also @ TechSpot: Tea Party Republicans and 'liberal weenies' alike celebrate Texas email privacy law

Need help; my searches are getting redirected

Discussion in 'Virus and Malware Removal' started by seebo, Jan 2, 2011.

Page 2 of 4

  1. Broni Malware Annihilator Posts: 40,034   +187

    Please download Rootkit Unhooker from one of the following links and save it to your desktop.
    In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracing ZIP and RAR compressed files. If you don't have an extraction program, you can downlaod, install and use the free 7-zip utility.

    • Double-click on RKUnhookerLE.exe to start the program.
      Vista/Windows 7 users right-click and select Run As Administrator.
    • Click the Report tab, then click Scan.
    • Check Drivers, Stealth, and uncheck the rest.
    • Click OK.
    • Wait until it's finished and then go to File > Save Report.
    • Save the report to your Desktop.
    • Copy and paste the contents of the report into your next reply.
    -- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".
    Broni, Jan 3, 2011
    #21

  2. seebo Newcomer, in training Posts: 38

    Here you go with the UNHOOKER report:

    RkU Version: 3.8.388.590, Type LE (SR2)
    ==============================================
    OS Name: Windows XP
    Version 5.1.2600 (Service Pack 3)
    Number of processors #2
    ==============================================
    >Drivers
    ==============================================
    0xB80B7000 C:\WINDOWS\system32\DRIVERS\igxpmp32.sys 6279168 bytes (Intel Corporation, Intel Graphics Miniport Driver)
    0xBF2E8000 C:\WINDOWS\System32\igxpdx32.DLL 3837952 bytes (Intel Corporation, DirectDraw(R) Driver for Intel(R) Graphics Technology)
    0xBF058000 C:\WINDOWS\System32\igxpdv32.DLL 2686976 bytes (Intel Corporation, Component GHAL Driver)
    0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
    0x804D7000 PnpManager 2150400 bytes
    0x804D7000 RAW 2150400 bytes
    0x804D7000 WMIxWDM 2150400 bytes
    0xBF800000 Win32k 1863680 bytes
    0xBF800000 C:\WINDOWS\System32\win32k.sys 1863680 bytes (Microsoft Corporation, Multi-User Win32 Driver)
    0xA229C000 C:\WINDOWS\system32\drivers\sthda.sys 1486848 bytes (IDT, Inc., IDT PC Audio)
    0xB7EDE000 C:\WINDOWS\system32\DRIVERS\bcmwl5.sys 1290240 bytes (Broadcom Corporation, Broadcom 802.11 Network Adapter wireless driver)
    0xB7D20000 C:\WINDOWS\system32\DRIVERS\btkrnl.sys 987136 bytes (Broadcom Corporation., Bluetooth Bus Enumerator)
    0x9BB59000 C:\WINDOWS\System32\Drivers\dump_iaStor.sys 897024 bytes
    0xB9E2A000 iaStor.sys 897024 bytes (Intel Corporation, Intel Matrix Storage Manager driver - ia32)
    0xB9D3D000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
    0xB7E11000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 503808 bytes (Microsoft Corporation, WDF Dynamic)
    0x9BC34000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
    0xB7C32000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
    0x9BD3F000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
    0x9B739000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
    0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
    0x9A425000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
    0xB8065000 C:\WINDOWS\system32\DRIVERS\e1y5132.sys 253952 bytes (Intel Corporation, Intel(R) Gigabit Network Connection NDIS 5.1 deserialized driver)
    0xB7CE8000 C:\WINDOWS\system32\drivers\srs_PremiumSound_i386.sys 229376 bytes (-, SRS Premium Sound driver)
    0xBF024000 C:\WINDOWS\System32\igxpgd32.dll 212992 bytes (Intel Corporation, Intel Graphics 2D Driver)
    0x9BAE7000 C:\WINDOWS\system32\DRIVERS\WavxDMgr.sys 204800 bytes (Wave Systems Corp., WavX Document Manager Filter Driver)
    0xB7C90000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
    0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
    0xB7E8C000 C:\WINDOWS\system32\DRIVERS\Apfiltr.sys 184320 bytes (Alps Electric Co., Ltd., Alps Touch Pad Driver)
    0x9B999000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
    0xB9D10000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
    0x9BCA4000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
    0xB8019000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows (R) Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
    0x9B02B000 C:\WINDOWS\system32\drivers\mfehidk.sys 163840 bytes (McAfee, Inc., Host Intrusion Detection Link Driver)
    0x9BCF1000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
    0xB9F05000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
    0x9BD19000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
    0xA2278000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
    0xB8041000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
    0xB9530000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
    0x9BCCF000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
    0x806E4000 ACPI_HAL 134528 bytes
    0x806E4000 C:\WINDOWS\system32\hal.dll 134528 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
    0xB9E0A000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
    0xA223C000 C:\WINDOWS\system32\drivers\IntcHdmi.sys 131072 bytes (Intel(R) Corporation, Intel(R) High Definition Audio HDMI)
    0xB9F2B000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
    0xB9F4A000 pcmcia.sys 122880 bytes (Microsoft Corporation, PCMCIA Bus Driver)
    0xA225C000 C:\WINDOWS\system32\drivers\AESTAud.sys 114688 bytes (Andrea Electronics Corporation, Andrea Audio Driver)
    0xB9CF6000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
    0x9BACE000 C:\WINDOWS\System32\Drivers\DLAIFS_M.SYS 102400 bytes (Roxio, Drive Letter Access Component)
    0x9BAA1000 C:\WINDOWS\System32\Drivers\DLAUDF_M.SYS 94208 bytes (Roxio, Drive Letter Access Component)
    0xB9DE1000 DRVMCDB.SYS 94208 bytes (Sonic Solutions, Device Driver)
    0xB9DCA000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
    0xB7CD1000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
    0x9BAB8000 C:\WINDOWS\System32\Drivers\DLAUDFAM.SYS 90112 bytes (Roxio, Drive Letter Access Component)
    0x9BA3C000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
    0xB7ECA000 C:\WINDOWS\system32\DRIVERS\sdbus.sys 81920 bytes (Microsoft Corporation, SecureDigital Bus Driver)
