PDA

View Full Version : Yet Another Browser Hijack



Blasius
2010-06-11, 06:20
I am experiencing the browser hijack problem others are posting about here; quoting one of them:

<quote>------------------------------------------------------------------
"The symptom is that my browser(IE 8 & Firefox) keeps getting hijacked, especially when i click on a google search result. When i click on a google search result i get redirected to some random ad websites. And sometimes a new tab(in firefox) or a new window (in IE8) just opens up n it's own (haven't observed any trigger)."
</quote>-----------------------------------------------------------------

This problem started for me after an AntiSpyware Soft infection, which I cleaned up using mbam. I've also run sbsd, spyware doctor, done a system restore, and removed the c:\windows\system32\wbdaum.drv file (didn't work - it reappeared).

I would be very grateful if you can help. Posting below the DDS log, attaching the second part of it. Also posting the HijackThis uninstall_list.txt that I saw was requested.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 22:46:18.23 on Thu 06/10/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2013.1307 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Turtle Beach\AudioAdvantageSRM\TBAA.exe
C:\WINDOWS\system32\kmw_run.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MouseTool\MouseTool.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds.com
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.live.com
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:5555
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
{555d4d79-4bd2-4094-a395-cfc534424a05}
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [8169Diag] c:\program files\realtek\diagnostics utility\8169Diag.exe /hw
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Turtle Beach Audio Advantage SRM] "c:\program files\turtle beach\audioadvantagesrm\TBAA.exe"
mRun: [kmw_run.exe] kmw_run.exe
mRun: [MSWheel]
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [DNS7reminder] "c:\program files\nuance\naturallyspeaking10\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\nuance\naturallyspeaking10\Ereg.ini
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
StartupFolder: c:\docume~1\Owner\startm~1\programs\startup\mouset~1.lnk - c:\program files\mousetool\MouseTool.exe
IE: Add to Evernote - c:\program files\evernote\evernote3\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEE1} - c:\program files\evernote\evernote3\enbar.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
DPF: {705EC6D4-B138-4079-A307-EF13E4889A82} - hxxps://webvpn.deshaw.com/CACHE/sdesktop/install/binaries/instweb.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\Owner\applic~1\mozilla\firefox\profiles\sfnjs4tb.default\
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\Owner\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-6-10 218592]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-10 213768]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-6-10 112592]
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [2009-3-10 8960]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-6-10 366840]
R2 sdcoreservice;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-6-10 1142224]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-3-10 110080]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2009-3-10 11264]
S3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\MfeAVFK.sys [2009-3-10 79880]
S3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\MfeBOPK.sys [2009-3-10 35272]
S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\MfeRKDK.sys [2009-3-10 34216]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2009-3-10 16640]

=============== Created Last 30 ================

2010-06-10 06:37:31 23552 -c--a-w- c:\windows\system32\dllcache\wdmaud.drv
2010-06-10 06:37:31 23552 ----a-w- c:\windows\system32\wdmaud.drv
2010-06-10 06:16:17 2 --shatr- c:\windows\winstart.bat
2010-06-10 06:16:03 0 d-----w- c:\program files\UnHackMe
2010-06-10 04:26:36 0 d-----w- c:\program files\CCleaner
2010-06-10 04:15:53 882 ----a-w- c:\windows\RegSDImport.xml
2010-06-10 04:15:53 879 ----a-w- c:\windows\RegISSImport.xml
2010-06-10 04:15:53 767952 ----a-w- c:\windows\BDTSupport.dll
2010-06-10 04:15:53 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-06-10 04:15:53 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-06-10 04:15:53 131 ----a-w- c:\windows\IDB.zip
2010-06-10 04:15:53 1152444 ----a-w- c:\windows\UDB.zip
2010-06-10 04:08:16 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-06-10 04:08:16 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-06-10 04:08:11 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-06-10 04:08:11 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-06-10 04:08:11 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-06-10 04:08:11 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-06-10 04:08:05 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-06-10 04:08:05 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-06-10 04:08:00 0 d-----w- c:\program files\common files\PC Tools
2010-06-10 04:08:00 0 d-----w- c:\docume~1\Owner\applic~1\PC Tools
2010-06-10 04:08:00 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-06-08 04:29:12 0 d-----w- c:\windows\system32\wbem\Repository
2010-06-07 00:22:27 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-07 00:22:27 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-06-07 00:14:33 2184 ----a-w- c:\windows\system32\wpa.dbl
2010-06-06 23:24:22 0 d-----w- c:\docume~1\Owner\applic~1\Mozilla(2)
2010-06-06 22:27:36 0 d-----w- C:\$AVG
2010-06-06 22:11:14 12464 ----a-w- c:\windows\system32\avgrsstx(2).dll
2010-06-06 22:11:03 0 d-----w- c:\windows\system32\drivers\Avg(2)
2010-06-06 22:09:33 0 d-----w- c:\program files\AVG(2)
2010-06-06 22:09:23 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-05-24 03:39:13 0 d-----w- c:\program files\Mobipocket.com
2010-05-24 03:39:13 0 d-----w- c:\program files\common files\Mobipocket Shared
2010-05-13 03:27:18 0 d-----w- c:\program files\Oldgames

