[In progress] Workstations infected with Google redirect

Status
Not open for further replies.
Hi, I am trying to repair two workstations that are infected with the google redirect virus. At this moment I am only concentrating on one of the workstations and do not know if the solution for this computer will work on the other. Both computers are windows 7.

Here are the log files.

Malwarebytes

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6618
Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514
5/19/2011 1:03:08 PM
mbam-log-2011-05-19 (13-03-08).txt
Scan type: Quick scan
Objects scanned: 157913
Time elapsed: 2 minute(s), 29 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER
GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-18 23:37:03
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3160815AS rev.3.ADA
Running: 6hu8nidq.exe; Driver: C:\Users\Sharkey\AppData\Local\Temp\uwtorkob.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13C1 8287A339 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 828B3D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 9CBAB000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 9CBAB123 629 Bytes [65, BA, 9C, FE, 05, 34, 65, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5329 9CBAB399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 538F 9CBAB3FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 543B 9CBAB4AB 2228 Bytes [8B, FF, 55, 8B, EC, FF, 75, ...]
PAGE ...
? C:\Users\Sharkey\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\lsm.exe[472] ntdll.dll!NtOpenProcess 77D95D88 5 Bytes JMP 00330010
.text C:\Windows\system32\lsm.exe[472] ntdll.dll!NtTerminateProcess 77D968C8 5 Bytes JMP 00340010
.text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!EnableWindow 769A8D02 5 Bytes JMP 711DA855 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!GetAsyncKeyState 769AA256 5 Bytes JMP 711DB202 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!CallNextHookEx 769AABE1 5 Bytes JMP 71223CC1 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!UnhookWindowsHookEx 769AADF9 5 Bytes JMP 712DD96F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!SetWindowsHookExW 769AE30C 5 Bytes JMP 71277DF1 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!CreateWindowExW 769AEC7C 5 Bytes JMP 712B384C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!GetKeyState 769B2B4D 5 Bytes JMP 711E0F61 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!IsDialogMessageW 769B4104 5 Bytes JMP 711DADAE C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!CreateDialogParamA 769C1F42 5 Bytes JMP 713EE9C8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!IsDialogMessage 769C2019 5 Bytes JMP 713EE202 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!DialogBoxParamW 769C3B9B 5 Bytes JMP 711E7F65 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!CreateDialogIndirectParamA 769C721D 5 Bytes JMP 713EEA36 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!CreateDialogIndirectParamW 769CEA10 5 Bytes JMP 713EEA6D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!DialogBoxIndirectParamW 769D3B7F 5 Bytes JMP 713EDD30 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!EndDialog 769D3BA3 5 Bytes JMP 711DB000 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!CreateDialogParamW 769D5630 5 Bytes JMP 713EE9FF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!SetKeyboardState 769D695A 5 Bytes JMP 713EE567 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!SendInput 769D7019 5 Bytes JMP 713EF18C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!SetCursorPos 769EC1B0 5 Bytes JMP 713EF1E4 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!DialogBoxParamA 769ECF42 5 Bytes JMP 713EDCCD C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!DialogBoxIndirectParamA 769ED274 5 Bytes JMP 713EDD93 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!MessageBoxIndirectA 769FE869 5 Bytes JMP 713EDC62 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!MessageBoxIndirectW 769FE963 5 Bytes JMP 713EDBF7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!MessageBoxExA 769FE9C9 5 Bytes JMP 713EDB95 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!MessageBoxExW 769FE9ED 5 Bytes JMP 713EDB33 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[600] USER32.dll!keybd_event 769FEC3B 5 Bytes JMP 713EF517 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[600] SHELL32.dll!RealDriveType + 173D 7710FE10 4 Bytes [A5, 35, C0, 6E]
.text C:\Program Files\Internet Explorer\iexplore.exe[600] SHELL32.dll!RealDriveType + 1745 7710FE18 8 Bytes [F3, 34, C0, 6E, 17, 73, BF, ...]
.text C:\Program Files\Internet Explorer\iexplore.exe[600] ole32.dll!OleLoadFromStream 76576143 5 Bytes JMP 713EE0A7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[600] ole32.dll!CoCreateInstance 765B9D0B 5 Bytes JMP 712B33DA C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3748] USER32.dll!CreateWindowExW 769AEC7C 5 Bytes JMP 712B384C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3748] USER32.dll!DialogBoxParamW 769C3B9B 5 Bytes JMP 711E7F65 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3748] USER32.dll!DialogBoxIndirectParamW 769D3B7F 5 Bytes JMP 713EDD30 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3748] USER32.dll!DialogBoxParamA 769ECF42 5 Bytes JMP 713EDCCD C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3748] USER32.dll!DialogBoxIndirectParamA 769ED274 5 Bytes JMP 713EDD93 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3748] USER32.dll!MessageBoxIndirectA 769FE869 5 Bytes JMP 713EDC62 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3748] USER32.dll!MessageBoxIndirectW 769FE963 5 Bytes JMP 713EDBF7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3748] USER32.dll!MessageBoxExA 769FE9C9 5 Bytes JMP 713EDB95 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3748] USER32.dll!MessageBoxExW 769FE9ED 5 Bytes JMP 713EDB33 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000041 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


