TechSpot

Need help; my searches are getting redirected

Solved
By seebo
Jan 2, 2011
  1. seebo

    seebo TS Rookie Topic Starter Posts: 79

    Here it is...

    Windows IP Configuration



    Host Name . . . . . . . . . . . . : usp09-smetraux

    Primary Dns Suffix . . . . . . . : jungle.usip.edu

    Node Type . . . . . . . . . . . . : Unknown

    IP Routing Enabled. . . . . . . . : No

    WINS Proxy Enabled. . . . . . . . : No

    DNS Suffix Search List. . . . . . : jungle.usip.edu

    usip.edu



    Ethernet adapter Wireless Network Connection:



    Connection-specific DNS Suffix . :

    Description . . . . . . . . . . . : Dell Wireless 1397 WLAN Mini-Card

    Physical Address. . . . . . . . . : 00-24-2C-A1-27-75

    Dhcp Enabled. . . . . . . . . . . : Yes

    Autoconfiguration Enabled . . . . : Yes

    IP Address. . . . . . . . . . . . : 192.168.1.4

    Subnet Mask . . . . . . . . . . . : 255.255.255.0

    Default Gateway . . . . . . . . . : 192.168.1.1

    DHCP Server . . . . . . . . . . . : 192.168.1.1

    DNS Servers . . . . . . . . . . . : 192.168.1.1

    Lease Obtained. . . . . . . . . . : Monday, January 03, 2011 6:20:22 PM

    Lease Expires . . . . . . . . . . : Tuesday, January 04, 2011 6:20:22 PM



    Ethernet adapter Local Area Connection:



    Media State . . . . . . . . . . . : Media disconnected

    Description . . . . . . . . . . . : Intel(R) 82567LM Gigabit Network Connection

    Physical Address. . . . . . . . . : 00-24-E8-AF-90-C0
     
  2. Broni

    Broni Malware Annihilator Posts: 47,995   +271

    Looks normal....

    Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.
    Upload following files to http://www.virustotal.com/ for security check:
    - C:\Windows\system32\DRIVERS\volsnap.sys
    IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
    Post scan results.
     
  3. seebo

    seebo TS Rookie Topic Starter Posts: 79

    looks good:

    File name:
    volsnap.sys
    Submission date:
    2011-01-04 00:17:18 (UTC)
    Current status:
    queued queued analysing finished
    Result:
    0/ 43 (0.0%)
     
  4. Broni

    Broni Malware Annihilator Posts: 47,995   +271

    Go to Kaspersky website and perform an online antivirus scan.

    • Disable your active antivirus program.
    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  5. seebo

    seebo TS Rookie Topic Starter Posts: 79

    Hi Broni,

    Entering day 3 of our little correspondence.

    I tried running the Kaspersky anti-virus scan and got about halfway through downloading their extensive updates when the download aborted. Subsequent download attempts instructed me to go to their product site, which offer a 30-day free trial on their antivirus software, but I haven't downloaded anything there yet.

    So again, I look to you for direction. And again, I thank you for your help sofar.

    Seebo
     
  6. Broni

    Broni Malware Annihilator Posts: 47,995   +271

    Please click HERE to download Kaspersky Virus Removal Tool.

    • Double click on the file you just downloaded and let it install.
    • It will install to your desktop.
    • After that leave what is selected and put a check next to My Computer.
    • Click on the option that says Threat Detection and change it to Disinfect,delete if disinfection fails.
    • Then click on Start Scan.
    • Before it is done it may prompt for action regardless of the setting so choose delete if prompted.
    • When the scan is done no log will be produced.
    • Click on the bottom where it says Report to open the report.
    • Then highlight of of the items found by using ctrl + a on your keyboard to select all or use your mouse to select all then right click and choose copy.
    • This will copy the items that it found to the clipboard you can then open notepad (go to start then run then type in notepad) and choose paste to paste the contents into Notepad.
    • You can save this on the desktop.
    • Post the contents of the document in your next reply.
     
  7. seebo

    seebo TS Rookie Topic Starter Posts: 79

    Here is the Kaspersky report.

    Browser is still getting redirected.

