Browser Hijack - LAN wide

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

3 Pages
1
2
3
→

You cannot start a new topic
This topic is locked

Browser Hijack - LAN wide The browsers on all my computers have been hijacked

#1 arizonaredhead

Member

Group: Members
Posts: 33
Joined: 17-July 10

Posted 17 August 2010 - 10:29 PM

I had Antimalware Doctor on my desktop, I got rid of it, but since then all the computers (including my Mac) that are part of my LAN have had their browswers hijacked. What this means is, when I run a search, say with google, and I get a list of hits, when I click on one of the links, my browser gets redirected to some crazy page like "Video Cop", it even says in the address bar as it is loading something to this effect "google.redirect5.com" or something like that. It comes and goes too, sometimes everthing works fine , other times browsing is a nightmare.

here is the dds log and i've attached the other two logs. Thanks for your help, this is really driving me crazy, I have used every malware removal tool, system scanner etc. that I could find. I even downloaded ViRobot and installed that on all my machines after i uninstalled the McAffees. I'm running Microsoft's Security Essentials too, and lavasoft's "adaware" .

DDS (Ver_10-03-17.01) - NTFSx86
Run by HP_Administrator at 19:53:10.55 on Tue 08/17/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1458 [GMT -7:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning enabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: HAURI AntiVirus ViRobot *On-access scanning enabled* (Updated) {0E1A4B6B-60E9-4B3A-8031-1950BD69B260}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdateMgr.exe
svchost.exe
C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DISC\DiscGui.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hauri\ViRobot Desktop 5.5\AccessControl\HFACSvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hauri\ViRobot Desktop 5.5\hpcsvc.exe
C:\Program Files\Hauri\Common\hsvcmod.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\Hauri\Common\Base\vrscan.exe
C:\Program Files\Hauri\ViRobot Desktop 5.5\PCFirewall\vrfwsvc.exe
C:\Program Files\Hauri\ViRobot Desktop 5.5\AccessControl\vrptsvc.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Hauri\ViRobot Desktop 5.5\PCFirewall\vrfwsock.exe
C:\Program Files\Hauri\Common\Base\vrmonsvc.exe
C:\Program Files\Hauri\Common\Base\vrmonnt.exe
C:\Program Files\Hauri\Common\Base\vrrepair.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: IEHelpObj Class: {ec45e3fe-c16d-4f24-9238-d1b49ad74815} - c:\program files\hauri\virobot desktop 5.5\service\hWebMan.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10h_ActiveX.exe -update activex
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [DISCover] c:\program files\disc\DISCover.exe
mRun: [DiscUpdateManager] c:\program files\disc\DiscUpdateMgr.exe
mRun: [DMAScheduler] c:\program files\sonic\digitalmedia plus\digitalmedia archive\DMAScheduler.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [<NO NAME>]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [Vrmon] c:\program files\hauri\common\base\VRMONNT.EXE
mRun: [HEProtect] c:\program files\hauri\virobot desktop 5.5\antispam\HSockPE.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~2.lnk - c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1279769830550
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\h4oc3sk8.default\
FF - plugin: c:\documents and settings\hp_administrator\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-7-26 64288]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R1 vrptcomn;vrptcomn;c:\windows\system32\drivers\vrptcomn.sys [2010-8-6 91760]
R2 hpcsvc;ViRobot Communication Service;c:\program files\hauri\virobot desktop 5.5\hpcsvc.exe [2010-8-6 513616]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-12 1355416]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 ViRobot Common Scan Service;ViRobot Common Scan Service;c:\program files\hauri\common\base\vrscan.exe [2010-8-6 176128]
R2 vrptself;vrptself;c:\program files\hauri\virobot desktop 5.5\accesscontrol\vrptself.sys [2010-8-6 329072]
R2 vrptsvc;Hauri Self Protect Service;c:\program files\hauri\virobot desktop 5.5\accesscontrol\vrptsvc.exe [2010-8-6 247152]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15008]
R3 VRFWNTD5;VRFWNTD5 Hauri Network Driver;c:\windows\system32\drivers\VRFWNTD5.SYS [2010-8-6 84736]
R3 vrrepair;ViRobot Repairing Service;c:\program files\hauri\common\base\vrrepair.exe [2010-8-6 502368]
R3 VRsecos;VRsecos;c:\windows\system32\drivers\VRsecos.sys [2010-8-6 21016]
S3 VrAdUtil;VrAdUtil;c:\program files\hauri\common\base\VrAdUtil.sys [2010-8-6 79480]

