SilencedMatrix
2011-10-06, 18:38
Tuesday we noticed our internet had slowed down extremely, and we know we got a trojan. We definitely know we have a Google redirect trojan (making anything we search redirect to a random website), and I'm sure there are quite a few more. Here is the DDS log.
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Chris Starkey at 8:54:03 on 2011-10-06
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.300 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\StudioLine Photo Basic\NMSAccess32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\TeamViewer\Version5\TeamViewer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\lgbpd.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Car-Part Messaging\CPM.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\car-part\CPKeySrv.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Hotlines\WinReceiver.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Chris Starkey\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Chris Starkey\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Chris Starkey\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Hotlines\WinReceiver_Updater.exe
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:59333
uWinlogon: Shell=explorer.exe,
uWindows: Load=c:\docume~1\chriss~1\LOCALS~1
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {474597C5-AB09-49d6-A4D5-2E8D7341384E} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {9da438a8-db0c-4606-9171-40bb5e927ebd} - c:\windows\system32\DNSAPIp.dll
BHO: {ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {A58686ED-FC46-44C3-95C6-4A812AB776F1} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {65742936-8079-408B-9F3C-874B78030A72} - No File
uRun: [LGBLiveUpdate] c:\windows\system32\lgbpd.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [CPM] "c:\program files\car-part messaging\CPM.EXE"
uRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
uRun: [Google Update] "c:\documents and settings\chris starkey\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [HotlinesSalvage] "c:\program files\westport research\hotlines\salvage.exe"
mRun: BCMSMMSG.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [volmgr] %APPDATA%\volmgr.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [conhost] c:\documents and settings\chris starkey\application data\microsoft\conhost.exe
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OUFWRlJFRS1WWllGOC1DSzdRRy05VUJVUi03U1VMUy00NEtSMi1GS1NV"&"inst=NzctNTQwNzU0MTI3LUJBKzEtS1YzKzctVDEtVUNBTEwrMS1VQ0FMTDIrMi1UQjgrMi1GTCs4LUY4TTExQysxLVVQRysyMDExLUZMMTArMS1MSUMrOS1DSVArMg"&"prod=90"&"ver=10.0.1204
mRunOnce: [Spybot - Search & Destroy] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
mRunOnce: [SpybotSnD] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [poJSJfghGjFLx.exe] c:\documents and settings\all users\application data\poJSJfghGjFLx.exe
dRunOnce: [AutoLaunch] c:\program files\lavasoft\ad-aware\AutoLaunch.exe monthly
StartupFolder: c:\docume~1\chriss~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\chriss~1\startm~1\programs\startup\pwsche32.lnk - c:\program files\symantec\procomm plus\programs\PWSCHE32.EXE
StartupFolder: c:\docume~1\chriss~1\startm~1\programs\startup\shortc~1.lnk - c:\hotlines\WinReceiver.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\car-pa~1.lnk - c:\car-part\CPKeySrv.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\upsonl~1.lnk - c:\ups\uows\PldReminder.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: mswsock.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000075-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxmsdec.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {924B4927-D3BA-41EA-9F7E-8A89194AB3AC} - hxxp://panda-plugin.disney.go.com/plugin/win32/p3dactivex.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{7C4F631A-BD87-4E7E-B4C6-B1E41E7CB2A4} : NameServer = 170.215.184.3,74.40.37.242
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\AATP.DLL
Handler: myrm - {4D034FC3-013F-4b95-B544-44D49ABE3E76} -
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
AppInit_DLLs: c:\progra~1\imesha~1\mediabar\datamngr\datamngr.dll c:\progra~1\imesha~1\mediabar\datamngr\IEBHO.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
Hosts: 95.64.61.131 www.google.com
Hosts: 95.64.61.132 www.bing.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\chris starkey\application data\mozilla\firefox\profiles\g9b5rfo5.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://rascotruckparts.com/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/?d=4d52b922&i=23&tp=ab&nt=1&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 59333
FF - prefs.js: network.proxy.type - 1
FF - component: c:\documents and settings\chris starkey\application data\mozilla\firefox\profiles\g9b5rfo5.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\documents and settings\chris starkey\application data\mozilla\plugins\np-mswmp.dll
FF - plugin: c:\documents and settings\chris starkey\local settings\application data\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R0 ardvimpz;ardvimpz;c:\windows\system32\drivers\qkkvyuvb.dat --> c:\windows\system32\drivers\qkkvyuvb.dat [?]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-24 201320]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2001-8-18 14336]
R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-1-12 2025336]
S2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\mcafee\managed virusscan\agent\myagtsvc.exe /servicestart --> c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [?]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\MfeAVFK.sys [2009-3-24 79304]
S3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\MfeBOPK.sys [2009-3-24 35240]
S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\MfeRKDK.sys [2009-3-24 33832]
.
=============== Created Last 30 ================
.
2011-10-05 14:36:43 182272 ----a-w- c:\documents and settings\chris starkey\application data\conhost.exe
2011-10-05 14:36:15 186880 ----a-w- c:\windows\system32\lvvm.exe
2011-10-05 14:35:48 177664 ----a-w- c:\documents and settings\chris starkey\application data\microsoft\csrss.exe
2011-10-05 12:32:16 7269712 ------w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\updates\mpengine.dll
2011-10-04 19:47:53 182272 ----a-w- c:\documents and settings\chris starkey\application data\dwm.exe
2011-10-03 14:53:41 -------- d-----w- c:\windows\$BLSTUN$
2011-10-03 14:53:22 505856 ----a-w- c:\documents and settings\all users\application data\poJSJfghGjFLx.exe
2011-10-03 13:41:21 181760 ----a-w- c:\program files\windows nt\dwm.exe
2011-10-03 13:33:19 161280 ----a-w- c:\windows\system32\0.7881175952919637.exe
2011-10-03 13:33:01 179712 ----a-w- c:\program files\internet explorer\conhost.exe
2011-10-03 13:33:01 -------- d-----w- C:\Microsoft
2011-10-03 13:32:29 179712 ----a-w- c:\windows\system32\0.6660133014122138.exe
2011-10-03 13:17:49 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{33c51a7b-0c84-4977-81c5-b69628b9a24d}\offreg.dll
2011-10-03 13:17:37 7269712 ------w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{33c51a7b-0c84-4977-81c5-b69628b9a24d}\mpengine.dll
2011-10-03 13:15:40 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-10-03 13:15:39 -------- d-----w- c:\windows\system32\wbem\Repository
.
==================== Find3M ====================
.
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2008-04-22 17:40:58 774144 -c--a-w- c:\program files\RngInterstitial.dll
2003-01-06 15:06:44 443576 -c--a-w- c:\program files\JunoSetup.exe
.
============= FINISH: 8:56:10.50 ===============
Appreciate the help!
Hello SilencedMatrix,
"Trojan's on work computer"
Post #5 in the forum sticky (http://forums.spybot.info/showthread.php?t=288) may have been missed. Please see Personal computers (http://forums.spybot.info/showpost.php?p=25712&postcount=5).
Best regards. :)
Appreciate the response, tashi. I have read all of that. By work computer I mean the computer I do my work on, not one belonging to a company.