    Autoscan: completed 4 minutes ago (events: 8, objects: 308272, time: 02:17:11)
    1/4/2011 10:04:49 PM Task started
    1/4/2011 10:07:54 PM Detected: Trojan-Downloader.Java.OpenConnection.cf C:\Documents and Settings\s.metrau\Application Data\Sun\Java\Deployment\cache\6.0\54\14e8f6f6-1e5919db/bpac/a.class
    1/4/2011 10:30:58 PM Detected: Packed.Win32.Krap.hc C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP373\A0082267.exe
    1/4/2011 11:23:47 PM Deleted: Trojan-Downloader.Java.OpenConnection.cf C:\Documents and Settings\s.metrau\Application Data\Sun\Java\Deployment\cache\6.0\54\14e8f6f6-1e5919db/bpac/a.class
    1/4/2011 11:23:47 PM Detected: Trojan-Downloader.Java.OpenConnection.cg C:\Documents and Settings\s.metrau\Application Data\Sun\Java\Deployment\cache\6.0\54\14e8f6f6-1e5919db/bpac/KAVS.class
    1/4/2011 11:23:58 PM Deleted: Trojan-Downloader.Java.OpenConnection.cg C:\Documents and Settings\s.metrau\Application Data\Sun\Java\Deployment\cache\6.0\54\14e8f6f6-1e5919db/bpac/KAVS.class
    1/4/2011 11:24:00 PM Deleted: Packed.Win32.Krap.hc C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP373\A0082267.exe
    1/5/2011 12:22:00 AM Task completed
     
  8. Broni

    Broni Malware Annihilator Posts: 47,995   +271

    I assume, both browsers, correct?

    I suspect, our issue lies here:
    I just noticed, that those two entries weren't removed by OTL.

    Let's try couple of things...

    1. Clear your Java Cache

    • Go Start>Control Panel (Classic View)>Java
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - leave BOTH checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.
      • Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

    2. Delete your Combofix file....

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  9. seebo

    seebo TS Rookie Topic Starter Posts: 79

    Broni,

    Did both of your suggestions. Mozilla and IE are still getting redirected on searches.

    Seebo

    ComboFix 11-01-04.04 - s.metrau 01/05/2011 7:01.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3536.2900 [GMT -5:00]
    Running from: c:\documents and settings\s.metrau\My Documents\Downloads\ComboFix.exe
    AV: McAfee VirusScan Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\zip.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-12-05 to 2011-01-05 )))))))))))))))))))))))))))))))
    .

    2011-01-03 22:35 . 2011-01-03 22:35 574 ----a-w- C:\cleanup.bat
    2011-01-03 20:21 . 2011-01-03 20:21 -------- d-----w- C:\_OTL
    2011-01-03 15:29 . 2011-01-03 15:29 -------- d-----w- c:\documents and settings\s.metrau\Local Settings\Application Data\Temp
    2011-01-02 19:47 . 2011-01-02 19:47 -------- d-----w- c:\program files\Common Files\Java
    2011-01-02 19:46 . 2010-11-12 23:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-01-02 19:46 . 2010-11-12 23:53 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2010-12-26 13:32 . 2010-12-26 13:32 -------- d-----w- c:\program files\iPod
    2010-12-26 13:32 . 2010-12-26 13:34 -------- d-----w- c:\program files\iTunes
    2010-12-15 20:41 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-15 16:43 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-05 11:43 . 2009-08-10 18:33 0 ----a-w- c:\documents and settings\s.metrau\Local Settings\Application Data\WavXMapDrive.bat
    2010-12-20 23:09 . 2009-08-10 17:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-20 23:08 . 2009-08-10 17:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-11-18 18:12 . 2008-04-25 21:27 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-12 21:34 . 2009-06-09 00:15 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-11-06 00:34 . 2008-04-25 16:16 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:34 . 2008-04-25 16:16 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-11-06 00:34 . 2008-04-25 16:16 1830912 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-06 00:34 . 2008-04-25 16:16 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-11-03 12:25 . 2008-04-25 16:16 389120 ----a-w- c:\windows\system32\html.iec
    2010-11-02 15:17 . 2008-04-25 16:16 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
    2010-10-28 13:13 . 2008-04-25 16:16 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:27 . 2008-04-25 16:16 1862272 ----a-w- c:\windows\system32\win32k.sys
    2010-10-07 17:23 . 2010-10-07 17:23 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-10-07 17:23 . 2010-10-07 17:23 107808 ----a-w- c:\windows\system32\dns-sd.exe
    .