=============== Created Last 30 ================

2010-08-18 02:52:21 0 ----a-w- c:\documents and settings\hp_administrator\defogger_reenable
2010-08-17 02:54:20 0 d-----w- C:\getservices
2010-08-17 02:53:36 130337 ----a-w- C:\getservices.zip
2010-08-14 04:36:40 0 d-----w- c:\program files\common files\Control Panels
2010-08-14 01:41:35 0 d-----w- c:\program files\Microsoft
2010-08-14 01:41:20 0 d-----w- c:\program files\Windows Live SkyDrive
2010-08-14 01:13:37 0 d-----w- c:\program files\common files\Windows Live
2010-08-08 00:18:59 70628 ---ha-w- c:\windows\system32\mlfcache.dat
2010-08-07 21:29:18 0 d-----w- c:\program files\Trend Micro
2010-08-07 02:30:45 0 d-----w- c:\docume~1\hp_adm~1\applic~1\HAURI
2010-08-07 01:24:08 91760 ----a-w- c:\windows\system32\drivers\vrptcomn.sys
2010-08-07 01:09:24 46576 ------w- c:\windows\system32\drivers\vracfil.sys
2010-08-07 01:09:23 21016 ------w- c:\windows\system32\drivers\VRsecos.sys
2010-08-07 01:09:21 84736 ----a-w- c:\windows\system32\drivers\VRFWNTD5.SYS
2010-08-07 01:09:17 117232 ----a-w- c:\windows\system32\drivers\vradfil.sys
2010-08-07 01:09:04 403051 ------w- c:\windows\system32\drivers\virobot.vib
2010-08-07 01:08:11 0 d-----w- c:\program files\Hauri
2010-08-06 01:47:24 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-08-06 01:43:34 0 d-----w- c:\program files\Microsoft Security Essentials
2010-08-04 02:44:00 0 d-----w- c:\windows\SHELLNEW
2010-08-04 01:37:24 3244 ----a-w- c:\windows\system32\wbem\Outlook_01cb337596be55bc.mof
2010-07-30 02:08:50 0 d-----w- c:\program files\MSECache
2010-07-27 12:38:26 0 d-----w- c:\windows\system32\scripting
2010-07-27 12:38:26 0 d-----w- c:\windows\l2schemas
2010-07-27 12:38:25 0 d-----w- c:\windows\system32\en
2010-07-27 12:38:25 0 d-----w- c:\windows\system32\bits
2010-07-27 12:35:44 0 d-----w- c:\windows\network diagnostic
2010-07-27 04:19:18 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-27 01:36:27 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-27 01:36:24 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-27 01:12:38 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-27 01:12:25 0 d-----w- c:\program files\Lavasoft
2010-07-26 02:27:07 0 d-sh--w- c:\documents and settings\hp_administrator\IECompatCache
2010-07-26 02:02:22 0 d-sh--w- c:\documents and settings\hp_administrator\PrivacIE
2010-07-26 02:00:54 0 d-sh--w- c:\documents and settings\hp_administrator\IETldCache
2010-07-26 01:25:10 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-07-26 01:25:10 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-07-26 01:25:10 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-07-26 01:25:10 1986560 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-07-26 01:25:10 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-07-26 01:25:10 11077120 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-07-26 01:25:09 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-07-26 01:25:04 0 d-----w- c:\windows\ie8updates
2010-07-26 01:24:58 41984 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-07-26 01:24:14 0 dc-h--w- c:\windows\ie8
2010-07-25 04:01:25 1652688 ----a-w- c:\windows\PCTBDCore.dll.old
2010-07-25 03:58:30 0 d-----w- c:\program files\Spyware Doctor
2010-07-24 23:22:23 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-07-24 23:22:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-07-24 23:22:12 0 d-----w- c:\program files\Hitman Pro 3.5
2010-07-24 22:52:49 0 d-----w- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
2010-07-24 22:52:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-24 22:52:41 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-24 22:52:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-24 22:52:40 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-24 10:26:08 0 d-----w- c:\windows\system32\LogFiles
