
Thread: search redirects

  1. #21 Member (Join Date: May 2011; Posts: 35)

    ComboFix 12-07-19.02 - Dr. Gioe 07/19/2012 11:32:48.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3034.2405 [GMT -5:00]
    Running from: c:\documents and settings\Dr. Gioe\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Dr. Gioe\Local Settings\Application Data\Dell\Apple Computer\uqjqls.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-19 to 2012-07-19 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-19 16:24 . 2012-07-19 16:24 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DB9C089A-A9E5-4035-9269-27D1FED6E7C9}\offreg.dll
    2012-07-19 16:24 . 2012-07-19 16:24 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DB9C089A-A9E5-4035-9269-27D1FED6E7C9}\MpKslf6929080.sys
    2012-07-18 17:05 . 2012-06-29 08:44 6891424 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DB9C089A-A9E5-4035-9269-27D1FED6E7C9}\mpengine.dll
    2012-07-18 12:35 . 2012-06-29 08:44 6891424 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-03 18:46 . 2011-05-06 00:10 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-06-13 13:29 . 2008-04-25 16:16 1875072 ----a-w- c:\windows\system32\win32k.sys
    2012-06-05 15:50 . 2008-04-25 16:16 1372672 ----a-w- c:\windows\system32\msxml6.dll
    2012-06-05 15:50 . 2008-04-25 16:16 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2012-06-04 04:32 . 2008-04-25 16:16 152576 ----a-w- c:\windows\system32\schannel.dll
    2012-06-02 20:19 . 2008-10-16 19:09 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
    2012-06-02 20:19 . 2008-10-16 19:07 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
    2012-06-02 20:19 . 2008-04-25 21:27 329240 ----a-w- c:\windows\system32\wucltui.dll
    2012-06-02 20:19 . 2008-04-25 21:27 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
    2012-06-02 20:19 . 2008-04-25 21:27 210968 ----a-w- c:\windows\system32\wuweb.dll
    2012-06-02 20:19 . 2008-10-16 19:09 45080 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 20:19 . 2008-10-16 19:07 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
    2012-06-02 20:19 . 2008-04-25 21:27 53784 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 20:19 . 2008-04-25 21:27 35864 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 20:19 . 2008-04-25 16:16 97304 ----a-w- c:\windows\system32\cdm.dll
    2012-06-02 20:19 . 2008-10-16 19:07 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
    2012-06-02 20:19 . 2008-04-25 21:27 577048 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 20:19 . 2008-04-25 21:27 1933848 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 20:18 . 2009-08-07 19:52 275696 ----a-w- c:\windows\system32\mucltui.dll
    2012-06-02 20:18 . 2009-08-07 19:52 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
    2012-06-02 20:18 . 2008-10-16 19:07 214256 ----a-w- c:\windows\system32\muweb.dll
    2012-05-31 13:22 . 2008-04-25 16:16 599040 ----a-w- c:\windows\system32\crypt32.dll
    2012-05-16 15:08 . 2008-04-25 16:16 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-05-11 14:42 . 2008-04-25 16:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-05-11 14:42 . 2008-04-25 16:16 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-05-11 11:38 . 2008-04-25 16:16 385024 ----a-w- c:\windows\system32\html.iec
    2012-05-04 13:24 . 2008-04-25 16:16 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-05-04 12:41 . 2008-04-14 00:01 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2012-05-02 13:46 . 2008-04-25 21:26 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-07-16_22.08.58 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-07-19 12:25 . 2012-07-19 12:25 16384 c:\windows\Temp\Perflib_Perfdata_2ec.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DtxQuickLaunch.exe"="c:\program files\Dentrix\DtxQuickLaunch.exe" [2005-02-25 81920]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-04-03 483420]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-08 150040]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
    "Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-10-19 1439496]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-05-07 178712]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-08 178712]
    "Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-01-09 405639]
    "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2009-01-09 1712128]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-06 2289664]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-03-31 217088]
    "AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-04-03 737280]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2012-2-4 1155432]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2009-08-01 11:58 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
    "c:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    .
    R1 MpKslf6929080;MpKslf6929080;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DB9C089A-A9E5-4035-9269-27D1FED6E7C9}\MpKslf6929080.sys [7/19/2012 11:24 AM 29904]
    R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [8/1/2009 9:43 AM 113024]
    R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [8/1/2009 7:03 AM 144128]
    R3 OA009Afx;Provides a software interface to control audio effects of OA009 camera.;c:\windows\system32\drivers\OA009Afx.sys [8/1/2009 9:43 AM 148056]
    R3 OA009Ufd;Creative Camera OA009 Upper Filter Driver;c:\windows\system32\drivers\OA009Ufd.sys [8/1/2009 9:43 AM 144544]
    R3 OA009Vid;Creative Camera OA009 Function Driver;c:\windows\system32\drivers\OA009Vid.sys [8/1/2009 9:43 AM 268992]
    R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [8/1/2009 9:43 AM 160256]
    S2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]
    S3 AMBFilt;Creative AMB Service;c:\windows\system32\drivers\AMBFilt.sys [8/1/2009 9:43 AM 1656960]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MPKSLF6929080
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-05 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]
    .
    2012-07-19 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
    - c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 22:03]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.254
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-Apple Computer - c:\documents and settings\Dr. Gioe\Local Settings\Application Data\Dell\Apple Computer\uqjqls.dll
    HKU-Default-Run-Apple Computer - c:\documents and settings\Dr. Gioe\Local Settings\Application Data\Dell\Apple Computer\uqjqls.dll
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-07-19 11:38
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(888)
    c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
    c:\windows\System32\BCMLogon.dll
    .
    Completion time: 2012-07-19 11:40:21
    ComboFix-quarantined-files.txt 2012-07-19 16:40
    ComboFix2.txt 2012-07-16 22:10
    ComboFix3.txt 2011-05-15 15:55
    .
    Pre-Run: 288,327,761,920 bytes free
    Post-Run: 288,567,136,256 bytes free
    .
    - - End Of File - - 96F3DADE6839E585E50E279FB93E24D3
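Added example, not code from the thread or from ComboFix: a small Python triage script that pulls the Run-key values and the ORPHANS REMOVED entries out of a ComboFix log like the one above and flags autostart targets that sit under a user profile's Application Data tree or that point at a DLL, which is the pattern of the uqjqls.dll entry in this log. The sample text is constructed from lines in this thread, and the two heuristics are the editor's assumptions, not ComboFix's own logic.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample, not a real log file: a handful of lines in the shape of the
# "Reg Loading Points" and "ORPHANS REMOVED" sections of the ComboFix logs posted
# in this thread (the paths are the ones that appear in those logs).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DtxQuickLaunch.exe"="c:\program files\Dentrix\DtxQuickLaunch.exe" [2005-02-25 81920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-08 150040]
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Apple Computer - c:\documents and settings\Dr. Gioe\Local Settings\Application Data\Dell\Apple Computer\uqjqls.dll
HKU-Default-Run-PowerDVD DX - c:\documents and settings\Dr. Gioe\Local Settings\Application Data\Secunia PSI\PowerDVD DX\linjr.dll
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]+)"(?:\s+\[[^\]]*\])?$')
ORPHAN_RE = re.compile(
    r"^(?P<hive>HK\w+(?:-Default)?)-Run-(?P<name>.+?) - (?P<target>[a-zA-Z]:\\.*)$")

# Heuristic (editor's assumption): installed software on XP normally autostarts from
# Program Files or system32, so a Run target under a per-user Application Data tree
# is worth a second look.
PROFILE_APPDATA_RE = re.compile(
    r"^[a-z]:\\documents and settings\\[^\\]+\\(?:local settings\\)?application data\\",
    re.I)


@dataclass
class Autostart:
    source: str                      # registry key, or orphan hive label, the entry came from
    name: str                        # value name as ComboFix printed it
    target: str                      # file the entry points at
    reasons: List[str] = field(default_factory=list)


def parse_autostarts(log_text: str) -> List[Autostart]:
    """Collect Run-key values and ORPHANS REMOVED entries from ComboFix log text."""
    entries: List[Autostart] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue                  # ComboFix uses lone dots as section spacing
        if m := KEY_RE.match(line):
            current_key = m.group("key")
            continue
        if m := ORPHAN_RE.match(line):
            entries.append(Autostart("ORPHAN:" + m.group("hive") + "-Run",
                                     m.group("name"), m.group("target")))
            continue
        if (m := VALUE_RE.match(line)) and current_key.lower().endswith("\\run"):
            entries.append(Autostart(current_key, m.group("name"), m.group("target")))
    return entries


def assess(entry: Autostart) -> Autostart:
    """Attach the reasons an entry deserves a closer look (empty list = nothing noted)."""
    target = entry.target.lower()
    if PROFILE_APPDATA_RE.match(target):
        entry.reasons.append("autostart target lives under a user profile's Application Data")
    if target.endswith(".dll"):
        entry.reasons.append("Run value points at a DLL rather than an executable")
    return entry


def triage(log_text: str) -> List[Autostart]:
    """Return only the autostart entries that collected at least one reason."""
    return [e for e in map(assess, parse_autostarts(log_text)) if e.reasons]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.source}  {e.name!r} -> {e.target}")
        for r in e.reasons:
            print(f"    - {r}")
```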

  2. #22 Security Expert ken545 (Join Date: Nov 2005; Location: Stamford, CT; Posts: 13,356)

    Drag your copy of Combofix to the trash and let's grab a new, fresh, updated copy.

    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    • See this Link for programs that need to be disabled and instruction on how to disable them.
    • Remember to re-enable them when we're done.

    Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above ClearJavaCache::


    Code:
    ClearJavaCache::
    Save this as CFScript to your desktop.

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #23 Member (Join Date: May 2011; Posts: 35)

    ComboFix 12-07-30.01 - Dr. Gioe 07/30/2012 20:08:26.5.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3034.2515 [GMT -5:00]
    Running from: c:\documents and settings\Dr. Gioe\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Dr. Gioe\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Dr. Gioe\Local Settings\Application Data\Secunia PSI\PowerDVD DX\linjr.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-28 to 2012-07-31 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-30 21:51 . 2012-07-30 21:51 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CDFF5785-3BE7-45DC-9684-2B561B187DD9}\offreg.dll
    2012-07-30 18:01 . 2012-07-30 18:01 -------- d-----w- C:\_OTL
    2012-07-30 16:32 . 2012-06-29 08:44 6891424 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CDFF5785-3BE7-45DC-9684-2B561B187DD9}\mpengine.dll
    2012-07-26 19:29 . 2012-06-29 08:44 6891424 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-07-26 01:02 . 2012-07-26 01:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
    2012-07-20 18:56 . 2012-07-26 01:35 -------- d-----w- c:\documents and settings\Cheri
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-30 17:30 . 2012-07-30 17:30 33038 ----a-w- C:\TDSSKiller.2.7.48.0_30.07.2012_11.49.12_log.zip
    2012-07-03 18:46 . 2011-05-06 00:10 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-06-13 13:29 . 2008-04-25 16:16 1875072 ----a-w- c:\windows\system32\win32k.sys
    2012-06-05 15:50 . 2008-04-25 16:16 1372672 ----a-w- c:\windows\system32\msxml6.dll
    2012-06-05 15:50 . 2008-04-25 16:16 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2012-06-04 04:32 . 2008-04-25 16:16 152576 ----a-w- c:\windows\system32\schannel.dll
    2012-06-02 20:19 . 2008-10-16 19:09 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
    2012-06-02 20:19 . 2008-10-16 19:07 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
    2012-06-02 20:19 . 2008-04-25 21:27 329240 ----a-w- c:\windows\system32\wucltui.dll
    2012-06-02 20:19 . 2008-04-25 21:27 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
    2012-06-02 20:19 . 2008-04-25 21:27 210968 ----a-w- c:\windows\system32\wuweb.dll
    2012-06-02 20:19 . 2008-10-16 19:09 45080 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 20:19 . 2008-10-16 19:07 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
    2012-06-02 20:19 . 2008-04-25 21:27 53784 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 20:19 . 2008-04-25 21:27 35864 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 20:19 . 2008-04-25 16:16 97304 ----a-w- c:\windows\system32\cdm.dll
    2012-06-02 20:19 . 2008-10-16 19:07 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
    2012-06-02 20:19 . 2008-04-25 21:27 577048 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 20:19 . 2008-04-25 21:27 1933848 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 20:18 . 2009-08-07 19:52 275696 ----a-w- c:\windows\system32\mucltui.dll
    2012-06-02 20:18 . 2009-08-07 19:52 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
    2012-06-02 20:18 . 2008-10-16 19:07 214256 ----a-w- c:\windows\system32\muweb.dll
    2012-05-31 13:22 . 2008-04-25 16:16 599040 ----a-w- c:\windows\system32\crypt32.dll
    2012-05-16 15:08 . 2008-04-25 16:16 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-05-11 14:42 . 2008-04-25 16:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-05-11 14:42 . 2008-04-25 16:16 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-05-11 11:38 . 2008-04-25 16:16 385024 ----a-w- c:\windows\system32\html.iec
    2012-05-04 13:24 . 2008-04-25 16:16 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-05-04 12:41 . 2008-04-14 00:01 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2012-05-02 13:46 . 2008-04-25 21:26 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-07-16_22.08.58 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-07-30 21:49 . 2012-07-30 21:49 16384 c:\windows\Temp\Perflib_Perfdata_294.dat
    + 2011-12-19 23:16 . 2006-04-10 20:02 74752 c:\windows\system32\spool\drivers\w32x86\3\hpzpr054.dll
    + 2011-12-19 23:16 . 2006-03-04 03:02 57344 c:\windows\system32\spool\drivers\w32x86\3\HPZISN12.DLL
    + 2011-12-19 23:16 . 2006-03-04 03:02 94208 c:\windows\system32\spool\drivers\w32x86\3\HPZIPT12.DLL
    + 2011-12-19 23:16 . 2006-03-04 03:03 69632 c:\windows\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
    + 2011-12-19 23:16 . 2006-03-04 03:03 65536 c:\windows\system32\spool\drivers\w32x86\3\HPZINW12.EXE
    + 2011-12-19 23:16 . 2004-10-16 11:31 61440 c:\windows\system32\spool\drivers\w32x86\3\HPNRA.EXE
    + 2011-12-19 23:16 . 2005-06-20 20:33 94208 c:\windows\system32\spool\drivers\w32x86\3\HPJIPX1U.DLL
    + 2011-12-19 23:16 . 2005-09-19 20:17 79872 c:\windows\system32\spool\drivers\w32x86\3\hpfrs054.dll
    + 2011-12-19 23:16 . 2005-06-20 20:33 57344 c:\windows\system32\spool\drivers\w32x86\3\HPBPROPS.DLL
    + 2011-12-19 23:16 . 2005-05-20 16:37 81920 c:\windows\system32\spool\drivers\w32x86\3\HPBPRO.EXE
    + 2011-12-19 23:16 . 2005-06-20 20:33 57344 c:\windows\system32\spool\drivers\w32x86\3\HPBOIDPS.DLL
    + 2011-12-19 23:16 . 2004-10-16 11:31 73728 c:\windows\system32\spool\drivers\w32x86\3\HPBOID.EXE
    + 2011-12-19 23:16 . 2005-06-20 20:33 49152 c:\windows\system32\spool\drivers\w32x86\3\HPBNRAC2.DLL
    + 2011-12-19 23:16 . 2005-06-20 20:33 81920 c:\windows\system32\spool\drivers\w32x86\3\HPBMIAPI.DLL
    + 2011-12-19 23:16 . 2006-04-10 19:44 563200 c:\windows\system32\spool\drivers\w32x86\3\hpzss054.dll
    + 2011-12-19 23:16 . 2006-03-04 03:02 204800 c:\windows\system32\spool\drivers\w32x86\3\HPZIPR12.DLL
    + 2011-12-19 23:16 . 2006-03-04 03:03 282680 c:\windows\system32\spool\drivers\w32x86\3\HPZIDR12.DLL
    + 2011-12-19 23:16 . 2006-04-10 20:02 309760 c:\windows\system32\spool\drivers\w32x86\3\hpzev054.dll
    + 2011-12-19 23:16 . 2006-04-10 20:02 248320 c:\windows\system32\spool\drivers\w32x86\3\hpz3a054.dll
    + 2011-12-19 23:16 . 2005-06-20 20:51 208969 c:\windows\system32\spool\drivers\w32x86\3\HPPASNM0.DLL
    + 2011-12-19 23:16 . 2005-06-20 20:51 225351 c:\windows\system32\spool\drivers\w32x86\3\HPPAPTS0.DLL
    + 2011-12-19 23:16 . 2005-06-20 20:51 213063 c:\windows\system32\spool\drivers\w32x86\3\HPPAPML0.DLL
    + 2011-12-19 23:16 . 2005-06-20 20:33 163840 c:\windows\system32\spool\drivers\w32x86\3\HPJCMN2U.DLL
    + 2011-12-19 23:16 . 2005-09-19 20:17 274944 c:\windows\system32\spool\drivers\w32x86\3\hpfie054.dll
    + 2011-12-19 23:16 . 2006-03-14 20:49 659528 c:\windows\system32\spool\drivers\w32x86\3\hpcdmc32.dll
    + 2011-12-19 23:16 . 2005-08-08 23:26 139264 c:\windows\system32\spool\drivers\w32x86\3\HPBMINI.DLL
    + 2011-12-19 23:16 . 2006-04-10 20:02 2572288 c:\windows\system32\spool\drivers\w32x86\3\hpzui054.dll
    + 2011-12-19 23:16 . 2006-04-10 19:19 3650048 c:\windows\system32\spool\drivers\w32x86\3\hpzst054.dll
    + 2011-12-19 23:16 . 2006-04-10 20:03 1360384 c:\windows\system32\spool\drivers\w32x86\3\hpz3r054.dll
    + 2011-12-19 23:16 . 2005-11-18 03:53 7134720 c:\windows\system32\spool\drivers\w32x86\3\hpfig054.dll
    + 2011-12-19 23:16 . 2006-01-24 14:22 1392640 c:\windows\system32\spool\drivers\w32x86\3\hpbcfgre.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DtxQuickLaunch.exe"="c:\program files\Dentrix\DtxQuickLaunch.exe" [2005-02-25 81920]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-04-03 483420]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-08 150040]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
    "Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-10-19 1439496]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-05-07 178712]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-08 178712]
    "Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-01-09 405639]
    "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2009-01-09 1712128]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-06 2289664]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-03-31 217088]
    "AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-04-03 737280]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2012-2-4 1155432]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2009-08-01 11:58 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
    "c:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\Windows Live\\Mail\\wlmail.exe"=
    .
    R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [8/1/2009 9:43 AM 113024]
    R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [8/1/2009 7:03 AM 144128]
    R3 OA009Afx;Provides a software interface to control audio effects of OA009 camera.;c:\windows\system32\drivers\OA009Afx.sys [8/1/2009 9:43 AM 148056]
    R3 OA009Ufd;Creative Camera OA009 Upper Filter Driver;c:\windows\system32\drivers\OA009Ufd.sys [8/1/2009 9:43 AM 144544]
    R3 OA009Vid;Creative Camera OA009 Function Driver;c:\windows\system32\drivers\OA009Vid.sys [8/1/2009 9:43 AM 268992]
    R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [8/1/2009 9:43 AM 160256]
    S2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]
    S3 AMBFilt;Creative AMB Service;c:\windows\system32\drivers\AMBFilt.sys [8/1/2009 9:43 AM 1656960]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-26 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]
    .
    2012-07-30 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
    - c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 22:03]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-PowerDVD DX - c:\documents and settings\Dr. Gioe\Local Settings\Application Data\Secunia PSI\PowerDVD DX\linjr.dll
    HKU-Default-Run-PowerDVD DX - c:\documents and settings\Dr. Gioe\Local Settings\Application Data\Secunia PSI\PowerDVD DX\linjr.dll
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-07-30 20:13
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(892)
    c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
    c:\windows\System32\BCMLogon.dll
    c:\windows\system32\igfxdev.dll
    .
    Completion time: 2012-07-30 20:14:36
    ComboFix-quarantined-files.txt 2012-07-31 01:14
    ComboFix2.txt 2012-07-19 16:40
    ComboFix3.txt 2012-07-16 22:10
    ComboFix4.txt 2011-05-15 15:55
    .
    Pre-Run: 288,232,828,928 bytes free
    Post-Run: 288,259,944,448 bytes free
    .
    - - End Of File - - 104E4B1B820E6B59B1D8EE0C2DB1BE0D

  4. #24 Security Expert ken545 (Join Date: Nov 2005; Location: Stamford, CT; Posts: 13,356)

    How are the redirects?

  5. #25 Member (Join Date: May 2011; Posts: 35)

    I tried some searches and got no redirects so things look better. Thank you very much for your help!

  6. #26 Member (Join Date: May 2011; Posts: 35)

    Getting redirects again. This time they are not opening in a new window.

  7. #27 Security Expert ken545 (Join Date: Nov 2005; Location: Stamford, CT; Posts: 13,356)

    Where are you being redirected to? Let me ask you about your setup: are you on a router, do you have other computers accessing this router, and if so, are they getting redirected also?

    Is it just IE being redirected, or is it Firefox as well?

    ESET Online Scanner
    I'd like us to scan your machine with ESET OnlineScan

    *Note
    It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.
    1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    2. Click the button.
    3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      1. Click on to download the ESET Smart Installer. Save it to your desktop.
      2. Double click on the icon on your desktop.
    4. Check
    5. Click the button.
    6. Accept any security warnings from your browser.
    7. Check
    8. Make sure that the option "Remove found threats" is Unchecked
    9. Push the Start button.
    10. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    11. When the scan completes, push
    12. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    13. Push the button.
    14. Push
    Please make sure you include the following items in your next post:
    The log that was produced after running ESET Online Scanner.

  8. #28 Member (Join Date: May 2011; Posts: 35)

    Some of the redirects open another window with a list of sites related to the original search; a lot of times it was Scour. Other times, when I would click on a site in my search, I would get redirected to another site with similar content. I have a combination router/DSL modem (Motorola) with two other desktop computers connected, but they have limited (Content Advisor enabled) internet access, and I checked on one of them to see if I got redirects and I did not. I don't use Firefox. Here is the ESET scan.

    C:\Qoobox\Quarantine\C\Documents and Settings\Dr. Gioe\Local Settings\Application Data\Dell\Apple Computer\uqjqls.dll.vir a variant of Win32/Kryptik.AIZP trojan
    C:\Qoobox\Quarantine\C\Documents and Settings\Dr. Gioe\Local Settings\Application Data\PowerDVD DX\Microsoft\tvzjqlnhf.dll.vir a variant of Win32/Kryptik.AIZP trojan
    C:\Qoobox\Quarantine\C\Documents and Settings\Dr. Gioe\Local Settings\Application Data\Secunia PSI\PowerDVD DX\linjr.dll.vir a variant of Win32/Kryptik.AIZP trojan
    C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP1\A0000023.dll a variant of Win32/Kryptik.AIZP trojan
    C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP11\A0000843.dll a variant of Win32/Kryptik.AIZP trojan

  9. #29
    Security Expert ken545's Avatar
    Join Date
    Nov 2005
    Location
    Stamford, CT
    Posts
    13,356

    Default

    OK, thanks for the info. I have seen routers in the past get infected, but if it's just your system then most likely the router is OK.

    The files in Qoobox are just backups of what ComboFix removed; they're harmless where they're at and we will remove them when we're done.

    The other files are in System Restore, so let's flush them all out and create a new restore point.

    System Restore is a component of Microsoft's Windows Me, Windows XP, Windows Vista and Windows 7 operating systems that allows for the rolling back of system files, registry keys, installed programs, etc., to a previous state in the event of malfunctioning or failure. Old restore points can be a source of re-infection.

    Please follow the steps below to create a clean restore point:
    1. Click Start > Run > copy and paste the following into the run box:
      %SystemRoot%\System32\restore\rstrui.exe
    2. Press OK. Choose Create a Restore Point then click Next.
    3. Name it (something you'll remember) and click Create.
    4. When the confirmation screen shows the restore point has been created click Close.


    Then remove all previous Restore Points
    1. Click Start > Run > copy and paste the following into the run box:
      cleanmgr
    2. Choose to scan drive C:\ (if C:\ is your main drive).
    3. At the top, click on More Options tab. Click the Clean up... button in the System Restore box.
    4. Click on the Yes button.
    5. When finished, click on Cancel button to exit.



    Let's run another rootkit scanner; with all the scans we have run we seem to be hitting a wall.

    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK

    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

    Do not re-enable these drivers until otherwise instructed.





    Next:

    Download the GMER Rootkit Scanner. Unzip it to your Desktop.

    Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
    • Double click GMER.exe.
    • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
    • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
    • Save the log where you can easily find it, such as your desktop.
    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

    Please copy and paste the report into your Post.
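The reasoning in the reply above (Qoobox hits are inert ComboFix backups, System Restore hits need a fresh restore point plus a purge, anything else is still live) can be applied mechanically to an ESET log. The script below is an added example, not code from the thread or from ESET; the sample log lines and the `User` profile name are constructed, and the `hypothetical.dll` path is a placeholder for a live detection.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same layout as the ESET log posted above
# (path, then ESET's verdict). The username and the third path are placeholders.
SAMPLE_LOG = r"""
C:\Qoobox\Quarantine\C\Documents and Settings\User\Local Settings\Application Data\Dell\Apple Computer\uqjqls.dll.vir a variant of Win32/Kryptik.AIZP trojan
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP1\A0000023.dll a variant of Win32/Kryptik.AIZP trojan
C:\Documents and Settings\User\Local Settings\Application Data\Sample\hypothetical.dll a variant of Win32/Kryptik.AIZP trojan
"""

# The path runs up to the last file extension before whitespace; everything
# after that is the verdict text. Paths may contain spaces, so anchor on extension.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\.(?:vir|dll|exe|sys|tmp))\s+(?P<verdict>.+)$",
    re.IGNORECASE,
)

# What the helper in the thread says should happen for each location.
ADVICE = {
    "quarantine": "ComboFix backup in Qoobox: inert, removed when ComboFix is uninstalled",
    "restore_point": "old System Restore snapshot: create a fresh restore point, then purge old ones",
    "live": "file outside quarantine and restore points: still active, needs removal",
}

def classify(path):
    """Bucket a detected path by where it sits on disk."""
    p = path.lower()
    if p.startswith("c:\\qoobox\\quarantine\\"):
        return "quarantine"
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    return "live"

def triage(log_text):
    """Parse ESET detection lines and group (path, verdict) pairs by bucket."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # blank lines and non-detection text are skipped
            groups[classify(m.group("path"))].append((m.group("path"), m.group("verdict")))
    return dict(groups)

def still_active(groups):
    """True if any detection lies outside quarantine and restore points."""
    return bool(groups.get("live"))

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for bucket, hits in found.items():
        print(f"{bucket}: {len(hits)} -> {ADVICE[bucket]}")
        for path, verdict in hits:
            print(f"  {path}  [{verdict}]")
    print("machine still carries an active detection:", still_active(found))
```

Run against the log actually posted in this thread, only the quarantine and restore_point buckets are populated, which is exactly why the reply above moves on to flushing restore points rather than hunting a live file.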

  10. #30
    Member
    Join Date
    May 2011
    Posts
    35

    Default

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-07-31 13:00:58
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.11.0
    Running: gmer.exe; Driver: C:\DOCUME~1\DRF276~1.GIO\LOCALS~1\Temp\pwdyapog.sys


    ---- Devices - GMER 1.0.15 ----

    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
    Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

    AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----
