First of all, thank you for taking the time to read this (and help me); I really appreciate it.
Ok, so this is kind of weird. Firstly, two days ago, whenever I would do a search in Yahoo or Google, the search results wouldn't display in the browser window. So, I downloaded ESET and Spybot and let them do their respective "things". So now the results are displayed and work fine in Google, but in Yahoo all are directed to: hkkp://travelsense-search.com/samson+microphone.html?id=1004 and the only thing that changes is the "whatever" + "whatever" search (i.e. if I was searching for blue turtles it would read hkkp://travelsense-search.com/blue+turtle.html?id=1004).
Here are the DDS and RootRepeal logs; please let me know your thoughts!
DDS (Ver_09-07-30.01) - NTFSx86
Run by Gen12.Works Image at 17:03:18.75 on Wed 09/02/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.232 [GMT -7:00]
AV: ESET Smart Security 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Notebook Hardware Control\nhc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\POP Peeper\POPPeeper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Downloads\programs\Virus_Spyware\dds.scr
============== Pseudo HJT Report ===============
uInternet Connection Wizard,ShellNext = hxxp://software-files.download.com/sd/tOoBG36mU1Hw97UqaYoSdtruRI8PzZBu9YViWKICVMhmKtl9e9v1Eh9dtoT0_lbXxTFbxIXafr3x9iQBLJ5JlpaevtjWjHmq/software/10865521/10208565/3/Firefox%20Setup%203.0.1.exe?lop=link&ptype=1720&ontid=2356&siteId=4&edId=3&spi=f48eabee7d26e0c26c4409e423bd4b0f&pid=10865521&psid=10208565
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DriverMax]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [POP Peeper] "c:\program files\pop peeper\POPPeeper.exe" -min
uRun: [UniblueSpeedUpMyPC] c:\program files\uniblue\speedupmypc\Launcher.exe -minimize
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [THotkey] "c:\program files\toshiba\toshiba applet\thotkey.exe"
mRun: [TFncKy] TFncKy.exe
mRun: [TDispVol] TDispVol.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Tvs] "c:\program files\toshiba\tvs\TvsTray.exe"
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [SmoothView] "c:\program files\toshiba\toshiba zooming utility\SmoothView.exe"
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [OPSE reminder] "c:\program files\scansoft\omnipagese2.0\eregeng\ereg.exe" -r "c:\program files\scansoft\omnipagese2.0\eregeng\ereg.ini"
mRun: [NotebookHardwareControl] "c:\program files\notebook hardware control\nhc.exe" -quiet
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1222121379859
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222211329468
DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {cafeefac-0016-0000-0015-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {cafeefac-ffff-ffff-ffff-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
AppInit_DLLs: bersk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SecurityProviders: schannel.dll, digest.dll
LSA: Notification Packages = scecli psqlpwd
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\gen12~1.wor\applic~1\mozilla\firefox\profiles\2khqmugp.default\
FF - prefs.js: browser.search.selectedEngine - Webster
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.enabled - false
FF - component: c:\documents and settings\gen12.works image\application data\mozilla\firefox\profiles\2khqmugp.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
FF - plugin: c:\documents and settings\gen12.works image\application data\mozilla\firefox\profiles\2khqmugp.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\gen12.works image\application data\mozilla\firefox\profiles\2khqmugp.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000004.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
============= SERVICES / DRIVERS ===============
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-5-14 731840]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 xwoarh;xwoarh;c:\windows\system32\drivers\xwoarh.sys [2009-8-31 175616]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2007-4-19 99200]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [2008-9-11 58240]
=============== Created Last 30 ================
2009-09-02 16:42 <DIR> --d----- c:\program files\Trend Micro
2009-09-02 12:51 <DIR> --d----- c:\docume~1\gen12~1.wor\applic~1\ESET
2009-09-02 12:50 <DIR> --d----- c:\windows\LastGood.Tmp
2009-09-02 12:49 <DIR> --d----- c:\program files\ESET
2009-09-02 11:38 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-09-02 11:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-08-31 19:39 170 a------- c:\windows\system32\conf.xml
2009-08-31 19:36 175,616 a--s---- c:\windows\system32\drivers\xwoarh.sys
2009-08-24 13:17 <DIR> --d----- c:\program files\ltmoh
2009-08-21 20:51 <DIR> --d----- c:\docume~1\gen12~1.wor\applic~1\Malwarebytes
2009-08-21 20:51 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-21 20:51 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-21 20:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-21 20:51 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-21 20:37 <DIR> --d----- c:\documents and settings\gen12.works image\ErrorLogs