2010-07-24 02:08:10 0 d-----w- c:\docume~1\hp_adm~1\applic~1\Seraline
2010-07-24 02:07:58 1560576 ----a-w- c:\windows\system32\Seractal4.scr
2010-07-24 02:07:58 0 d-----w- c:\program files\Seraline
2010-07-23 02:49:00 93 ----a-w- c:\windows\brpcfx.ini
2010-07-23 02:49:00 244 ----a-w- c:\windows\Brpfx04a.ini
2010-07-23 02:47:57 5120 ------w- c:\windows\system32\BrDctF2L.dll
2010-07-23 02:47:57 176128 ------w- c:\windows\system32\BroSNMP.dll
2010-07-23 02:47:56 73728 ------w- c:\windows\system32\BrDctF2.dll
2010-07-23 02:47:56 3072 ------w- c:\windows\system32\BrDctF2S.dll
2010-07-23 02:47:55 1522176 ----a-w- c:\windows\system32\BrWia08a.dll
2010-07-23 02:47:51 167936 ------w- c:\windows\system32\NSSearch.dll
2010-07-23 02:47:45 0 d-----w- c:\program files\Brother
2010-07-23 02:44:12 0 d-----w- c:\program files\Nuance
2010-07-23 02:43:51 31567 ----a-w- c:\windows\maxlink.ini
2010-07-23 02:43:14 0 d-----w- c:\program files\common files\ScanSoft Shared
2010-07-23 02:43:01 0 d-----w- c:\program files\ScanSoft
2010-07-23 02:41:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Brother
2010-07-23 02:18:40 0 d-----w- c:\docume~1\alluse~1\applic~1\ALM
2010-07-23 02:05:58 2463976 ----a-w- c:\windows\system32\NPSWF32.dll
2010-07-23 02:05:58 190696 ----a-w- c:\windows\system32\NPSWF32_FlashUtil.exe
2010-07-23 02:00:02 0 d-----w- c:\program files\Bonjour
2010-07-23 01:53:57 0 d-----w- c:\program files\common files\Macrovision Shared
2010-07-23 01:35:44 0 d-----w- c:\windows\system32\appmgmt
2010-07-23 01:14:09 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-07-23 01:14:09 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-07-23 01:01:47 0 d-----w- c:\program files\MSXML 4.0
2010-07-22 14:22:03 0 d-----w- c:\windows\ServicePackFiles
2010-07-22 14:16:59 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-07-22 14:14:52 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
2010-07-22 13:58:02 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2010-07-22 13:58:01 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-07-22 13:56:58 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2010-07-22 13:54:54 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2010-07-22 13:51:16 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2010-07-22 13:50:15 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-07-22 13:50:14 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2010-07-22 13:45:02 0 d-----w- c:\windows\system32\PreInstall
2010-07-22 04:21:54 183 ----a-w- c:\windows\system\hpsysdrv.DAT
2010-07-22 04:20:54 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-07-22 04:20:53 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-07-22 04:20:50 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-07-22 04:20:46 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-07-22 04:20:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-07-22 03:35:26 0 d-s---w- c:\documents and settings\hp_administrator\UserData
2010-07-22 03:34:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-07-22 03:34:53 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-22 03:32:39 0 d-sh--w- C:\cmdcons
2010-07-22 03:32:38 0 d-----w- c:\windows\setup.pss
2010-07-22 03:32:29 0 d-----w- c:\windows\setupupd
2010-07-22 03:30:22 1904 --sha-r- c:\windows\system32\drivers\103C_HP_CPC_ER891AA-ABA A1412N_YC_0Pavi_QMXR611_E62NAemMPA1_48_IEMERY_SASUSTek Computer INC._V1.05_B3.18_T061110_WXP2_L409_M2559_J200_7Intel_8Pentium D_92.8_#100722_N808627DC_Z11C1048C_G10DE0162.MRK
2010-07-22 03:25:44 0 d-----w- c:\docume~1\hp_adm~1\applic~1\Intuit
2010-07-22 03:23:04 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-07-22 03:03:44 0 d-----r- c:\documents and settings\all users\Documents
2010-07-22 03:01:56 0 d-----r- c:\windows\Offline Web Pages
2010-07-22 02:58:46 0 d-sh--r- c:\windows\system32\dllcache