    ((((((((((((((((((((((((((((( SnapShot@2011-01-03_03.28.17 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-01-05 11:40 . 2011-01-05 11:40 16384 c:\windows\Temp\Perflib_Perfdata_624.dat
    - 2008-04-25 16:16 . 2011-01-03 03:28 80480 c:\windows\system32\perfc009.dat
    + 2008-04-25 16:16 . 2011-01-05 11:45 80480 c:\windows\system32\perfc009.dat
    + 2010-02-20 22:04 . 2011-01-04 16:51 55304 c:\windows\system32\mlfcache.dat
    + 2011-01-03 20:29 . 2011-01-05 11:40 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2011-01-02 17:52 . 2011-01-03 02:42 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2009-06-18 19:51 . 2011-01-05 11:40 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2009-06-18 19:51 . 2011-01-03 02:42 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2009-06-18 19:51 . 2011-01-03 02:42 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2009-06-18 19:51 . 2011-01-05 11:40 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2008-04-25 16:16 . 2011-01-05 11:45 467430 c:\windows\system32\perfh009.dat
    - 2008-04-25 16:16 . 2011-01-03 03:28 467430 c:\windows\system32\perfh009.dat
    + 2007-07-11 17:27 . 2010-11-06 00:34 380928 c:\windows\system32\ieapfltr.dll
    - 2007-07-11 17:27 . 2010-09-09 13:38 380928 c:\windows\system32\ieapfltr.dll
    - 2009-08-10 17:35 . 2010-09-09 13:38 380928 c:\windows\system32\dllcache\ieapfltr.dll
    + 2009-08-10 17:35 . 2010-11-06 00:34 380928 c:\windows\system32\dllcache\ieapfltr.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
    @="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
    [HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
    2009-01-14 15:24 40960 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
    @="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
    [HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
    2009-01-14 15:24 40960 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-02-22 200704]
    "AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-03-17 729088]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-26 134656]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-26 166912]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 134656]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-11 186904]
    "ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2008-12-19 184320]
    "WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2008-12-22 145408]
    "SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2009-01-16 656696]
    "EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2009-01-16 95544]
    "DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-01-19 667648]
    "USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2009-01-16 15360]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-06-09 2220032]
    "DellConnectionManager"="c:\program files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe" [2009-03-01 1810432]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-21 198160]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-11-02 2508104]
    "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-8-15 604776]
    Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2009-2-6 1095456]
    Printkey2000.lnk - c:\program files\PrintKey2000\Printkey2000.exe [2009-8-10 869376]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-8-10 106560]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Datatel\\UI\\wIntegSM.exe"=
    "c:\\Program Files\\Datatel\\UI\\datatel.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [4/19/2007 5:56 AM 133968]
    R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [12/29/2008 11:07 AM 320800]
    R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [1/22/2009 10:19 AM 808296]
    R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [1/22/2009 10:19 AM 20840]
    R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [2/6/2009 8:06 PM 443168]
    R2 SMManager;Smith Micro Connection Manager Service;c:\program files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe [3/1/2009 6:09 PM 77824]
    R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [6/8/2009 10:05 PM 112512]
    R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [6/8/2009 10:05 PM 32808]
    R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [6/8/2009 10:05 PM 244368]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [6/8/2009 10:05 PM 109568]
    R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [6/8/2009 7:26 PM 232744]
    S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [4/19/2007 5:28 AM 42832]
    S3 Normandy;Normandy SR2; [x]
    S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NvtSp50.sys --> c:\windows\system32\Drivers\NvtSp50.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-02 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://campus.usip.edu/
    uInternet Settings,ProxyServer = http=127.0.0.1:8074
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    Trusted Zone: usip.edu\campus
    FF - ProfilePath - c:\documents and settings\s.metrau\Application Data\Mozilla\Firefox\Profiles\fmzr22gc.default\
    FF - prefs.js: browser.startup.homepage - usp.edu
    FF - prefs.js: network.proxy.type - 4
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\real\realplayer\browserrecord\firefox\ext
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-05 07:28
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    C:\sccfg.sys 370 bytes

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    Completion time: 2011-01-05 07:43:43
    ComboFix-quarantined-files.txt 2011-01-05 12:43
    ComboFix2.txt 2011-01-03 03:44

    Pre-Run: 116,843,421,696 bytes free
    Post-Run: 117,512,683,520 bytes free

    - - End Of File - - A40D16B2E0B3248B0475F7E13865A962
     
  10. Broni

    Broni Malware Annihilator Posts: 47,995   +271

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad .exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:8074
    uInternet Settings,ProxyOverride = <local>
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  11. seebo

    seebo TS Rookie Topic Starter Posts: 79

    Thanks Broni

    Both browsers are still redirecting.

    Here is the log

    ComboFix 11-01-05.01 - s.metrau 01/05/2011 21:42:22.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3536.2880 [GMT -5:00]
    Running from: c:\documents and settings\s.metrau\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\s.metrau\Desktop\malware stuff\CFScript.txt
    AV: McAfee VirusScan Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    .

    ((((((((((((((((((((((((( Files Created from 2010-12-06 to 2011-01-06 )))))))))))))))))))))))))))))))
    .