DDS and Attach on next post
 
dds

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Sharkey at 23:02:15.47 on Wed 05/18/2011
Internet Explorer: 8.0.7601.17514
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3070.1594 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\taskhost.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LaCie\Network Assistant\LaCie Network Assistant.exe
C:\Windows\system32\sppsvc.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Program Files\Microsoft Security Client\msseces.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\Intuit\QuickBooks 2011\qbw32.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\System32\msdtc.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Intuit\QuickBooks 2011\QBHelp.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\LaCie\Genie Backup Assistant\GBM8.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10q_ActiveX.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Sharkey\Desktop\removal\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: @c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [LaCie Ethernet Agent Startup] c:\program files\lacie\network assistant\LaCie Network Assistant.exe
uRun: [GBMLite8AgentLaCie] c:\program files\lacie\genie backup assistant\GBMAgent.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [Bing Bar] "c:\program files\msn toolbar\platform\5.0.1449.0\mswinext.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [GBMLite8AgentLaCie] c:\program files\lacie\genie backup assistant\GBMAgent.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [Uninstall Adobe Download Manager] "c:\program files\nos\bin\getPlusUninst_Adobe.exe" /Get1noarp
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\intuit~1.lnk - c:\program files\common files\intuit\dataprotect\IntuitDataProtect.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~2.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\intuit\quickbooks 2011\QBW32.EXE
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - c:\program files\intuit\quickbooks 2011\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
IFEO: ehshell.exe - "c:\program files\logmein\x86\LogMeInSystray.exe" -MceShellRedirect
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKslc54a8de1;MpKslc54a8de1;c:\programdata\microsoft\microsoft antimalware\definition updates\{e5daaf58-9b98-4d9b-a2a3-ef5609c62024}\MpKslc54a8de1.sys [2011-5-18 28752]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2011-3-1 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-9-17 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-5-17 47640]
R2 QBVSS;QBIDPService;c:\program files\common files\intuit\dataprotect\QBIDPService.exe [2011-3-5 1257760]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-5-17 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-5-17 1343400]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-13 17920]
.
=============== Created Last 30 ================
.
2011-05-18 19:30:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-18 19:29:47 -------- d-----w- c:\users\sharkey\appdata\local\Adobe
2011-05-18 17:22:47 -------- d-----w- c:\windows\system32\URTTEMP
2011-05-18 16:50:07 -------- d-----w- c:\users\sharkey\appdata\roaming\Malwarebytes
2011-05-18 16:50:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-18 16:50:03 -------- d-----w- c:\progra~2\Malwarebytes