==================== Find3M ====================

2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:22:03 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2010-06-24 12:22:02 1210368 ------w- c:\windows\system32\dllcache\urlmon.dll
2010-06-24 12:22:01 611840 ------w- c:\windows\system32\dllcache\mstime.dll
2010-06-24 12:22:01 5951488 ------w- c:\windows\system32\dllcache\mshtml.dll
2010-06-24 12:22:01 206848 ------w- c:\windows\system32\dllcache\occache.dll
2010-06-24 12:21:59 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2010-06-24 12:21:58 184320 ------w- c:\windows\system32\dllcache\iepeers.dll
2010-06-24 12:21:55 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys
2010-06-23 12:08:09 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-06-21 15:27:11 354304 ------w- c:\windows\system32\drivers\srv.sys
2010-06-21 15:27:11 354304 ------w- c:\windows\system32\dllcache\srv.sys
2010-06-18 13:36:12 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-06-17 14:03:00 80384 ------w- c:\windows\system32\iccvid.dll
2010-06-14 14:31:20 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-14 07:41:45 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2007-03-03 00:11:00 32 --sha-w- c:\windows\sminst\HPCD.SYS

============= FINISH: 19:53:52.63 ===============

Attached File(s)

ark.log (12.66K)
Number of downloads: 6
Attach.txt (18.96K)
Number of downloads: 5

#2 elise025

Bleepin' Blonde

Group: Malware Study Hall Admin
Posts: 36,075
Joined: 05-October 07
Gender:Female
Location:Romania

Posted 25 August 2010 - 05:08 AM

Hello ,
And to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

Please download OTL from one of the following mirrors:
- This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Push the button.
Two reports will open, copy and paste them in a reply here:
- OTListIt.txt <-- Will be opened
- Extra.txt <-- Will be minimized

Please download Rootkit Unhooker and save it to your Desktop

Double-click on RKUnhookerLE to run it
Click the Report tab, then click Scan
Check Drivers, Stealth and uncheck the rest
Click OK
Wait until it's finished and then go to File > Save Report
Save the report to your Desktop

Copy the entire contents of the report and paste it in a reply here.

Note - you may get this warning it is ok, just ignore: "Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
A detailed description of your problems
A new OTL log (don't forget extra.txt)
RKU log

Thanks and again sorry for the delay.

regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton

Follow BleepingComputer on: Facebook | Twitter | Google+

#3 elise025

Bleepin' Blonde

Group: Malware Study Hall Admin
Posts: 36,075
Joined: 05-October 07
Gender:Female
Location:Romania

Posted 30 August 2010 - 07:49 AM

Due to lack of feedback, this topic will now be closed.

If you are the original topic starter and you need this topic reopened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton

Follow BleepingComputer on: Facebook | Twitter | Google+

#4 elise025

Bleepin' Blonde

Group: Malware Study Hall Admin
Posts: 36,075
Joined: 05-October 07
Gender:Female
Location:Romania

Posted 02 September 2010 - 09:02 AM

Topic reopened as requested.

Can you please let me know what steps you have already done and post me the requested logs?

regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton

Follow BleepingComputer on: Facebook | Twitter | Google+

#5 arizonaredhead

Member

Group: Members
Posts: 33
Joined: 17-July 10

Posted 02 September 2010 - 12:17 PM

Which logs are you refering to? The ones from the malware removal start page? I'll have to run them again since I have made other changes since the first time I ran them. Should we start with just one computer at a time?

#6 elise025

Bleepin' Blonde

Group: Malware Study Hall Admin
Posts: 36,075
Joined: 05-October 07
Gender:Female
Location:Romania

Posted 02 September 2010 - 01:33 PM

Yes, we cannot work with logs from multiple computers since that will confuse things. Just follow the steps from my first post.

regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton

Follow BleepingComputer on: Facebook | Twitter | Google+

#7 arizonaredhead

Member

Group: Members
Posts: 33
Joined: 17-July 10

Posted 02 September 2010 - 02:57 PM

Sorry Elise, I must be missing something becasue I don't see any instuctions in your first message to me.

