TechSpot

[In progress] Workstations infected with Google redirect

By bgmartin2
May 19, 2011
  1. Hi, I am trying to repair two workstations that are infected with the Google redirect virus. At this moment I am only concentrating on one of the workstations and do not know if the solution for this computer will work on the other. Both computers are Windows 7.

    Here are the log files.

    Malwarebytes

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org
    Database version: 6618
    Windows 6.1.7601 Service Pack 1
    Internet Explorer 8.0.7601.17514
    5/19/2011 1:03:08 PM
    mbam-log-2011-05-19 (13-03-08).txt
    Scan type: Quick scan
    Objects scanned: 157913
    Time elapsed: 2 minute(s), 29 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    (No malicious items detected)
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    GMER
    GMER 1.0.15.15627 - http://www.gmer.net
    Rootkit scan 2011-05-18 23:37:03
    Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3160815AS rev.3.ADA
    Running: 6hu8nidq.exe; Driver: C:\Users\Sharkey\AppData\Local\Temp\uwtorkob.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwSaveKey + 13C1 8287A339 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 828B3D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    PAGE spsys.sys!?SPRevision@@3PADA + 4F90 9CBAB000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
    PAGE spsys.sys!?SPRevision@@3PADA + 50B3 9CBAB123 629 Bytes [65, BA, 9C, FE, 05, 34, 65, ...]
    PAGE spsys.sys!?SPRevision@@3PADA + 5329 9CBAB399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
    PAGE spsys.sys!?SPRevision@@3PADA + 538F 9CBAB3FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
    PAGE spsys.sys!?SPRevision@@3PADA + 543B 9CBAB4AB 2228 Bytes [8B, FF, 55, 8B, EC, FF, 75, ...]
    PAGE ...
    ? C:\Users\Sharkey\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Windows\system32\lsm.exe[472] ntdll.dll!NtOpenProcess 77D95D88 5 Bytes JMP 00330010
    .text C:\Windows\system32\lsm.exe[472] ntdll.dll!NtTerminateProcess 77D968C8 5 Bytes JMP 00340010
    .text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!EnableWindow 769A8D02 5 Bytes JMP 711DA855 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!GetAsyncKeyState 769AA256 5 Bytes JMP 711DB202 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!CallNextHookEx 769AABE1 5 Bytes JMP 71223CC1 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!UnhookWindowsHookEx 769AADF9 5 Bytes JMP 712DD96F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!SetWindowsHookExW 769AE30C 5 Bytes JMP 71277DF1 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!CreateWindowExW 769AEC7C 5 Bytes JMP 712B384C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!GetKeyState 769B2B4D 5 Bytes JMP 711E0F61 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!IsDialogMessageW 769B4104 5 Bytes JMP 711DADAE C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!CreateDialogParamA 769C1F42 5 Bytes JMP 713EE9C8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!IsDialogMessage 769C2019 5 Bytes JMP 713EE202 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!DialogBoxParamW 769C3B9B 5 Bytes JMP 711E7F65 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!CreateDialogIndirectParamA 769C721D 5 Bytes JMP 713EEA36 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!CreateDialogIndirectParamW 769CEA10 5 Bytes JMP 713EEA6D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!DialogBoxIndirectParamW 769D3B7F 5 Bytes JMP 713EDD30 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!EndDialog 769D3BA3 5 Bytes JMP 711DB000 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!CreateDialogParamW 769D5630 5 Bytes JMP 713EE9FF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!SetKeyboardState 769D695A 5 Bytes JMP 713EE567 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!SendInput 769D7019 5 Bytes JMP 713EF18C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!SetCursorPos 769EC1B0 5 Bytes JMP 713EF1E4 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!DialogBoxParamA 769ECF42 5 Bytes JMP 713EDCCD C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!DialogBoxIndirectParamA 769ED274 5 Bytes JMP 713EDD93 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!MessageBoxIndirectA 769FE869 5 Bytes JMP 713EDC62 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!MessageBoxIndirectW 769FE963 5 Bytes JMP 713EDBF7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!MessageBoxExA 769FE9C9 5 Bytes JMP 713EDB95 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!MessageBoxExW 769FE9ED 5 Bytes JMP 713EDB33 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!keybd_event 769FEC3B 5 Bytes JMP 713EF517 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[600] SHELL32.dll!RealDriveType + 173D 7710FE10 4 Bytes [A5, 35, C0, 6E]
    .text C:\Program Files\Internet Explorer\iexplore.exe[600] SHELL32.dll!RealDriveType + 1745 7710FE18 8 Bytes [F3, 34, C0, 6E, 17, 73, BF, ...]
    .text C:\Program Files\Internet Explorer\iexplore.exe[600] ole32.dll!OleLoadFromStream 76576143 5 Bytes JMP 713EE0A7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[600] ole32.dll!CoCreateInstance 765B9D0B 5 Bytes JMP 712B33DA C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3748] USER32.dll!CreateWindowExW 769AEC7C 5 Bytes JMP 712B384C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3748] USER32.dll!DialogBoxParamW 769C3B9B 5 Bytes JMP 711E7F65 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3748] USER32.dll!DialogBoxIndirectParamW 769D3B7F 5 Bytes JMP 713EDD30 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3748] USER32.dll!DialogBoxParamA 769ECF42 5 Bytes JMP 713EDCCD C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3748] USER32.dll!DialogBoxIndirectParamA 769ED274 5 Bytes JMP 713EDD93 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3748] USER32.dll!MessageBoxIndirectA 769FE869 5 Bytes JMP 713EDC62 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3748] USER32.dll!MessageBoxIndirectW 769FE963 5 Bytes JMP 713EDBF7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3748] USER32.dll!MessageBoxExA 769FE9C9 5 Bytes JMP 713EDB95 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3748] USER32.dll!MessageBoxExW 769FE9ED 5 Bytes JMP 713EDB33 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\ACPI_HAL \Device\00000041 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----


    DDS and Attach on next post
  2. bgmartin2


    dds

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Sharkey at 23:02:15.47 on Wed 05/18/2011
    Internet Explorer: 8.0.7601.17514
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3070.1594 [GMT -4:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\taskhost.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\svchost.exe -k HPService
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe
    C:\Program Files\HP\HP Software Update\hpwuschd2.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\LaCie\Network Assistant\LaCie Network Assistant.exe
    C:\Windows\system32\sppsvc.exe
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
    C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    C:\Program Files\Intuit\QuickBooks 2011\qbw32.exe
    C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    C:\Windows\System32\msdtc.exe
    C:\Windows\system32\DllHost.exe
    C:\Program Files\Intuit\QuickBooks 2011\QBHelp.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\LaCie\Genie Backup Assistant\GBM8.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10q_ActiveX.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Sharkey\Desktop\removal\dds.scr
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
    BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: @c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
    EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
    uRun: [LaCie Ethernet Agent Startup] c:\program files\lacie\network assistant\LaCie Network Assistant.exe
    uRun: [GBMLite8AgentLaCie] c:\program files\lacie\genie backup assistant\GBMAgent.exe
    mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
    mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
    mRun: [Bing Bar] "c:\program files\msn toolbar\platform\5.0.1449.0\mswinext.exe"
    mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [<NO NAME>]
    mRun: [GBMLite8AgentLaCie] c:\program files\lacie\genie backup assistant\GBMAgent.exe
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    mRunOnce: [Uninstall Adobe Download Manager] "c:\program files\nos\bin\getPlusUninst_Adobe.exe" /Get1noarp
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\intuit~1.lnk - c:\program files\common files\intuit\dataprotect\IntuitDataProtect.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~2.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\intuit\quickbooks 2011\QBW32.EXE
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
    IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - c:\program files\intuit\quickbooks 2011\HelpAsyncPluggableProtocol.dll
    Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
    IFEO: ehshell.exe - "c:\program files\logmein\x86\LogMeInSystray.exe" -MceShellRedirect
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
    R1 MpKslc54a8de1;MpKslc54a8de1;c:\programdata\microsoft\microsoft antimalware\definition updates\{e5daaf58-9b98-4d9b-a2a3-ef5609c62024}\MpKslc54a8de1.sys [2011-5-18 28752]
    R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2011-3-1 374152]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-9-17 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-5-17 47640]
    R2 QBVSS;QBIDPService;c:\program files\common files\intuit\dataprotect\QBIDPService.exe [2011-3-5 1257760]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
    R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2009-7-13 20992]
    S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-5-17 52224]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-5-17 1343400]
    S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-13 17920]
    .
    =============== Created Last 30 ================
    .
    2011-05-18 19:30:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-18 19:29:47 -------- d-----w- c:\users\sharkey\appdata\local\Adobe
    2011-05-18 17:22:47 -------- d-----w- c:\windows\system32\URTTEMP
    2011-05-18 16:50:07 -------- d-----w- c:\users\sharkey\appdata\roaming\Malwarebytes
    2011-05-18 16:50:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-18 16:50:03 -------- d-----w- c:\progra~2\Malwarebytes
    2011-05-18 16:50:00 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-18 16:50:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-05-18 16:48:31 439632 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{89964c0f-400c-41c7-a46e-f012b568afd2}\gapaengine.dll
    2011-05-18 16:48:31 28752 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{e5daaf58-9b98-4d9b-a2a3-ef5609c62024}\MpKslc54a8de1.sys
    2011-05-18 16:48:25 7071056 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{e5daaf58-9b98-4d9b-a2a3-ef5609c62024}\mpengine.dll
    2011-05-18 16:47:23 -------- d-----w- c:\program files\Microsoft Security Client
    2011-05-18 16:36:30 -------- d-----w- c:\users\sharkey\appdata\roaming\Genie-Soft
    2011-05-18 16:32:57 -------- d-----w- c:\users\sharkey\appdata\local\LaCie
    2011-05-18 16:32:54 -------- d-----w- c:\program files\Bonjour
    2011-05-18 16:32:46 -------- d-----w- c:\program files\LaCie
    2011-05-18 16:22:47 -------- d-----w- c:\users\sharkey\appdata\local\HP
    2011-05-18 16:13:33 -------- d-----w- c:\program files\common files\HP
    2011-05-18 15:57:23 -------- d-----w- c:\program files\HP
    2011-05-18 15:00:17 -------- d-----w- c:\users\sharkey\appdata\roaming\HpUpdate
    2011-05-18 14:46:33 -------- d-----w- c:\program files\Microsoft
    2011-05-18 14:46:32 -------- d-----w- c:\program files\MSN Toolbar
    2011-05-18 14:46:23 -------- d-----w- c:\program files\Bing Bar Installer
    2011-05-18 14:46:01 -------- d-----w- c:\program files\common files\Hewlett-Packard
    2011-05-18 14:45:16 319488 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpfpp02t.dll
    2011-05-18 14:45:13 125440 ----a-w- c:\windows\system32\hpf3l02t.dll
    2011-05-18 14:43:34 970752 ----a-w- c:\windows\system32\hpwtiop4.dll
    2011-05-18 14:43:34 718336 ----a-w- c:\windows\system32\hpwwiax5.dll
    2011-05-18 14:43:34 454504 ----a-w- c:\windows\system32\hpzids01.dll
    2011-05-18 14:43:34 372736 ----a-w- c:\windows\system32\hppldcoi.dll
    2011-05-18 14:43:34 294912 ----a-w- c:\windows\system32\hpovst11.dll
    2011-05-18 14:40:56 -------- d-----w- C:\Drivers
    2011-05-18 14:37:49 319488 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpfppw73.dll
    2011-05-18 14:36:18 -------- d-sh--w- C:\$RECYCLE.BIN
    2011-05-18 14:23:20 98816 ----a-w- c:\windows\sed.exe
    2011-05-18 14:23:20 89088 ----a-w- c:\windows\MBR.exe
    2011-05-18 14:23:20 256512 ----a-w- c:\windows\PEV.exe
    2011-05-18 14:23:20 161792 ----a-w- c:\windows\SWREG.exe
    2011-05-18 14:14:47 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2011-05-18 14:14:12 -------- d-----w- c:\progra~2\Hitman Pro
    2011-05-18 02:02:43 -------- d-----w- c:\users\sharkey\appdata\local\{650664C6-8279-4914-9ABD-02CF3D97DBF6}
    2011-05-18 02:02:29 -------- d-----w- c:\users\sharkey\appdata\roaming\Windows Live Writer
    2011-05-18 02:02:29 -------- d-----w- c:\users\sharkey\appdata\local\Windows Live Writer
    2011-05-18 00:47:09 -------- d-----w- c:\users\sharkey\appdata\local\Windows Live
    2011-05-18 00:47:08 -------- d-----w- c:\program files\common files\Windows Live
    2011-05-18 00:26:05 -------- d-----w- c:\users\sharkey\appdata\local\Intuit
    2011-05-18 00:23:46 -------- d-----w- c:\program files\Intuit
    2011-05-18 00:23:46 -------- d-----w- c:\program files\common files\Intuit
    2011-05-18 00:23:46 -------- d-----w- c:\progra~2\Nuance
    2011-05-18 00:23:46 -------- d-----w- c:\progra~2\Intuit
    2011-05-18 00:23:37 -------- d-----w- c:\progra~2\SQL Anywhere 11
    2011-05-18 00:23:37 -------- d-----w- c:\progra~2\COMMON FILES
    2011-05-18 00:23:26 -------- d-----w- c:\program files\MSXML 4.0
    2011-05-18 00:22:01 -------- d-----w- c:\windows\Intuit
    2011-05-17 23:44:17 -------- d-----w- c:\windows\Panther
    2011-05-17 21:22:35 -------- d-----w- c:\users\sharkey\appdata\local\LogMeIn
    2011-05-17 21:22:33 53632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
    2011-05-17 21:22:33 29568 ----a-w- c:\windows\system32\LMIport.dll
    2011-05-17 21:22:32 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
    2011-05-17 21:22:32 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys
    2011-05-17 21:22:29 87424 ----a-w- c:\windows\system32\LMIinit.dll
    2011-05-17 21:22:24 -------- d-----w- c:\progra~2\LogMeIn
    2011-05-17 21:22:14 -------- d-----w- c:\program files\LogMeIn
    2011-05-17 21:21:11 -------- d-----w- c:\users\sharkey\appdata\local\Deployment
    2011-05-17 21:21:11 -------- d-----w- c:\users\sharkey\appdata\local\Apps
    2011-05-17 20:56:00 -------- d-----w- c:\windows\PCHEALTH
    2011-05-17 20:54:13 -------- d-----w- c:\program files\Microsoft Analysis Services
    2011-05-17 20:42:12 -------- d-----w- c:\windows\system32\SPReview
    2011-05-17 20:41:40 -------- d-----w- c:\windows\system32\EventProviders
    2011-05-17 20:39:59 80256 ----a-w- c:\windows\system32\drivers\amdsata.sys
    2011-05-17 20:26:28 123904 ----a-w- c:\windows\system32\poqexec.exe
    2011-05-17 20:24:58 -------- d-----w- c:\windows\system32\Wat
    2011-05-17 20:11:36 7071056 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{6901a395-5a50-419f-9dc8-6ff13232b1bb}\mpengine.dll
    2011-05-17 20:11:36 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-05-17 20:08:07 3967872 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-05-17 20:08:07 3912576 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-05-17 20:06:49 -------- d-----w- c:\users\sharkey\appdata\local\Microsoft Help
    2011-05-17 20:05:59 850944 ----a-w- c:\windows\system32\sbe.dll
    2011-05-17 20:02:33 -------- d-----w- c:\windows\system32\wbem\Performance
    2011-05-17 19:55:48 -------- d-sh--w- c:\windows\Installer
    2011-05-17 19:55:44 -------- d-----w- c:\program files\NVIDIA Corporation
    2011-05-17 19:53:58 -------- d-----w- C:\Recovery
    .
    ==================== Find3M ====================
    .
    2011-05-17 20:45:22 152576 ----a-w- c:\windows\system32\msclmd.dll
    2011-03-12 11:23:45 870912 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-03-11 05:33:59 1164288 ----a-w- c:\windows\system32\mfc42u.dll
    2011-03-11 05:33:59 1137664 ----a-w- c:\windows\system32\mfc42.dll
    2011-03-08 05:28:29 741376 ----a-w- c:\windows\system32\inetcomm.dll
    2011-03-07 05:33:13 981504 ----a-w- c:\windows\system32\wininet.dll
    2011-03-07 03:52:25 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2011-03-03 05:38:01 132608 ----a-w- c:\windows\system32\dnsrslvr.dll
    2011-03-03 05:36:16 28672 ----a-w- c:\windows\system32\dnscacheugc.exe
    2011-03-03 03:42:34 2333184 ----a-w- c:\windows\system32\win32k.sys
    2011-02-25 05:30:54 2616320 ----a-w- c:\windows\explorer.exe
    2011-02-24 05:38:54 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-02-19 06:30:54 805376 ----a-w- c:\windows\system32\FntCache.dll
    2011-02-19 06:30:51 1076736 ----a-w- c:\windows\system32\DWrite.dll
    2011-02-19 06:30:50 739840 ----a-w- c:\windows\system32\d2d1.dll
    2011-02-19 06:30:46 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-02-19 04:34:54 294912 ----a-w- c:\windows\system32\atmfd.dll
    2011-02-18 05:43:28 428032 ----a-w- c:\windows\system32\vbscript.dll
    2011-02-18 05:39:44 31232 ----a-w- c:\windows\system32\prevhost.exe
    .
    ============= FINISH: 23:07:39.27 ===============
  3. bgmartin2


    attach

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 5/17/2011 3:54:00 PM
    System Uptime: 5/18/2011 12:31:02 PM (11 hours ago)
    .
    Motherboard: Dell Inc. | | 0GN723
    Processor: Intel(R) Core(TM)2 Duo CPU E4500 @ 2.20GHz | Socket 775 | 2200/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 149 GiB total, 117.67 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
    Description: Officejet Pro 8500 A909a
    Device ID: ROOT\MULTIFUNCTION\0000
    Manufacturer: HP
    Name: Officejet Pro 8500 A909a
    PNP Device ID: ROOT\MULTIFUNCTION\0000
    Service:
    .
    ==== System Restore Points ===================
    .
    RP11: 5/17/2011 8:47:28 PM - Windows Live Essentials
    RP12: 5/17/2011 8:47:57 PM - WLSetup
    RP13: 5/18/2011 3:00:13 AM - Windows Update
    RP15: 5/18/2011 11:07:47 AM - Windows Live Essentials
    RP16: 5/18/2011 11:08:16 AM - WLSetup
    RP17: 5/18/2011 11:22:43 AM - Removed MPM
    RP18: 5/18/2011 11:50:40 AM - Removed MPM
    RP19: 5/18/2011 11:55:07 AM - Removed HP Update.
    RP20: 5/18/2011 12:35:38 PM - Installed Microsoft Visual C++ 2005 Redistributable
    RP21: 5/18/2011 12:47:13 PM - Windows Update
    RP22: 5/18/2011 1:22:20 PM - Installed Microsoft .NET Framework 1.1
    RP23: 5/18/2011 1:25:19 PM - Installed PrintMaster 16
    RP24: 5/18/2011 3:28:16 PM - Installed Adobe Reader X.
    .
    ==== Installed Programs ======================
    .
    32 Bit HP CIO Components Installer
    8500A909_eDocs
    Adobe AIR
    Adobe Download Manager
    Adobe Flash Player 10 ActiveX
    Adobe Reader X (10.0.1)
    Bing Bar
    Bing Bar Platform
    Bonjour
    BPD_DSWizards
    bpd_scan
    BPDSoftware
    BPDSoftware_Ini
    BufferChm
    Definition update for Microsoft Office 2010 (KB982726)
    Destinations
    DeviceDiscovery
    DocMgr
    DocProc
    Fax
    Genie Backup Assistant
    GPBaseService2
    HP Customer Participation Program 14.0
    HP Document Manager 2.0
    HP Imaging Device Functions 14.0
    HP Officejet Pro 8500 A909 Series
    HP Smart Web Printing 4.60
    HP Solution Center 14.0
    HP Update
    HPProductAssistant
    HPSSupply
    LaCie Network Assistant 1.4.1.35
    LogMeIn
    Malwarebytes' Anti-Malware
    MarketResearch
    Microsoft .NET Framework 1.1
    Microsoft Antimalware
    Microsoft Application Error Reporting
    Microsoft Default Manager
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office Home and Business 2010
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2010
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Single Image 2010
    Microsoft Office Word MUI (English) 2010
    Microsoft Search Enhancement Pack
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    MPM
    MSXML 4.0 SP2 Parser and SDK
    Network
    NVIDIA Display Control Panel
    NVIDIA Drivers
    OCR Software by I.R.I.S. 14.0
    PVSonyDll
    QuickBooks
    QuickBooks Pro 2011
    Scan
    Security Update for Microsoft Excel 2010 (KB2466146)
    Security Update for Microsoft Office 2010 (KB2289078)
    Security Update for Microsoft Office 2010 (KB2289161)
    Security Update for Microsoft PowerPoint 2010 (KB2519975)
    Security Update for Microsoft Publisher 2010 (KB2409055)
    Security Update for Microsoft Word 2010 (KB2345000)
    Shop for HP Supplies
    SmartWebPrinting
    SolutionCenter
    Status
    Toolbox
    TrayApp
    Update for Microsoft Office 2010 (KB2202188)
    Update for Microsoft Office 2010 (KB2413186)
    Update for Microsoft Office 2010 (KB2494150)
    Update for Microsoft OneNote 2010 (KB2493983)
    Update for Microsoft Outlook Social Connector (KB2441641)
    WebReg
    .
    ==== Event Viewer Messages From Past Week ========
    .
    5/18/2011 9:33:07 AM, Error: Service Control Manager [7030] - The QBIDPService service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    5/18/2011 12:22:27 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {10DA4F3C-CC99-4190-BE4D-58330754E882} and APPID {7DDEFEA6-98EE-4F13-A25B-EC83D9BC5541} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    5/18/2011 10:35:36 AM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    5/17/2011 5:02:04 PM, Error: Schannel [36888] - The following fatal alert was generated: 10. The internal error state is 10.
    5/17/2011 4:27:43 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80080005: Security Update for Windows 7 (KB2479943).
    5/17/2011 4:11:38 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070003: Update for Windows 7 (KB2511250).
    5/17/2011 4:11:33 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070003: Security Update for Windows 7 (KB975560).
    5/17/2011 4:11:33 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070003: Security Update for Windows 7 (KB2479943).
    .
    ==== End Of File ===========================
  4. bgmartin2

    bgmartin2 TS Rookie Topic Starter

    Found a posting about resetting the Linksys router because of invalid DNS entries. I did this and am not being redirected at the moment. I will keep monitoring the computers and post by tomorrow if I need further assistance.

    Thank you.
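    A triage check for the root cause bgmartin2 describes (workstations using resolvers the router should not be handing out), added here as an example and not part of the thread: it parses `ipconfig /all` output from a Windows host and flags DNS servers that are neither the default gateway nor in a private range. The sample output and the `trusted` allowlist are constructed placeholders, not values from this thread.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (not taken from the thread's logs).
# The DNS servers here deliberately point outside the LAN.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.45
                                       203.0.113.46
"""

# RFC 1918 ranges: a home/SOHO router normally hands out resolvers inside these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_ipconfig(text):
    """Return (gateways, dns_servers) listed in `ipconfig /all` output."""
    gateways, dns, current = [], [], None
    for line in text.splitlines():
        m = re.match(r"\s*(Default Gateway|DNS Servers)[ .]*: *(\S*)", line)
        if m:
            current = gateways if m.group(1) == "Default Gateway" else dns
            if m.group(2):
                current.append(m.group(2))
            continue
        # extra addresses follow on unlabeled, heavily indented lines
        m = re.match(r"\s{20,}(\d+\.\d+\.\d+\.\d+)\s*$", line)
        if m and current is not None:
            current.append(m.group(1))
        elif not line.strip() or ":" in line:
            current = None  # a blank line or a different field ends the list
    return gateways, dns

def suspicious_dns(gateways, dns, trusted=()):
    """DNS servers that are neither the gateway, RFC 1918, nor in `trusted`
    (placeholder allowlist for the ISP's or company's real resolvers)."""
    allowed = RFC1918 + [ipaddress.ip_network(t) for t in trusted]
    flagged = []
    for server in dns:
        addr = ipaddress.ip_address(server)
        if server in gateways or any(addr in net for net in allowed):
            continue
        flagged.append(server)
    return flagged
```

On a live host, feed it the text of `ipconfig /all`; any address it flags is worth comparing against what the router's DHCP and upstream DNS settings are supposed to be.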
  5. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    We'll be around :)
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    FYI only: Don't pay for this program if it finds an entry and says it has to be removed:

    c:\windows\system32\drivers\hitmanpro35.sys
    c:\progra~2\Hitman Pro


    It appears that you installed and ran it the day after (5/18) you ran DDS (5/17), so it doesn't show in the installed programs.

    HitmanPro is a bundle of programs that are all free on the internet. Those programs are all fully functional in that they will find and remove bad entries.

    HitmanPro only removes entries free during the trial period; after that, you have to pay for the 'bundle'!

    Even if you have resolved the problem, I always recommend uninstalling HitmanPro, and if you paid them anything, ask for your money back!

    Back to you Broni if help is needed.