    0xB80A3000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
    0x9BD98000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
    0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
    0xBF012000 C:\WINDOWS\System32\igxprd32.dll 73728 bytes (Intel Corporation, Intel Graphics 2D Rotation Driver)
    0xB9DF8000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
    0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
    0xB7CC0000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
    0xB7EB9000 C:\WINDOWS\system32\DRIVERS\rimmptsk.sys 69632 bytes (REDC, RICOH SD/MMC Driver)
    0x9C04A000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
    0xBA1A8000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
    0x9B421000 C:\WINDOWS\system32\drivers\mfeavfk.sys 65536 bytes (McAfee, Inc., Anti-Virus File System Filter Driver)
    0xBA118000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
    0x9C90E000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
    0xA5ADA000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
    0x9B08B000 C:\WINDOWS\system32\drivers\mfeapfk.sys 61440 bytes (McAfee, Inc., Access Protection Filter Driver)
    0xBA1B8000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
    0x9F523000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
    0xA5AFA000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
    0xBA128000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
    0xBA0E8000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
    0xBA158000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
    0xBA198000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
    0xBA0C8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
    0xBA168000 C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
    0x9C93E000 C:\WINDOWS\system32\drivers\mfetdik.sys 49152 bytes (McAfee, Inc., Anti-Virus Mini-Firewall Driver)
    0xB8B4B000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
    0x9C02A000 C:\WINDOWS\system32\DRIVERS\usbccid.sys 49152 bytes (Microsoft Corporation, USB CCID Driver)
    0x9C03A000 C:\WINDOWS\System32\Drivers\cvusbdrv.sys 45056 bytes (Broadcom Corporation, Broadcom Credential Vault USB Driver)
    0xB86E4000 C:\WINDOWS\System32\Drivers\DRVNDDM.SYS 45056 bytes (Roxio, Device Driver Manager)
    0x9C8FE000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
    0xBA148000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
    0xBA0B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
    0xBA108000 PBADRV.sys 45056 bytes (Dell Inc, PBA Support Driver)
    0xBA1C8000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
    0x9B6A9000 C:\WINDOWS\System32\Drivers\btwusb.sys 40960 bytes (Broadcom Corporation., Driver for Bluetooth USB Devices)
    0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
    0xA5C30000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
    0xB8B2B000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
    0xBA318000 C:\WINDOWS\system32\drivers\bcmwlnpf.sys 36864 bytes (CACE Technologies, npf)
    0xBA0D8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
    0x9C8AE000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
    0xBA188000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
    0xB8B3B000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
    0x9C91E000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
    0x99393000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
    0xBA0F8000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
    0x9C92E000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
    0xA5F4D000 C:\WINDOWS\System32\Drivers\DLABMFSM.SYS 32768 bytes (Roxio, Drive Letter Access Component)
    0x9C20B000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
    0x9C1F3000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
    0xBA3D0000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
    0xA5F45000 C:\WINDOWS\System32\Drivers\DLABOIOM.SYS 28672 bytes (Roxio, Drive Letter Access Component)
    0x9CDCC000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
    0xBA3B0000 C:\WINDOWS\system32\drivers\mfebopk.sys 28672 bytes (McAfee, Inc., Buffer Overflow Protection Driver)
    0x9C1EB000 C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys 28672 bytes (McAfee, Inc., VSCore Code Analysis Driver)
    0xBA350000 C:\WINDOWS\system32\windrvNT.sys 28672 bytes
    0xBA3B8000 C:\WINDOWS\System32\Drivers\DLAOPIOM.SYS 24576 bytes (Roxio, Drive Letter Access Component)
    0x9CDD4000 C:\WINDOWS\System32\Drivers\DLARTL_M.SYS 24576 bytes (Roxio, Shared Driver Component)
    0xBA458000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
    0xBA3E0000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
    0xBA3D8000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
    0xBA3C8000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
    0x9CDC4000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
    0x9C213000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
    0xBA328000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
    0xBA3A8000 C:\WINDOWS\System32\Drivers\PCASp50.sys 20480 bytes (Printing Communications Assoc., Inc. (PCAUSA), PCAUSA NDIS 5.0 SPR Protocol Driver)
    0xBA3F0000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
    0xBA3F8000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
    0xBA3E8000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
    0x9C1CB000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
    0xBA4C0000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
    0xB9573000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
    0x9CA48000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
    0xB9553000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
    0xA0265000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
    0x9CA50000 C:\WINDOWS\system32\DRIVERS\SMCLIB.SYS 16384 bytes (Microsoft Corporation, Smard Card Driver Library)
    0xBA4C4000 ACPIEC.sys 12288 bytes (Microsoft Corporation, ACPI Embedded Controller Driver)
    0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
    0xBA4BC000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
    0xB9C91000 C:\WINDOWS\System32\Drivers\DLAPoolM.SYS 12288 bytes (Roxio, Drive Letter Access Component)
    0x9BF7D000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
