
Search Redirect hijacker


  • This topic is locked
22 replies to this topic

#1 broncobill

  • Members
  • 12 posts

Posted 25 February 2010 - 01:18 PM

Hi everyone!
After days of researching my problem to no avail, I am hoping you can help me. I have a brand new Asus u50f running Win7 64-bit. I have two IE browsers factory installed (IE 32-bit and IE 64-bit). I have the Google toolbar installed on both of them. Whenever I search any topic on the 32-bit version of IE the search results look like normal Google results, but when I click on any of the links I am redirected to another search site (DaoFinder). I get mostly shopping results also. This problem does not SEEM to affect the IE 64-bit version. When I open them up side by side I get wholly different results for the same inquiry, and in the 64-bit version the links behave normally.
I have run the usual scans: MalwareBytes, Spybot S&D, Trend Micro (which I subsequently uninstalled), Avast (using now), AdAware, Microsoft Malicious Software Removal Tool, all with no positive results. The 32-bit version was not behaving this way a week ago, so I know something is amiss. I tried resetting everything to factory defaults. I reinstalled the Google toolbar.
I am out of ideas and hope you can find it in your hearts to take a look at this. Thank you in advance!

When I try to run the GMER application I get an error: "C:\windows\system32\config\system: the system cannot find the file specified."
Here is a copy of the DDS log:

DDS (Ver_09-12-01.01) - NTFSX64
Run by james at 10:26:04.38 on Sat 03/06/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3885.2337 [GMT -6:00]

SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\FBAgent.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe
C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\iHome\Mouse Driver\KMWDSrv.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Windows\system32\lxcecoms.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe
C:\Program Files\P4G\BatteryLife.exe
C:\Program Files (x86)\ASUS\ASUS CopyProtect\aspg.exe
C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe
C:\Program Files (x86)\ASUS\ControlDeck\ControlDeckStartUp.exe
C:\Program Files (x86)\ASUS\Splendid\ACMON.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Elantech\ETDCtrl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\Lexmark 4300 Series\lxcemon.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe
C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe
C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe
C:\Program Files (x86)\iHome\Mouse Driver\StartAutorun.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files (x86)\iHome\Mouse Driver\KMConfig.exe
C:\Program Files (x86)\iHome\Mouse Driver\KMProcess.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\SysWOW64\ACEngSvr.exe
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\DllHost.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe
C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe
C:\Windows\AsScrPro.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWow64\Macromed\Flash\FlashUtil10e.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\james\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y4IVR3I3\dds[1].scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://msn.com/
uWindow Title =
mLocal Page = c:\windows\syswow64\blank.htm
mWindow Title =
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files (x86)\bitcomet\tools\BitCometBHO_1.4.1.10.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~2\spybot~1\SDHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files (x86)\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files (x86)\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files (x86)\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files (x86)\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files (x86)\google\google toolbar\GoogleToolbar_32.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [SpybotSD TeaTimer] c:\program files (x86)\spybot - search & destroy\TeaTimer.exe
uRun: [swg] "c:\program files (x86)\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [ATKOSD2] c:\program files (x86)\asus\atk package\atkosd2\ATKOSD2.exe
mRun: [ATKMEDIA] c:\program files (x86)\asus\atk package\atk media\DMedia.exe
mRun: [HControlUser] c:\program files (x86)\asus\atk package\atk hotkey\HControlUser.exe
mRun: [Setwallpaper] c:\programdata\SetWallpaper.cmd
mRun: [KMCONFIG] c:\program files (x86)\ihome\mouse driver\StartAutorun.exe KMConfig.exe
mRun: [SunJavaUpdateSched] "c:\program files (x86)\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files (x86)\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files (x86)\google\gmail notifier\gnotify.exe
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\fancys~1.lnk - c:\windows\installer\{f0df4513-3c4c-4eb8-8012-2c5f70af3988}\_A1DDD39913A1970387B7B3.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\srspre~1.lnk - c:\windows\installer\{e5cf6b9c-3abe-43c9-9413-ad5ffc98f049}\NewShortcut5_21C7B668029A47458B27645FE6E4A715.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &D&ownload &with BitComet - c:\program files (x86)\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files (x86)\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files (x86)\bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~2\micros~1\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files (x86)\bitcomet\tools\BitCometBHO_1.4.1.10.dll/206
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files (x86)\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~2\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~2\micros~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~2\spybot~1\SDHelper.dll
LSP: c:\users\james\appdata\local\temp\dagny115.dll
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/common/asusTek_sys_ctrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
BHO-X64: Windows Live Family Safety Browser Helper Class: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - c:\program files\windows live\family safety\fssbho.dll
BHO-X64: Windows Live Family Safety Browser Helper - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files (x86)\google\google toolbar\GoogleToolbar_64.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg64.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files (x86)\google\google toolbar\GoogleToolbar_64.dll
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
mRun-x64: [ETDWare] c:\program files\elantech\ETDCtrl.exe
mRun-x64: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun-x64: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun-x64: [Persistence] c:\windows\system32\igfxpers.exe
mRun-x64: [SmartAudio] c:\program files\conexant\saii\SAIICpl.exe /t
mRun-x64: [LXCECATS] rundll32 c:\windows\system32\spool\drivers\x64\3\LXCEtime.dll,RunDLLEntry
mRun-x64: [lxcemon.exe] "c:\program files (x86)\lexmark 4300 series\lxcemon.exe"
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 lullaby;lullaby;c:\windows\system32\drivers\lullaby.sys [2009-12-27 15928]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-2 120912]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 59904]
R2 AFBAgent;AFBAgent;c:\windows\system32\FBAgent.exe [2009-12-27 359552]
R2 ASMMAP64;ASMMAP64;c:\program files (x86)\asus\atk package\atkgfnex\ASMMAP64.sys [2009-7-2 15416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-3-2 22096]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-3-2 63568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-2 40384]
R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program files (x86)\ihome\mouse driver\KMWDSrv.exe [2008-6-23 208896]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\spybot - search & destroy\SDWinSec.exe [2010-2-8 1153368]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\intel\intel® management engine components\uns\UNS.exe [2010-2-5 2314240]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-2 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-2 40384]
R3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\drivers\ETD.sys [2009-10-15 117760]
R3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\drivers\HECIx64.sys [2009-12-27 56344]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2009-10-25 151936]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2009-10-29 244736]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2009-8-18 143472]
R3 JME;JMicron Ethernet Adapter NDIS6 Driver (Amd64 Bits);c:\windows\system32\drivers\JME.sys [2009-8-14 102000]
S2 gupdate;Google Update Service (gupdate);c:\program files (x86)\google\update\GoogleUpdate.exe [2010-2-13 135664]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2009-12-27 61792]
S3 fsssvc;Windows Live Family Safety;c:\program files (x86)\windows live\family safety\fsssvc.exe [2008-12-8 533344]
S3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\drivers\SiSG664.sys [2009-6-10 56832]

=============== Created Last 30 ================

2010-03-06 16:14:13 0 ----a-w- c:\users\james\defogger_reenable
2010-03-06 15:33:25 0 ----a-w- c:\windows\syswow64\8104297.jun
2010-03-06 15:33:22 0 d-----w- c:\program files (x86)\Browser Hijack Recover
2010-03-06 14:51:39 0 d-----w- c:\programdata\XoftSpySE
2010-03-06 03:14:07 212864 ------w- c:\windows\system32\MpSigStub.exe
2010-03-05 03:01:15 0 d-----w- c:\program files (x86)\MSXML 4.0
2010-03-05 02:47:59 0 d-----w- c:\program files (x86)\TrendMicro
2010-03-02 12:08:48 63568 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-03-02 12:08:48 0 ----a-w- c:\windows\syswow64\config.nt
2010-03-02 12:08:20 38848 ----a-w- c:\windows\syswow64\avastSS.scr
2010-03-02 12:08:20 153184 ----a-w- c:\windows\syswow64\aswBoot.exe
2010-03-02 12:08:16 0 d-----w- c:\programdata\Alwil Software
2010-03-02 12:08:16 0 d-----w- c:\program files\Alwil Software
2010-03-02 01:44:53 0 d-----w- c:\programdata\Sunbelt
2010-03-02 01:44:51 22016 ----a-w- c:\windows\system32\sbbd.exe
2010-02-22 04:17:13 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-18 02:09:19 0 d-----w- c:\users\james\appdata\roaming\Zipeg
2010-02-18 02:09:01 0 d-----w- c:\program files (x86)\Zipeg
2010-02-14 17:48:30 0 d-----w- C:\ubuntu-backup
2010-02-14 17:38:29 0 d-----w- c:\program files (x86)\WildPackets
2010-02-14 17:26:20 0 d-----w- c:\program files\WinRAR
2010-02-14 16:33:47 0 d-----w- c:\windows\pss
2010-02-14 02:52:59 0 d-----w- c:\windows\tessdata
2010-02-14 02:52:59 0 d-----w- c:\program files (x86)\Softi Software
2010-02-14 02:52:30 0 d-----w- c:\users\james\appdata\roaming\Softi Software
2010-02-14 02:28:22 0 d-----w- c:\program files\Lx_cats
2010-02-14 02:27:24 0 d-----w- c:\program files\Lexmark 4300 Series
2010-02-14 02:26:09 0 d-----w- c:\program files (x86)\Lexmark 4300 Series
2010-02-14 02:25:57 628224 ----a-w- c:\windows\system32\lxceutil.dll
2010-02-13 01:14:31 0 d-----w- c:\programdata\NOS
2010-02-10 05:43:53 285696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-10 03:11:42 0 d-----w- c:\program files (x86)\DVD X Studios
2010-02-10 02:46:46 88 ---ha-w- c:\programdata\aspg.dat
2010-02-09 04:13:55 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-02-09 04:13:55 0 d-----w- c:\program files (x86)\Spybot - Search & Destroy
2010-02-09 03:44:27 0 d-----w- c:\programdata\Lavasoft
2010-02-09 03:37:49 0 d-----w- c:\users\james\appdata\roaming\Malwarebytes
2010-02-09 03:37:42 22104 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-09 03:37:42 0 d-----w- c:\programdata\Malwarebytes
2010-02-09 03:37:42 0 d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2010-02-06 19:51:48 0 d-----w- c:\program files\Google
2010-02-06 19:48:40 0 d-----w- C:\Downloads
2010-02-06 19:48:39 0 d-----w- c:\users\james\appdata\roaming\BitComet
2010-02-06 19:48:15 0 d-----w- c:\program files (x86)\BitComet
2010-02-06 19:48:13 0 d-----w- c:\programdata\Google
2010-02-06 18:58:53 32768 ------w- c:\windows\syswow64\gtcodec2.dll
2010-02-06 18:58:53 32768 ------w- c:\windows\system\gtcodec2.dll
2010-02-06 18:57:56 319 ----a-w- c:\windows\ULEAD32.INI
2010-02-06 18:57:51 384512 ----a-w- c:\windows\syswow64\MFCO40.DLL
2010-02-06 18:57:51 358400 ----a-w- c:\windows\syswow64\MFC30.DLL
2010-02-06 18:57:51 27632 ----a-w- c:\windows\syswow64\CTL3DV2.DLL
2010-02-06 18:57:51 151040 ----a-w- c:\windows\syswow64\MFCO30.DLL
2010-02-06 18:57:42 28672 ----a-w- c:\windows\Photo Express 3.scr
2010-02-06 18:57:03 0 d-----w- c:\program files (x86)\Ulead Systems
2010-02-06 18:56:52 306688 ----a-w- c:\windows\IsUninst.exe
2010-02-06 18:36:36 14 ----a-w- c:\windows\syswow64\systeminfo.dll
2010-02-06 18:35:47 1645320 ----a-w- c:\windows\syswow64\gdiplus.dll
2010-02-06 09:47:19 0 d-----w- c:\users\james\appdata\roaming\MoveFab
2010-02-06 08:17:43 0 d-----w- c:\program files (x86)\DVDFab 6
2010-02-06 08:16:23 114 ----a-w- c:\windows\WININIT.INI
2010-02-06 08:16:05 0 d-----w- c:\users\james\appdata\roaming\Roxio Log Files
2010-02-06 05:46:34 0 d-----w- c:\program files (x86)\iHome
2010-02-06 04:20:39 355 ----a-w- c:\users\james\Computer - Shortcut.lnk
2010-02-05 02:29:59 0 d-----w- c:\programdata\Driver Whiz

==================== Find3M ====================

2010-02-03 16:07:29 0 ----a-w- c:\users\james\appdata\roaming\wklnhst.dat
2010-02-02 08:36:47 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-02 07:45:54 2048 ----a-w- c:\windows\syswow64\tzres.dll
2010-01-19 09:05:57 424960 ----a-w- c:\windows\system32\secproc.dll
2010-01-19 09:05:57 422912 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-19 09:05:57 121856 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-19 09:05:57 121856 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-19 09:00:44 305152 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-19 09:00:43 357888 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-19 09:00:37 356352 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-19 09:00:37 306688 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-18 23:29:31 85504 ----a-w- c:\windows\syswow64\secproc_ssp_isv.dll
2010-01-18 23:29:31 85504 ----a-w- c:\windows\syswow64\secproc_ssp.dll
2010-01-18 23:29:31 365568 ----a-w- c:\windows\syswow64\secproc_isv.dll
2010-01-18 23:29:30 369152 ----a-w- c:\windows\syswow64\secproc.dll
2010-01-18 23:28:33 324608 ----a-w- c:\windows\syswow64\RMActivate_isv.exe
2010-01-18 23:28:33 277504 ----a-w- c:\windows\syswow64\RMActivate_ssp_isv.exe
2010-01-18 23:28:30 320512 ----a-w- c:\windows\syswow64\RMActivate.exe
2010-01-18 23:28:30 280064 ----a-w- c:\windows\syswow64\RMActivate_ssp.exe
2010-01-11 07:12:38 381440 ----a-w- c:\windows\syswow64\iedkcs32.dll
2010-01-08 03:38:28 157696 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-12-27 20:33:23 311808 ----a-w- c:\windows\system32\msv1_0.dll
2009-12-27 20:33:23 257024 ----a-w- c:\windows\syswow64\msv1_0.dll
2009-12-27 20:33:13 46592 ----a-w- c:\windows\system32\msasn1.dll
2009-12-27 20:33:13 34816 ----a-w- c:\windows\syswow64\msasn1.dll
2009-12-27 20:32:35 12625920 ----a-w- c:\windows\system32\wmploc.DLL
2009-12-27 20:32:35 12625408 ----a-w- c:\windows\syswow64\wmploc.DLL
2009-12-27 20:32:35 11406336 ----a-w- c:\windows\syswow64\wmp.dll
2009-12-27 20:32:34 366080 ----a-w- c:\windows\system32\atmfd.dll
2009-12-27 20:32:34 293888 ----a-w- c:\windows\syswow64\atmfd.dll
2009-12-27 20:32:34 1975296 ----a-w- c:\windows\system32\CertEnroll.dll
2009-12-27 20:32:34 1320960 ----a-w- c:\windows\syswow64\CertEnroll.dll
2009-12-27 20:11:27 520192 ----a-w- c:\windows\syswow64\ASUS_U_Series_Screensaver.scr
2009-12-27 20:11:22 3058304 ----a-w- c:\windows\AsScrPro.exe
2009-12-22 08:36:19 243200 ----a-w- c:\windows\system32\wow64.dll
2009-12-22 08:24:35 14336 ----a-w- c:\windows\syswow64\ntvdm64.dll
2009-12-22 08:23:35 25600 ----a-w- c:\windows\syswow64\setup16.exe
2009-12-22 08:22:10 5120 ----a-w- c:\windows\syswow64\wow32.dll
2009-12-22 04:28:10 7680 ----a-w- c:\windows\syswow64\instnm.exe
2009-12-22 04:28:08 2048 ----a-w- c:\windows\syswow64\user.exe
2009-12-19 09:51:24 1192960 ----a-w- c:\windows\system32\wininet.dll
2009-12-19 09:50:56 14848 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-19 09:49:47 1572352 ----a-w- c:\windows\system32\quartz.dll
2009-12-19 09:47:56 25088 ----a-w- c:\windows\system32\msyuv.dll
2009-12-19 09:47:53 38912 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-19 09:47:46 16384 ----a-w- c:\windows\system32\msrle32.dll
2009-12-19 09:46:35 54272 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-13 09:46:36 960512 ----a-w- c:\windows\system32\CPFilters.dll
2009-12-13 09:46:36 613888 ----a-w- c:\windows\system32\psisdecd.dll
2009-12-13 09:46:34 552960 ----a-w- c:\windows\system32\msdri.dll
2009-12-13 09:30:50 641536 ----a-w- c:\windows\syswow64\CPFilters.dll
2009-12-13 09:30:50 465408 ----a-w- c:\windows\syswow64\psisdecd.dll
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-04-08 18:31:56 106496 ----a-w- c:\program files (x86)\common files\CPInstallAction.dll
2008-08-12 05:45:20 155648 ----a-w- c:\program files (x86)\common files\MSIactionall.dll
2008-05-22 16:35:54 51962 ----a-w- c:\program files (x86)\common files\banner.jpg
2007-06-12 17:34:50 35822 ----a-w- c:\program files (x86)\common files\ASPG_icon.ico
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 10:26:47.72 ===============
Thanks again,
James


#2 Jintan

  • Malware Response Team
  • 531 posts

Posted 27 February 2010 - 09:26 PM

Welcome to Bleeping Computer broncobill,

Not seeing any infection here. I also don't think GMER is set up for Windows 7/64-bit systems yet, so I'm not surprised it failed to run there. Let's try a different scan than those you have run already.


Disable your antivirus program and go here and run an online scan using ESET Online Scanner (you will need to use Internet Explorer for this scan, or download the installer to run it in a different browser). If you accept the Terms of Use, check the box and click Start. After the ActiveX Control has loaded, it will take a couple minutes for the scanner to get ready. Next, check the following boxes:

Remove found threats
Scan unwanted applications


Next to "Current scan targets: Operating memory, Local drives", click the "Change" word. Make sure you place a check next to all disk drives, including any external drives that are attached (no need to check off the floppy or DVD/CD-Rom drives).

Click Start. This scan may take a while, so please be patient. A log may open when the scan is complete (if not, go to C:\Program Files\EsetOnlineScanner\ and open the file log.txt). Click Edit - Select All then copy/paste that log back here please.


If you have any problems getting Eset started, one work-around is to have an open Internet connection, and then click here and download the esetsmartinstaller_enu.exe Eset installer. Then click that file, and follow the same previous steps to run the scan.
Ad eundum quo no duck ante iit

#3 broncobill

  • Topic Starter
  • Members
  • 12 posts

Posted 28 February 2010 - 06:44 PM

I ran the scan without any problems and it found nothing. Here's the log:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK

I hope this is what you were looking for:)
(Side note) My Google Chrome browser produces identical results to IE 64-bit, but I installed that after I noticed the problem. IE 32-bit seems to be the only thing affected (or infected). I can't find much about this DaoFinder search site that I keep getting redirected to, either.

#4 Jintan

  • Malware Response Team
  • 531 posts

Posted 28 February 2010 - 08:57 PM

That "DaoFinder" site is IP-linked to quite a few sites that appear to be search redirect locations. See if the following will run on your system, and we'll use an older method of looking for things there.

Go here and download Agent Ransack to your desktop, then click the downloaded file to install the program. Once installed go to Start - Programs and open Agent Ransack.

Under the Advanced tab, type the following, exactly as shown, into the text box next to "Containing text:"

DaoFinder

Make no other changes at this time. Then click the "Start search" button (upper right corner) and allow Agent Ransack to search. This will take quite a while to complete, depending on the number of files stored on the system, so please allow the scan to complete and not use the computer while it is running.

When the scan is done go to File - Save Results, and click the "Save" button to save the information to your clipboard. Then open Notepad and click Paste to copy the scan results. Save this as Life.txt.

Then zip a copy of that, and send it to jintan @ malwarecrypt.com as an attachment. Please place "Submitted Files -broncobill/bc/ransk" as the email Subject.

-----------------

Click here to download Bobbi Flekman's Regsearch.zip to your desktop. Then unzip that, and click on the regsearch.exe to run the tool. In the display panel, copy and paste the following into the upper box:

DaoFinder

Then click Okay. Once the scan completes a textbox will open - copy/paste those contents back here please (the RegSearch.txt log can also be found in the same location as the regsearch.exe file you clicked).

Edited by Jintan, 28 February 2010 - 08:59 PM.

Ad eundum quo no duck ante iit

#5 broncobill

  • Topic Starter
  • Members
  • 12 posts

Posted 28 February 2010 - 10:17 PM

Here's the regsearch log:

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman 2005
; Version: 2.0.6.0

; Results at 3/4/2010 8:56:19 PM for strings:
; 'daofinder
'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...

I need to clarify that when I search via the address bar or Google toolbar the results look like a legit Google page (but the results are different than when I search directly from google.com or IE64), and it is only when I click on a link that I get redirected. I hope I am making sense:)
Thanks again,


#6 Jintan

  • Malware Response Team
  • 531 posts

Posted 01 March 2010 - 11:49 PM

The Ransack results did not seem to pinpoint a location those link redirects are sourced from. The info suggests the change is made as some "q=" function, which the Google site indicates is a spelling hint. Or "query" - the info wasn't all that clear to me.

In IE go to Tools - click InPrivate Filtering. Then click the InPrivate Filtering Settings, and see if any "doa" entries show there that you can block. Perhaps blocking it will cause some other info to surface.
Ad eundum quo no duck ante iit

#7 broncobill

  • Topic Starter
  • Members
  • 12 posts

Posted 03 March 2010 - 07:25 AM

Hi again! There was nothing listed under InPrivate Filtering. I reset Internet Explorer and reinstalled the Google toolbar with no changes. Here's a copy of the first three results when I search "happy" in the toolbar. The links do not match the page previews when I request them under options on the Google page, which I find quite interesting. I don't know if this helps at all but I thought I'd mention it. Here's a copy of the page results.

Search Results
Results include your SearchWiki notes for happy.

Valentine's Day
Learn How To Have A Wonderful Day Whether You Are Single Or Attached!
TheFrisky.com - 24k - Cached - Similar

Happy
Looking For Happy? Find What You Need Quickly Here!
www.ManufacturersDirectory.com - 24k - Cached - Similar

CafeMom.com
Connect with other Mothers. Share Advice, photos and more!
www.cafemom.com - 24k - Cached - Similar

The page preview for the first result ("Valentine's Day - Learn how to have a wonderful day...") is the wiki page definition for "happy", which is what I should actually be seeing as the first result.
Thanks,
James

Edited by broncobill, 04 March 2010 - 06:46 AM.


#8 broncobill

broncobill
  • Topic Starter

  • Members
  • 12 posts
  • Local time:04:31 AM

Posted 06 March 2010 - 10:17 AM

Thanks for all your help. I've decided to just use a different browser and chalk this one up as a head scratcher. You can email me at (email address removed by Jintan) if you have any other suggestions but for now I'm calling this one quits. Thanks again.

Edited by Jintan, 06 March 2010 - 08:06 PM.


#9 Jintan

Jintan

  • Malware Response Team
  • 531 posts
  • Local time:06:31 AM

Posted 06 March 2010 - 08:10 PM

I took the liberty of editing out that email address from your post. Spam harvesters scan online resources for addresses posted like that, to just add to their spam lists. And instead of chalking this one up to head scratching, let's chalk it up to me just not catching the malware showing in the logs. Some unknown file is loading into the Winsock there, which could then also filter, and change, net accesses. I am pretty sure Windows 7 does use the netsh command for some repairs we will need to do, but I will need to double-check that. But let's also check that file.


Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types"

Then just go here, press new topic, fill in the needed details and just give a link to your post back here (see the "Instructions for uploading files" there for help, if needed). Then press the browse button and then navigate to & select the following file on your computer.

c:\users\james\appdata\local\temp\dagny115.dll

You DO NOT need to be a member to upload, anybody can upload the files. You will not be able to see the file once uploaded.

Ad eundum quo no duck ante iit

#10 broncobill

broncobill
  • Topic Starter

  • Members
  • 12 posts
  • Local time:04:31 AM

Posted 08 March 2010 - 09:58 PM

Here's the link. I had trouble finding the file using the browse function on the website. I did locate it and copied it to my desktop, and then I was able to attach it. I hope that will work. I will be anxiously waiting to see what you find out. Thanks for editing out my email. I obviously didn't think that one through.

#11 Jintan

Jintan

  • Malware Response Team
  • 531 posts
  • Local time:06:31 AM

Posted 10 March 2010 - 12:08 AM

I received the file, thanks. As Derek posted at the upload site, the file appears to be used with some wizards.com Magic fantasy game, but also has all the abilities to alter (even damage) the Winsock, and does show search redirecting functions. Do you recognize that site and that Magic game? I will need to bone up on Windows 7 Winsock repairs, and will post back with the next steps here once I get the right info.
Ad eundum quo no duck ante iit

#12 broncobill

broncobill
  • Topic Starter

  • Members
  • 12 posts
  • Local time:04:31 AM

Posted 10 March 2010 - 07:36 AM

I don't play games online myself, but my daughter does when she comes to visit. I did notice that some of my settings were changed the last time she used it, but they seemed minor at the time and I was able to change them back. Things like auto-hide for the toolbar on the browser were turned on. I have since bought her her own computer, since I really didn't want her using my new laptop and having to set parental controls all the time. I'll wait to hear from you.

Thanks again

#13 Jintan

Jintan

  • Malware Response Team
  • 531 posts
  • Local time:06:31 AM

Posted 10 March 2010 - 07:51 AM

Apparently Windows 7 Winsock checks and changes rely on many of the same methods as earlier OS versions. We can reset the Winsock to default, but will need to verify no third party apps have added anything - third party apps other than this search hijacker at least.


Go to Start Search, type cmd.exe in the Start Search box. Cmd.exe will appear at the top of the Menu. Right-click on it and choose "Run as administrator". At the prompt copy/paste the following, pressing Enter after:

netsh winsock show catalog > c:\looker.txt&c:\looker.txt

Your drive will be scanned and when finished, Notepad will pop up with some information. Copy and paste it in this thread.


Ad eundum quo no duck ante iit

#14 broncobill

broncobill
  • Topic Starter

  • Members
  • 12 posts
  • Local time:04:31 AM

Posted 10 March 2010 - 08:24 PM

Here are the scan results.

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider
Description: MSAFD Tcpip [TCP/IP]
Provider ID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1001
Version: 2
Address Family: 2
Max Address Length: 16
Min Address Length: 16
Socket Type: 1
Protocol: 6
Service Flags: 0x20066
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider
Description: MSAFD Tcpip [UDP/IP]
Provider ID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1002
Version: 2
Address Family: 2
Max Address Length: 16
Min Address Length: 16
Socket Type: 2
Protocol: 17
Service Flags: 0x20609
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider
Description: MSAFD Tcpip [RAW/IP]
Provider ID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1003
Version: 2
Address Family: 2
Max Address Length: 16
Min Address Length: 16
Socket Type: 3
Protocol: 0
Service Flags: 0x20609
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider
Description: MSAFD Tcpip [TCP/IPv6]
Provider ID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1004
Version: 2
Address Family: 23
Max Address Length: 28
Min Address Length: 28
Socket Type: 1
Protocol: 6
Service Flags: 0x20066
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider
Description: MSAFD Tcpip [UDP/IPv6]
Provider ID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1005
Version: 2
Address Family: 23
Max Address Length: 28
Min Address Length: 28
Socket Type: 2
Protocol: 17
Service Flags: 0x20609
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider
Description: MSAFD Tcpip [RAW/IPv6]
Provider ID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1006
Version: 2
Address Family: 23
Max Address Length: 28
Min Address Length: 28
Socket Type: 3
Protocol: 0
Service Flags: 0x20609
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider
Description: RSVP TCPv6 Service Provider
Provider ID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1007
Version: 2
Address Family: 23
Max Address Length: 28
Min Address Length: 28
Socket Type: 1
Protocol: 6
Service Flags: 0x22066
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider
Description: RSVP TCP Service Provider
Provider ID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1008
Version: 2
Address Family: 2
Max Address Length: 16
Min Address Length: 16
Socket Type: 1
Protocol: 6
Service Flags: 0x22066
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider
Description: RSVP UDPv6 Service Provider
Provider ID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1009
Version: 2
Address Family: 23
Max Address Length: 28
Min Address Length: 28
Socket Type: 2
Protocol: 17
Service Flags: 0x22609
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider
Description: RSVP UDP Service Provider
Provider ID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1010
Version: 2
Address Family: 2
Max Address Length: 16
Min Address Length: 16
Socket Type: 2
Protocol: 17
Service Flags: 0x22609
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Layered Chain Entry (32)
Description: dagny115 over [MSAFD Tcpip [TCP/IP]]
Provider ID: {DA06D9E8-9B32-4D68-B158-A385D4E81919}
Provider Path: C:\Users\james\AppData\Local\Temp\dagny115.dll
Catalog Entry ID: 1012
Version: 2
Address Family: 2
Max Address Length: 16
Min Address Length: 16
Socket Type: 1
Protocol: 6
Service Flags: 0x66
Protocol Chain Length: 2
Protocol Chain: 1011 : 1001


Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Layered Chain Entry (32)
Description: dagny115 over [MSAFD Tcpip [UDP/IP]]
Provider ID: {63488326-5514-4298-87AC-FBF7E8424CF5}
Provider Path: C:\Users\james\AppData\Local\Temp\dagny115.dll
Catalog Entry ID: 1013
Version: 2
Address Family: 2
Max Address Length: 16
Min Address Length: 16
Socket Type: 2
Protocol: 17
Service Flags: 0x609
Protocol Chain Length: 2
Protocol Chain: 1011 : 1002


Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Layered Chain Entry (32)
Description: dagny115 over [MSAFD Tcpip [RAW/IP]]
Provider ID: {524B78FC-74C8-40C3-BF7E-F6A8CF86DA68}
Provider Path: C:\Users\james\AppData\Local\Temp\dagny115.dll
Catalog Entry ID: 1014
Version: 2
Address Family: 2
Max Address Length: 16
Min Address Length: 16
Socket Type: 3
Protocol: 0
Service Flags: 0x609
Protocol Chain Length: 2
Protocol Chain: 1011 : 1003


Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Layered Chain Entry (32)
Description: dagny115 over [MSAFD Tcpip [TCP/IPv6]]
Provider ID: {82A1109E-38C1-4B48-87EA-67D7D8C8CBD2}
Provider Path: C:\Users\james\AppData\Local\Temp\dagny115.dll
Catalog Entry ID: 1015
Version: 2
Address Family: 23
Max Address Length: 28
Min Address Length: 28
Socket Type: 1
Protocol: 6
Service Flags: 0x66
Protocol Chain Length: 2
Protocol Chain: 1011 : 1004


Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Layered Chain Entry (32)
Description: dagny115 over [MSAFD Tcpip [UDP/IPv6]]
Provider ID: {CFA1BAF7-65CD-42F6-88BA-054A500D985E}
Provider Path: C:\Users\james\AppData\Local\Temp\dagny115.dll
Catalog Entry ID: 1016
Version: 2
Address Family: 23
Max Address Length: 28
Min Address Length: 28
Socket Type: 2
Protocol: 17
Service Flags: 0x609
Protocol Chain Length: 2
Protocol Chain: 1011 : 1005


Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Layered Chain Entry (32)
Description: dagny115 over [MSAFD Tcpip [RAW/IPv6]]
Provider ID: {ACE61CC2-7441-4081-849C-4CACD4A7A244}
Provider Path: C:\Users\james\AppData\Local\Temp\dagny115.dll
Catalog Entry ID: 1017
Version: 2
Address Family: 23
Max Address Length: 28
Min Address Length: 28
Socket Type: 3
Protocol: 0
Service Flags: 0x609
Protocol Chain Length: 2
Protocol Chain: 1011 : 1006


Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider (32)
Description: MSAFD Tcpip [TCP/IP]
Provider ID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1001
Version: 2
Address Family: 2
Max Address Length: 16
Min Address Length: 16
Socket Type: 1
Protocol: 6
Service Flags: 0x20066
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider (32)
Description: MSAFD Tcpip [UDP/IP]
Provider ID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1002
Version: 2
Address Family: 2
Max Address Length: 16
Min Address Length: 16
Socket Type: 2
Protocol: 17
Service Flags: 0x20609
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider (32)
Description: MSAFD Tcpip [RAW/IP]
Provider ID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1003
Version: 2
Address Family: 2
Max Address Length: 16
Min Address Length: 16
Socket Type: 3
Protocol: 0
Service Flags: 0x20609
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider (32)
Description: MSAFD Tcpip [TCP/IPv6]
Provider ID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1004
Version: 2
Address Family: 23
Max Address Length: 28
Min Address Length: 28
Socket Type: 1
Protocol: 6
Service Flags: 0x20066
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider (32)
Description: MSAFD Tcpip [UDP/IPv6]
Provider ID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1005
Version: 2
Address Family: 23
Max Address Length: 28
Min Address Length: 28
Socket Type: 2
Protocol: 17
Service Flags: 0x20609
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider (32)
Description: MSAFD Tcpip [RAW/IPv6]
Provider ID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1006
Version: 2
Address Family: 23
Max Address Length: 28
Min Address Length: 28
Socket Type: 3
Protocol: 0
Service Flags: 0x20609
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider (32)
Description: RSVP TCPv6 Service Provider
Provider ID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1007
Version: 2
Address Family: 23
Max Address Length: 28
Min Address Length: 28
Socket Type: 1
Protocol: 6
Service Flags: 0x22066
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider (32)
Description: RSVP TCP Service Provider
Provider ID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1008
Version: 2
Address Family: 2
Max Address Length: 16
Min Address Length: 16
Socket Type: 1
Protocol: 6
Service Flags: 0x22066
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider (32)
Description: RSVP UDPv6 Service Provider
Provider ID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1009
Version: 2
Address Family: 23
Max Address Length: 28
Min Address Length: 28
Socket Type: 2
Protocol: 17
Service Flags: 0x22609
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider (32)
Description: RSVP UDP Service Provider
Provider ID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1010
Version: 2
Address Family: 2
Max Address Length: 16
Min Address Length: 16
Socket Type: 2
Protocol: 17
Service Flags: 0x22609
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Layered Service Provider (32)
Description: dagny115
Provider ID: {646E9F0D-444C-4153-159F-1E396A5B0000}
Provider Path: C:\Users\james\AppData\Local\Temp\dagny115.dll
Catalog Entry ID: 1011
Version: 2
Address Family: 2
Max Address Length: 16
Min Address Length: 16
Socket Type: 0
Protocol: 0
Service Flags: 0x66
Protocol Chain Length: 0

Name Space Provider Entry
------------------------------------------------------
Description: Network Location Awareness Legacy (NLAv1) Namespace
Provider ID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Name Space: 15
Active: 1
Version: 0


Name Space Provider Entry
------------------------------------------------------
Description: Tcpip
Provider ID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Name Space: 12
Active: 1
Version: 0


Name Space Provider Entry
------------------------------------------------------
Description: NTDS
Provider ID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Name Space: 32
Active: 1
Version: 0


Name Space Provider Entry
------------------------------------------------------
Description: E-mail Naming Shim Provider
Provider ID: {964ACBA2-B2BC-40EB-8C6A-A6DB40161CAE}
Name Space: 37
Active: 1
Version: 0


Name Space Provider Entry
------------------------------------------------------
Description: PNRP Cloud Namespace Provider
Provider ID: {03FE89CE-766D-4976-B9C1-BB9BC42C7B4D}
Name Space: 39
Active: 1
Version: 0


Name Space Provider Entry
------------------------------------------------------
Description: PNRP Name Namespace Provider
Provider ID: {03FE89CD-766D-4976-B9C1-BB9BC42C7B4D}
Name Space: 38
Active: 1
Version: 0


Name Space Provider Entry
------------------------------------------------------
Description: WindowsLive NSP
Provider ID: {4177DDE9-6028-479E-B7B7-03591A63FF3A}
Name Space: 12
Active: 1
Version: 1


Name Space Provider Entry
------------------------------------------------------
Description: WindowsLive Local NSP
Provider ID: {229F2A2C-5F18-4A06-8F89-3A372170624D}
Name Space: 19
Active: 1
Version: 1


Name Space Provider Entry (32)
------------------------------------------------------
Description: Network Location Awareness Legacy (NLAv1) Namespace
Provider ID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Name Space: 15
Active: 1
Version: 0


Name Space Provider Entry (32)
------------------------------------------------------
Description: Tcpip
Provider ID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Name Space: 12
Active: 1
Version: 0


Name Space Provider Entry (32)
------------------------------------------------------
Description: NTDS
Provider ID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Name Space: 32
Active: 1
Version: 0


Name Space Provider Entry (32)
------------------------------------------------------
Description: E-mail Naming Shim Provider
Provider ID: {964ACBA2-B2BC-40EB-8C6A-A6DB40161CAE}
Name Space: 37
Active: 1
Version: 0


Name Space Provider Entry (32)
------------------------------------------------------
Description: PNRP Cloud Namespace Provider
Provider ID: {03FE89CE-766D-4976-B9C1-BB9BC42C7B4D}
Name Space: 39
Active: 1
Version: 0


Name Space Provider Entry (32)
------------------------------------------------------
Description: PNRP Name Namespace Provider
Provider ID: {03FE89CD-766D-4976-B9C1-BB9BC42C7B4D}
Name Space: 38
Active: 1
Version: 0


Name Space Provider Entry (32)
------------------------------------------------------
Description: WindowsLive NSP
Provider ID: {4177DDE9-6028-479E-B7B7-03591A63FF3A}
Name Space: 12
Active: 1
Version: 1


Name Space Provider Entry (32)
------------------------------------------------------
Description: WindowsLive Local NSP
Provider ID: {229F2A2C-5F18-4A06-8F89-3A372170624D}
Name Space: 19
Active: 1
Version: 1




#15 Jintan

Jintan

  • Malware Response Team
  • 531 posts
  • Local time:06:31 AM

Posted 10 March 2010 - 09:52 PM

That surely shows the search hijacker. Also mostly default entries, but there are some that Windows Live apparently uses. To avoid the changes we will make to the Winsock from causing issues with that, better if you go ahead and uninstall any Windows Live programs now.


Once you have done that you need to create a fresh Restore point, to have a backup option if needed. Just follow the steps here under "Create a System Restore point" to do that.


Then be sure to temp disable all security software.

Go to Start Search, type cmd.exe in the Start Search box. Cmd.exe will appear at the top of the Menu. Right-click on it and choose "Run as administrator". At the prompt copy/paste the following, pressing Enter after:

netsh winsock reset

Agree to any warnings and allow Windows to restore the default Winsock settings. Then reboot, and right off check to make sure you are able to connect to the Internet. If you find you cannot then run System Restore to return to a past time.

To do that, again go to Start Search, type restore in the Start Search box, then click the System Restore option when it appears and follow the prompts. If available, you may want to choose a date before this search hijacker got itself installed.

Once you have made the Winsock repairs and rebooted, run and post back a new DDS scan log please.

Edited by Jintan, 10 March 2010 - 09:53 PM.

Ad eundum quo no duck ante iit
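An added example for the catalog log and the reply above, not code from this thread: a small Python script that parses `netsh winsock show catalog` output and flags entries whose provider DLL sits outside the Windows directory or in a user Temp folder, or that are layered over a base provider, resolving the `Protocol Chain` IDs to names (so 1012 reads as dagny115 over MSAFD Tcpip [TCP/IP]). The SAMPLE text is constructed from three entries of the log; the Windows-directory rule is an assumption, and legitimate third-party LSPs can live elsewhere, so a hit means review the entry, not that it is malware.

```python
"""Flag suspicious entries in 'netsh winsock show catalog' output.
Added example, not from the thread; SAMPLE is constructed from the log above."""
import re

# Assumption: Winsock providers that ship with Windows live under the Windows
# directory. Third-party LSPs (security suites) can live elsewhere, so a hit
# here means "review this entry", not "this is malware".
WINDOWS_DIR_PREFIXES = ("%systemroot%", "c:\\windows\\")
HEADER_RE = re.compile(r"^(Winsock Catalog|Name Space) Provider Entry")
FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")  # key stops at the first colon

SAMPLE = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider
Description: MSAFD Tcpip [TCP/IP]
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1001

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Layered Chain Entry (32)
Description: dagny115 over [MSAFD Tcpip [TCP/IP]]
Provider Path: C:\Users\james\AppData\Local\Temp\dagny115.dll
Catalog Entry ID: 1012
Protocol Chain: 1011 : 1001

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Layered Service Provider (32)
Description: dagny115
Provider Path: C:\Users\james\AppData\Local\Temp\dagny115.dll
Catalog Entry ID: 1011
"""

def parse_catalog(text: str) -> list[dict]:
    """One dict of 'Field: value' pairs per provider entry, in catalog order."""
    entries: list[dict] = []
    current: dict = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if HEADER_RE.match(line):
            current = {"Kind": line}
            entries.append(current)
        elif current and not line.startswith("---"):
            m = FIELD_RE.match(line)
            if m:
                current[m.group(1).strip()] = m.group(2).strip()
    return entries

def review_catalog(text: str) -> list[dict]:
    """Return entries worth a second look, each with reasons and resolved chain."""
    entries = parse_catalog(text)
    by_id = {e["Catalog Entry ID"]: e for e in entries if "Catalog Entry ID" in e}
    findings: list[dict] = []
    for e in entries:
        path, etype = e.get("Provider Path", ""), e.get("Entry Type", "")
        reasons = []
        if path and not path.lower().startswith(WINDOWS_DIR_PREFIXES):
            reasons.append("provider DLL outside the Windows directory")
        if "\\appdata\\local\\temp\\" in path.lower():
            reasons.append("provider DLL in a user Temp folder")
        if etype.startswith(("Layered Service Provider", "Layered Chain Entry")):
            reasons.append("layered provider: sees every socket call on its chain")
        if reasons:
            # "1011 : 1001" -> names of the LSP and the base provider it wraps
            ids = [i.strip() for i in e.get("Protocol Chain", "").split(":") if i.strip()]
            chain = [by_id.get(i, {}).get("Description", "?") for i in ids]
            findings.append({"id": e.get("Catalog Entry ID", "?"), "path": path, "reasons": reasons, "chain": chain})
    return findings
```

Run it against a saved `looker.txt` instead of SAMPLE to check a real catalog before deciding on `netsh winsock reset`.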



