Search engine results redirected


This topic is locked
6 replies to this topic

#1 rjp78

  • Members
  • 4 posts

Posted 08 February 2010 - 05:00 PM

When using a search engine (i.e. Google, Bing, etc.) and clicking on a result, I am redirected to an unrelated site. For example, a search of 'super bowl' on Google hxxp://www.google.com/search?source=ig&hl=en&rlz=&q=super+bowl&aq=f&aqi=g10&oq= yielded the following link:
www.superbowl.com/
However, when left clicked, I am directed to:
hxxp://www.clickonthisnow.net/search-results.aspx?keywords=bowl+super

The address changes if I navigate back and retry the link. Now, if I open the link in a new tab in IE or copy and paste the address, I have no issues.
I've downloaded Malwarebytes to a clean, uninfected computer, renamed it to a random file name, and saved it to thumb drive. After installing, updating, and running Malwarebytes on the infected computer, the problem persists.
I am unable to run the DDS scan; however, I have attached a HijackThis log and the GMER log is as follows:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-08 15:28:35
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\rjp\LOCALS~1\Temp\pxtdrpog.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF764787E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7647BFE]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A4B8856

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{A31F0760-3CAF-40FF-C311EB15E667F290}\{E2D01E6A-D52B-9055-85F4CB9FDFA44017}\{62A48FA1-2175-E3E4-19BA4655EA387446}
Reg HKLM\SOFTWARE\Classes\CLSID\{A31F0760-3CAF-40FF-C311EB15E667F290}\{E2D01E6A-D52B-9055-85F4CB9FDFA44017}\{62A48FA1-2175-E3E4-19BA4655EA387446}@Q3FBLH6RIF6MYMN6VD31LVQSMD1 0x01 0x00 0x00 0x00 ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Edited by Orange Blossom, 08 February 2010 - 09:29 PM.
Deactivate links. ~ OB
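As an added example (my own code, not from this thread and not GMER's tooling), a triage pass over a GMER log like the one posted above: it flags the modified atapi.sys, the disk device served from an address GMER could not attribute to a module, and hidden registry keys whose CLSID names fail the 8-4-4-4-12 GUID format, while leaving the Ad-Aware and AVG hooks alone. The vendor allow-list, category names and severities are assumptions.

```python
"""GMER 1.0.15 log triage for the rootkit indicators seen in this thread.
Added example, not GMER's tooling. SAMPLE_LOG is an excerpt of the log rjp78
posted above; the vendor allow-list, categories and severities are assumptions."""
import re

# A GUID is five hex groups of 8-4-4-4-12 digits. The hidden CLSID keys in the
# log use 8-4-4-16 names: they look like GUIDs but fail a strict format check.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-"
                     r"[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}$")
# SSDT hooks by the security products installed here (Ad-Aware, AVG) are
# expected; assumption: any other hooking code deserves review.
EXPECTED_HOOK_VENDORS = ("Lavasoft AB", "AVG Technologies CZ, s.r.o.")

SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+\((.*)/(.*)\)\s+(\w+)\s+\[0x([0-9A-Fa-f]+)\]$")
FILE_RE = re.compile(r"^File\s+(.+?)\s+suspicious modification$")
DEVICE_RE = re.compile(r"^Device\s+->\s+(\S+)\s+(\S+)\s+([0-9A-Fa-f]{8})$")

SAMPLE_LOG = r"""GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-08 15:28:35
---- System - GMER 1.0.15 ----
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF764787E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7647BFE]
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device -> \Driver\atapi \Device\Harddisk0\DR0 8A4B8856
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Classes\CLSID\{A31F0760-3CAF-40FF-C311EB15E667F290}\{E2D01E6A-D52B-9055-85F4CB9FDFA44017}\{62A48FA1-2175-E3E4-19BA4655EA387446}
Reg HKLM\SOFTWARE\Classes\CLSID\{A31F0760-3CAF-40FF-C311EB15E667F290}\{E2D01E6A-D52B-9055-85F4CB9FDFA44017}\{62A48FA1-2175-E3E4-19BA4655EA387446}@Q3FBLH6RIF6MYMN6VD31LVQSMD1 0x01 0x00 0x00 0x00 ...
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
"""


def triage(log_text):
    """Return (severity, category, detail) tuples, one per distinct indicator
    (the hidden key is reported twice by GMER, as a key and as a value)."""
    findings, seen = [], set()

    def add(severity, category, detail):
        if (category, detail) not in seen:
            seen.add((category, detail))
            findings.append((severity, category, detail))

    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("SSDT"):
            m = SSDT_RE.match(line)
            if m is None:  # no module/vendor GMER could name for the hook
                add("high", "ssdt-unattributed", line)
            elif m.group(3) not in EXPECTED_HOOK_VENDORS:
                add("medium", "ssdt-unexpected-vendor",
                    f"{m.group(4)} hooked by {m.group(1)} ({m.group(3)})")
        elif line.startswith("Reg "):
            # Strip the "@valuename data..." tail, then check every {...} key.
            path = line.split()[1].split("@", 1)[0]
            bad = [c for c in path.split("\\")
                   if c.startswith("{") and c.endswith("}") and not GUID_RE.match(c)]
            if bad:
                add("high", "reg-malformed-guid", ", ".join(bad))
        elif line.startswith("File "):
            m = FILE_RE.match(line)
            if m:  # a modified disk driver is how TDSS-class rootkits load at boot
                add("critical", "file-patched", m.group(1))
        elif line.startswith("Device ->"):
            m = DEVICE_RE.match(line)
            if m:  # bare address, no module: disk I/O is served by unattributed code
                add("high", "device-hooked",
                    f"{m.group(2)} served from unattributed code at 0x{m.group(3)}")
    return findings


if __name__ == "__main__":
    for severity, category, detail in triage(SAMPLE_LOG):
        print(f"[{severity:8}] {category:24} {detail}")
```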



#2 fenzodahl512

  • Members
  • 6,738 posts

Posted 09 February 2010 - 10:26 AM

Please download TDSSKiller.zip and unzip it to your Desktop

Run the TDSSKiller and wait until it finishes (should be just a few seconds or below a minute).. Then find the log at your %systemdrive% (drive that contains Windows)

The log shall be named something like this one..

(TDSSKiller.version_date_time_log) for example.. (TDSSKiller.2.1.1_22.12.2009_19.33.44_log)





Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:






It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".


After that, double-click and run Combo-Fix. Let it finish its job and post the log here

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 rjp78
  • Topic Starter

  • Members
  • 4 posts

Posted 09 February 2010 - 11:49 AM

Thank you for the quick assistance. I've run TDSSKILLER and ComboFix as requested. I've also run a search via Google, and lo and behold, the links actually worked without the previous redirection problem. The ComboFix log is as follows:

ComboFix 10-02-08.09 - rjp 02/09/2010 9:53.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1278.583 [GMT -6:00]
Running from: c:\documents and settings\rjp\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\MiniBugTransporter.dll
c:\windows\Downloaded Program Files\RdxIE.dll
c:\windows\patch.exe
c:\windows\system32\_005463_.tmp.dll
c:\windows\system32\_005464_.tmp.dll
c:\windows\system32\_005465_.tmp.dll
c:\windows\system32\_005466_.tmp.dll
c:\windows\system32\_005473_.tmp.dll
c:\windows\system32\_005474_.tmp.dll
c:\windows\system32\_005475_.tmp.dll
c:\windows\system32\_005477_.tmp.dll
c:\windows\system32\_005478_.tmp.dll
c:\windows\system32\_005481_.tmp.dll
c:\windows\system32\_005482_.tmp.dll
c:\windows\system32\_005484_.tmp.dll
c:\windows\system32\_005485_.tmp.dll
c:\windows\system32\_005486_.tmp.dll
c:\windows\system32\_005488_.tmp.dll
c:\windows\system32\_005489_.tmp.dll
c:\windows\system32\_005491_.tmp.dll
c:\windows\system32\_005492_.tmp.dll
c:\windows\system32\_005494_.tmp.dll
c:\windows\system32\_005496_.tmp.dll
c:\windows\system32\_005497_.tmp.dll
c:\windows\system32\_005499_.tmp.dll
c:\windows\system32\_005501_.tmp.dll
c:\windows\system32\_005502_.tmp.dll
c:\windows\system32\_005504_.tmp.dll
c:\windows\system32\_005506_.tmp.dll
c:\windows\system32\_005507_.tmp.dll
c:\windows\system32\_005510_.tmp.dll
c:\windows\system32\_005511_.tmp.dll
c:\windows\system32\_005512_.tmp.dll
c:\windows\system32\_005513_.tmp.dll
c:\windows\system32\_005514_.tmp.dll
c:\windows\system32\_005519_.tmp.dll
c:\windows\system32\_005521_.tmp.dll
c:\windows\system32\_005522_.tmp.dll
c:\windows\system32\_007897_.tmp.dll
c:\windows\system32\_007898_.tmp.dll
c:\windows\system32\_007899_.tmp.dll
c:\windows\system32\_007900_.tmp.dll
c:\windows\system32\_007907_.tmp.dll
c:\windows\system32\_007908_.tmp.dll
c:\windows\system32\_007909_.tmp.dll
c:\windows\system32\_007910_.tmp.dll
c:\windows\system32\_007912_.tmp.dll
c:\windows\system32\_007913_.tmp.dll
c:\windows\system32\_007916_.tmp.dll
c:\windows\system32\_007917_.tmp.dll
c:\windows\system32\_007919_.tmp.dll
c:\windows\system32\_007920_.tmp.dll
c:\windows\system32\_007921_.tmp.dll
c:\windows\system32\_007923_.tmp.dll
c:\windows\system32\_007924_.tmp.dll
c:\windows\system32\_007926_.tmp.dll
c:\windows\system32\_007927_.tmp.dll
c:\windows\system32\_007931_.tmp.dll
c:\windows\system32\_007932_.tmp.dll
c:\windows\system32\_007934_.tmp.dll
c:\windows\system32\_007936_.tmp.dll
c:\windows\system32\_007937_.tmp.dll
c:\windows\system32\_007939_.tmp.dll
c:\windows\system32\_007940_.tmp.dll
c:\windows\system32\_007942_.tmp.dll
c:\windows\system32\_007943_.tmp.dll
c:\windows\system32\_007946_.tmp.dll
c:\windows\system32\_007947_.tmp.dll
c:\windows\system32\_007948_.tmp.dll
c:\windows\system32\_007949_.tmp.dll
c:\windows\system32\_007950_.tmp.dll
c:\windows\system32\_007955_.tmp.dll
c:\windows\system32\_007957_.tmp.dll
c:\windows\system32\11478.exe
c:\windows\system32\15724.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\26500.exe
c:\windows\system32\6334.exe
c:\windows\system32\drivers\fad.sys
c:\windows\system32\setup.ini
c:\windows\system32\twain_32.dll

.
((((((((((((((((((((((((( Files Created from 2010-01-09 to 2010-02-09 )))))))))))))))))))))))))))))))
.

2010-02-05 20:31 . 2010-02-05 20:31 -------- d-----w- c:\program files\Trend Micro
2010-01-27 15:05 . 2010-01-27 15:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-01-27 15:05 . 2010-01-27 15:05 -------- d-----w- c:\documents and settings\rjp\Application Data\Office Genuine Advantage
2010-01-26 22:16 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-26 22:16 . 2010-01-27 13:59 -------- d-----w- c:\program files\MW Bytes
2010-01-26 22:16 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-26 16:57 . 2010-01-26 16:57 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-01-26 16:57 . 2010-01-26 16:57 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-25 16:15 . 2010-01-25 16:15 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-01-22 22:24 . 2010-01-22 22:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-22 22:24 . 2010-01-22 22:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-21 22:18 . 2010-01-21 22:18 -------- d-----w- c:\documents and settings\rjp\Application Data\Malwarebytes
2010-01-21 22:17 . 2010-01-21 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-21 19:26 . 2009-12-02 13:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-20 22:15 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-20 22:11 . 2010-01-20 22:11 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-19 17:17 . 2010-01-19 17:17 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-01-13 14:07 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-09 15:36 . 2008-11-14 20:31 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-08 22:44 . 2006-06-02 21:11 -------- d-----w- c:\program files\Oriens Solution
2010-02-08 16:19 . 2009-11-10 14:12 79488 ----a-w- c:\documents and settings\rjp\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-08 14:05 . 2009-11-12 18:40 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-04 22:21 . 2010-01-20 22:14 389784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\UpdateManager.dll
2010-02-04 16:17 . 2010-01-20 22:14 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AutoLaunch.exe
2010-02-04 16:17 . 2010-01-20 22:14 823928 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareAdmin.exe
2010-02-04 16:16 . 2010-01-20 22:13 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWService.exe
2010-01-27 16:18 . 2010-01-20 22:14 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\threatwork.exe
2010-01-27 16:18 . 2010-01-27 16:18 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lsdelete.exe
2010-01-27 16:18 . 2010-01-20 22:14 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavamessage.dll
2010-01-27 16:18 . 2010-01-20 22:14 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavalicense.dll
2010-01-27 16:18 . 2010-01-20 22:14 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\aawapi.dll
2010-01-27 16:17 . 2010-01-27 16:17 163728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\ShellExt.dll
2010-01-27 16:17 . 2010-01-20 22:14 8 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Savapibridge.dll
2010-01-27 16:17 . 2010-01-20 22:14 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Resources.dll
2010-01-27 16:17 . 2010-01-27 16:17 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\RPAPI.dll
2010-01-27 16:17 . 2010-01-27 16:17 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\PrivacyClean.dll
2010-01-27 16:17 . 2010-01-20 22:14 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\CEAPI.dll
2010-01-27 16:17 . 2010-01-20 22:14 816784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareCommand.exe
2010-01-27 16:17 . 2010-01-20 22:14 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-Aware.exe
2010-01-27 16:17 . 2010-01-20 22:14 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWTray.exe
2010-01-22 20:33 . 2003-08-11 21:28 -------- d-----w- c:\documents and settings\rjp\Application Data\MSN6
2010-01-21 14:05 . 2009-06-11 13:43 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-20 22:01 . 2003-11-20 20:01 -------- d-----w- c:\program files\Yahoo!
2010-01-18 14:11 . 2010-01-27 14:31 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-01-18 14:11 . 2010-01-27 14:31 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-01-14 17:12 . 2009-10-05 13:20 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-12-21 19:14 . 2004-02-06 23:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-15 21:45 . 2009-12-15 21:45 -------- d-----w- c:\program files\State of Wisconsin
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-07 14:10 . 2010-01-20 22:11 2953352 -c--a-w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2009-11-19 17:06 . 2009-05-20 15:50 127325 ----a-w- c:\documents and settings\rjp\Application Data\Move Networks\uninstall.exe
2009-11-19 17:06 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\rjp\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-11-19 17:06 . 2009-11-19 17:05 1408376 ----a-w- c:\documents and settings\rjp\Application Data\Move Networks\MoveMediaPlayerWinSilent_071505000011.exe
2009-11-16 14:08 . 2009-11-16 14:08 114688 ----a-w- c:\windows\system32\igfxzoom.exe
2009-11-12 18:40 . 2008-06-16 14:20 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-12 18:40 . 2008-06-16 14:20 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-12 18:40 . 2007-01-03 14:31 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-12 18:40 . 2009-11-12 18:40 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2001-12-03 22:09 . 2007-05-22 15:28 90112 ----a-w- c:\program files\internet explorer\plugins\DjVuControl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\rjp\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-01 133104]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2001-07-25 57344]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-28 282624]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-06 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"barcontrol.dll OCX"="c:\program files\Common Files\Real\GToolbar\barcontrol.dll" [2007-05-17 110592]

c:\documents and settings\rjp\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Scanner File Utility.lnk - c:\program files\Kyocera Mita\FileUtility\NsCatCom.exe [2005-6-1 315392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-12 18:40 12464 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-10-15 03:38 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-12-17 17:28 684032 ----a-w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2008-11-20 21:01 2356088 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
2004-12-02 23:23 102400 ----a-w- c:\program files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-12-28 22:30 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SPSTEALT]
2005-02-23 15:52 327680 ----a-w- c:\program files\Free History Eraser\HistoryEraser.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kyocera Mita\\FileUtility\\NsCatCom.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Documents and Settings\\rjp\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [1/20/2010 4:15 PM 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [6/16/2008 8:20 AM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [11/12/2009 12:40 PM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/12/2009 12:40 PM 285392]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 7:19 AM 1181328]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 NDMSHLP;Device Monitor Helper Driver;c:\program files\Common Files\HHD Software\Device Monitor\NDMSHLP.sys [5/24/2005 10:23 PM 7632]
S3 SerMon;Serial Monitor Filter Driver;c:\program files\HHD Software\Free Serial Port Monitor\sermon.sys [5/24/2005 10:26 PM 18432]
.
Contents of the 'Scheduled Tasks' folder

2010-02-09 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 16:17]

2010-02-09 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 16:17]

2010-02-09 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 16:17]

2010-02-09 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 16:17]

2010-02-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 16:17]

2010-02-05 c:\windows\Tasks\Advanced Registry Optimizer.job
- c:\program files\Advanced Registry Optimizer\ARO.exe [2008-12-01 17:11]

2010-02-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3281886137-1273659519-3236437500-1005Core.job
- c:\documents and settings\rjp\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-01 21:11]

2010-02-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3281886137-1273659519-3236437500-1005UA.job
- c:\documents and settings\rjp\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-01 21:11]

2010-02-09 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 21:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hotmail.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://smbusiness.dellnet.com/
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
Trusted Zone: isqft.com
Trusted Zone: isqft.com\www
Trusted Zone: microsoft.com\update
Trusted Zone: isqft.com\www
TCP: {A5C61382-3F59-4670-BE9D-0FFCCB7CCD2A} = 216.165.129.157,134.215.200.126
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://software-dl.real.com/02bc89c9ba3731880e16/netzip/RdxIE601.cab
DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - hxxp://www.networksolutionsemailpopwizard.com/TrueSwitchEC.exe
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard
MSConfigStartUp-McAfee Guardian - c:\program files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
MSConfigStartUp-MimBoot - c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe
AddRemove-HijackThis - c:\documents and settings\rjp\Desktop\HijackThis.exe
AddRemove-SoilView 2.5 - c:\svwi009\UnInst.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-09 10:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A31F0760-3CAF-40FF-C311EB15E667F290}\{E2D01E6A-D52B-9055-85F4CB9FDFA44017}\{62A48FA1-2175-E3E4-19BA4655EA387446}*]
"Q3FBLH6RIF6MYMN6VD31LVQSMD1"=hex:01,00,00,00,00,00,00,00,5c,63,e8,cf,f7,e6,fd,
3a
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(412)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kyocera Mita\FileUtility\SFUSVC.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Microsoft ActiveSync\Wcescomm.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\progra~1\MICROS~3\rapimgr.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-02-09 10:23:01 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-09 16:22

Pre-Run: 32,310,136,832 bytes free
Post-Run: 32,435,920,896 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 1D5A1AA3B1EF6527BF90294494328A6E

Thank you for the prompt assistance. Long live HIMYM. “Think of me like Yoda, but instead of being little and green I wear suits and I'm awesome. I'm your bro—I'm Broda!” - Barney Stinson

#4 fenzodahl512

  • Members
  • 6,738 posts

Posted 10 February 2010 - 05:51 AM

Hello Broda ;)

Lets run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

How's the computer now?



#5 rjp78
  • Topic Starter

  • Members
  • 4 posts

Posted 10 February 2010 - 10:36 AM

The computer appears to be healed and working fine. I have not experienced any redirects while using Google. Thank you very much for your prompt and concise assistance! The ESET Log is as follows:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=d9114713365b674195a50e9f1eaaefb6
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-02-10 03:29:03
# local_time=2010-02-10 09:29:03 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 326951 326951 0 0
# compatibility_mode=1024 16777175 100 0 6842424 6842424 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=62596
# found=0
# cleaned=0
# scan_time=4117


#6 fenzodahl512

  • Members
  • 6,738 posts

Posted 11 February 2010 - 06:46 AM

Looks good to me.. Lets do some cleanup...


Please download OTC and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTC
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes



Please read these excellent articles written by my friends:
Preventing Malware and Safe Computing by Rorschach112
What makes your machine slow? by Artellos


Also, please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware


Read this great info about safe internet surfing..

http://www.pcpitstop.com/spycheck/safesurfing.asp
http://bluefive.pair.com/practice_safe_surfing.htm




Please reply to this thread once more and tell us about the computer behaviour before we can close this thread



Have a safe and happy computing day!


Regards
fenzodahl512



#7 rjp78
  • Topic Starter

  • Members
  • 4 posts

Posted 15 February 2010 - 12:52 PM

I've run the OTL Clean-up process. All appears to be well. I have not experienced any search redirects or new problems. Thanks again for your great assistance!