    0x9CA54000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
    0x9E19C000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
    0x9BF9D000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
    0xB956B000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
    0x9DE77000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
    0xB956F000 C:\WINDOWS\system32\DRIVERS\wmiacpi.sys 12288 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
    0x9E490000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
    0xBA5AC000 DLACDBHM.SYS 8192 bytes (Roxio, Shared Driver Component)
    0x9E492000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
    0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
    0x9E48E000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
    0x9E48C000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
    0xBA5E6000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
    0xBA640000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
    0xBA5AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
    0xBA764000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
    0xBA69E000 C:\WINDOWS\System32\Drivers\DLADResM.SYS 4096 bytes (Roxio, Drive Letter Access Component)
    0xA2575000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
    0x9CB74000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
    0xBA670000 C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS 4096 bytes (Microsoft Corporation, ACPI Operation Registration Driver)
    ==============================================
    >Stealth
    ==============================================
    0x04260000 Hidden Image-->SmithMicro.Message.dll [ EPROCESS 0x88F63DA0 ] PID: 3200, 102400 bytes
    0x8AD50BF5 Unknown page with executable code, 1035 bytes
    0x00DA0000 Hidden Image-->SmithMicro.Common.dll [ EPROCESS 0x891FD770 ] PID: 3624, 118784 bytes
    0x055B0000 Hidden Image-->Security Center Overview.dll [ EPROCESS 0x891FD770 ] PID: 3624, 118784 bytes
    0x05570000 Hidden Image-->SmithMicro.Common.dll [ EPROCESS 0x891FD770 ] PID: 3624, 118784 bytes
    0x00EB0000 Hidden Image-->SmithMicro.Common.dll [ EPROCESS 0x88F63DA0 ] PID: 3200, 118784 bytes
    0x8AD50A95 Unknown page with executable code, 1387 bytes
    0x8AD4EF5A Unknown page with executable code, 166 bytes
    0x05500000 Hidden Image-->Dell.UCM.Plugin.dll [ EPROCESS 0x891FD770 ] PID: 3624, 225280 bytes
    0x03530000 Hidden Image-->SmithMicro.Application.dll [ EPROCESS 0x88F63DA0 ] PID: 3200, 225280 bytes
    0x05040000 Hidden Image-->PrebootManager.dll [ EPROCESS 0x897EFDA0 ] PID: 2968, 2617344 bytes
    0x05620000 Hidden Image-->SecurityCenterControls.DLL [ EPROCESS 0x891FD770 ] PID: 3624, 266240 bytes
    0x03430000 Hidden Image-->Dell.DcpPlugin.dll [ EPROCESS 0x891FD770 ] PID: 3624, 28672 bytes
    0x053B0000 Hidden Image-->StatusInterfaces.DLL [ EPROCESS 0x891FD770 ] PID: 3624, 28672 bytes
    0x00C80000 Hidden Image-->StatusInterfaces.DLL [ EPROCESS 0x897EFDA0 ] PID: 2968, 28672 bytes
    0x048C0000 Hidden Image-->Interop.Wavx_PluginManagerLib.dll [ EPROCESS 0x897EFDA0 ] PID: 2968, 28672 bytes
    0x8AD4C3CC Unknown page with executable code, 3124 bytes
    0x03D00000 Hidden Image-->Dell.SystemOverview.Plugin.dll [ EPROCESS 0x891FD770 ] PID: 3624, 331776 bytes
    0x8AD4F30A Unknown page with executable code, 3318 bytes
    0x8AD4B28A Unknown page with executable code, 3446 bytes
    0x05370000 Hidden Image-->SecurityDeviceInfoNS.dll [ EPROCESS 0x891FD770 ] PID: 3624, 36864 bytes
    0x05390000 Hidden Image-->SecurityDeviceInfoSetReg.DLL [ EPROCESS 0x891FD770 ] PID: 3624, 36864 bytes
    0x00CB0000 Hidden Image-->Interop.EmbassyStatus.DLL [ EPROCESS 0x897EFDA0 ] PID: 2968, 36864 bytes
    0x04E60000 Hidden Image-->Interop.BiosManager.dll [ EPROCESS 0x897EFDA0 ] PID: 2968, 36864 bytes
    0x04FB0000 Hidden Image-->SmithMicro.VpnController.dll [ EPROCESS 0x88F63DA0 ] PID: 3200, 36864 bytes
    0x8AD51143 Unknown page with executable code, 3773 bytes
    0x04AE0000 Hidden Image-->System.Management.dll [ EPROCESS 0x897EFDA0 ] PID: 2968, 380928 bytes
    0x8AD4EE7B Unknown page with executable code, 389 bytes
    0x03580000 Hidden Image-->Dell.SharedUI.dll [ EPROCESS 0x88F63DA0 ] PID: 3200, 3977216 bytes
    0x053D0000 Hidden Image-->Status Lib.DLL [ EPROCESS 0x891FD770 ] PID: 3624, 45056 bytes
    0x00CD0000 Hidden Image-->Status Lib.DLL [ EPROCESS 0x897EFDA0 ] PID: 2968, 45056 bytes
    0x056F0000 Hidden Image-->SmithMicro.AsyncOperations.dll [ EPROCESS 0x88F63DA0 ] PID: 3200, 45056 bytes
    0x033C0000 Hidden Image-->msvcm80.dll [ EPROCESS 0x891D0698 ] PID: 464, 507904 bytes
    0x00CE0000 Hidden Image-->msvcm80.dll [ EPROCESS 0x89215DA0 ] PID: 2164, 507904 bytes
    0x03830000 Hidden Image-->msvcm80.dll [ EPROCESS 0x891ED020 ] PID: 2188, 507904 bytes
    0x04B60000 Hidden Image-->msvcm80.dll [ EPROCESS 0x897EFDA0 ] PID: 2968, 507904 bytes
    0x054E0000 Hidden Image-->msvcm80.dll [ EPROCESS 0x88F63DA0 ] PID: 3200, 507904 bytes
    0x05680000 Hidden Image-->RegistrySettingsLib.DLL [ EPROCESS 0x891FD770 ] PID: 3624, 53248 bytes
    0x00CF0000 Hidden Image-->RegistrySettingsLib.DLL [ EPROCESS 0x897EFDA0 ] PID: 2968, 53248 bytes
    0x052E0000 Hidden Image-->VpnWrapper.dll [ EPROCESS 0x88F63DA0 ] PID: 3200, 53248 bytes
    0xBA0C8000 WARNING: Virus alike driver modification [VolSnap.sys], 53248 bytes
    0x03330000 Hidden Image-->SmithMicro.Controls.dll [ EPROCESS 0x891FD770 ] PID: 3624, 552960 bytes
    0x05B90000 Hidden Image-->SmithMicro.Controls.dll [ EPROCESS 0x891FD770 ] PID: 3624, 552960 bytes
    0x03440000 Hidden Image-->SmithMicro.Controls.dll [ EPROCESS 0x88F63DA0 ] PID: 3200, 552960 bytes
    0x8AD4F53C Unknown thread object [ ETHREAD 0x8A3713B0 ] TID: 156, 600 bytes
    0x8AD5152D Unknown thread object [ ETHREAD 0x8A36F020 ] TID: 160, 600 bytes
    0x8AD4F23F Unknown thread object [ ETHREAD 0x8A36FDA8 ] , 600 bytes
    0x04810000 Hidden Image-->TdmUserInterface.dll [ EPROCESS 0x897EFDA0 ] PID: 2968, 626688 bytes
    0x03610000 Hidden Image-->TdmUtilC.dll [ EPROCESS 0x89215DA0 ] PID: 2164, 708608 bytes
    0x04980000 Hidden Image-->TdmUtilC.dll [ EPROCESS 0x897EFDA0 ] PID: 2968, 708608 bytes
    0x032F0000 Hidden Image-->TdmWmiProvider.dll [ EPROCESS 0x891D0698 ] PID: 464, 823296 bytes
    seebo, Jan 3, 2011
    #22

