZENworks\\WM.EXE"=
"c:\\Program Files\\Novell\\ZENworks\\WMRUNDLL.EXE"=
"c:\\Program Files\\Novell\\ZENworks\\WMSCHED.EXE"=
"c:\\Program Files\\Novell\\ZENworks\\ZenTSApp.exe"=
"c:\\Program Files\\Novell\\ZENworks\\zwsreg.exe"=
"c:\\WINDOWS\\NOTEPAD.EXE"=
"c:\\WINDOWS\\system32\\nwtray.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\WINDOWS\\system32\\javaws.exe"=
"c:\\WINDOWS\\system32\\loginw32.exe"=
"c:\\WINDOWS\\system32\\ipconfig.exe"=
"c:\\WINDOWS\\system32\\iprntcfg.exe"=
"c:\\WINDOWS\\system32\\iprntcmd.exe"=
"c:\\Program Files\\Iron Mountain\\Connected BackupPC\\Agent.exe"=
"c:\\Program Files\\Iron Mountain\\Connected BackupPC\\AgentService.exe"=
"c:\\WINDOWS\\system32\\dpmw32.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Cisco Systems\\VPN Client\\vpngui.exe"=
"c:\\Program Files\\Cisco Systems\\VPN Client\\vpnclient.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\lotus\\notes\\notes.exe"=
"c:\\lotus\\notes\\ntaskldr.exe"=
"c:\\lotus\\notes\\nlnotes.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\WINDOWS\\system32\\vpnstats.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\WINDOWS\\system32\\winlogon.exe"=
"c:\\WINDOWS\\system32\\telnet.exe"=
"c:\\WINDOWS\\system32\\lsass.exe"=
"c:\\lotus\\notes\\AvTrapConnectionHolderSvr.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\Windows Defender\\MSASCui.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5556:TCP"= 5556:TCP:SafeBoot
"21:TCP"= 21:TCP:FTP_PT
"23:TCP"= 23:TCP:Telnet_PT
"443:TCP"= 443:TCP:SSL_PT
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5900:TCP"= 5900:TCP:VNC_PT
"8443:TCP"= 8443:TCP:SSL2_PT
"1761:TCP"= 1761:TCP:ZENRD32_PT
"1762:TCP"= 1762:TCP:ZENRD_PT
"135:TCP"= 135:TCP:DUCS_PT

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2007-08-21 30267]
R0 SBAlg;SBAlg;c:\windows\system32\drivers\SBAlg.sys [2007-08-21 44848]
R1 NEOFLTR_600_12507;Juniper Networks TDI Filter Driver (NEOFLTR_600_12507);c:\windows\system32\Drivers\NEOFLTR_600_12507.SYS [2007-12-27 64160]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2006-10-18 34671]
R1 Odptdi;Odptdi;c:\windows\system32\drivers\odptdi.sys [2007-02-05 31232]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\RsvLock.sys [2007-08-21 4752]
R1 SBFlop;SBFlop;c:\windows\system32\drivers\SBFlop.sys [2007-08-21 6096]
R1 SbPrcCtl;SbPrcCtl;c:\windows\system32\drivers\SbPrcCtl.sys [2007-08-21 14864]
R2 AgentService;AgentService;c:\program files\Iron Mountain\Connected BackupPC\AgentService.exe [2007-04-06 5160960]
R2 BlankScr;HBDevice;c:\windows\system32\drivers\BlankScr.sys [2005-05-23 6899]
R2 LV_Tracker;LV_Tracker;c:\windows\system32\DRIVERS\LV_Tracker.sys [2007-04-06 36480]
R2 NICICCS;NICICCS;c:\windows\system32\drivers\NICICCS.sys [2003-08-22 456080]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [2006-05-09 167936]
R2 SafeBootConfigurationManager;SafeBoot Configuration Manager;c:\program files\SafeBoot\SBMGRNT.EXE [2007-08-21 49212]
R2 XTAgent;Novell XTier Agent Services;c:\windows\System32\Novell\XTAgent.exe [2006-05-02 61440]
R3 BM;Novell Virtual Private Network Miniport;c:\windows\system32\DRIVERS\vptunnel.sys [2005-08-25 216364]
R3 Darpan;Darpan;c:\windows\system32\DRIVERS\Darpan.sys [2005-05-23 2773]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\DRIVERS\tp4track.sys [2005-07-12 13840]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S4 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-09-15 29744]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03583282-a4f6-11dd-a7df-001b77066b52}]
\Shell\Auto\command - D:\explorers.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL explorers.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f04b458b-e92c-11dc-a733-001b77066b52}]
\Shell\AutoRun\command - D:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe15b351-651d-11dc-a620-001b77066b52}]
\Shell\Auto\command - D:\explorers.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL explorers.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-15 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\KCampbell\Application Data\Mozilla\Firefox\Profiles\o6fbbwa9.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxps://www.mymow.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-14 19:15:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\system32\winlogon.exe
-> c:\windows\system32\xmlparse.dll

PROCESS: c:\windows\Explorer.exe
-> c:\windows\system32\NWSHLXNT.dll
-> c:\windows\system32\NLS\ENGLISH\NWSHLXNR.DLL
-> c:\program files\Novell\ZENworks\NLS\english\NalUIRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\lotus\notes\nslsvice.exe
c:\lotus\notes\nsl.exe
c:\windows\system32\ibmpmsvc.exe
c:\program files\Windows Defender\MsMpEng.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Novell\ZENworks\NALNTSRV.EXE
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Novell\ZENworks\NalAgent.exe
c:\program files\RealVNC\VNC4\winvnc4.exe
c:\program files\Novell\ZENworks\WM.EXE
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\Novell\ZENworks\WMRUNDLL.EXE
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2008-11-14 19:17:57 - machine was rebooted
ComboFix-quarantined-files.txt  2008-11-15 00:17:51

Pre-Run: 39,947,325,440 bytes free
Post-Run: 39,880,818,688 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

301      --- E O F ---      2008-11-03 17:03:25
mowit (ASKER):
Oh my god, it worked. Thank you!

I'm sorry, I was offline and just got back.
Glad to know it's resolved.
D:\explorers.exe <-- if you didn't purposely create it, or if you don't know this file, then run the script to remove the reg entry.


Run ComboFix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
D:\explorers.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03583282-a4f6-11dd-a7df-001b77066b52}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe15b351-651d-11dc-a620-001b77066b52}]
------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
 

Thanks for the points and the grade!