    2011-01-03 22:35 . 2011-01-03 22:35 574 ----a-w- C:\cleanup.bat
    2011-01-03 20:21 . 2011-01-03 20:21 -------- d-----w- C:\_OTL
    2011-01-03 15:29 . 2011-01-03 15:29 -------- d-----w- c:\documents and settings\s.metrau\Local Settings\Application Data\Temp
    2011-01-02 19:47 . 2011-01-02 19:47 -------- d-----w- c:\program files\Common Files\Java
    2011-01-02 19:46 . 2010-11-12 23:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-01-02 19:46 . 2010-11-12 23:53 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2010-12-26 13:32 . 2010-12-26 13:32 -------- d-----w- c:\program files\iPod
    2010-12-26 13:32 . 2010-12-26 13:34 -------- d-----w- c:\program files\iTunes
    2010-12-15 20:41 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-15 16:43 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-06 00:04 . 2009-08-10 18:33 0 ----a-w- c:\documents and settings\s.metrau\Local Settings\Application Data\WavXMapDrive.bat
    2010-12-20 23:09 . 2009-08-10 17:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-20 23:08 . 2009-08-10 17:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-11-18 18:12 . 2008-04-25 21:27 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-12 21:34 . 2009-06-09 00:15 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-11-06 00:34 . 2008-04-25 16:16 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:34 . 2008-04-25 16:16 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-11-06 00:34 . 2008-04-25 16:16 1830912 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-06 00:34 . 2008-04-25 16:16 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-11-03 12:25 . 2008-04-25 16:16 389120 ----a-w- c:\windows\system32\html.iec
    2010-11-02 15:17 . 2008-04-25 16:16 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
    2010-10-28 13:13 . 2008-04-25 16:16 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:27 . 2008-04-25 16:16 1862272 ----a-w- c:\windows\system32\win32k.sys
    .

    ((((((((((((((((((((((((((((( SnapShot@2011-01-03_03.28.17 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-01-06 00:04 . 2011-01-06 00:04 16384 c:\windows\Temp\Perflib_Perfdata_658.dat
    - 2008-04-25 16:16 . 2011-01-03 03:28 80480 c:\windows\system32\perfc009.dat
    + 2008-04-25 16:16 . 2011-01-06 00:08 80480 c:\windows\system32\perfc009.dat
    + 2010-02-20 22:04 . 2011-01-04 16:51 55304 c:\windows\system32\mlfcache.dat
    + 2011-01-03 20:29 . 2011-01-06 00:03 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2011-01-02 17:52 . 2011-01-03 02:42 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2009-06-18 19:51 . 2011-01-06 00:03 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2009-06-18 19:51 . 2011-01-03 02:42 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2009-06-18 19:51 . 2011-01-03 02:42 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2009-06-18 19:51 . 2011-01-06 00:03 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2008-04-25 16:16 . 2011-01-06 00:08 467430 c:\windows\system32\perfh009.dat
    - 2008-04-25 16:16 . 2011-01-03 03:28 467430 c:\windows\system32\perfh009.dat
    + 2007-07-11 17:27 . 2010-11-06 00:34 380928 c:\windows\system32\ieapfltr.dll
    - 2007-07-11 17:27 . 2010-09-09 13:38 380928 c:\windows\system32\ieapfltr.dll
    - 2009-08-10 17:35 . 2010-09-09 13:38 380928 c:\windows\system32\dllcache\ieapfltr.dll
    + 2009-08-10 17:35 . 2010-11-06 00:34 380928 c:\windows\system32\dllcache\ieapfltr.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
    @="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
    [HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
    2009-01-14 15:24 40960 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
    @="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
    [HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
    2009-01-14 15:24 40960 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-02-22 200704]
    "AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-03-17 729088]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-26 134656]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-26 166912]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 134656]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-11 186904]
    "ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2008-12-19 184320]
    "WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2008-12-22 145408]
    "SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2009-01-16 656696]
    "EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2009-01-16 95544]
    "DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-01-19 667648]
    "USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2009-01-16 15360]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-06-09 2220032]
    "DellConnectionManager"="c:\program files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe" [2009-03-01 1810432]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-21 198160]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-11-02 2508104]
    "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-8-15 604776]
    Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2009-2-6 1095456]
    Printkey2000.lnk - c:\program files\PrintKey2000\Printkey2000.exe [2009-8-10 869376]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-8-10 106560]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Datatel\\UI\\wIntegSM.exe"=
    "c:\\Program Files\\Datatel\\UI\\datatel.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [4/19/2007 5:56 AM 133968]
    R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [12/29/2008 11:07 AM 320800]
    R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [1/22/2009 10:19 AM 808296]
    R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [1/22/2009 10:19 AM 20840]
    R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [2/6/2009 8:06 PM 443168]
    R2 SMManager;Smith Micro Connection Manager Service;c:\program files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe [3/1/2009 6:09 PM 77824]
    R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [6/8/2009 10:05 PM 112512]
    R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [6/8/2009 10:05 PM 32808]
    R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [6/8/2009 10:05 PM 244368]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [6/8/2009 10:05 PM 109568]
    R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [6/8/2009 7:26 PM 232744]
    S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [4/19/2007 5:28 AM 42832]
    S3 Normandy;Normandy SR2; [x]
    S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NvtSp50.sys --> c:\windows\system32\Drivers\NvtSp50.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-02 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://campus.usip.edu/
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    Trusted Zone: usip.edu\campus
    FF - ProfilePath - c:\documents and settings\s.metrau\Application Data\Mozilla\Firefox\Profiles\fmzr22gc.default\
    FF - prefs.js: browser.startup.homepage - usp.edu
    FF - prefs.js: network.proxy.type - 4
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\real\realplayer\browserrecord\firefox\ext
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-05 22:17
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    C:\sccfg.sys 370 bytes