  3. Broni Malware Annihilator Posts: 40,034   +187

    Please download The Avenger by Swandog46 to your Desktop.
    - Right click on the Avenger.zip folder and select Extract All...
    - Follow the prompts and extract the avenger folder to your desktop

    Double click on avenger.exe.
    Click OK in pop-up window.

    Avenger window will open.

    Click on Execute button.
    Click OK in two consecutive pop-up windows.

    Your computer will re-boot now.

    Upon re-boot, Notepad window will open.
    Select all text, copy it, and paste it into next reply.

    NOTE. If the log doesn't open on reboot, open Avenger again, and go File>Open Log File.
    Broni, Jan 3, 2011
    #23

  4. seebo Newcomer, in training Posts: 38

    Here you go... I checked Mozilla, still getting redirects. ~Seebo

    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!


    Completed script processing.

    *******************

    Finished! Terminate.
    seebo, Jan 3, 2011
    #24

  5. Broni Malware Annihilator Posts: 40,034   +187

    Go Start>Run ("Start search" in Vista and Win 7), type in:
    cmd
    Click OK (hit Enter in Vista and Win 7).

    At Command Prompt, paste this:
    ipconfig /all>c:\ipconfig_all.txt&notepad c:\ipconfig_all.txt&exit
    Hit Enter.

    Copy and paste what you see in Notepad into a Reply here.
    Broni, Jan 3, 2011
    #25

  6. seebo Newcomer, in training Posts: 38

    Here it is...

    Windows IP Configuration



    Host Name . . . . . . . . . . . . : usp09-smetraux

    Primary Dns Suffix . . . . . . . : jungle.usip.edu

    Node Type . . . . . . . . . . . . : Unknown

    IP Routing Enabled. . . . . . . . : No

    WINS Proxy Enabled. . . . . . . . : No

    DNS Suffix Search List. . . . . . : jungle.usip.edu

    usip.edu



    Ethernet adapter Wireless Network Connection:



    Connection-specific DNS Suffix . :

    Description . . . . . . . . . . . : Dell Wireless 1397 WLAN Mini-Card

    Physical Address. . . . . . . . . : 00-24-2C-A1-27-75

    Dhcp Enabled. . . . . . . . . . . : Yes

    Autoconfiguration Enabled . . . . : Yes

    IP Address. . . . . . . . . . . . : 192.168.1.4

    Subnet Mask . . . . . . . . . . . : 255.255.255.0

    Default Gateway . . . . . . . . . : 192.168.1.1

    DHCP Server . . . . . . . . . . . : 192.168.1.1

    DNS Servers . . . . . . . . . . . : 192.168.1.1

    Lease Obtained. . . . . . . . . . : Monday, January 03, 2011 6:20:22 PM

    Lease Expires . . . . . . . . . . : Tuesday, January 04, 2011 6:20:22 PM



    Ethernet adapter Local Area Connection:



    Media State . . . . . . . . . . . : Media disconnected

    Description . . . . . . . . . . . : Intel(R) 82567LM Gigabit Network Connection

    Physical Address. . . . . . . . . : 00-24-E8-AF-90-C0
    seebo, Jan 3, 2011
    #26
     

  7. Broni Malware Annihilator Posts: 40,034   +187

    Looks normal....

    Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.
    Upload following files to http://www.virustotal.com/ for security check:
    - C:\Windows\system32\DRIVERS\volsnap.sys
    IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
    Post scan results.
    Broni, Jan 3, 2011
    #27

  8. seebo Newcomer, in training Posts: 38

    looks good:

    File name:
    volsnap.sys
    Submission date:
    2011-01-04 00:17:18 (UTC)
    Current status:
    queued queued analysing finished
    Result:
    0/ 43 (0.0%)
    seebo, Jan 3, 2011
    #28

  9. Broni Malware Annihilator Posts: 40,034   +187

    Go to Kaspersky website and perform an online antivirus scan.

    • Disable your active antivirus program.
    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
    Broni, Jan 3, 2011
    #29

  10. seebo Newcomer, in training Posts: 38

    Hi Broni,

    Entering day 3 of our little correspondence.

    I tried running the Kaspersky anti-virus scan and got about halfway through downloading their extensive updates when the download aborted. Subsequent download attempts instructed me to go to their product site, which offer a 30-day free trial on their antivirus software, but I haven't downloaded anything there yet.

    So again, I look to you for direction. And again, I thank you for your help sofar.

    Seebo
    seebo, Jan 4, 2011
    #30

  11. Broni Malware Annihilator Posts: 40,034   +187

    Please click HERE to download Kaspersky Virus Removal Tool.

    • Double click on the file you just downloaded and let it install.
    • It will install to your desktop.
    • After that leave what is selected and put a check next to My Computer.
    • Click on the option that says Threat Detection and change it to Disinfect,delete if disinfection fails.
    • Then click on Start Scan.
    • Before it is done it may prompt for action regardless of the setting so choose delete if prompted.
    • When the scan is done no log will be produced.
    • Click on the bottom where it says Report to open the report.
    • Then highlight of of the items found by using ctrl + a on your keyboard to select all or use your mouse to select all then right click and choose copy.
    • This will copy the items that it found to the clipboard you can then open notepad (go to start then run then type in notepad) and choose paste to paste the contents into Notepad.
    • You can save this on the desktop.
    • Post the contents of the document in your next reply.
    Broni, Jan 4, 2011
    #31

  12. seebo Newcomer, in training Posts: 38

    Here is the Kaspersky report.

    Browser is still getting redirected.

    Autoscan: completed 4 minutes ago (events: 8, objects: 308272, time: 02:17:11)
    1/4/2011 10:04:49 PM Task started
    1/4/2011 10:07:54 PM Detected: Trojan-Downloader.Java.OpenConnection.cf C:\Documents and Settings\s.metrau\Application Data\Sun\Java\Deployment\cache\6.0\54\14e8f6f6-1e5919db/bpac/a.class
    1/4/2011 10:30:58 PM Detected: Packed.Win32.Krap.hc C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP373\A0082267.exe
    1/4/2011 11:23:47 PM Deleted: Trojan-Downloader.Java.OpenConnection.cf C:\Documents and Settings\s.metrau\Application Data\Sun\Java\Deployment\cache\6.0\54\14e8f6f6-1e5919db/bpac/a.class
    1/4/2011 11:23:47 PM Detected: Trojan-Downloader.Java.OpenConnection.cg C:\Documents and Settings\s.metrau\Application Data\Sun\Java\Deployment\cache\6.0\54\14e8f6f6-1e5919db/bpac/KAVS.class
    1/4/2011 11:23:58 PM Deleted: Trojan-Downloader.Java.OpenConnection.cg C:\Documents and Settings\s.metrau\Application Data\Sun\Java\Deployment\cache\6.0\54\14e8f6f6-1e5919db/bpac/KAVS.class
    1/4/2011 11:24:00 PM Deleted: Packed.Win32.Krap.hc C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP373\A0082267.exe
    1/5/2011 12:22:00 AM Task completed
    seebo, Jan 5, 2011
    #32

  13. Broni Malware Annihilator Posts: 40,034   +187

    I assume, both browsers, correct?

    I suspect, our issue lies here:
    I just noticed, that those two entries weren't removed by OTL.

    Let's try couple of things...

    1. Clear your Java Cache

    • Go Start>Control Panel (Classic View)>Java
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - leave BOTH checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.
      • Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

    2. Delete your Combofix file....

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
    Broni, Jan 5, 2011
    #33

  14. seebo Newcomer, in training Posts: 38

    Broni,

    Did both of your suggestions. Mozilla and IE are still getting redirected on searches.