2009-08-18 17:13 <DIR> --d----- c:\program files\The Creator by Ad-Sleuth
2009-08-14 13:38 <DIR> --d----- c:\docume~1\gen12~1.wor\applic~1\uniblue
2009-08-14 13:37 <DIR> --d----- c:\program files\Uniblue
2009-08-14 13:32 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{C4C0E335-EDDF-46A0-A57D-F3802AE44275}
2009-08-14 13:15 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-14 13:14 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-08-14 13:14 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-14 13:14 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-14 13:14 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-14 13:14 <DIR> --d----- C:\97e8d6fd06db038e0a9c75d44db2692a
2009-08-14 13:14 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-14 13:14 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-14 13:14 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-14 13:11 <DIR> --d----- c:\program files\MSXML 6.0
2009-08-14 13:06 <DIR> --d-hr-- C:\AHCache
2009-08-10 13:31 100,446 a------- c:\windows\system32\drivers\2120b1eb.sys
2009-08-10 13:31 47,744 a------- c:\windows\system32\drivers\7a09708a.sys
==================== Find3M ====================
2009-09-02 12:58 22,528 a------- c:\windows\system32\drivers\nhcDriver.sys
2009-08-14 13:18 18,704 a------- c:\docume~1\gen12~1.wor\applic~1\GDIPFONTCACHEV1.DAT
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-06-16 11:26 61,224 a------- c:\documents and settings\gen12.works image\GoToAssistDownloadHelper.exe
============= FINISH: 17:03:36.31 ===============
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/02 17:14
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP2
==================================================
Drivers
-------------------
Name: 00001718
Image Path: \Driver\00001718
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -
Name: 2120b1eb.sys
Image Path: C:\WINDOWS\System32\drivers\2120b1eb.sys
Address: 0xF7A0E000 Size: 54784 File Visible: No Signed: -
Status: -
Name: 7a09708a.sys
Image Path: C:\WINDOWS\System32\drivers\7a09708a.sys
Address: 0xF79FE000 Size: 47744 File Visible: No Signed: -
Status: -
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA788000 Size: 98304 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7DAE000 Size: 8192 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA96CF000 Size: 49152 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\drivers\2120b1eb.sys
Status: Locked to the Windows API!
Path: C:\WINDOWS\system32\drivers\7a09708a.sys
Status: Locked to the Windows API!
Path: C:\WINDOWS\system32\drivers\xwoarh.sys
Status: Locked to the Windows API!
SSDT
-------------------
#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x85ff0630
#: 035 Function Name: NtCreateEvent
Status: Hooked by "C:\WINDOWS\System32\drivers\2120b1eb.sys" at address 0xf7a166ad
#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\WinFl32.sys" at address 0xf7bdf3fa
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\drivers\2120b1eb.sys" at address 0xf7a14785
#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\system32\WinFl32.sys" at address 0xf7bdf6b2
#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\drivers\2120b1eb.sys" at address 0xf7a14845
#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x85fefa60
#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x85fefe80
#: 145 Function Name: NtQueryDirectoryFile
Status: Hooked by "C:\WINDOWS\system32\WinFl32.sys" at address 0xf7bdf93a
#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x85ff0460
#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x85ff0280
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x85fefc90
#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x85ff00b0
Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x86c72b40]
Process: System Address: 0x85fee790 Size: 1000
Object: Hidden Code [ETHREAD: 0x859057f0]
Process: System Address: 0x858d7f30 Size: 212
Object: Hidden Code [ETHREAD: 0x8590b020]
Process: System Address: 0x858d4e40 Size: 448
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x858d4840 Size: 856
Object: Hidden Code [Driver: WINDOWS, IRP_MJ_CREATE]
Process: System Address: 0x858d5f00 Size: 260
Object: Hidden Code [Driver: WINDOWS, IRP_MJ_CLOSE]
Process: System Address: 0x858d5f00 Size: 260
Object: Hidden Code [Driver: WINDOWS, IRP_MJ_READ]
Process: System Address: 0x858d5f00 Size: 260
Object: Hidden Code [Driver: WINDOWS, IRP_MJ_WRITE]
Process: System Address: 0x858d5f00 Size: 260
Object: Hidden Code [Driver: 00001718, IRP_MJ_CREATE]
Process: System Address: 0x858d4df0 Size: 42
Object: Hidden Code [Driver: 00001718, IRP_MJ_READ]
Process: System Address: 0x858d4df0 Size: 42
Object: Hidden Code [Driver: 00001718, IRP_MJ_WRITE]
Process: System Address: 0x858d4df0 Size: 42
Hidden Services
-------------------
Service Name: 2120b1eb
Image Path: C:\WINDOWS\System32\drivers\2120b1eb.sys
Service Name: 7a09708a
Image Path: C:\WINDOWS\System32\drivers\7a09708a.sys
==EOF==
Edited by Orange Blossom, 02 September 2009 - 10:37 PM.
Deactivate links. ~ OB