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(4168)
    c:\windows\system32\WININET.dll
    c:\windows\system32\igfxdo.dll
    c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
    c:\windows\system32\btmmhook.dll
    c:\program files\Windows Desktop Search\deskbar.dll
    c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
    c:\program files\Windows Desktop Search\dbres.dll
    c:\program files\Windows Desktop Search\wordwheel.dll
    c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
    c:\program files\Windows Desktop Search\msnlExtRes.dll
    c:\windows\system32\ieframe.dll
    .
    Completion time: 2011-01-05 22:35:19
    ComboFix-quarantined-files.txt 2011-01-06 03:34
    ComboFix2.txt 2011-01-05 12:43
    ComboFix3.txt 2011-01-03 03:44

    Pre-Run: 117,209,178,112 bytes free
    Post-Run: 117,453,590,528 bytes free

    - - End Of File - - 10BC147F5F00482ED2097D90D9E29337
     
     
  12. Broni

    Broni Malware Annihilator Posts: 47,995   +271

    The offending entries are gone.

    Are you at home?

    If so, I still suggest...

    Go Start>Run (Start search in Vista), type in:
    cmd
    Click OK (in Vista and Windows 7, while holding CTRL, and SHIFT, press Enter).

    In Command Prompt window, type in following commands, and hit Enter after each one:
    ipconfig /flushdns
    ipconfig /registerdns
    ipconfig /release
    ipconfig /renew
    net stop "dns client"
    net start "dns client"


    Turn the computer off.

    On your router, you'll find a pinhole marked "Reset".
    Keep pushing the hole, using a pencil, or a paperclip until all lights briefly come off and on.
    NOTE. Simple router disconnecting from a power source will NOT do.
    Restart computer and check for redirections.

    NOTE. You may need to re-check your router security settings, as described HERE
     
  13. seebo

    seebo TS Rookie Topic Starter Posts: 79

    As usual, I followed instructions.

    After resetting the router I went back to Mozilla, and got the same redirect crap. I messed with this for a few minutes. Redirect after redirect.

    Then I went to Explorer and tried a search. All went well. I tried this a few times, and the searches worked fine.

    Then I went back to Mozilla and now the searches there work fine too.

    Curious, but the redirects appear to be gone.

    Anything else?
     
  14. seebo

    seebo TS Rookie Topic Starter Posts: 79

    I tried searching again this morning and, unfortunately, its back to the same redirect ****.

    On both browsers. I tried opening and closing both Mozilla and Internet Explorer a few times and on all occasions was redirected in my searching.

    For a little while, at least, it looked as though this was gone.

    Seebo
     
  15. Broni

    Broni Malware Annihilator Posts: 47,995   +271

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  16. seebo

    seebo TS Rookie Topic Starter Posts: 79

    Broni,

    Had a bit more difficulty getting COMBOFIX to run. Had to try several times before it ran all the way through.

    Computer is acting a bit screwier. Specifically, I'm regularly (every 10-15 minutes) getting messages that Internet Explorer had to shut down, even though I have not been running IE.

    Anyway, here is the log:

    ComboFix 11-01-06.06 - s.metrau 01/07/2011 9:46.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3536.2911 [GMT -5:00]
    Running from: c:\documents and settings\s.metrau\Desktop\ComboFix.exe
    AV: McAfee VirusScan Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    .

    ((((((((((((((((((((((((( Files Created from 2010-12-07 to 2011-01-07 )))))))))))))))))))))))))))))))
    .

    2011-01-03 22:35 . 2011-01-03 22:35 574 ----a-w- C:\cleanup.bat
    2011-01-03 20:21 . 2011-01-03 20:21 -------- d-----w- C:\_OTL
    2011-01-03 15:29 . 2011-01-03 15:29 -------- d-----w- c:\documents and settings\s.metrau\Local Settings\Application Data\Temp
    2011-01-02 19:47 . 2011-01-02 19:47 -------- d-----w- c:\program files\Common Files\Java
    2011-01-02 19:46 . 2010-11-12 23:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-01-02 19:46 . 2010-11-12 23:53 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2010-12-26 13:32 . 2010-12-26 13:32 -------- d-----w- c:\program files\iPod
    2010-12-26 13:32 . 2010-12-26 13:34 -------- d-----w- c:\program files\iTunes
    2010-12-15 20:41 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-15 16:43 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-07 14:35 . 2009-08-10 18:33 0 ----a-w- c:\documents and settings\s.metrau\Local Settings\Application Data\WavXMapDrive.bat
    2010-12-20 23:09 . 2009-08-10 17:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-20 23:08 . 2009-08-10 17:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-11-18 18:12 . 2008-04-25 21:27 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-12 21:34 . 2009-06-09 00:15 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-11-06 00:34 . 2008-04-25 16:16 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:34 . 2008-04-25 16:16 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-11-06 00:34 . 2008-04-25 16:16 1830912 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-06 00:34 . 2008-04-25 16:16 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-11-03 12:25 . 2008-04-25 16:16 389120 ----a-w- c:\windows\system32\html.iec
    2010-11-02 15:17 . 2008-04-25 16:16 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
    2010-10-28 13:13 . 2008-04-25 16:16 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:27 . 2008-04-25 16:16 1862272 ----a-w- c:\windows\system32\win32k.sys
    .