    Seebo

    ComboFix 11-01-04.04 - s.metrau 01/05/2011 7:01.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3536.2900 [GMT -5:00]
    Running from: c:\documents and settings\s.metrau\My Documents\Downloads\ComboFix.exe
    AV: McAfee VirusScan Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\zip.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-12-05 to 2011-01-05 )))))))))))))))))))))))))))))))
    .

    2011-01-03 22:35 . 2011-01-03 22:35 574 ----a-w- C:\cleanup.bat
    2011-01-03 20:21 . 2011-01-03 20:21 -------- d-----w- C:\_OTL
    2011-01-03 15:29 . 2011-01-03 15:29 -------- d-----w- c:\documents and settings\s.metrau\Local Settings\Application Data\Temp
    2011-01-02 19:47 . 2011-01-02 19:47 -------- d-----w- c:\program files\Common Files\Java
    2011-01-02 19:46 . 2010-11-12 23:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-01-02 19:46 . 2010-11-12 23:53 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2010-12-26 13:32 . 2010-12-26 13:32 -------- d-----w- c:\program files\iPod
    2010-12-26 13:32 . 2010-12-26 13:34 -------- d-----w- c:\program files\iTunes
    2010-12-15 20:41 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-15 16:43 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-05 11:43 . 2009-08-10 18:33 0 ----a-w- c:\documents and settings\s.metrau\Local Settings\Application Data\WavXMapDrive.bat
    2010-12-20 23:09 . 2009-08-10 17:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-20 23:08 . 2009-08-10 17:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-11-18 18:12 . 2008-04-25 21:27 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-12 21:34 . 2009-06-09 00:15 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-11-06 00:34 . 2008-04-25 16:16 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:34 . 2008-04-25 16:16 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-11-06 00:34 . 2008-04-25 16:16 1830912 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-06 00:34 . 2008-04-25 16:16 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-11-03 12:25 . 2008-04-25 16:16 389120 ----a-w- c:\windows\system32\html.iec
    2010-11-02 15:17 . 2008-04-25 16:16 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
    2010-10-28 13:13 . 2008-04-25 16:16 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:27 . 2008-04-25 16:16 1862272 ----a-w- c:\windows\system32\win32k.sys
    2010-10-07 17:23 . 2010-10-07 17:23 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-10-07 17:23 . 2010-10-07 17:23 107808 ----a-w- c:\windows\system32\dns-sd.exe
    .

    ((((((((((((((((((((((((((((( SnapShot@2011-01-03_03.28.17 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-01-05 11:40 . 2011-01-05 11:40 16384 c:\windows\Temp\Perflib_Perfdata_624.dat
    - 2008-04-25 16:16 . 2011-01-03 03:28 80480 c:\windows\system32\perfc009.dat
    + 2008-04-25 16:16 . 2011-01-05 11:45 80480 c:\windows\system32\perfc009.dat
    + 2010-02-20 22:04 . 2011-01-04 16:51 55304 c:\windows\system32\mlfcache.dat
    + 2011-01-03 20:29 . 2011-01-05 11:40 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2011-01-02 17:52 . 2011-01-03 02:42 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2009-06-18 19:51 . 2011-01-05 11:40 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2009-06-18 19:51 . 2011-01-03 02:42 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2009-06-18 19:51 . 2011-01-03 02:42 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2009-06-18 19:51 . 2011-01-05 11:40 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2008-04-25 16:16 . 2011-01-05 11:45 467430 c:\windows\system32\perfh009.dat
    - 2008-04-25 16:16 . 2011-01-03 03:28 467430 c:\windows\system32\perfh009.dat
    + 2007-07-11 17:27 . 2010-11-06 00:34 380928 c:\windows\system32\ieapfltr.dll
    - 2007-07-11 17:27 . 2010-09-09 13:38 380928 c:\windows\system32\ieapfltr.dll
    - 2009-08-10 17:35 . 2010-09-09 13:38 380928 c:\windows\system32\dllcache\ieapfltr.dll
    + 2009-08-10 17:35 . 2010-11-06 00:34 380928 c:\windows\system32\dllcache\ieapfltr.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
    @="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
    [HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
    2009-01-14 15:24 40960 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
    @="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
    [HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
    2009-01-14 15:24 40960 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-02-22 200704]
    "AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-03-17 729088]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-26 134656]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-26 166912]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 134656]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-11 186904]
    "ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2008-12-19 184320]
    "WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2008-12-22 145408]
    "SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2009-01-16 656696]
    "EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2009-01-16 95544]
    "DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-01-19 667648]
    "USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2009-01-16 15360]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-06-09 2220032]
    "DellConnectionManager"="c:\program files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe" [2009-03-01 1810432]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-21 198160]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-11-02 2508104]
    "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-8-15 604776]
    Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2009-2-6 1095456]
    Printkey2000.lnk - c:\program files\PrintKey2000\Printkey2000.exe [2009-8-10 869376]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-8-10 106560]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Datatel\\UI\\wIntegSM.exe"=
    "c:\\Program Files\\Datatel\\UI\\datatel.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [4/19/2007 5:56 AM 133968]
    R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [12/29/2008 11:07 AM 320800]
    R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [1/22/2009 10:19 AM 808296]
    R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [1/22/2009 10:19 AM 20840]
    R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [2/6/2009 8:06 PM 443168]
    R2 SMManager;Smith Micro Connection Manager Service;c:\program files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe [3/1/2009 6:09 PM 77824]
    R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [6/8/2009 10:05 PM 112512]
    R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [6/8/2009 10:05 PM 32808]
    R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [6/8/2009 10:05 PM 244368]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [6/8/2009 10:05 PM 109568]
    R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [6/8/2009 7:26 PM 232744]
    S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [4/19/2007 5:28 AM 42832]
    S3 Normandy;Normandy SR2; [x]
    S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NvtSp50.sys --> c:\windows\system32\Drivers\NvtSp50.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-02 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://campus.usip.edu/
    uInternet Settings,ProxyServer = http=127.0.0.1:8074
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    Trusted Zone: usip.edu\campus
    FF - ProfilePath - c:\documents and settings\s.metrau\Application Data\Mozilla\Firefox\Profiles\fmzr22gc.default\
    FF - prefs.js: browser.startup.homepage - usp.edu
    FF - prefs.js: network.proxy.type - 4
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\real\realplayer\browserrecord\firefox\ext
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-05 07:28
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    C:\sccfg.sys 370 bytes