#8 elise025

Bleepin' Blonde

Group: Malware Study Hall Admin
Posts: 36,075
Joined: 05-October 07
Gender:Female
Location:Romania

Posted 02 September 2010 - 04:11 PM

Scroll up this thread, or simple click here

regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton

Follow BleepingComputer on: Facebook | Twitter | Google+

#9 arizonaredhead

Member

Group: Members
Posts: 33
Joined: 17-July 10

Posted 02 September 2010 - 09:43 PM

Okay, here goes--
this is the rootkit report

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xAAD2A000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 4259840 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)
0xBF012000 C:\WINDOWS\System32\nv4_disp.dll 3928064 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 81.94 )
0xB93EA000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 3534848 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 81.94 )
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB927E000 C:\WINDOWS\system32\DRIVERS\AGRSM.sys 1097728 bytes (Agere Systems, SoftModem Device Driver)
0xA4780000 C:\WINDOWS\System32\Drivers\dump_iaStor.sys 876544 bytes
0xB9E4D000 iaStor.sys 876544 bytes (Intel Corporation, Intel Matrix Storage Manager driver)
0xB9D04000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xAAB2A000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB9143000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xAAC57000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA33AF000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xA2FC8000 C:\Program Files\Hauri\ViRobot Desktop 5.5\AccessControl\vrptself.sys 323584 bytes (Hauri, Inc, Virobot Self Protection driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB9DF2000 ftsata2.sys 274432 bytes (Promise Technology, Inc., Promise Driver for Windows Server 2003)
0xA342E000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB91C9000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA364F000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB9CD7000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0x9F53D000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xAAB9A000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB93AE000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xAAC2F000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB9F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xB9235000 C:\WINDOWS\system32\DRIVERS\e100b325.sys 155648 bytes (Intel Corporation, Intel® PRO/100 Adapter NDIS 5.1 driver)
0xAAC09000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xA4856000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xAAD06000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB938A000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB925B000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xAACE3000 C:\WINDOWS\system32\DRIVERS\MpFilter.sys 143360 bytes (Microsoft Corporation, Microsoft antimalware file system filter driver)
0xAABE7000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xAABC5000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
0x806E4000 ACPI_HAL 134400 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9DBA000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB9CBD000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB9E35000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB9DDA000 C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xB9D91000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB920A000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA1D96000 C:\WINDOWS\system32\drivers\VRADFIL.SYS 90112 bytes (Hauri, Inc., VR Filter for Windows NT/2K/XP/Vista/Win7)
0xA2A10000 C:\WINDOWS\System32\Drivers\VRFWNTD5.SYS 86016 bytes (Hauri Corporation, NDIS Hooking Driver for Windows 2000 above)
0xA37BA000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB9221000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xB93D6000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xAACB0000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xB9DA8000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB91F9000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xBA218000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xB9799000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA148000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xBA0B8000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xAF623000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xB09AC000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xB9789000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB4C2C000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xB099C000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA0C8000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xBA108000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xB9779000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA0E8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xB9759000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xAF643000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xB97A9000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA0D8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xB9769000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBA168000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA2F8000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xBA118000 bb-run.sys 36864 bytes (Promise Technology, Inc., Promise Disk Accelerator)
0xBA0F8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xA5A22000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xB97B9000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xB9749000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xAF653000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA1237000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xAF633000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xBA400000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xB3B1F000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xB3B47000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xBA3F8000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xB3B37000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xBA328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xA621D000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xBA3D8000 C:\WINDOWS\system32\drivers\vracfil.sys 28672 bytes (Hauri, Inc., VRAC Filter for Windows NT/2K/XP/Vista/Win7)
0xBA420000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA428000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xAC62F000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)
0xBA3F0000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xB3B2F000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xB3B27000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA410000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA338000 PxHelp20.sys 20480 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xBA418000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xBA408000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xA56B3000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xA292C000 C:\WINDOWS\system32\DRIVERS\asyncmac.sys 16384 bytes (Microsoft Corporation, MS Remote Access serial network driver)
0xA667C000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBA570000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA9365000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xA2E5C000 C:\WINDOWS\system32\drivers\VRsecos.sys 16384 bytes (HAURI, VRsecos for Windows NT/2K/XP)
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xA626D000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xB9B0C000 C:\WINDOWS\System32\DRIVERS\ELhid.sys 12288 bytes (Intel Corporation, -)
0xA6B85000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xA6684000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB9AE8000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xBA5A4000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xB9C89000 C:\WINDOWS\System32\drivers\ws2ifsl.sys 12288 bytes (Microsoft Corporation, Winsock2 IFS Layer)
0xB3D7D000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA5B0000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xBA5F2000 C:\WINDOWS\system32\DRIVERS\ELacpi.sys 8192 bytes (Intel Corporation, -)
0xB3D73000 C:\WINDOWS\System32\DRIVERS\ELkbd.sys 8192 bytes (Intel Corporation, -)
0xB3D75000 C:\WINDOWS\System32\DRIVERS\ELmon.sys 8192 bytes (Intel Corporation, -)
0xB3D77000 C:\WINDOWS\System32\DRIVERS\ELmou.sys 8192 bytes (Intel Corporation, -)
0xB3D7F000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5AE000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xB3D7B000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xB3D79000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA5F4000 C:\WINDOWS\system32\DRIVERS\serscan.sys 8192 bytes (Microsoft Corporation, Serial Imaging Device Driver)
0xBA5F6000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA5C2000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5AC000 viaide.sys 8192 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xBA5AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA6BD000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA6FC000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBA737000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================