    ((((((((((((((((((((((((((((( SnapShot@2011-01-03_03.28.17 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-01-07 14:34 . 2011-01-07 14:34 16384 c:\windows\Temp\Perflib_Perfdata_56c.dat
    - 2008-04-25 16:16 . 2011-01-03 03:28 80480 c:\windows\system32\perfc009.dat
    + 2008-04-25 16:16 . 2011-01-07 14:39 80480 c:\windows\system32\perfc009.dat
    + 2010-02-20 22:04 . 2011-01-04 16:51 55304 c:\windows\system32\mlfcache.dat
    + 2011-01-03 20:29 . 2011-01-07 14:34 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2011-01-02 17:52 . 2011-01-03 02:42 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2009-06-18 19:51 . 2011-01-07 14:34 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2009-06-18 19:51 . 2011-01-03 02:42 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2009-06-18 19:51 . 2011-01-03 02:42 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2009-06-18 19:51 . 2011-01-07 14:34 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2008-04-25 16:16 . 2011-01-07 14:39 467430 c:\windows\system32\perfh009.dat
    - 2008-04-25 16:16 . 2011-01-03 03:28 467430 c:\windows\system32\perfh009.dat
    + 2007-07-11 17:27 . 2010-11-06 00:34 380928 c:\windows\system32\ieapfltr.dll
    - 2007-07-11 17:27 . 2010-09-09 13:38 380928 c:\windows\system32\ieapfltr.dll
    - 2009-08-10 17:35 . 2010-09-09 13:38 380928 c:\windows\system32\dllcache\ieapfltr.dll
    + 2009-08-10 17:35 . 2010-11-06 00:34 380928 c:\windows\system32\dllcache\ieapfltr.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
    @="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
    [HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
    2009-01-14 15:24 40960 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
    @="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
    [HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
    2009-01-14 15:24 40960 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-02-22 200704]
    "AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-03-17 729088]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-26 134656]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-26 166912]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 134656]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-11 186904]
    "ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2008-12-19 184320]
    "WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2008-12-22 145408]
    "SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2009-01-16 656696]
    "EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2009-01-16 95544]
    "DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-01-19 667648]
    "USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2009-01-16 15360]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-06-09 2220032]
    "DellConnectionManager"="c:\program files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe" [2009-03-01 1810432]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-21 198160]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-11-02 2508104]
    "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-8-15 604776]
    Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2009-2-6 1095456]
    Printkey2000.lnk - c:\program files\PrintKey2000\Printkey2000.exe [2009-8-10 869376]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-8-10 106560]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Datatel\\UI\\wIntegSM.exe"=
    "c:\\Program Files\\Datatel\\UI\\datatel.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [4/19/2007 5:56 AM 133968]
    R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [12/29/2008 11:07 AM 320800]
    R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [1/22/2009 10:19 AM 808296]
    R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [1/22/2009 10:19 AM 20840]
    R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [2/6/2009 8:06 PM 443168]
    R2 SMManager;Smith Micro Connection Manager Service;c:\program files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe [3/1/2009 6:09 PM 77824]
    R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [6/8/2009 10:05 PM 112512]
    R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [6/8/2009 10:05 PM 32808]
    R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [6/8/2009 10:05 PM 244368]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [6/8/2009 10:05 PM 109568]
    R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [6/8/2009 7:26 PM 232744]
    S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [4/19/2007 5:28 AM 42832]
    S3 Normandy;Normandy SR2; [x]
    S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NvtSp50.sys --> c:\windows\system32\Drivers\NvtSp50.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-02 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://campus.usip.edu/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    Trusted Zone: usip.edu\campus
    FF - ProfilePath - c:\documents and settings\s.metrau\Application Data\Mozilla\Firefox\Profiles\fmzr22gc.default\
    FF - prefs.js: browser.search.selectedEngine - Answers.com
    FF - prefs.js: browser.startup.homepage - usp.edu
    FF - prefs.js: network.proxy.type - 4
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\real\realplayer\browserrecord\firefox\ext
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-07 10:14
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2868)
    c:\windows\system32\WININET.dll
    c:\windows\system32\igfxdo.dll
    c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
    c:\windows\system32\btmmhook.dll
    c:\program files\Windows Desktop Search\deskbar.dll
    c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
    c:\program files\Windows Desktop Search\dbres.dll
    c:\program files\Windows Desktop Search\wordwheel.dll
    c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
    c:\program files\Windows Desktop Search\msnlExtRes.dll
    c:\windows\system32\ieframe.dll
    .
    Completion time: 2011-01-07 10:29:28
    ComboFix-quarantined-files.txt 2011-01-07 15:29
    ComboFix2.txt 2011-01-05 12:43
    ComboFix3.txt 2011-01-03 03:44