==================== Find3M ====================

2010-06-11 02:12:04 7304 ----a-w- c:\windows\TMP0001.TMP
2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 18:47:18 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-04-08 17:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

============= FINISH: 22:47:25.34 ===============

32 Bit HP CIO Components Installer
7-Zip 4.65
Acrobat.com
Acrobat.com
ActivePerl 5.10.0 Build 1005
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.2
Amazon Kindle For PC v1.0
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Arclab Thumb Studio 2.1c
Audible Download Manager
Bonjour
Browser Defender 2.0.6.15
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DS for ZoomBrowser EX
Canon MOV Decoder
Canon MOV Encoder
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch 3.1
Canon Utilities RemoteCapture DC
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
CCleaner
Choice Guard
Citrix XenApp Web Plugin
Dell Support Center (Support Software)
Diagnostics Utility
Dragon NaturallySpeaking 10
Evernote
Google App Engine
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HP Deskjet F2400 All-In-One Driver Software 13.0 Rel .6
Intel(R) Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
iPhone Configuration Utility
iTunes
Java(TM) 6 Update 17
Junk Mail filter update
Kensington MouseWorks
K-Lite Codec Pack 3.8.0 Full
Logitech QuickCam Software
Logitech® Camera Driver
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office Basic Edition 2003
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.6.3)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB927977)
NatLink version 3.7hotel (including Vocola 2.6.4I and Unimacro)
Picasa 3
PowerDVD
Python 2.5 ipython-0.10
Python 2.5 pywin32-212
Python 2.5 PyXML-0.8.4
Python 2.5.2
QuickTime
RealPlayer
Realtek High Definition Audio Driver
RealUpgrade 1.0
RegRun Reanimator
Rhapsody
Rhapsody Player Engine
Roxio Activation Module
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler 3
Roxio Update Manager
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Segoe UI
Shop for HP Supplies
SightSpeed
Skype web features
Skype™ 4.1
Sonic CinePlayer Decoder Pack
Spyware Doctor 7.0
SynthFont Version 1.081
The Core Media Player 4.0
TightVNC 1.3.10
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB898461)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Vallen JPegger
Visual C++ Runtime for Dragon NaturallySpeaking
VLC media player 1.0.1
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Search 4.0
wxPython 2.6.4.0 (ansi) for Python 2.5

Following the instructions in post #12 by vict0r in the thread "keep getting redirected", thread ID 576448 seems to have solved my problem. TDSSKiller produced the following message:

...
20:06:51:359 1076 TermDD (a4c3d3928d53ddd8a7ce0fd5cc0c8e13) C:\WINDOWS\system32\DRIVERS\termdd.sys
20:06:51:359 1076 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\termdd.sys. Real md5: a4c3d3928d53ddd8a7ce0fd5cc0c8e13, Fake md5: 88155247177638048422893737429d9e
20:06:51:359 1076 File "C:\WINDOWS\system32\DRIVERS\termdd.sys" infected by TDSS rootkit ... 20:06:51:796 1076 Backup copy found, using it..
20:06:51:843 1076 will be cured on next reboot
...
0:06:52:843 1076 Completed
20:06:52:843 1076
20:06:52:843 1076 Results:
20:06:52:843 1076 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
20:06:52:843 1076 File objects infected / cured / cured on reboot: 1 / 0 / 1
20:06:52:843 1076
20:06:52:843 1076 KLMD(ARK) unloaded successfully

So it looks like I had the same problem as arsenal6, the original poster in that thread, and the same fix worked. I also followed the remaining instructions in that thread (such as running the Eset online scanner), not finding any problems.

The browsers are not redirecting me to random webpages anymore.

Blade81
2010-06-19, 17:54
Hi,

If you still need help with this do the following:
Download GMER (http://www.gmer.net) here by clicking download exe -button and then saving it your desktop:
Double-click .exe that you downloaded
Click rootkit-tab, uncheck files option and then click scan.
Don't check
Show All
box while scanning in progress!
When scanning is ready, click Copy.
This copies log to clipboard
Post log (if the log is long, archive it into a zip file and attach instead of posting) in your reply. Post also a fresh dds log.

Blade81
2010-06-24, 21:16
Due to inactivity, this thread will now be closed.

Note:If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.