Inactive Virus and Malware Removal (Internet Explorer randomly redirecting)

My Dell Latitude E6500 laptop is from an employee I replaced at the company I work for. Not sure if there were issues before me, but I definitely need help. My computer had a bunch of malware and spyware on it and it basically shut my system down. The IT dept. told me it was removed, but it's still acting weird. Like every time I do a Google search and click a link, I am automatically redirected to some other website. I Googled the internet issue and found a bunch of sites and tried a few different things, but I think I may have downloaded more junk. Anyway, I finally found this site and followed the posted instructions on the 8-step Viruses/Spyware/Malware Preliminary Removal thread. I hope you can help or at least lead me in the right direction.

• Malwarebytes Anti-Malware log

Nothing found

• GMER log

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit quick scan 2011-04-19 01:31:42
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD80 rev.11.0
Running: 6fi7y26k.exe; Driver: C:\DOCUME~1\pbest\LOCALS~1\Temp\pfrorpob.sys


---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----

• DDS logs: both DDS.txt and Attach.txt

DDS.txt

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by pbest at 0:32:50.93 on Tue 04/19/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3572.2811 [GMT -4:00]
.
AV: Best Malware Protection *Enabled/Updated* {B5AAA9CF-B3A8-45E5-B21A-61A68DEADA7F}
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Best Malware Protection *Enabled*
FW: Symantec Endpoint Protection *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\dellxpm09b_6124v037\wdm\stacsv.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
svchost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Verizon V CAST Media Manager\V CAST Backup Scheduler.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\pbest\My Documents\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com/?pc=Z039&form=ZGAPHP
uInternet Settings,ProxyServer = 10.201.1.2:80
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Telephony Toolbar Services: {431a60e6-675f-4b9f-b3f0-66e0fecc8b34} - c:\program files\evolve ip\assistant\bin\BW_Assistant_Enterprise_IE_S.dll
BHO: Telephony Toolbar Call Control: {8f1ff1a7-c048-4d6b-b052-56e42ce427cb} - c:\program files\evolve ip\assistant\bin\BW_Assistant_Enterprise_IE_CC.dll
BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Telephony Toolbar Call Control: {6f6690b9-c5db-4f08-8833-f2ef4dee956b} - c:\program files\evolve ip\assistant\bin\BW_Assistant_Enterprise_IE_CC.dll
TB: Telephony Toolbar Services: {f10d927f-d3df-4734-98ab-dd258253f5fd} - c:\program files\evolve ip\assistant\bin\BW_Assistant_Enterprise_IE_S.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [HLBackupScheduler] c:\program files\verizon v cast media manager\V CAST Backup Scheduler.exe
uRun: [C:!Documents and Settings!pbest!Local Settings!Application Data!Google!Chrome!User Data_service_run] "c:\documents and settings\pbest\local settings\application data\google\chrome\application\chrome.exe" --type=service
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellco~1.lnk - c:\program files\dell\dell controlpoint\system manager\DCPSysMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{ccbaa1f7-e5e1-48b2-9ed9-a79c6a37ce78}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: DisallowRun = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1251312057953
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1251312563875
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
IFEO: image file execution options - svchost.exe
Hosts: 64.27.10.42 www.google.com
Hosts: 64.27.10.42 www.google.com.au
Hosts: 64.27.10.42 www.google.be
Hosts: 64.27.10.42 www.google.com.br
Hosts: 64.27.10.42 www.google.ca
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
============= SERVICES / DRIVERS ===============
.
R1 NHostNT1;Numara Remote Control Driver 1 ver. 9.00 (2007058);c:\windows\system32\drivers\NHOSTNT1.SYS [2009-8-31 92432]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2008-12-29 320800]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-3-17 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-3-17 108392]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2009-1-22 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2009-1-22 20840]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2009-2-6 443168]
R2 NetOp Host for NT Service;Numara Remote Control Helper ver. 9.00 (2007058);c:\program files\numara software\remote\host\NHOSTSVC.EXE [2009-8-31 1499408]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-5-12 2440632]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-8-26 112128]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2009-8-26 32808]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009-8-26 244368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-3-26 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110417.004\NAVENG.SYS [2011-4-18 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110417.004\NAVEX15.SYS [2011-4-18 1393144]
R3 NHOSTNT3;Numara Remote Control Driver 3 ver. 9.00 (2007058) (NHOSTNT3);c:\windows\system32\drivers\NHOSTNT3.SYS [2009-8-31 3216]
S0 cerc6;cerc6; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-4-7 136176]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-11-18 23888]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2010-7-8 20480]
S3 NWUSBModem_000;Novatel Wireless USB Modem Driver (vGEN);c:\windows\system32\drivers\nwusbmdm_000.sys [2010-7-8 176384]
S3 NWUSBPort_000;Novatel Wireless USB Status Port Driver (vGEN);c:\windows\system32\drivers\nwusbser_000.sys [2010-7-8 176384]
S3 NWUSBPort2_000;Novatel Wireless USB Status2 Port Driver (vGEN);c:\windows\system32\drivers\nwusbser2_000.sys [2010-7-8 176384]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [2009-8-27 58240]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2010-4-14 32408]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-13 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-04-19 03:08:07 -------- d-----w- c:\program files\VS Revo Group
2011-04-19 02:57:29 98304 ----a-w- c:\windows\system32\redmonnt.dll
2011-04-19 02:57:25 -------- d-----w- c:\program files\Search Toolbar
2011-04-18 23:25:59 -------- d-----w- c:\docume~1\pbest\applic~1\DriverCure
2011-04-18 23:25:58 -------- d-----w- c:\docume~1\pbest\applic~1\ParetoLogic
2011-04-18 23:25:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2011-04-15 15:44:27 -------- d-----w- c:\docume~1\pbest\applic~1\Blackberry Desktop
2011-04-14 18:27:30 -------- d-----w- c:\docume~1\pbest\applic~1\Malwarebytes
2011-04-14 18:24:13 -------- d-sh--w- c:\docume~1\alluse~1\applic~1\BMJCP
2011-04-14 18:23:12 -------- d-sh--w- c:\docume~1\alluse~1\applic~1\6576a5
2011-04-11 15:07:35 -------- d-----w- c:\docume~1\pbest\applic~1\ElevatedDiagnostics
2011-04-11 15:03:33 -------- d--h--w- c:\windows\PIF
2011-04-09 05:13:09 -------- d-----w- c:\windows\system32\NtmsData
2011-04-08 20:33:15 69632 ----a-r- c:\docume~1\pbest\applic~1\microsoft\installer\{ce86e2f5-850c-4207-94a3-a58d647b1733}\NewShortcut600_C6ABA3677F944B9FBB00F060701B0B5A.exe
2011-04-08 20:33:15 69632 ----a-r- c:\docume~1\pbest\applic~1\microsoft\installer\{ce86e2f5-850c-4207-94a3-a58d647b1733}\NewShortcut60_C6ABA3677F944B9FBB00F060701B0B5A.exe
2011-04-08 20:33:15 69632 ----a-r- c:\docume~1\pbest\applic~1\microsoft\installer\{ce86e2f5-850c-4207-94a3-a58d647b1733}\NewShortcut6_C6ABA3677F944B9FBB00F060701B0B5A.exe
2011-04-08 20:33:15 69632 ----a-r- c:\docume~1\pbest\applic~1\microsoft\installer\{ce86e2f5-850c-4207-94a3-a58d647b1733}\NewShortcut5_C6ABA3677F944B9FBB00F060701B0B5A.exe
2011-04-08 20:33:15 69632 ----a-r- c:\docume~1\pbest\applic~1\microsoft\installer\{ce86e2f5-850c-4207-94a3-a58d647b1733}\NewShortcut4_C6ABA3677F944B9FBB00F060701B0B5A.exe
2011-04-08 20:33:15 69632 ----a-r- c:\docume~1\pbest\applic~1\microsoft\installer\{ce86e2f5-850c-4207-94a3-a58d647b1733}\NewShortcut3_C6ABA3677F944B9FBB00F060701B0B5A.exe
2011-04-08 20:33:15 69632 ----a-r- c:\docume~1\pbest\applic~1\microsoft\installer\{ce86e2f5-850c-4207-94a3-a58d647b1733}\NewShortcut12_C6ABA3677F944B9FBB00F060701B0B5A.exe
2011-04-08 20:33:15 69632 ----a-r- c:\docume~1\pbest\applic~1\microsoft\installer\{ce86e2f5-850c-4207-94a3-a58d647b1733}\DesktopMgr.exe
2011-04-07 01:21:37 -------- d-----w- c:\docume~1\pbest\locals~1\applic~1\Google
2011-04-07 01:20:15 -------- d-----w- c:\docume~1\pbest\locals~1\applic~1\Deployment
2011-04-06 16:56:40 -------- d-----w- c:\docume~1\pbest\applic~1\Autodesk
2011-04-06 16:22:44 -------- d-----w- c:\docume~1\pbest\locals~1\applic~1\PCHealth
2011-04-06 15:58:42 -------- d-----w- c:\program files\PamperedPartnerPlus
2011-03-25 16:08:26 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
2011-03-25 16:07:07 -------- d-----w- c:\docume~1\pbest\locals~1\applic~1\Research In Motion
2011-03-25 12:51:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\Verizon
2011-03-25 12:51:43 -------- d-----w- c:\docume~1\pbest\locals~1\applic~1\V CAST Media Manager
2011-03-25 12:50:27 -------- d-----w- c:\program files\Verizon V CAST Media Manager
2011-03-25 12:42:06 -------- d-----w- c:\program files\HTC
2011-03-25 12:41:58 4621840 ----a-w- c:\temp\drivers.exe
2011-03-25 12:41:43 -------- d-----w- C:\Temp
2011-03-23 23:54:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\Verizon Wireless
2011-03-23 23:52:23 -------- d-----w- c:\program files\Novatel Wireless
2011-03-23 23:51:49 -------- d-----w- c:\docume~1\pbest\locals~1\applic~1\Downloaded Installations
2011-03-23 23:33:13 -------- d-----w- c:\docume~1\pbest\applic~1\Smith Micro
2011-03-23 15:18:25 -------- d-----w- c:\docume~1\pbest\locals~1\applic~1\Temp
2011-03-22 15:36:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\Research In Motion
2011-03-21 18:19:31 -------- d-----w- c:\documents and settings\pbest\Bluetooth Software
2011-03-21 16:16:25 -------- d-----w- c:\docume~1\pbest\applic~1\Windows Search
2011-03-21 15:30:53 -------- d-----w- c:\docume~1\pbest\applic~1\Research In Motion
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-03 01:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 23:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
============= FINISH: 0:33:24.07 ===============

Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume3
Install Date: 8/26/2009 1:18:40 PM
System Uptime: 4/19/2011 12:14:45 AM (0 hours ago)
.
Motherboard: Dell Inc. | | 0X564R
Processor: Intel Pentium III Xeon processor | Microprocessor | 2526/266mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 72 GiB total, 40.092 GiB free.
D: is FIXED (NTFS) - 2 GiB total, 1.128 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\D076621344FC000
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\D076621344FC000
Service: NIC1394
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA
.
==== System Restore Points ===================
.
RP1: 4/14/2011 5:32:10 PM - System Checkpoint
RP2: 4/14/2011 5:32:56 PM - Software Distribution Service 3.0
RP3: 4/18/2011 10:06:37 AM - System Checkpoint
RP4: 4/18/2011 10:57:33 PM - Printer Driver FoxTab PDF Virtual Printer Installed
RP5: 4/18/2011 11:16:24 PM - Revo Uninstaller's restore point - FoxTab PDF Converter
RP6: 4/18/2011 11:22:36 PM - Revo Uninstaller's restore point - Learn.com Player (Uninstall Only)
.
==== Hosts File Hijack ======================
.
Hosts: 64.27.10.42 www.google.com
Hosts: 64.27.10.42 www.google.com.au
Hosts: 64.27.10.42 www.google.be
Hosts: 64.27.10.42 www.google.com.br
Hosts: 64.27.10.42 www.google.ca
Hosts: 64.27.10.42 www.google.ch
Hosts: 64.27.10.42 www.google.de
Hosts: 64.27.10.42 www.google.dk
Hosts: 64.27.10.42 www.google.fr
Hosts: 64.27.10.42 www.google.ie
Hosts: 64.27.10.42 www.google.it
Hosts: 64.27.10.42 www.google.co.jp
Hosts: 64.27.10.42 www.google.nl
Hosts: 64.27.10.42 www.google.no
Hosts: 64.27.10.42 www.google.co.nz
Hosts: 64.27.10.42 www.google.pl
Hosts: 64.27.10.42 www.google.se
Hosts: 64.27.10.42 www.google.co.uk
Hosts: 64.27.10.42 www.google.co.za
Hosts: 64.27.10.42 www.bing.com
Hosts: 64.27.10.42 search.yahoo.com
Hosts: 64.27.10.42 uk.search.yahoo.com
Hosts: 64.27.10.42 ca.search.yahoo.com
Hosts: 64.27.10.42 de.search.yahoo.com
Hosts: 64.27.10.42 fr.search.yahoo.com
Hosts: 64.27.10.42 au.search.yahoo.com
Hosts: 64.27.10.42 www.google-analytics.com
.
==== Installed Programs ======================
.
2007 Microsoft Office Suite Service Pack 2 (SP2)
Acrobat.com
ActiveFax
Adobe Acrobat 9 Standard
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X (10.0.1)
AEPlans - IDM
All Day Battery Life Configuration
Autodesk Design Review 2008
AutoQuotes
AutoQuotes 360
BioAPI Framework
BlackBerry Desktop Software 6.0.2
Broadcom USH Host Components
Cisco Systems VPN Client 5.0.00.0340
Dell ControlPoint System Manager
Dell Resource CD
Dell Security Device Driver Pack
Dell Touchpad
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
IDT Audio
Intel PROSet Wireless
Intel(R) Network Connections Drivers
Intel(R) PROSet/Wireless WiFi Software
iSqFt Full Viewer V4.01
Java Auto Updater
Java(TM) 6 Update 24
KIP Request 7
LiveUpdate 3.3 (Symantec Corporation)
Malwarebytes' Anti-Malware
MaxView
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Numara Remote Control Host
NVIDIA Drivers
OGA Notifier 2.0.0048.0
PANTECH PC Card Software
PowerDVD
Revo Uninstaller 1.92
RICOH R5C83x/84x Media Driver Ver.3.53.02
Search Toolbar
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2466156)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft Office Excel 2007 (KB2464583)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2464594)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Spelling Dictionaries Support For Adobe Reader 9
Symantec Endpoint Protection
The Evolved Office Assistant 16 (16.0.192.1) MB6
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 (KB2509470)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2522999)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB982632)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB898461)
Update for Windows XP (KB943729)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Verizon Mobile Broadband Drivers
Verizon V CAST Media Manager
Verizon Wireless PC770 Firmware Updates
VZAccess Manager
WebFldrs XP
WIDCOMM Bluetooth Software
Windows Driver Package - Dell Inc. PBADRV System (01/07/2008 1.0.1.5)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
WModem Driver Installer
.
==== Event Viewer Messages From Past Week ========
.
4/14/2011 9:03:17 AM, error: DCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
4/13/2011 10:50:21 PM, error: NETLOGON [5719] - No Domain Controller is available for domain HQDCSEC due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
.
==== End Of File ===========================
 
Welcome to TechSpot! The hosts file has been hijacked. I'd like to see the Mbam log please.

You will need to do a DNS Flush, then reset your router.
Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)

Exit the Command prompt when finished and shut the system down.

  1. Shut down your computer, and any other computer connected to your router.
  2. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
  3. Unplug the router. Wait sixty seconds.
  4. Now, holding the reset button again, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
  5. With the router unplugged, start your computer. Run MBAM again.
  6. Connect to the router again. Then turn the router back on.
  7. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
  8. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.
==============================
When finished: Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
  10. Click anywhere in the post where you want the logs to go, then do Ctrl V. The log will be sent from the clipboard and pasted in the post.
  11. Re-enable your Antivirus software.
    NOTE: If you forget to copy to the clipboard you can find the log here:
    C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
==========================
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save it to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    [screenshot: whatnext.png]
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
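One way to verify the hosts-file hijack the reply above mentions before and after the flush/reset steps, as an added example that is not part of the original post or of any tool named in it. It is Python, not Windows-native; the watched-domain list is my choice, the sample hosts content is constructed, and the only assumption about the machine is the standard Windows XP hosts path. Entries pointing a watched name at loopback or 0.0.0.0 are treated as benign blocks, since that is how ad-blocking hosts files work; anything else is reported.

```python
"""Flag hosts-file entries that would redirect search or security-vendor names.

A hosts entry is consulted before any DNS lookup, so `ipconfig /flushdns`
does not undo it: if google.com is pinned to an attacker IP here, every
search click goes to that IP first, which matches the redirect symptom in
this thread. Added example; the watched list and sample data are mine.
"""
import ipaddress

# On Windows XP the live file is %SystemRoot%\system32\drivers\etc\hosts
WATCHED_SUFFIXES = (
    "google.com", "bing.com", "yahoo.com",
    "malwarebytes.org", "eset.com", "symantec.com",
    "microsoft.com", "windowsupdate.com",
)


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:                    # not an address: skip junk lines
            continue
        for name in parts[1:]:                # one IP may carry several names
            yield str(ip), name.lower()


def is_local_sink(ip):
    """True for loopback or 0.0.0.0/::, the addresses used to block a name."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def suspicious_entries(text):
    """Return [(ip, host)] for watched names that resolve somewhere real."""
    hits = []
    for ip, host in parse_hosts(text):
        watched = any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)
        if watched and not is_local_sink(ip):
            hits.append((ip, host))
    return hits


# Constructed sample: a default XP file plus two injected hijack lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.7     www.google.com google.com   # injected by adware
203.0.113.7     www.malwarebytes.org
127.0.0.1       ad.doubleclick.net          # benign ad-block entry
"""

if __name__ == "__main__":
    for ip, host in suspicious_entries(SAMPLE_HOSTS):
        print(f"HIJACK? {host} -> {ip}")
```

To check the real file, pass `open(r"C:\WINDOWS\system32\drivers\etc\hosts").read()` to `suspicious_entries` instead of the sample; an empty result means the redirect is coming from somewhere else (a browser add-on, a proxy setting, or the router's DNS), which is why the reply above also resets the router.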
 
C:\Program Files\EsetOnlineScanner\log.txt

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=3b91e965f7019c499138d57ab502b70f
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-04-21 02:20:46
# local_time=2011-04-21 10:20:46 (-0500, Eastern Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=58875
# found=2
# cleaned=0
# scan_time=1344
C:\Documents and Settings\All Users\Application Data\6576a5\681.mof Win32/RogueAV.A trojan (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Search Toolbar\SearchToolbar.dll Win32/Toolbar.Zugo application (unable to clean) 00000000000000000000000000000000 I
 
C:\ComboFix.txt

ComboFix 11-04-20.04 - pbest 04/21/2011 12:06:16.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3572.2682 [GMT -4:00]
Running from: c:\documents and settings\pbest\My Documents\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\ahofmann\WINDOWS
c:\documents and settings\All Users\Application Data\6576a5
c:\documents and settings\All Users\Application Data\6576a5\681.mof
c:\documents and settings\All Users\Application Data\6576a5\BackUp\Bluetooth.lnk
c:\documents and settings\All Users\Application Data\6576a5\BackUp\Dell ControlPoint System Manager.lnk
c:\documents and settings\All Users\Application Data\6576a5\BackUp\VPN Client.lnk
c:\documents and settings\All Users\Application Data\6576a5\BackUp\Windows Search.lnk
c:\documents and settings\All Users\Application Data\6576a5\BMP.ico
c:\documents and settings\pbest\Recent\ANTIGEN.sys
c:\documents and settings\pbest\Recent\cb.sys
c:\documents and settings\pbest\Recent\ddv.sys
c:\documents and settings\pbest\Recent\dudl.tmp
c:\documents and settings\pbest\Recent\eb.tmp
c:\documents and settings\pbest\Recent\energy.tmp
c:\documents and settings\pbest\Recent\exec.drv
c:\documents and settings\pbest\Recent\fan.dll
c:\documents and settings\pbest\Recent\fix.drv
c:\documents and settings\pbest\Recent\fix.sys
c:\documents and settings\pbest\Recent\kernel32.dll
c:\documents and settings\pbest\Recent\kernel32.exe
c:\documents and settings\pbest\Recent\PE.drv
c:\documents and settings\pbest\Recent\PE.tmp
c:\documents and settings\pbest\Recent\ppal.dll
c:\documents and settings\pbest\Recent\sld.exe
c:\documents and settings\pbest\Recent\SM.exe
C:\install.exe
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbar.dll
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
C:\Thumbs.db
c:\windows\sv.ini
c:\windows\system32\Thumbs.db
D:\AUTORUN.INF
.
.
((((((((((((((((((((((((( Files Created from 2011-03-21 to 2011-04-21 )))))))))))))))))))))))))))))))
.
.
2011-04-21 14:56 . 2011-04-21 14:56 -------- d-----w- c:\documents and settings\pbest\Local Settings\Application Data\Ilivid Player
2011-04-21 14:56 . 2011-04-21 14:56 -------- d-----w- c:\documents and settings\pbest\Application Data\searchquband
2011-04-21 14:54 . 2011-04-21 14:56 -------- d-----w- c:\documents and settings\pbest\Application Data\searchqutoolbar
2011-04-21 14:54 . 2011-04-21 14:54 -------- d-----w- c:\program files\Windows iLivid Toolbar
2011-04-21 14:54 . 2011-04-21 14:54 -------- d-----w- c:\documents and settings\pbest\Local Settings\Application Data\PackageAware
2011-04-21 13:43 . 2011-04-21 13:43 -------- d-----w- c:\program files\ESET
2011-04-19 04:47 . 2011-04-19 04:47 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-19 04:47 . 2011-04-19 04:47 -------- d-----w- c:\program files\Java
2011-04-19 03:08 . 2011-04-19 03:08 -------- d-----w- c:\program files\VS Revo Group
2011-04-19 02:57 . 2007-08-21 17:32 98304 ----a-w- c:\windows\system32\redmonnt.dll
2011-04-18 23:25 . 2011-04-18 23:25 -------- d-----w- c:\documents and settings\pbest\Application Data\DriverCure
2011-04-18 23:25 . 2011-04-18 23:25 -------- d-----w- c:\documents and settings\pbest\Application Data\ParetoLogic
2011-04-18 23:25 . 2011-04-19 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2011-04-15 15:44 . 2011-04-15 15:44 -------- d-----w- c:\documents and settings\pbest\Application Data\Blackberry Desktop
2011-04-14 19:35 . 2011-04-14 19:35 -------- d-sh--w- c:\documents and settings\administrator\IECompatCache
2011-04-14 18:59 . 2011-04-14 18:59 -------- d-----w- c:\documents and settings\administrator\Application Data\Malwarebytes
2011-04-14 18:27 . 2011-04-14 18:27 -------- d-----w- c:\documents and settings\pbest\Application Data\Malwarebytes
2011-04-14 18:24 . 2011-04-14 18:24 -------- d-sh--w- c:\documents and settings\All Users\Application Data\BMJCP
2011-04-11 15:07 . 2011-04-11 15:07 -------- d-----w- c:\documents and settings\pbest\Application Data\ElevatedDiagnostics
2011-04-11 15:03 . 2011-04-11 15:03 -------- d--h--w- c:\windows\PIF
2011-04-09 05:13 . 2011-04-09 05:16 -------- d-----w- c:\windows\system32\NtmsData
2011-04-08 20:33 . 2011-04-08 20:33 69632 ----a-r- c:\documents and settings\pbest\Application Data\Microsoft\Installer\{CE86E2F5-850C-4207-94A3-A58D647B1733}\NewShortcut600_C6ABA3677F944B9FBB00F060701B0B5A.exe
2011-04-08 20:33 . 2011-04-08 20:33 69632 ----a-r- c:\documents and settings\pbest\Application Data\Microsoft\Installer\{CE86E2F5-850C-4207-94A3-A58D647B1733}\NewShortcut60_C6ABA3677F944B9FBB00F060701B0B5A.exe
2011-04-08 20:33 . 2011-04-08 20:33 69632 ----a-r- c:\documents and settings\pbest\Application Data\Microsoft\Installer\{CE86E2F5-850C-4207-94A3-A58D647B1733}\NewShortcut6_C6ABA3677F944B9FBB00F060701B0B5A.exe
2011-04-08 20:33 . 2011-04-08 20:33 69632 ----a-r- c:\documents and settings\pbest\Application Data\Microsoft\Installer\{CE86E2F5-850C-4207-94A3-A58D647B1733}\NewShortcut5_C6ABA3677F944B9FBB00F060701B0B5A.exe
2011-04-08 20:33 . 2011-04-08 20:33 69632 ----a-r- c:\documents and settings\pbest\Application Data\Microsoft\Installer\{CE86E2F5-850C-4207-94A3-A58D647B1733}\NewShortcut4_C6ABA3677F944B9FBB00F060701B0B5A.exe
2011-04-08 20:33 . 2011-04-08 20:33 69632 ----a-r- c:\documents and settings\pbest\Application Data\Microsoft\Installer\{CE86E2F5-850C-4207-94A3-A58D647B1733}\NewShortcut3_C6ABA3677F944B9FBB00F060701B0B5A.exe
2011-04-08 20:33 . 2011-04-08 20:33 69632 ----a-r- c:\documents and settings\pbest\Application Data\Microsoft\Installer\{CE86E2F5-850C-4207-94A3-A58D647B1733}\NewShortcut12_C6ABA3677F944B9FBB00F060701B0B5A.exe
2011-04-08 20:33 . 2011-04-08 20:33 69632 ----a-r- c:\documents and settings\pbest\Application Data\Microsoft\Installer\{CE86E2F5-850C-4207-94A3-A58D647B1733}\DesktopMgr.exe
2011-04-07 18:10 . 2011-04-07 18:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2011-04-07 18:05 . 2011-04-07 18:05 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-04-07 18:05 . 2011-04-07 18:05 -------- d-----w- c:\program files\Google
2011-04-07 01:21 . 2011-04-15 18:10 -------- d-----w- c:\documents and settings\pbest\Local Settings\Application Data\Google
2011-04-07 01:20 . 2011-04-07 01:21 -------- d-----w- c:\documents and settings\pbest\Local Settings\Application Data\Deployment
2011-04-06 16:56 . 2011-04-06 16:56 -------- d-----w- c:\documents and settings\pbest\Application Data\Autodesk
2011-04-06 16:22 . 2011-04-06 16:22 -------- d-----w- c:\documents and settings\pbest\Local Settings\Application Data\PCHealth
2011-04-06 15:58 . 2011-04-12 20:14 -------- d-----w- c:\program files\PamperedPartnerPlus
2011-04-05 18:11 . 2011-04-05 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2011-03-25 16:08 . 2008-11-07 22:55 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
2011-03-25 16:07 . 2011-03-25 16:07 -------- d-----w- c:\documents and settings\pbest\Local Settings\Application Data\Research In Motion
2011-03-25 12:52 . 2011-04-21 15:21 -------- d-----w- c:\documents and settings\pbest\Application Data\vlc
2011-03-25 12:51 . 2011-03-25 12:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Verizon
2011-03-25 12:51 . 2011-04-10 00:38 -------- d-----w- c:\documents and settings\pbest\Local Settings\Application Data\V CAST Media Manager
2011-03-25 12:50 . 2011-03-25 12:51 -------- d-----w- c:\program files\Verizon V CAST Media Manager
2011-03-25 12:42 . 2011-03-25 12:42 -------- d-----w- c:\program files\HTC
2011-03-25 12:41 . 2010-07-07 12:14 4621840 ----a-w- c:\temp\drivers.exe
2011-03-25 12:41 . 2011-03-25 12:41 -------- d-----w- C:\Temp
2011-03-23 23:54 . 2011-03-23 23:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Verizon Wireless
2011-03-23 23:52 . 2011-03-23 23:52 -------- d-----w- c:\program files\Novatel Wireless
2011-03-23 23:51 . 2011-03-23 23:51 -------- d-----w- c:\documents and settings\pbest\Local Settings\Application Data\Downloaded Installations
2011-03-23 23:51 . 2011-03-23 23:51 -------- d-----w- c:\documents and settings\pbest\Application Data\InstallShield
2011-03-23 23:33 . 2011-03-23 23:33 -------- d-----w- c:\documents and settings\pbest\Application Data\Smith Micro
2011-03-23 15:18 . 2011-04-07 02:38 -------- d-----w- c:\documents and settings\pbest\Local Settings\Application Data\Temp
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-19 04:47 . 2011-03-16 19:39 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-07 05:33 . 2009-08-26 17:15 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2008-04-13 23:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2008-04-13 23:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2008-04-13 23:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2008-04-13 23:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2008-04-13 23:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2008-04-13 23:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2008-04-13 23:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2008-04-13 23:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-08-26 20:07 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-16 22:56 . 2010-06-16 17:53 64000 ----a-w- c:\windows\system32\drivers\RimUsb.sys
2011-02-15 12:56 . 2008-04-13 23:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2008-04-13 23:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2008-04-13 23:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2008-04-13 23:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2008-04-13 23:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2009-08-26 17:14 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2009-08-26 17:14 677888 ----a-w- c:\windows\system32\mstsc.exe
2001-12-03 21:09 . 2009-08-28 18:06 90112 ----a-w- c:\program files\internet explorer\plugins\DjVuControl.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HLBackupScheduler"="c:\program files\Verizon V CAST Media Manager\V CAST Backup Scheduler.exe" [2010-12-08 5247624]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-01 13537280]
"nwiz"="nwiz.exe" [2008-08-01 1630208]
"NVHotkey"="nvHotkey.dll" [2008-08-01 90112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-08-01 86016]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-08-27 471040]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-07-11 1351680]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-07-11 1191936]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-01-10 667648]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-12-21 200704]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-03-17 115560]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-8-15 604776]
Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2009-2-6 1095456]
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2009-8-27 6144]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Numara Software\\Remote\\Host\\NHSTW32.EXE"=
"c:\\Program Files\\ActiveFax\\Client\\ActFaxClient.exe"=
"c:\\Program Files\\AutoQuotes\\AQNet6.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\MSN\\MSNCoreFiles\\Install\\msnsusii.exe"=
"c:\\Program Files\\PamperedPartnerPlus\\PamperedPartnerPlus.exe"=
"c:\\Program Files\\Verizon Wireless\\VZAccess Manager\\VZAccess Manager.exe"=
"c:\\Program Files\\Verizon Wireless\\Firmware Updates\\Novatel\\DUU_Verizon_PC770_FW167.029.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\pbest\\My Documents\\My Pictures\\PDFConverterSetup.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 NHostNT1;Numara Remote Control Driver 1 ver. 9.00 (2007058);c:\windows\system32\drivers\NHOSTNT1.SYS [8/31/2009 10:34 AM 92432]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [12/29/2008 11:07 AM 320800]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [1/22/2009 10:19 AM 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [1/22/2009 10:19 AM 20840]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [2/6/2009 8:06 PM 443168]
R2 NetOp Host for NT Service;Numara Remote Control Helper ver. 9.00 (2007058);c:\program files\Numara Software\Remote\Host\NHOSTSVC.EXE [8/31/2009 10:34 AM 1499408]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [8/26/2009 1:29 PM 112128]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [8/26/2009 2:38 PM 32808]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [8/26/2009 2:07 PM 244368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/26/2011 2:54 PM 102448]
R3 NHOSTNT3;Numara Remote Control Driver 3 ver. 9.00 (2007058) (NHOSTNT3);c:\windows\system32\drivers\NHOSTNT3.SYS [8/31/2009 10:34 AM 3216]
S0 cerc6;cerc6; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/7/2011 2:05 PM 136176]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [11/18/2008 6:17 PM 23888]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [7/8/2010 10:52 AM 20480]
S3 NWUSBModem_000;Novatel Wireless USB Modem Driver (vGEN);c:\windows\system32\drivers\nwusbmdm_000.sys [7/8/2010 10:52 AM 176384]
S3 NWUSBPort_000;Novatel Wireless USB Status Port Driver (vGEN);c:\windows\system32\drivers\nwusbser_000.sys [7/8/2010 10:52 AM 176384]
S3 NWUSBPort2_000;Novatel Wireless USB Status2 Port Driver (vGEN);c:\windows\system32\drivers\nwusbser2_000.sys [7/8/2010 10:52 AM 176384]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [8/27/2009 4:18 PM 58240]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [4/14/2010 8:29 PM 32408]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/13/2008 7:00 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-07 18:05]
.
2011-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-07 18:05]
.
2011-04-21 c:\windows\Tasks\User_Feed_Synchronization-{98A4784B-8987-48D1-A068-C8576F85AB4D}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
2011-04-21 c:\windows\Tasks\User_Feed_Synchronization-{9B5CEC4A-EEAE-4576-86B6-04AA510AA859}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = 10.201.1.2:80
uInternet Settings,ProxyOverride = <local>
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-10 - (no file)
HKCU-Run-C:!Documents and Settings!pbest!Local Settings!Application Data!Google!Chrome!User Data_service_run - c:\documents and settings\pbest\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
HKLM-Run-SysTrayApp - %ProgramFiles%\IDT\WDM\sttray.exe
SafeBoot-Symantec Antvirus
AddRemove-Search Toolbar - c:\program files\Search Toolbar\SearchToolbarUninstall.exe
AddRemove-3282912111.www.aq360.com - c:\program files\Microsoft Silverlight\4.0.60129.0\Silverlight.Configuration.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-21 12:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1796)
c:\windows\system32\netprovcredman.dll
.
- - - - - - - > 'explorer.exe'(4664)
c:\windows\system32\WININET.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\idt\dellxpm09b_6124v037\wdm\stacsv.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Intel\WiFi\bin\WLKeeper.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Numara Software\Remote\Host\NHSTW32.EXE
c:\program files\Numara Software\Remote\Host\nldrw32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\IDT\WDM\sttray.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\progra~1\WI371A~1\Datamngr\DATAMN~1.EXE
.
**************************************************************************
.
Completion time: 2011-04-21 12:15:15 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-21 16:15
.
Pre-Run: 42,391,773,184 bytes free
Post-Run: 42,338,816,000 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - C0D6B6C96EE93B0BF4B28CBDCC6C51E0
 
After looking at the Combofix log, it is evident that this is a work system. While I am glad to assist members who may also use their system as part of their work, I don't attempt to replace the IT for the office:

The IT dept, told me it was removed, but it's still acting weird.

There is a great deal of software on this system pointing directly to a work-related environment. Programs like:
c:\program files\PamperedPartnerPlus>> (pampered chef consultant software)
c:\program files\Numara Software\Remote\Host\NHSTW32.EXE
c:\program files\Numara Software\Remote\Host\nldrw32.exe

And also this log-on entry:
- - - - - - - > 'winlogon.exe'(1796)
c:\windows\system32\netprovcredman.dll>> Network Provider Credentials Manager

You do have Best Malware Protection on the system, which is a rogue anti-spyware program from the same family as Personal Internet Security 2011. It is hard to believe that Malwarebytes found nothing, but then you did not include the log.

Please bring the system back to the attention of the IT department. Tell him/her that some things were missed. If you were given this system to use as an employee, that is where you should go.

If this is to be a personal computer for you, I would recommend doing a reformat/reinstall and only adding your own personal programs and apps.

Combofix has removed entries; there is also some indication that an infected flash drive was used. If that is the case, you need to disinfect it, and any other removable devices: if they have been connected to other machines, they may now be infected.

Please disinfect all removable drives
  1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
  3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  4. Wait until it has finished scanning and then exit the program.
  5. Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
=================
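The protective trick the helper's note describes (a folder named autorun.inf at the root of every drive, so a USB worm cannot drop a file of that name) is easy to see in a few lines. The script below is an added example for this thread, not Flash_Disinfector's code: it reads any autorun.inf file at a drive root and reports which program the `open`, `shellexecute` or `shell\open\command` key would start, moves that file into a quarantine folder instead of deleting it (so IT can look at it), and then creates the blocking directory in its place. The function names and the sample autorun.inf are constructed for the example; on Windows the folder is also marked hidden/system/read-only, on other systems that step is skipped.

```python
import os
import sys
import tempfile

# [autorun] keys that make Windows XP start a program when the drive is inserted or opened.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")

# Constructed sample of the kind of file a USB worm leaves at a drive root (not a real capture).
SAMPLE_AUTORUN = """[autorun]
; shows a harmless folder icon, but actually opens the dropper
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
open=dropper.exe
shellexecute=dropper.exe
shell\\open\\command=dropper.exe
"""


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased, comments ignored."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Programs the file would start, de-duplicated, in LAUNCH_KEYS order."""
    targets = []
    for key in LAUNCH_KEYS:
        value = entries.get(key)
        if value and value not in targets:
            targets.append(value)
    return targets


def inspect_autorun(root):
    """Classify root/autorun.inf as 'absent', 'protected' (a directory) or 'file'."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.lexists(path):
        return {"state": "absent", "launches": []}
    if os.path.isdir(path):
        return {"state": "protected", "launches": []}
    with open(path, "r", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    return {"state": "file", "launches": launch_targets(entries)}


def _hide(path):
    """Windows only: set READONLY (0x1) | HIDDEN (0x2) | SYSTEM (0x4) on the folder."""
    if sys.platform == "win32":
        import ctypes
        ctypes.windll.kernel32.SetFileAttributesW(path, 0x1 | 0x2 | 0x4)


def protect_drive(root, quarantine_dir):
    """Quarantine any autorun.inf file at root, then put a blocking folder in its place."""
    path = os.path.join(root, "autorun.inf")
    before = inspect_autorun(root)
    if before["state"] == "file":
        os.makedirs(quarantine_dir, exist_ok=True)
        # keep the evidence; tag it with the drive name so several sticks do not collide
        tag = os.path.basename(os.path.normpath(root)) or "root"
        os.replace(path, os.path.join(quarantine_dir, "autorun.inf.%s.quarantined" % tag))
    if before["state"] != "protected":
        os.makedirs(path)
        _hide(path)
    return before, inspect_autorun(root)


def run_demo():
    """Run the whole flow on a scratch directory standing in for a drive root."""
    root = tempfile.mkdtemp(prefix="usb_")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    before, after = protect_drive(root, os.path.join(root, "_quarantine"))
    quarantined = sorted(os.listdir(os.path.join(root, "_quarantine")))
    return {"before": before, "after": after, "quarantined": quarantined}


if __name__ == "__main__":
    # On a real machine you would call protect_drive("E:\\", "C:\\quarantine") per removable drive.
    print(run_demo())
```

Two caveats a practitioner should keep in mind: a folder named autorun.inf only stops a new file of that name being created, and malware running with administrative rights can simply remove the folder first; the durable fix is to turn AutoRun off for all drive types (the `NoDriveTypeAutoRun` value under `HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer` set to 0xFF). And the quarantined file is worth handing to IT, because the program it names tells them what to look for on the other machines the stick has touched.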
 