
Thread: Google-Redirect/Happili.com

  1. #1
    Junior Member
    Join Date
    Apr 2012
    Posts
    7

    Default Google-Redirect/Happili.com

    I suspect I've been infected with the Google-redirect virus, since all clicks on Google search results take me to either happili.com or some other website trying to sell something. Unfortunately Spybot doesn't detect any spyware, and Avira antivirus doesn't detect trojans; HOWEVER, from time to time it DOES detect trojans and cleans them (only to find some new ones the following day). Recently the computer crashes, freezes, or runs extremely slowly AT TIMES (not always). Secure connections (https) usually don't work or don't display the page after a secure log-in. Things I did and later found out I should not have done: ran TDSSkiller, FixTDSS (from Norton), and NPE (also from Norton). No solution. Please HELP!

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by sop-student at 15:48:53 on 2012-04-27
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.424 [GMT -4:00]
    .
    AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
    C:\program files\real\realplayer\update\realsched.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\CyberLink\PowerDVD11\PDVD11Serv.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\CyberLink\PowerDVD11\Kernel\DMP\CLHNServiceForPowerDVD.exe
    C:\Program Files\CyberLink\PowerDVD11\Common\MediaServer\CLMSMonitorService.exe
    C:\Program Files\CyberLink\PowerDVD11\Common\MediaServer\CLMSServerForPDVD11.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = iexplore
    BHO: Codec-V: {11111111-1111-1111-1111-110011041135} - c:\program files\codec-v\Codec-V.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Veehd Plugin: {32ea9cd0-5187-4fe3-b989-b4d1408d2802} - c:\program files\veehd plugin\tbunsy54.tmp\tbcore3.dll
    uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [Active Desktop Calendar] c:\program files\xemicomputers\active desktop calendar\ADC.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
    uRun: [Facebook Update] "c:\documents and settings\sop-student\local settings\application data\facebook\update\FacebookUpdate.exe" /c /nocrashserver
    uRun: [Update] rundll32.exe "c:\documents and settings\sop-student\application data\amazon\amazon\vmvsz.dll",DllRegisterServer
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [Apoint] c:\program files\apoint\Apoint.exe
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
    mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
    mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [RemoteControl11] c:\program files\cyberlink\powerdvd11\PDVD11Serv.exe
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    dRun: [Update] rundll32.exe "c:\documents and settings\sop-student\application data\amazon\amazon\vmvsz.dll",DllRegisterServer
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: cvslearnet.com\www
    Trusted Zone: intuit.com\ttlc
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
    DPF: {54EABC7D-40DC-4667-8517-F42D00540342} - hxxp://tegrity1.acast.nova.edu/tegrity/_Player/1.0/Code/DRMActiveX.CAB
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206144652075
    DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215373103515
    DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxps://prometheus.umaryland.edu/sre/Downloads/ICSScanner.cab
    DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
    DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://premconf.webex.com/client/WBXclient-T27L10NSP25-10481/webex/ieatgpc.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
    TCP: Interfaces\{258CEDE0-86E9-4568-BC27-A7F35A67EAC7} : DhcpNameServer = 75.75.75.75 75.75.76.76
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs: c:\progra~1\wi371a~1\datamngr\datamngr.dll c:\progra~1\wi371a~1\datamngr\IEBHO.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\sop-student\application data\mozilla\firefox\profiles\g1td59wu.default\
    FF - prefs.js: browser.search.selectedEngine - Search Results
    FF - prefs.js: browser.startup.homepage - hxxp://www.searchqu.com/406
    FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=101&systemid=406&sr=0&q=
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\documents and settings\sop-student\local settings\application data\facebook\video\skype\npFacebookVideoCalling.dll
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-2-10 36000]
    R2 {329F96B6-DF1E-4328-BFDA-39EA953C1312};Power Control [2012/01/07 21:20:00];c:\program files\cyberlink\powerdvd11\common\navfilter\000.fcl [2011-10-18 77296]
    R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-2-10 86224]
    R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-2-10 110032]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-2-10 74640]
    R2 CLHNServiceForPowerDVD;CLHNServiceForPowerDVD;c:\program files\cyberlink\powerdvd11\kernel\dmp\CLHNServiceForPowerDVD.exe [2012-1-7 83240]
    R2 CyberLink PowerDVD 11.0 Monitor Service;CyberLink PowerDVD 11.0 Monitor Service;c:\program files\cyberlink\powerdvd11\common\mediaserver\CLMSMonitorService.exe [2012-1-7 75048]
    R2 CyberLink PowerDVD 11.0 Service;CyberLink PowerDVD 11.0 Service;c:\program files\cyberlink\powerdvd11\common\mediaserver\CLMSServerForPDVD11.exe [2012-1-7 292136]
    R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2011-8-25 13672]
    R2 ntk_PowerDVD;ntk_PowerDVD;c:\program files\cyberlink\powerdvd11\kernel\dmp\ntk_PowerDVD.sys [2012-1-7 71664]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-23 136176]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-2 253088]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-12-23 136176]
    S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro36.sys [2012-4-17 26400]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-11 14336]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-11 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2012-04-25 19:35:53 -------- d-----w- c:\documents and settings\sop-student\application data\ElevatedDiagnostics
    2012-04-17 15:57:10 26400 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
    2012-04-17 15:46:31 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
    2012-04-17 15:28:55 -------- d--h--w- c:\windows\PIF
    2012-04-13 19:28:17 -------- d-----w- c:\documents and settings\sop-student\application data\DDMSettings
    2012-04-11 20:40:16 -------- d-----w- c:\program files\iPod
    2012-04-09 19:46:32 -------- d-----w- c:\documents and settings\sop-student\local settings\application data\NPE
    2012-04-09 19:46:32 -------- d-----w- c:\documents and settings\all users\application data\Norton
    2012-04-09 15:08:27 -------- d-----w- c:\documents and settings\all users\application data\Premium
    2012-04-09 15:07:13 -------- d-----w- c:\documents and settings\sop-student\local settings\application data\Codec-V
    2012-04-09 15:07:10 -------- d-----w- c:\program files\Codec-V
    2012-04-09 15:07:01 -------- d-----w- C:\codec-info
    2012-04-09 15:06:52 -------- d-----w- c:\documents and settings\all users\application data\InstallMate
    2012-04-04 05:53:56 182160 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
    2012-04-02 14:13:32 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-03-30 05:15:34 -------- d-----w- c:\documents and settings\all users\application data\Graboid Inc
    2012-03-30 05:15:23 -------- d-----w- c:\documents and settings\sop-student\local settings\application data\Geckofx
    2012-03-30 05:13:26 -------- d-----w- c:\program files\VideoLAN
    2012-03-30 05:13:05 -------- d-----w- c:\program files\Graboid
    .
    ==================== Find3M ====================
    .
    2012-04-14 10:01:10 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-03-01 11:01:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-03-01 11:01:32 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
    2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
    2012-02-29 12:17:40 385024 ----a-w- c:\windows\system32\html.iec
    2012-02-15 16:01:50 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
    2012-02-15 16:01:50 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
    .
    ============= FINISH: 15:50:53.71 ===============
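For a reader who wants to triage a DDS "Pseudo HJT Report" like the one above without eyeballing every line, here is an added example (my code, not the forum's and not part of DDS). It applies a handful of heuristics that pick out the entries the later logs in this thread show being removed, plus a few others worth a look: a Run key that uses rundll32.exe to load a DLL from the user profile, a BHO with an obviously synthetic CLSID, a toolbar loaded from a .tmp directory, a populated AppInit_DLLs value, a hosts-file override, and Firefox prefs pointing search at a third-party site. The sample input is a constructed excerpt made of lines copied from the log above; the rule names and the heuristics themselves are my own assumptions, not DDS semantics.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS "Pseudo HJT Report" above (an excerpt, not a full log).
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com/
BHO: Codec-V: {11111111-1111-1111-1111-110011041135} - c:\program files\codec-v\Codec-V.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: Veehd Plugin: {32ea9cd0-5187-4fe3-b989-b4d1408d2802} - c:\program files\veehd plugin\tbunsy54.tmp\tbcore3.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Update] rundll32.exe "c:\documents and settings\sop-student\application data\amazon\amazon\vmvsz.dll",DllRegisterServer
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [Update] rundll32.exe "c:\documents and settings\sop-student\application data\amazon\amazon\vmvsz.dll",DllRegisterServer
AppInit_DLLs: c:\progra~1\wi371a~1\datamngr\datamngr.dll c:\progra~1\wi371a~1\datamngr\IEBHO.dll
Hosts: 127.0.0.1 www.spywareinfo.com
FF - prefs.js: browser.search.selectedEngine - Search Results
FF - prefs.js: browser.startup.homepage - hxxp://www.searchqu.com/406
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=101&systemid=406&sr=0&q=
"""

# Rule labels (my names, chosen for this example).
R_CLSID = "browser extension with synthetic CLSID"
R_EXT_PATH = "browser extension loaded from temp or profile path"
R_RUNDLL = "Run key uses rundll32 to load a DLL from the user profile"
R_APPINIT = "AppInit_DLLs set: DLL injected into every process that loads user32"
R_HOSTS = "hosts file override"
R_FF_KEYWORD = "Firefox keyword.URL overridden (search hijack)"
R_FF_REVIEW = "Firefox homepage or search engine changed, review"

# A CLSID whose first block is one hex digit repeated eight times, e.g. {11111111-1111-...}
SYNTHETIC_CLSID = re.compile(r"\{([0-9a-f])\1{7}-", re.I)
# Directories a standard user can write to; legitimate BHOs and Run targets rarely live there.
USER_PROFILE_DIR = re.compile(r"\\(application data|local settings|temp)\\", re.I)
TEMP_DIR_MODULE = re.compile(r"\.tmp\\", re.I)
RUN_ENTRY = re.compile(r"^(u|m|d)Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", re.I)
FF_PREF = re.compile(r"^FF - prefs\.js:\s*(?P<pref>\S+)\s*-\s*(?P<value>.*)$")


@dataclass
class Finding:
    rule: str
    line: str


def triage_line(line: str) -> list[Finding]:
    """Apply every heuristic to one log line and return the findings (possibly none)."""
    out: list[Finding] = []
    if line.startswith(("BHO:", "TB:")):
        if SYNTHETIC_CLSID.search(line):
            out.append(Finding(R_CLSID, line))
        if TEMP_DIR_MODULE.search(line) or USER_PROFILE_DIR.search(line):
            out.append(Finding(R_EXT_PATH, line))
    run = RUN_ENTRY.match(line)
    if run and "rundll32" in run.group("cmd").lower() and USER_PROFILE_DIR.search(run.group("cmd")):
        out.append(Finding(R_RUNDLL, line))
    if line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
        out.append(Finding(R_APPINIT, line))
    if line.startswith("Hosts:"):
        out.append(Finding(R_HOSTS, line))
    pref = FF_PREF.match(line)
    if pref:
        if pref.group("pref") == "keyword.URL":
            out.append(Finding(R_FF_KEYWORD, line))
        elif pref.group("pref") in ("browser.startup.homepage", "browser.search.selectedEngine"):
            out.append(Finding(R_FF_REVIEW, line))
    return out


def triage_dds(text: str) -> list[Finding]:
    """Run the heuristics over a whole DDS report and return findings in log order."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            findings.extend(triage_line(line))
    return findings


if __name__ == "__main__":
    import sys

    report = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage_dds(report):
        print(f"[{f.rule}]\n    {f.line}")
```

Run it with a saved DDS.txt as the argument, or with no argument to see it flag the excerpt. The heuristics are deliberately narrow: a populated AppInit_DLLs value or a rundll32 target under Application Data is almost always worth a second look, but a changed homepage is only "review", since users do set those themselves.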

  2. #2
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default


    Please read Before You Post
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

    Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

    Running programs with Vista or Windows 7, you need to right-click on the program and select RUN AS ADMINISTRATOR

    Download aswMBR.exe ( 511KB ) to your desktop.

    Double click the aswMBR.exe to run it

    Click the "Scan" button to start scan

    On completion of the scan click save log, save it to your desktop and post in your next reply


    Please download Malwarebytes from Here or Here

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected .
    • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
    • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
    Post the report please
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #3
    Junior Member
    Join Date
    Apr 2012
    Posts
    7

    Default


    Thanks for the quick response. I do understand the risks of the fix. I created a backup registry as per "Before you post". Here are the 2 log reports (also attached as zip files):


    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-04-27 23:00:33
    -----------------------------
    23:00:33.640 OS Version: Windows 5.1.2600 Service Pack 3
    23:00:33.640 Number of processors: 2 586 0xE08
    23:00:33.640 ComputerName: RODNEYSLAPTOP UserName: sop-student
    23:00:34.359 Initialize success
    23:04:18.109 AVAST engine defs: 12042701
    23:04:42.796 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    23:04:42.812 Disk 0 Vendor: TOSHIBA_MK8032GSX AS112D Size: 76319MB BusType: 3
    23:04:42.828 Disk 0 MBR read successfully
    23:04:42.828 Disk 0 MBR scan
    23:04:43.031 Disk 0 Windows XP default MBR code
    23:04:43.031 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 86 MB offset 63
    23:04:43.093 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 76230 MB offset 176715
    23:04:43.156 Disk 0 scanning sectors +156296385
    23:04:43.281 Disk 0 scanning C:\WINDOWS\system32\drivers
    23:05:13.375 Service scanning
    23:05:46.828 Modules scanning
    23:05:55.125 Module: C:\WINDOWS\System32\DLA\DLADResN.SYS **SUSPICIOUS**
    23:05:58.203 Disk 0 trace - called modules:
    23:05:58.250 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
    23:05:58.265 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86ef6ab8]
    23:05:58.265 3 CLASSPNP.SYS[f76befd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86f21940]
    23:05:58.875 AVAST engine scan C:\WINDOWS
    23:06:24.343 AVAST engine scan C:\WINDOWS\system32
    23:12:24.859 AVAST engine scan C:\WINDOWS\system32\drivers
    23:12:55.593 AVAST engine scan C:\Documents and Settings\sop-student
    23:27:58.671 AVAST engine scan C:\Documents and Settings\All Users
    23:30:07.578 Scan finished successfully
    23:30:54.750 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\sop-student\Desktop\MBR.dat"
    23:30:54.765 The log file has been saved successfully to "C:\Documents and Settings\sop-student\Desktop\Post3_aswMBR.txt"


    Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.04.28.01

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    sop-student :: RODNEYSLAPTOP [administrator]

    4/27/2012 11:35:28 PM
    mbam-log-2012-04-27 (23-35-28).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 213832
    Time elapsed: 12 minute(s), 17 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 1
    C:\Documents and Settings\sop-student\Application Data\Amazon\Amazon\vmvsz.dll (Trojan.Agent.GMAGen) -> Delete on reboot.

    Registry Keys Detected: 13
    HKCR\CLSID\{11111111-1111-1111-1111-110011041135} (PUP.Codec.PR) -> Quarantined and deleted successfully.
    HKCR\TypeLib\{44444444-4444-4444-4444-440044044435} (PUP.Codec.PR) -> Quarantined and deleted successfully.
    HKCR\Interface\{55555555-5555-5555-5555-550055045535} (PUP.Codec.PR) -> Quarantined and deleted successfully.
    HKCR\CrossriderApp0000435.BHO.1 (PUP.Codec.PR) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011041135} (PUP.Codec.PR) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{11111111-1111-1111-1111-110011041135} (PUP.Codec.PR) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110011041135} (PUP.Codec.PR) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011041135} (PUP.Codec.PR) -> Quarantined and deleted successfully.
    HKCR\CrossriderApp0000435.BHO (PUP.Codec.PR) -> Quarantined and deleted successfully.
    HKCR\CrossriderApp0000435.FBApi (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
    HKCR\CrossriderApp0000435.FBApi.1 (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
    HKCR\CrossriderApp0000435.Sandbox (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
    HKCR\CrossriderApp0000435.Sandbox.1 (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.

    Registry Values Detected: 2
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Update (Trojan.Agent.GMAGen) -> Data: rundll32.exe "C:\Documents and Settings\sop-student\Application Data\Amazon\Amazon\vmvsz.dll",DllRegisterServer -> Quarantined and deleted successfully.
    HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Update (Trojan.Agent.GMAGen) -> Data: rundll32.exe "C:\Documents and Settings\sop-student\Application Data\Amazon\Amazon\vmvsz.dll",DllRegisterServer -> Quarantined and deleted successfully.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 2
    C:\Program Files\Codec-V\Codec-V.dll (PUP.Codec.PR) -> Quarantined and deleted successfully.
    C:\Documents and Settings\sop-student\Application Data\Amazon\Amazon\vmvsz.dll (Trojan.Agent.GMAGen) -> Delete on reboot.

    (end)

  4. #4
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Good Morning,

    Lots of bad stuff was removed by Malwarebytes, but there may be more lurking that we can't see.

    You need to enable windows to show all files and folders, instructions Here

    Go to VirusTotal and submit this file for analysis, just use the browse feature and then Send File, if it says this file has been checked before, have them recheck it. When the scan is done just copy and paste the link back to this forum for me to see.

    C:\WINDOWS\System32\DLA\DLADResN.SYS<--This file

    If the site is busy you can try this one
    http://virusscan.jotti.org/en


    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    • See this Link for programs that need to be disabled and instruction on how to disable them.
    • Remember to re-enable them when we're done.

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    *If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.


    Post the link for Virus Total and the Combofix report please. Just want you to know that I will be away until late afternoon today so just hang in, I will be back

    Ken
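Post #4 asks for the driver aswMBR flagged to be uploaded to VirusTotal. Two checks a practitioner would run first, as an added example (my code, not the forum's, DDS's or VirusTotal's): compute the file's SHA-256 so it can be looked up by hash without uploading it, and parse the PE header to see whether the file carries an embedded Authenticode signature at all. The `vt_lookup` URL form is an assumption about VirusTotal's current per-file page, and `build_fake_pe` builds a constructed minimal PE header so the code can run offline. One caveat, which the code does not resolve: drivers that ship in-box or through Windows Update are usually catalog-signed (the signature lives in a .cat file, not in the driver), so "no embedded signature" means exactly that and not "unsigned"; a catalog-aware check on the machine itself (for example `signtool verify /a /v`) is needed to settle it.

```python
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data directory slot holding the WIN_CERTIFICATE (Authenticode) blob


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the raw file bytes: the identifier VirusTotal indexes its reports by."""
    return hashlib.sha256(data).hexdigest()


def authenticode_blob(data: bytes):
    """Return (file_offset, size) of the embedded Authenticode blob, or None if there is none.

    Walks DOS header -> PE signature -> optional header and reads data directory
    entry 4. Unlike the other directories, its first field is a raw file offset,
    not an RVA. Raises ValueError for anything that is not a well-formed PE.
    """
    try:
        if data[:2] != b"MZ":
            raise ValueError("not an MZ executable")
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("PE signature not found")
        opt = e_lfanew + 4 + 20                      # 4-byte signature + 20-byte COFF file header
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic == 0x10B:                           # PE32
            count_off, dir_base = opt + 92, opt + 96
        elif magic == 0x20B:                         # PE32+
            count_off, dir_base = opt + 108, opt + 112
        else:
            raise ValueError("unknown optional header magic 0x%x" % magic)
        (n_dirs,) = struct.unpack_from("<I", data, count_off)   # NumberOfRvaAndSizes
        if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
            return None
        off, size = struct.unpack_from("<II", data, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    except struct.error as exc:
        raise ValueError("truncated PE header") from exc
    if off == 0 or size == 0:
        return None
    if off + size > len(data):
        raise ValueError("security directory points outside the file")
    return off, size


def triage_bytes(data: bytes) -> dict:
    """Hash plus signature presence, and a by-hash lookup URL (URL form assumed, see lead-in)."""
    sha = sha256_hex(data)
    return {
        "sha256": sha,
        "signed_embedded": authenticode_blob(data) is not None,
        "vt_lookup": "https://www.virustotal.com/gui/file/" + sha,
    }


def triage_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return triage_bytes(fh.read())


def build_fake_pe(security_size: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (no sections) with an optional security directory; test input only."""
    e_lfanew = 0x80
    opt_size = 240 if pe32plus else 224        # standard optional header sizes with 16 data directories
    hdr = bytearray(e_lfanew + 4 + 20 + opt_size)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", hdr, e_lfanew + 4 + 16, opt_size)   # COFF.SizeOfOptionalHeader
    opt = e_lfanew + 4 + 20
    struct.pack_into("<H", hdr, opt, 0x20B if pe32plus else 0x10B)
    dir_base = opt + (112 if pe32plus else 96)
    struct.pack_into("<I", hdr, dir_base - 4, 16)               # NumberOfRvaAndSizes
    blob_off = len(hdr) if security_size else 0
    struct.pack_into("<II", hdr, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, blob_off, security_size)
    return bytes(hdr) + b"\0" * security_size


if __name__ == "__main__":
    import sys

    for path in sys.argv[1:]:
        info = triage_file(path)
        print(f"{path}\n  sha256: {info['sha256']}\n  embedded Authenticode: {info['signed_embedded']}\n  {info['vt_lookup']}")
```

Run it as `python triage_driver.py C:\WINDOWS\System32\DLA\DLADResN.SYS` (copying the file elsewhere first is fine; the hash is of the bytes, not the path). Looking the hash up before uploading avoids sending a possibly private file anywhere, and a hit on the hash tells you whether the sample has been seen before, which is what the expert's "have them recheck it" instruction is driving at.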

  5. #5
    Junior Member
    Join Date
    Apr 2012
    Posts
    7

    Default

    Hi Ken, hope you're enjoying your weekend. It is rainy here in Miami, but things are looking better with my PC: Google no longer redirects. You do hear a lot of "click-click-click" when loading pages from search results, though.

    Some issues I notice after I followed instructions from last post:
    (these may or may not be important, but I'll mention them anyway)

    1) After making the hidden files visible, 2 new files show on my desktop and in my documents folder: 'Thumbs.db' AND 'LoaderBackup-(2011-04-21).ipd'
    Should I take any action/delete/ignore?

    2) During the ComboFix scan there was a message about some system files not being recognized and being deleted; it asked to insert the Win XP Professional SP3 CD to replace them (which I don't have; the system was updated to SP3 via Windows Update when it was released). While I was trying to find out if I had such a CD somewhere, ComboFix restarted my computer, so I really don't know if these files are really needed or not.

    3) Should I hide the system files again?

    Reports follow:
    https://www.virustotal.com/file/25b1...is/1335627884/

    combofix log is attached

    Thank you,
    Rodney.

    ComboFix 12-04-28.01 - sop-student 04/28/2012 12:15:48.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.437 [GMT -4:00]
    Running from: c:\documents and settings\sop-student\Desktop\ComboFix.exe
    AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\All Users\Application Data\TEMP\{F232C87C-6E92-4775-8210-DFE90B7777D9}\PostBuild.exe
    c:\documents and settings\All Users\Application Data\TEMP\{F232C87C-6E92-4775-8210-DFE90B7777D9}\Setup.exe
    c:\documents and settings\All Users\Application Data\TEMP\{F232C87C-6E92-4775-8210-DFE90B7777D9}\Setup.ilg
    c:\documents and settings\sop-student\Application Data\Toolbar4
    c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\128.png
    c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\16.png
    c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\19.png
    c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\48.png
    c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\arrow_refresh.png
    c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\basis.xml
    c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\cache\9bb48ef2097188cd040a04b522ef9b34
    c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\cog.png
    c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\computer_delete.png
    c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\Core.js
    c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\favicon.png
    c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\icons.bmp
    c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\info.txt
    c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\inst.tmp
    c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\standart_icons.bmp
    c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\TbHelper2.exe
    c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\uninstall.exe
    c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\uninstaller.exe
    c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\update.exe
    c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\version.txt
    c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\your_logo.png
    C:\install.exe
    c:\program files\Veehd Plugin\tbunsy54.tmp\tbHElper.dll
    c:\windows\system32\acelpdec.ax
    c:\windows\system32\ativdaxx.ax
    c:\windows\system32\ativmvxx.ax
    c:\windows\system32\g711codc.ax
    c:\windows\system32\iac25_32.ax
    c:\windows\system32\ir41_32.ax
    c:\windows\system32\ivfsrc.ax
    c:\windows\system32\ksproxy.ax
    c:\windows\system32\l3codecx.ax
    c:\windows\system32\mpeg2data.ax
    c:\windows\system32\mpg2splt.ax
    c:\windows\system32\mpg4ds32.ax
    c:\windows\system32\msadds32.ax
    c:\windows\system32\msscds32.ax
    c:\windows\system32\test
    c:\windows\system32\TMP292.tmp
    c:\windows\system32\urttemp
    c:\windows\system32\urttemp\fusion.dll
    c:\windows\system32\urttemp\mscoree.dll
    c:\windows\system32\urttemp\mscoree.dll.local
    c:\windows\system32\urttemp\mscorsn.dll
    c:\windows\system32\urttemp\mscorwks.dll
    c:\windows\system32\urttemp\msvcr71.dll
    c:\windows\system32\urttemp\regtlib.exe
    c:\windows\system32\vbicodec.ax
    c:\windows\system32\vbisurf.ax
    c:\windows\system32\vidcap.ax
    c:\windows\system32\wiasf.ax
    c:\windows\system32\wmv8ds32.ax
    c:\windows\system32\wmvds32.ax
    c:\windows\system32\wstpager.ax
    c:\windows\system32\wstrenderer.ax
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-28 to 2012-04-28 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-28 06:21 . 2012-04-28 06:21 -------- d-----w- c:\documents and settings\sop-student\Application Data\RealNetworks
    2012-04-28 03:33 . 2012-04-28 03:33 -------- d-----w- c:\documents and settings\sop-student\Application Data\Malwarebytes
    2012-04-28 03:33 . 2012-04-28 03:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-04-28 03:33 . 2012-04-28 03:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-04-28 03:33 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-04-27 19:45 . 2012-04-27 19:45 -------- d-----w- c:\program files\ERUNT
    2012-04-25 19:35 . 2012-04-25 19:35 -------- d-----w- c:\documents and settings\sop-student\Application Data\ElevatedDiagnostics
    2012-04-17 15:57 . 2012-04-17 15:57 26400 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
    2012-04-17 15:46 . 2012-04-17 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
    2012-04-17 15:28 . 2012-04-17 15:28 -------- d--h--w- c:\windows\PIF
    2012-04-13 19:28 . 2012-04-13 19:28 -------- d-----w- c:\documents and settings\sop-student\Application Data\DDMSettings
    2012-04-11 20:40 . 2012-04-11 20:40 -------- d-----w- c:\program files\iPod
    2012-04-09 19:46 . 2012-04-10 03:23 -------- d-----w- c:\documents and settings\sop-student\Local Settings\Application Data\NPE
    2012-04-09 19:46 . 2012-04-09 19:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2012-04-09 15:08 . 2012-04-09 15:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Premium
    2012-04-09 15:07 . 2012-04-09 15:07 -------- d-----w- c:\documents and settings\sop-student\Local Settings\Application Data\Codec-V
    2012-04-09 15:07 . 2012-04-28 03:49 -------- d-----w- c:\program files\Codec-V
    2012-04-09 15:07 . 2012-04-09 15:07 -------- d-----w- C:\codec-info
    2012-04-09 15:06 . 2012-04-09 15:08 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
    2012-04-04 05:53 . 2012-04-04 05:53 182160 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
    2012-04-02 14:13 . 2012-04-14 10:01 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-03-30 05:15 . 2012-03-30 05:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Graboid Inc
    2012-03-30 05:15 . 2012-03-30 05:15 -------- d-----w- c:\documents and settings\sop-student\Local Settings\Application Data\Geckofx
    2012-03-30 05:13 . 2012-03-30 05:13 -------- d-----w- c:\program files\VideoLAN
    2012-03-30 05:13 . 2012-04-02 04:03 -------- d-----w- c:\program files\Graboid
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-14 10:01 . 2011-05-24 15:57 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-03-01 11:01 . 2004-08-11 22:00 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-03-01 11:01 . 2004-08-11 22:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-03-01 11:01 . 2004-08-11 22:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-02-29 14:10 . 2004-08-11 22:00 177664 ----a-w- c:\windows\system32\wintrust.dll
    2012-02-29 14:10 . 2004-08-11 22:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
    2012-02-29 12:17 . 2004-08-11 22:00 385024 ----a-w- c:\windows\system32\html.iec
    2012-02-15 16:21 . 2012-02-10 15:33 137416 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2012-02-15 16:01 . 2010-04-03 13:21 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
    2012-02-15 16:01 . 2010-04-03 13:21 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2012-02-03 09:22 . 2004-08-11 22:00 1860096 ----a-w- c:\windows\system32\win32k.sys
    2011-11-14 03:48 . 2011-08-22 18:56 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
    "Active Desktop Calendar"="c:\program files\XemiComputers\Active Desktop Calendar\ADC.exe" [2006-07-13 3297280]
    "Facebook Update"="c:\documents and settings\sop-student\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" [2012-03-11 137536]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-08 176128]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-02 1392640]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-11-17 397312]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
    "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
    "TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-12-15 296056]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-31 138008]
    "RemoteControl11"="c:\program files\CyberLink\PowerDVD11\PDVD11Serv.exe" [2011-08-24 230696]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-12-15 258512]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-19 24576]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\WINDOWS\\system32\\fxsclnt.exe"=
    "c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\Windows iLivid Toolbar\\Datamngr\\ToolBar\\dtUser.exe"=
    "c:\\Program Files\\CyberLink\\PowerDVD11\\PowerDVD11.exe"=
    "c:\\Program Files\\CyberLink\\PowerDVD11\\PDVD11Serv.exe"=
    "c:\\Program Files\\CyberLink\\PowerDVD11\\Common\\MediaServer\\CLMSServerForPDVD11.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Documents and Settings\\sop-student\\Local Settings\\Application Data\\Facebook\\Video\\Skype\\FacebookVideoCalling.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
    .
    R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2/10/2012 11:33 AM 36000]
    R2 {329F96B6-DF1E-4328-BFDA-39EA953C1312};Power Control [2012/01/07 21:20];c:\program files\CyberLink\PowerDVD11\Common\NavFilter\000.fcl [10/18/2011 11:28 AM 77296]
    R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2/10/2012 11:33 AM 86224]
    R2 CLHNServiceForPowerDVD;CLHNServiceForPowerDVD;c:\program files\CyberLink\PowerDVD11\Kernel\DMP\CLHNServiceForPowerDVD.exe [1/7/2012 10:18 PM 83240]
    R2 CyberLink PowerDVD 11.0 Monitor Service;CyberLink PowerDVD 11.0 Monitor Service;c:\program files\CyberLink\PowerDVD11\Common\MediaServer\CLMSMonitorService.exe [1/7/2012 10:18 PM 75048]
    R2 CyberLink PowerDVD 11.0 Service;CyberLink PowerDVD 11.0 Service;c:\program files\CyberLink\PowerDVD11\Common\MediaServer\CLMSServerForPDVD11.exe [1/7/2012 10:18 PM 292136]
    R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 6:53 PM 13672]
    R2 ntk_PowerDVD;ntk_PowerDVD;c:\program files\CyberLink\PowerDVD11\Kernel\DMP\ntk_PowerDVD.sys [1/7/2012 10:19 PM 71664]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/23/2010 1:32 PM 136176]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/2/2012 10:13 AM 253088]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/23/2010 1:32 PM 136176]
    S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro36.sys [4/17/2012 11:57 AM 26400]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/11/2004 6:00 PM 14336]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/11/2004 6:00 PM 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
    WINRM REG_MULTI_SZ WINRM
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-04-28 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 10:01]
    .
    2012-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
    .
    2012-04-27 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2054321869-1361599035-592008509-1005Core.job
    - c:\documents and settings\sop-student\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2012-03-11 16:33]
    .
    2012-04-28 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2054321869-1361599035-592008509-1005UA.job
    - c:\documents and settings\sop-student\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2012-03-11 16:33]
    .
    2012-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-23 17:32]
    .
    2012-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-23 17:32]
    .
    2012-04-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2054321869-1361599035-592008509-1005.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-29 21:02]
    .
    2012-04-28 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2054321869-1361599035-592008509-1005.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-29 21:02]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = iexplore
    Trusted Zone: cvslearnet.com\www
    Trusted Zone: intuit.com\ttlc
    TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
    DPF: {54EABC7D-40DC-4667-8517-F42D00540342} - hxxp://tegrity1.acast.nova.edu/tegrity/_Player/1.0/Code/DRMActiveX.CAB
    DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxps://prometheus.umaryland.edu/sre/Downloads/ICSScanner.cab
    FF - ProfilePath - c:\documents and settings\sop-student\Application Data\Mozilla\Firefox\Profiles\g1td59wu.default\
    FF - prefs.js: browser.search.selectedEngine - Search Results
    FF - prefs.js: browser.startup.homepage - hxxp://www.searchqu.com/406
    FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=101&systemid=406&sr=0&q=
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-10 - (no file)
    Toolbar-Locked - (no file)
    WebBrowser-{32EA9CD0-5187-4FE3-B989-B4D1408D2802} - c:\program files\Veehd Plugin\tbunsy54.tmp\tbcore3.dll
    HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
    HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-04-28 12:27
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{329F96B6-DF1E-4328-BFDA-39EA953C1312}]
    "ImagePath"="\??\c:\program files\CyberLink\PowerDVD11\Common\NavFilter\000.fcl"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(1232)
    c:\windows\system32\WININET.dll
    c:\program files\Windows Desktop Search\deskbar.dll
    c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
    c:\program files\Windows Desktop Search\dbres.dll
    c:\program files\Windows Desktop Search\wordwheel.dll
    c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
    c:\program files\Windows Desktop Search\msnlExtRes.dll
    c:\program files\XemiComputers\Active Desktop Calendar\MouseHook.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\System32\WLTRYSVC.EXE
    c:\windows\System32\bcmwltry.exe
    c:\windows\System32\SCardSvr.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
    c:\windows\system32\HPZipm12.exe
    c:\windows\system32\SearchIndexer.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\program files\Windows Media Player\WMPNetwk.exe
    c:\windows\stsystra.exe
    c:\program files\Apoint\HidFind.exe
    c:\program files\Apoint\Apntex.exe
    c:\windows\system32\igfxsrvc.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2012-04-28 12:35:58 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-04-28 16:35
    .
    Pre-Run: 32,988,729,344 bytes free
    Post-Run: 35,815,710,720 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 1D97019E427316CF896AEF1D20676E42
    Last edited by ken545; 2012-04-29 at 00:10.

  6. #6
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hello Rodney,

    Those two files on your desktop are fine; they will disappear when you hide files again, but hold off on that for the moment.


    Depending on how the manufacturer of your computer set it up, you may not need the Windows CD for this. Just let it run; when it's done it will close, and there is no report. This will check for and hopefully replace any missing or corrupt Windows files.

    Go to Start > Run and type CMD; in the command prompt, type SFC /scannow > OK. There is a space needed after C and before /.




    Then we need to remove this bad entry with ComboFix.



    Open Notepad (go to Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the code box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above Folder::


    Code:
    Folder::
    c:\Program Files\iLivid Toolbar
    
    
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Windows iLivid Toolbar\\Datamngr\\ToolBar\\dtUser.exe"=-
    Save this as CFScript to your desktop.

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.




    This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.
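    The script above removes a folder and a Windows Firewall exception that ComboFix listed under AuthorizedApplications\List. As an added example (not ken545's code or part of ComboFix itself), the following Python helper shows the reasoning behind that script: it parses the firewall, AuthorizedApplications and Firefox prefs.js lines in the log format ComboFix prints, flags entries matching a small, assumed list of adware markers (iLivid, Toolbar, Datamngr, searchqu.com, search-results.com), and emits the CFScript fragment with the `"…"=-` delete syntax. The sample log embedded below is constructed from a few lines in the shape of the log above; the marker lists and the CFScript keyword conventions (Folder::, Registry::, =- to delete a value) are assumptions you should check against ComboFix's own documentation before use.

```python
"""Triage helper for a ComboFix log (added example, not ComboFix's own tooling).

Parses the firewall policy, AuthorizedApplications list and Firefox prefs.js
lines, flags entries that match assumed adware markers, and builds the CFScript
fragment that would remove the flagged firewall exceptions.
"""
import re

# Constructed sample in the shape of the ComboFix log sections shown above.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows iLivid Toolbar\\Datamngr\\ToolBar\\dtUser.exe"=
.
FF - prefs.js: browser.search.selectedEngine - Search Results
FF - prefs.js: browser.startup.homepage - hxxp://www.searchqu.com/406
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=101&systemid=406&sr=0&q=
"""

# Assumed markers: path fragments of the toolbar family and the hijack domains
# seen in the log. Extend these from your own case notes, not from guesswork.
SUSPECT_PATH_MARKERS = ("ilivid", "datamngr", "toolbar")
SUSPECT_PREF_VALUES = ("searchqu.com", "search-results.com", "search results")

FIREWALL_HEADER = r"firewallpolicy\standardprofile]"
AUTHAPPS_HEADER = r"AuthorizedApplications\List]"
AUTHAPPS_KEY = (r"HKLM\~\services\sharedaccess\parameters\firewallpolicy"
                r"\standardprofile\AuthorizedApplications\List")


def parse_combofix(log_text):
    """Extract firewall state, authorized-app paths and Firefox prefs from log text.

    Returns a dict: firewall_enabled (bool or None), authorized_apps (list of
    paths with single backslashes), ff_prefs (pref name -> value).
    """
    result = {"firewall_enabled": None, "authorized_apps": [], "ff_prefs": {}}
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("["):                      # a registry key header
            if line.endswith(AUTHAPPS_HEADER):
                section = "apps"
            elif line.endswith(FIREWALL_HEADER):
                section = "fw"
            else:
                section = None
            continue
        if not line or line == ".":                   # "." separates log sections
            section = None
            continue
        if section == "fw":
            m = re.match(r'"EnableFirewall"=\s*(\d+)', line)
            if m:
                result["firewall_enabled"] = m.group(1) != "0"
        elif section == "apps":
            m = re.match(r'"(.+)"=\s*$', line)        # ComboFix doubles backslashes here
            if m:
                result["authorized_apps"].append(m.group(1).replace("\\\\", "\\"))
        else:
            m = re.match(r"FF - prefs\.js: (\S+) - (.*)", line)
            if m:
                result["ff_prefs"][m.group(1)] = m.group(2)
    return result


def flag_suspects(parsed):
    """Return (suspect firewall-exception paths, suspect Firefox prefs)."""
    bad_apps = [p for p in parsed["authorized_apps"]
                if any(mark in p.lower() for mark in SUSPECT_PATH_MARKERS)]
    bad_prefs = {k: v for k, v in parsed["ff_prefs"].items()
                 if any(val in v.lower() for val in SUSPECT_PREF_VALUES)}
    return bad_apps, bad_prefs


def build_cfscript(bad_apps, folders=()):
    """Emit a CFScript fragment: Folder:: entries, then Registry:: value deletions.

    The value syntax "path"=- (doubled backslashes, trailing "=-") is the
    REGEDIT-style delete form ComboFix scripts use; confirm against the
    ComboFix guide for your version.
    """
    lines = []
    if folders:
        lines.append("Folder::")
        lines.extend(folders)
        lines.append("")
    if bad_apps:
        lines.append("Registry::")
        lines.append("[" + AUTHAPPS_KEY + "]")
        for path in bad_apps:
            lines.append('"' + path.replace("\\", "\\\\") + '"=-')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_combofix(SAMPLE_LOG)
    apps, prefs = flag_suspects(parsed)
    print("Firewall enabled:", parsed["firewall_enabled"])
    print("Hijacked prefs:", prefs)
    print(build_cfscript(apps, folders=[r"c:\Program Files\iLivid Toolbar"]))
```

    Note what the parser surfaces besides the toolbar entry: EnableFirewall is 0 in this log, so the firewall exception list is moot until the firewall is turned back on, and the Firefox prefs still point at the hijack domains even after the toolbar files are gone, so the profile's homepage and keyword.URL need resetting separately.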

  7. #7
    Junior Member
    Join Date
    Apr 2012
    Posts
    7

    Default

    I'm sorry, but after running the CMD command I get the following: "Insert your Windows XP Service Pack 3" (please see the attached screenshot). Please advise.

    Thank you so much,
    Rodney

  8. #8
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    OK, go ahead and run ComboFix with the script.

  9. #9
    Junior Member
    Join Date
    Apr 2012
    Posts
    7

    Default

    Attached is the last combofix report log after adding the script.
    Rodney.

  10. #10
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    The Snapshot portion of your ComboFix log is showing files that are mismatched in your dllcache folder. On starting your computer, are you getting any error messages that files are missing?


    Click on My Computer and then your C: drive; do you see an i386 folder?


    Is your computer running any better? Are the redirects gone?