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    Completion time: 2011-01-05 07:43:43
    ComboFix-quarantined-files.txt 2011-01-05 12:43
    ComboFix2.txt 2011-01-03 03:44

    Pre-Run: 116,843,421,696 bytes free
    Post-Run: 117,512,683,520 bytes free

    - - End Of File - - A40D16B2E0B3248B0475F7E13865A962
    seebo, Jan 5, 2011
    #34

  15. Broni Malware Annihilator Posts: 40,034   +187

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad .exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:8074
uInternet Settings,ProxyOverride = <local>

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    Broni, Jan 5, 2011
    #35

  16. seebo Newcomer, in training Posts: 38

    Thanks Broni

    Both browsers are still redirecting.

    Here is the log

    ComboFix 11-01-05.01 - s.metrau 01/05/2011 21:42:22.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3536.2880 [GMT -5:00]
    Running from: c:\documents and settings\s.metrau\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\s.metrau\Desktop\malware stuff\CFScript.txt
    AV: McAfee VirusScan Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    .

    ((((((((((((((((((((((((( Files Created from 2010-12-06 to 2011-01-06 )))))))))))))))))))))))))))))))
    .

    2011-01-03 22:35 . 2011-01-03 22:35 574 ----a-w- C:\cleanup.bat
    2011-01-03 20:21 . 2011-01-03 20:21 -------- d-----w- C:\_OTL
    2011-01-03 15:29 . 2011-01-03 15:29 -------- d-----w- c:\documents and settings\s.metrau\Local Settings\Application Data\Temp
    2011-01-02 19:47 . 2011-01-02 19:47 -------- d-----w- c:\program files\Common Files\Java
    2011-01-02 19:46 . 2010-11-12 23:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-01-02 19:46 . 2010-11-12 23:53 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2010-12-26 13:32 . 2010-12-26 13:32 -------- d-----w- c:\program files\iPod
    2010-12-26 13:32 . 2010-12-26 13:34 -------- d-----w- c:\program files\iTunes
    2010-12-15 20:41 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-15 16:43 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-06 00:04 . 2009-08-10 18:33 0 ----a-w- c:\documents and settings\s.metrau\Local Settings\Application Data\WavXMapDrive.bat
    2010-12-20 23:09 . 2009-08-10 17:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-20 23:08 . 2009-08-10 17:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-11-18 18:12 . 2008-04-25 21:27 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-12 21:34 . 2009-06-09 00:15 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-11-06 00:34 . 2008-04-25 16:16 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:34 . 2008-04-25 16:16 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-11-06 00:34 . 2008-04-25 16:16 1830912 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-06 00:34 . 2008-04-25 16:16 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-11-03 12:25 . 2008-04-25 16:16 389120 ----a-w- c:\windows\system32\html.iec
    2010-11-02 15:17 . 2008-04-25 16:16 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
    2010-10-28 13:13 . 2008-04-25 16:16 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:27 . 2008-04-25 16:16 1862272 ----a-w- c:\windows\system32\win32k.sys
    .