Nothing detected

Attached File(s)

Extras.Txt (63.09K)
Number of downloads: 6
OTL.Txt (89.38K)
Number of downloads: 5

#10 elise025

Bleepin' Blonde

Group: Malware Study Hall Admin
Posts: 36,075
Joined: 05-October 07
Gender:Female
Location:Romania

Posted 03 September 2010 - 05:15 AM

Its actually a good thing if nothing shows up in a rootkit scan.

Please post me also the combofix log. It can be found at c:\log.txt

regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton

Follow BleepingComputer on: Facebook | Twitter | Google+

#11 arizonaredhead

Member

Group: Members
Posts: 33
Joined: 17-July 10

Posted 03 September 2010 - 08:26 AM

here ya go!

Attached File(s)

combofixlog.txt (27.25K)
Number of downloads: 3

#12 elise025

Bleepin' Blonde

Group: Malware Study Hall Admin
Posts: 36,075
Joined: 05-October 07
Gender:Female
Location:Romania

Posted 03 September 2010 - 09:29 AM

I see no active malware in your logs, nor did Combofix find anything significant.

Please let me know how you proceeded with the router reset. I'm almost sure your router is the culprit here, so lets concentrate on that first.

regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton

Follow BleepingComputer on: Facebook | Twitter | Google+

#13 arizonaredhead

Member

Group: Members
Posts: 33
Joined: 17-July 10

Posted 03 September 2010 - 12:07 PM

I followed the instructions sent to me by Belkin when I reported this problem to them. I too felt that it had to be the router since when my oldest boy came over to visit he used my wifi and had the hijack problem, then when he went home and used his dad's wifi, the problem was gone. Anyway from what I recall they had me use a paperclip to reset the hardware, then when the router was back online, they had me login to the router control panel and clone the mac address. I think that was it, but let me get back to you again after I dig up their email.

#14 elise025

Bleepin' Blonde

Group: Malware Study Hall Admin
Posts: 36,075
Joined: 05-October 07
Gender:Female
Location:Romania

Posted 03 September 2010 - 12:14 PM

Okay, please let me know if you still have the instructions and if you can try doing it again.

After that, post back and let me know if you see any difference.

regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton

Follow BleepingComputer on: Facebook | Twitter | Google+

#15 arizonaredhead

Member

Group: Members
Posts: 33
Joined: 17-July 10

Posted 03 September 2010 - 09:24 PM

Okay, I reset the router hardware, cloned the WAN/MAC address and applied the changes. Then since a new WEP key had been generated I had to go around and reconfigure the wireless devices. Anyway, it did not work. All my machines are still getting redirected to strange places like "cafemom" and "videocop". Sometimes when I click on a link I get the "cannot display webpage error" or on my son's it says "http 404 not found". This is ridiculus, I am getting really frustrated and I have a 2000 word paper on Criminal Justice I have to write this weekend, so I need to get some work done on that.

Tracy