2011-05-18 16:50:00 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-18 16:50:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-18 16:48:31 439632 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{89964c0f-400c-41c7-a46e-f012b568afd2}\gapaengine.dll
2011-05-18 16:48:31 28752 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{e5daaf58-9b98-4d9b-a2a3-ef5609c62024}\MpKslc54a8de1.sys
2011-05-18 16:48:25 7071056 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{e5daaf58-9b98-4d9b-a2a3-ef5609c62024}\mpengine.dll
2011-05-18 16:47:23 -------- d-----w- c:\program files\Microsoft Security Client
2011-05-18 16:36:30 -------- d-----w- c:\users\sharkey\appdata\roaming\Genie-Soft
2011-05-18 16:32:57 -------- d-----w- c:\users\sharkey\appdata\local\LaCie
2011-05-18 16:32:54 -------- d-----w- c:\program files\Bonjour
2011-05-18 16:32:46 -------- d-----w- c:\program files\LaCie
2011-05-18 16:22:47 -------- d-----w- c:\users\sharkey\appdata\local\HP
2011-05-18 16:13:33 -------- d-----w- c:\program files\common files\HP
2011-05-18 15:57:23 -------- d-----w- c:\program files\HP
2011-05-18 15:00:17 -------- d-----w- c:\users\sharkey\appdata\roaming\HpUpdate
2011-05-18 14:46:33 -------- d-----w- c:\program files\Microsoft
2011-05-18 14:46:32 -------- d-----w- c:\program files\MSN Toolbar
2011-05-18 14:46:23 -------- d-----w- c:\program files\Bing Bar Installer
2011-05-18 14:46:01 -------- d-----w- c:\program files\common files\Hewlett-Packard
2011-05-18 14:45:16 319488 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpfpp02t.dll
2011-05-18 14:45:13 125440 ----a-w- c:\windows\system32\hpf3l02t.dll
2011-05-18 14:43:34 970752 ----a-w- c:\windows\system32\hpwtiop4.dll
2011-05-18 14:43:34 718336 ----a-w- c:\windows\system32\hpwwiax5.dll
2011-05-18 14:43:34 454504 ----a-w- c:\windows\system32\hpzids01.dll
2011-05-18 14:43:34 372736 ----a-w- c:\windows\system32\hppldcoi.dll
2011-05-18 14:43:34 294912 ----a-w- c:\windows\system32\hpovst11.dll
2011-05-18 14:40:56 -------- d-----w- C:\Drivers
2011-05-18 14:37:49 319488 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpfppw73.dll
2011-05-18 14:36:18 -------- d-sh--w- C:\$RECYCLE.BIN
2011-05-18 14:23:20 98816 ----a-w- c:\windows\sed.exe
2011-05-18 14:23:20 89088 ----a-w- c:\windows\MBR.exe
2011-05-18 14:23:20 256512 ----a-w- c:\windows\PEV.exe
2011-05-18 14:23:20 161792 ----a-w- c:\windows\SWREG.exe
2011-05-18 14:14:47 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-05-18 14:14:12 -------- d-----w- c:\progra~2\Hitman Pro
2011-05-18 02:02:43 -------- d-----w- c:\users\sharkey\appdata\local\{650664C6-8279-4914-9ABD-02CF3D97DBF6}
2011-05-18 02:02:29 -------- d-----w- c:\users\sharkey\appdata\roaming\Windows Live Writer
2011-05-18 02:02:29 -------- d-----w- c:\users\sharkey\appdata\local\Windows Live Writer
2011-05-18 00:47:09 -------- d-----w- c:\users\sharkey\appdata\local\Windows Live
2011-05-18 00:47:08 -------- d-----w- c:\program files\common files\Windows Live
2011-05-18 00:26:05 -------- d-----w- c:\users\sharkey\appdata\local\Intuit
2011-05-18 00:23:46 -------- d-----w- c:\program files\Intuit
2011-05-18 00:23:46 -------- d-----w- c:\program files\common files\Intuit
2011-05-18 00:23:46 -------- d-----w- c:\progra~2\Nuance
2011-05-18 00:23:46 -------- d-----w- c:\progra~2\Intuit
2011-05-18 00:23:37 -------- d-----w- c:\progra~2\SQL Anywhere 11
2011-05-18 00:23:37 -------- d-----w- c:\progra~2\COMMON FILES
2011-05-18 00:23:26 -------- d-----w- c:\program files\MSXML 4.0
2011-05-18 00:22:01 -------- d-----w- c:\windows\Intuit