    ((((((((((((((((((((((((((((( SnapShot@2011-01-03_03.28.17 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-01-06 00:04 . 2011-01-06 00:04 16384 c:\windows\Temp\Perflib_Perfdata_658.dat
    - 2008-04-25 16:16 . 2011-01-03 03:28 80480 c:\windows\system32\perfc009.dat
    + 2008-04-25 16:16 . 2011-01-06 00:08 80480 c:\windows\system32\perfc009.dat
    + 2010-02-20 22:04 . 2011-01-04 16:51 55304 c:\windows\system32\mlfcache.dat
    + 2011-01-03 20:29 . 2011-01-06 00:03 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2011-01-02 17:52 . 2011-01-03 02:42 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2009-06-18 19:51 . 2011-01-06 00:03 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2009-06-18 19:51 . 2011-01-03 02:42 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2009-06-18 19:51 . 2011-01-03 02:42 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2009-06-18 19:51 . 2011-01-06 00:03 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2008-04-25 16:16 . 2011-01-06 00:08 467430 c:\windows\system32\perfh009.dat
    - 2008-04-25 16:16 . 2011-01-03 03:28 467430 c:\windows\system32\perfh009.dat
    + 2007-07-11 17:27 . 2010-11-06 00:34 380928 c:\windows\system32\ieapfltr.dll
    - 2007-07-11 17:27 . 2010-09-09 13:38 380928 c:\windows\system32\ieapfltr.dll
    - 2009-08-10 17:35 . 2010-09-09 13:38 380928 c:\windows\system32\dllcache\ieapfltr.dll
    + 2009-08-10 17:35 . 2010-11-06 00:34 380928 c:\windows\system32\dllcache\ieapfltr.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
    @="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
    [HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
    2009-01-14 15:24 40960 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
    @="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
    [HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
    2009-01-14 15:24 40960 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-02-22 200704]
    "AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-03-17 729088]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-26 134656]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-26 166912]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 134656]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-11 186904]
    "ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2008-12-19 184320]
    "WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2008-12-22 145408]
    "SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2009-01-16 656696]
    "EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2009-01-16 95544]
    "DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-01-19 667648]
    "USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2009-01-16 15360]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-06-09 2220032]
    "DellConnectionManager"="c:\program files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe" [2009-03-01 1810432]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-21 198160]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-11-02 2508104]
    "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-8-15 604776]
    Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2009-2-6 1095456]
    Printkey2000.lnk - c:\program files\PrintKey2000\Printkey2000.exe [2009-8-10 869376]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-8-10 106560]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Datatel\\UI\\wIntegSM.exe"=
    "c:\\Program Files\\Datatel\\UI\\datatel.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [4/19/2007 5:56 AM 133968]
    R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [12/29/2008 11:07 AM 320800]
    R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [1/22/2009 10:19 AM 808296]
    R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [1/22/2009 10:19 AM 20840]
    R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [2/6/2009 8:06 PM 443168]
    R2 SMManager;Smith Micro Connection Manager Service;c:\program files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe [3/1/2009 6:09 PM 77824]
    R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [6/8/2009 10:05 PM 112512]
    R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [6/8/2009 10:05 PM 32808]
    R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [6/8/2009 10:05 PM 244368]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [6/8/2009 10:05 PM 109568]
    R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [6/8/2009 7:26 PM 232744]
    S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [4/19/2007 5:28 AM 42832]
    S3 Normandy;Normandy SR2; [x]
    S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NvtSp50.sys --> c:\windows\system32\Drivers\NvtSp50.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-02 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://campus.usip.edu/
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    Trusted Zone: usip.edu\campus
    FF - ProfilePath - c:\documents and settings\s.metrau\Application Data\Mozilla\Firefox\Profiles\fmzr22gc.default\
    FF - prefs.js: browser.startup.homepage - usp.edu
    FF - prefs.js: network.proxy.type - 4
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\real\realplayer\browserrecord\firefox\ext
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-05 22:17
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    C:\sccfg.sys 370 bytes

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(4168)
    c:\windows\system32\WININET.dll
    c:\windows\system32\igfxdo.dll
    c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
    c:\windows\system32\btmmhook.dll
    c:\program files\Windows Desktop Search\deskbar.dll
    c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
    c:\program files\Windows Desktop Search\dbres.dll
    c:\program files\Windows Desktop Search\wordwheel.dll
    c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
    c:\program files\Windows Desktop Search\msnlExtRes.dll
    c:\windows\system32\ieframe.dll
    .
    Completion time: 2011-01-05 22:35:19
    ComboFix-quarantined-files.txt 2011-01-06 03:34
    ComboFix2.txt 2011-01-05 12:43
    ComboFix3.txt 2011-01-03 03:44

    Pre-Run: 117,209,178,112 bytes free
    Post-Run: 117,453,590,528 bytes free

    - - End Of File - - 10BC147F5F00482ED2097D90D9E29337
    seebo, Jan 5, 2011
    #36

  17. Broni Malware Annihilator Posts: 40,034   +187

    The offending entries are gone.

    Are you at home?

    If so, I still suggest...

    Go Start>Run (Start search in Vista), type in:
    cmd
    Click OK (in Vista and Windows 7, while holding CTRL, and SHIFT, press Enter).

    In Command Prompt window, type in following commands, and hit Enter after each one:
    ipconfig /flushdns
    ipconfig /registerdns
    ipconfig /release
    ipconfig /renew
    net stop "dns client"
    net start "dns client"


    Turn the computer off.

    On your router, you'll find a pinhole marked "Reset".
    Keep pushing the hole, using a pencil, or a paperclip until all lights briefly come off and on.
    NOTE. Simple router disconnecting from a power source will NOT do.
    Restart computer and check for redirections.

    NOTE. You may need to re-check your router security settings, as described HERE
    Broni, Jan 5, 2011
    #37

  18. seebo Newcomer, in training Posts: 38

    As usual, I followed instructions.

    After resetting the router I went back to Mozilla, and got the same redirect crap. I messed with this for a few minutes. Redirect after redirect.

    Then I went to Explorer and tried a search. All went well. I tried this a few times, and the searches worked fine.

    Then I went back to Mozilla and now the searches there work fine too.

    Curious, but the redirects appear to be gone.

    Anything else?
    seebo, Jan 6, 2011
    #38

  19. seebo Newcomer, in training Posts: 38

    I tried searching again this morning and, unfortunately, its back to the same redirect ****.

    On both browsers. I tried opening and closing both Mozilla and Internet Explorer a few times and on all occasions was redirected in my searching.

    For a little while, at least, it looked as though this was gone.

    Seebo
    seebo, Jan 6, 2011
    #39

  20. Broni Malware Annihilator Posts: 40,034   +187

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
    Broni, Jan 6, 2011
    #40
Page 2 of 4
Topic Status:
Not open for further replies.

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...

Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.