    Pre-Run: 117,042,147,328 bytes free
    Post-Run: 117,409,689,600 bytes free

    - - End Of File - - 9CC3E4B61BDF550CB8779CBAF8829C74
     
  17. Broni

    Broni Malware Annihilator Posts: 47,995   +271

    Please download SystemScan and save it to your desktop.

    • Be aware that the file name will be randomly generated (i.e. sys95769.exe) to deceive malware which may attempt to disabled it.
    • If any installed security tools (anti-virus) detects the file as malware or suspicious while downloading or attempting to run, ignore the alert and allow the download.
    • Double-click on sys*****.exe to start the tool.
    • A read before proceeding disclaimer will appear.
    • Uncheck <- Unflag the checkbox to disable updates! next to the version number at the top.
    • After reading, check the box I have read and agree. Please let me...proceed!, then click the Proceed button.
    • When SystemScan opens, click the "Unselect all" button.
    • Important: Under "Make your choice and than click...", check the boxes next to:
      • PC accounts
    • Everything else should be unchecked.
    • Click "Scan Now".
    • Another warning box will appear. Please follow the instructions and click OK.
    • Please be patient while the scan is in progress.
    • Systemscan will scan your computer and create a folder named Suspectfile on the Desktop to save its report.
    • When the scan is complete, Notepad will automatically open a log file named report.txt with the results.
    • Copy and paste the contents of report.txt in your next reply.
     
  18. seebo

    seebo TS Rookie Topic Starter Posts: 79

    Here you go, Broni. Scan was very quick. ~S

    SystemScan - www.suspectfile.com - ver. 3.6.7 (code: holifay & bReAkdOWn)

    Running on: Windows XP PROFESSIONAL Edition, Service Pack 3 (2600.5.1)
    System directory: C:\WINDOWS
    SystemScan file: C:\Documents and Settings\s.metrau\Desktop\sys79599.exe
    Running in: User mode
    Date: 1/8/2011
    Time: 9:44:41 AM

    Output limited to:
    -PC accounts

    ===================== ACCOUNTS ON THIS PC =====================


    Users on this computer:
    Is Admin? | Username
    ------------------
    Yes | Administrator
    | Guest (Disabled)
    | HelpAssistant (Disabled)
    | SUPPORT_388945a0 (Disabled)
    | USP

    ### users folders

    25/04/2008 16:32:31 (DIR) 0 byte 988 days old -- LocalService
    18/06/2009 14:52:31 (DIR) 0 byte 569 days old -- Default User
    18/06/2009 14:52:43 (DIR) 0 byte 569 days old -- USP
    08/06/2009 19:31:58 (DIR) 0 byte 579 days old -- Administrator
    10/11/2010 16:26:59 (DIR) 0 byte 59 days old -- All Users
    05/01/2011 00:33:29 (DIR) 0 byte 3 days old -- s.metrau
    07/01/2011 15:58:00 (DIR) 0 byte 1 days old -- NetworkService

    ### startup files in users folders

    C:\documents and settings\Administrator\Start Menu\Programs\Startup\desktop.ini
    C:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
    C:\documents and settings\All Users\Start Menu\Programs\Startup\Dell ControlPoint System Manager.lnk
    C:\documents and settings\All Users\Start Menu\Programs\Startup\desktop.ini
    C:\documents and settings\All Users\Start Menu\Programs\Startup\Printkey2000.lnk
    C:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    C:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
    C:\documents and settings\Default User\Start Menu\Programs\Startup\desktop.ini
    C:\documents and settings\s.metrau\Start Menu\Programs\Startup\desktop.ini
    C:\documents and settings\USP\Start Menu\Programs\Startup\desktop.ini

    ==========================================
    Scan completed in 0.1 minutes
    End of report


    ~~~~~~~~~~~~~~~~~~~~~-----CREDITS-----~~~~~~~~~~~~~~~~~~~~~
    SystemScan uses some freeware tools that remain property of their authors:

    * SteelWerX Registry Console Tool, Who Am I (Bobby Flekman: www.xs4all.nl/~fstaal01) --> "Registry scan", "PC accounts "
    * dumphive (Markus Stephany)--> "Registry scan"
    * Listdlls (M.Russinovich, B.Cogswell: www.sysinternals.com) --> "Loaded modules"
    * Catchme & MBR Rootkit detector (gmer: www.gmer.net) --> "Hidden objects", "Alternate Data Streams" & "Master Boot Record"
    ---> NOTE: SystemScan integrates "The Avenger" from Swandog46 (http://swandog46.geekstogo.com) to allow you to remove malwares found in this log

    Thanks to all of them for their hard work
     
  19. Broni

    Broni Malware Annihilator Posts: 47,995   +271

    Download and save HelpAsst_mebroot_fix.exe to your desktop.
    • Close all open programs.
    • Double click HelpAsst_mebroot_fix.exe to run it.
    • Pay attention to the running tool.
    • If the tool detects mbr infection, please allow it to run mbr -f and shutdown your computer. To do so, type Y and press Enter.
    • After restart, wait 5 minutes, then go Start>Run, copy and paste the following command in the run box then hit Enter:

      • helpasst -mbrt
    • When it completes, a log will open.
    • Please post the contents of that log.

    IMPORTANT!
    If the tool does NOT detect any mbr infection and completes, proceed with the following...

    • Click Start>Run and copy and paste the following command, then hit Enter:

      • mbr -f
    • Repeat the above step one more time
    • Now shut down the computer (do not restart, but shut it down), wait 5 minutes then start it back up.
    • Wait another 5 minutes, then click Start>Run and copy and paste the following command, then hit Enter.

      • helpasst -mbrt
    • When it completes, a log will open.
    • Please post the contents of that log.

    **Important note to Dell users - fixing the mbr may prevent access the the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).
     
  20. seebo

    seebo TS Rookie Topic Starter Posts: 79

    C:\Documents and Settings\s.metrau\Desktop\HelpAsst_mebroot_fix.exe
    Sun 01/09/2011 at 13:16:15.64

    HelpAssistant account Inactive

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll not found

    ~~ Checking firewall ports ~~


    HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

    ~~ Checking profile list ~~

    No HelpAssistant profile in registry

    ~~ Checking mbr ~~

    user & kernel MBR OK

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Status check on Sun 01/09/2011 at 13:39:06.57

    Account active No
    Local Group Memberships

    ~~ Checking mbr ~~

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A3841EB]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\iaStor -> 0x8a3841eb
    Warning: possible MBR rootkit infection !
    user & kernel MBR OK
    Use "Recovery Console" command "fixmbr" to clear infection !

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll not found


    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
     
  21. seebo

    seebo TS Rookie Topic Starter Posts: 79

    oh, and both browsers are still redirecting searches.
     
  22. Broni

    Broni Malware Annihilator Posts: 47,995   +271

    Please download NTBR by noahdfear and save it to your Desktop.
    File size: 2.44 MB (2,565,432 bytes)

    • Place a blank CD in your CD drive.
    • Double click on NTBR_CD.exe file and a folder of the same name will appear.
    • Open the folder and double click on BurnItCD.cmd file. If your CD drive will open, simply close it back.
    • Follow the prompts to burn the CD.
    • Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
    • If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.
    • Insert the newly created CD into your infected PC and reboot your computer.
    • Once you have rebooted please press Enter when prompted to continue booting from CD - you have a whole 15 seconds to do this!
    • Read the warning and then continue as prompted.
    • You first need to select your keyboard layout - press Enter for English.
    • Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK
    • On the following screen enter 5 to select Install Standard MBR code.
    • Enter 1 to overwrite the infected MBR Code with the Standard MBR code.
    • When asked to confirm please do so.
    • Afterwards, please enter E to leave MBRWORK, then 6 to leave the bootable CD.
    • Eject the disc and then press ctrl+alt+del to reboot the PC.
    Once rebooted, check for redirections.

    **Important note to Dell users - fixing the MBR may prevent access the the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. If this is Dell computer, let me know before proceeding.
     
  23. seebo

    seebo TS Rookie Topic Starter Posts: 79

    Hi Broni,

    As per instructions, I'm letting you know this is a Dell computer (Latitude E6400).

    Seebo
     
  24. Broni

    Broni Malware Annihilator Posts: 47,995   +271

  25. seebo

    seebo TS Rookie Topic Starter Posts: 79

    None of this seems to be working as planned.

    The directions aren't clear if I should keep the Dell MDR utility as a backup or to use this instead of the NTBR.

    So I reboot the computer trying the NTBR and get an error message "Can't open CD driver CDRCACH shsucdx can't install. ERROR: Failure loading; unable to find CD-ROM drive!

    I try rebooting with the Dell MDR and, as per instructions, says to type in "cd \MD2" after booting with the CD. However the computer won't read an \MD2 directory, even though its there when I read the contents of the CD (using another computer).

    I tried burning both cds twice, and I can't get anything to work here.

    Any insights as to what may be happening, as we don't seem to be making much progress.

    Thanks,

    Seebo
     
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.