2011-05-17 23:44:17 -------- d-----w- c:\windows\Panther
2011-05-17 21:22:35 -------- d-----w- c:\users\sharkey\appdata\local\LogMeIn
2011-05-17 21:22:33 53632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2011-05-17 21:22:33 29568 ----a-w- c:\windows\system32\LMIport.dll
2011-05-17 21:22:32 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-05-17 21:22:32 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys
2011-05-17 21:22:29 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-05-17 21:22:24 -------- d-----w- c:\progra~2\LogMeIn
2011-05-17 21:22:14 -------- d-----w- c:\program files\LogMeIn
2011-05-17 21:21:11 -------- d-----w- c:\users\sharkey\appdata\local\Deployment
2011-05-17 21:21:11 -------- d-----w- c:\users\sharkey\appdata\local\Apps
2011-05-17 20:56:00 -------- d-----w- c:\windows\PCHEALTH
2011-05-17 20:54:13 -------- d-----w- c:\program files\Microsoft Analysis Services
2011-05-17 20:42:12 -------- d-----w- c:\windows\system32\SPReview
2011-05-17 20:41:40 -------- d-----w- c:\windows\system32\EventProviders
2011-05-17 20:39:59 80256 ----a-w- c:\windows\system32\drivers\amdsata.sys
2011-05-17 20:26:28 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-05-17 20:24:58 -------- d-----w- c:\windows\system32\Wat
2011-05-17 20:11:36 7071056 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{6901a395-5a50-419f-9dc8-6ff13232b1bb}\mpengine.dll
2011-05-17 20:11:36 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-05-17 20:08:07 3967872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-05-17 20:08:07 3912576 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-05-17 20:06:49 -------- d-----w- c:\users\sharkey\appdata\local\Microsoft Help
2011-05-17 20:05:59 850944 ----a-w- c:\windows\system32\sbe.dll
2011-05-17 20:02:33 -------- d-----w- c:\windows\system32\wbem\Performance
2011-05-17 19:55:48 -------- d-sh--w- c:\windows\Installer
2011-05-17 19:55:44 -------- d-----w- c:\program files\NVIDIA Corporation
2011-05-17 19:53:58 -------- d-----w- C:\Recovery
.
==================== Find3M ====================
.
2011-05-17 20:45:22 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-03-12 11:23:45 870912 ----a-w- c:\windows\system32\XpsPrint.dll
2011-03-11 05:33:59 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-11 05:33:59 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-03-08 05:28:29 741376 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-07 05:33:13 981504 ----a-w- c:\windows\system32\wininet.dll
2011-03-07 03:52:25 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-03-03 05:38:01 132608 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-03-03 05:36:16 28672 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-03-03 03:42:34 2333184 ----a-w- c:\windows\system32\win32k.sys
2011-02-25 05:30:54 2616320 ----a-w- c:\windows\explorer.exe
2011-02-24 05:38:54 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-19 06:30:54 805376 ----a-w- c:\windows\system32\FntCache.dll
2011-02-19 06:30:51 1076736 ----a-w- c:\windows\system32\DWrite.dll
2011-02-19 06:30:50 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-02-19 06:30:46 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-02-19 04:34:54 294912 ----a-w- c:\windows\system32\atmfd.dll
2011-02-18 05:43:28 428032 ----a-w- c:\windows\system32\vbscript.dll
2011-02-18 05:39:44 31232 ----a-w- c:\windows\system32\prevhost.exe
.
============= FINISH: 23:07:39.27 ===============
 
attach

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 5/17/2011 3:54:00 PM
System Uptime: 5/18/2011 12:31:02 PM (11 hours ago)
.
Motherboard: Dell Inc. | | 0GN723
Processor: Intel(R) Core(TM)2 Duo CPU E4500 @ 2.20GHz | Socket 775 | 2200/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 149 GiB total, 117.67 GiB free.
D: is CDROM ()
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Officejet Pro 8500 A909a
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Officejet Pro 8500 A909a
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:
.
==== System Restore Points ===================
.
RP11: 5/17/2011 8:47:28 PM - Windows Live Essentials
RP12: 5/17/2011 8:47:57 PM - WLSetup
RP13: 5/18/2011 3:00:13 AM - Windows Update
RP15: 5/18/2011 11:07:47 AM - Windows Live Essentials
RP16: 5/18/2011 11:08:16 AM - WLSetup
RP17: 5/18/2011 11:22:43 AM - Removed MPM
RP18: 5/18/2011 11:50:40 AM - Removed MPM
RP19: 5/18/2011 11:55:07 AM - Removed HP Update.
RP20: 5/18/2011 12:35:38 PM - Installed Microsoft Visual C++ 2005 Redistributable
RP21: 5/18/2011 12:47:13 PM - Windows Update
RP22: 5/18/2011 1:22:20 PM - Installed Microsoft .NET Framework 1.1
RP23: 5/18/2011 1:25:19 PM - Installed PrintMaster 16
RP24: 5/18/2011 3:28:16 PM - Installed Adobe Reader X.
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
8500A909_eDocs
Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Reader X (10.0.1)
Bing Bar
Bing Bar Platform
Bonjour
BPD_DSWizards
bpd_scan
BPDSoftware
BPDSoftware_Ini
BufferChm
Definition update for Microsoft Office 2010 (KB982726)
Destinations
DeviceDiscovery
DocMgr
DocProc
Fax
Genie Backup Assistant
GPBaseService2
HP Customer Participation Program 14.0
HP Document Manager 2.0
HP Imaging Device Functions 14.0
HP Officejet Pro 8500 A909 Series
HP Smart Web Printing 4.60
HP Solution Center 14.0
HP Update
HPProductAssistant
HPSSupply
LaCie Network Assistant 1.4.1.35
LogMeIn
Malwarebytes' Anti-Malware
MarketResearch
Microsoft .NET Framework 1.1
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Default Manager
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Home and Business 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Single Image 2010
Microsoft Office Word MUI (English) 2010
Microsoft Search Enhancement Pack
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
MPM
MSXML 4.0 SP2 Parser and SDK
Network
NVIDIA Display Control Panel
NVIDIA Drivers
OCR Software by I.R.I.S. 14.0
PVSonyDll
QuickBooks
QuickBooks Pro 2011
Scan
Security Update for Microsoft Excel 2010 (KB2466146)
Security Update for Microsoft Office 2010 (KB2289078)
Security Update for Microsoft Office 2010 (KB2289161)
Security Update for Microsoft PowerPoint 2010 (KB2519975)
Security Update for Microsoft Publisher 2010 (KB2409055)
Security Update for Microsoft Word 2010 (KB2345000)
Shop for HP Supplies
SmartWebPrinting
SolutionCenter
Status
Toolbox
TrayApp
Update for Microsoft Office 2010 (KB2202188)
Update for Microsoft Office 2010 (KB2413186)
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft OneNote 2010 (KB2493983)
Update for Microsoft Outlook Social Connector (KB2441641)
WebReg
.
==== Event Viewer Messages From Past Week ========
.
5/18/2011 9:33:07 AM, Error: Service Control Manager [7030] - The QBIDPService service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
5/18/2011 12:22:27 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {10DA4F3C-CC99-4190-BE4D-58330754E882} and APPID {7DDEFEA6-98EE-4F13-A25B-EC83D9BC5541} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
5/18/2011 10:35:36 AM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
5/17/2011 5:02:04 PM, Error: Schannel [36888] - The following fatal alert was generated: 10. The internal error state is 10.
5/17/2011 4:27:43 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80080005: Security Update for Windows 7 (KB2479943).
5/17/2011 4:11:38 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070003: Update for Windows 7 (KB2511250).
5/17/2011 4:11:33 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070003: Security Update for Windows 7 (KB975560).
5/17/2011 4:11:33 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070003: Security Update for Windows 7 (KB2479943).
.
==== End Of File ===========================
 
Found a posting about resetting the linksys router because of invalid dns entries. I did this and am not being redirected at the moment. I will keep monitoring the computers and post by tomorrow if I need further assistance.

Thank you.
 
FYI only: Don't pay this program if it finds an entry and says it has to be removed:

c:\windows\system32\drivers\hitmanpro35.sys
c:\progra~2\Hitman Pro


It appears that you installed and ran it the day after- 5/18- you ran DDS- 5/17. So it doesn't show in the installed programs.

HitmanPro is a bundle of programs that are all free on the internet. Those programs are all fully functional in that they will find and remove bad entries.

HitmanPro only removes entries free during the trial Period - after that, you have to pay for the 'bundle'!

Even if you have resolved the program, I always recommend uninstalling HitmanPro- and if you paid them anything, ask for your money back!

Back to you Broni if help is needed.
 
Status
Not open for further replies.
Back