
Google search results hijacked



daggit
2010-10-21, 15:40
This problem is now intermittent, and has been going on for the past 5 days.

I have already:

- Scanned my system with numerous (and I mean numerous) antivirus, antimalware, and (I'll admit) registry cleaner (as a last resort...) software.
- Cleared out all TEMP folders
- Ran HijackThis, and triple-/quadruple-checked all items
- Uninstalled/Reinstalled JAVA
- Restored all system files to a known working date
- Ran SFC /scannow
- Uninstalled/Reinstalled all browsers
- Took a detailed look at my Event Viewer (some errors, but nothing out of the ordinary)

...among many, many other attempts at restoring my system.

AVAST! is currently my a/v. The hijacks started before while I was running MS Security Essentials.

The original problem hijacked my browser(s) every time I opened a web page, including an attempt at hijacking my homepage.
I was using Microsoft Security Essentials at the time as my A/V
I am now currently using AVAST!, as stated above, in addition to using SPYBOT's (had it installed before my System Restore. Will install before my next reboot.)

After scanning my system with various system scanners and removing detected threats, the hijacks became less frequent (@ 2-3 clicks into search results)

After restoring my system using System Restore (currently), the hijacks are still less frequent but still happen every 3-4 clicks on occasion. Sometimes I can go as long as @ 10 clicks before the hijacks happen.

Hijacked redirect web pages also still appear at random during browsing without any prompting (no links clicked, no typing, etc.). (They are similar to my search result hijack pages, so are these delayed hijacks?)

I have a host of information. Please let me know what you want me to paste.

As requested, here is my DDS log: (Please note that prior to my last scan, I disabled AVAST! For this reason, you will probably not see AVAST! as part of my running processes.)



DDS (Ver_10-10-10.03) - NTFSx86
Run by DJ at 9:27:00.12 on Thu 10/21/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3572.2029 [GMT -4:00]


============== Running Processes ===============

C:\Windws\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\USB SR\USBSRService.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_450b431403c091e3\STacSV.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k apphost
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\CISVC.EXE
c:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe
c:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\tcpsvcs.exe
C:\Windows\System32\snmp.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
C:\Windows\system32\wbem\unsecapp.exe
c:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TouchFreeze\TouchFreeze.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\DJ\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\DJ\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com/
uWindow Title = Windows Internet Explorer provided by Internet by DJ
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
mURLSearchHooks: H - No File
BHO: IE7Pro BHO: {00011268-e188-40df-a514-835fcd78b1bf} - c:\program files\iepro\iepro.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\iepro\IEProRecorder.dll
TB: {1392B8D2-5C05-419F-A8F6-B9F15A596612} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [TouchFreeze] c:\program files\touchfreeze\TouchFreeze.exe
uRun: [Adobe Reader Synchronizer] "c:\program files\adobe\reader 9.0\reader\AdobeCollabSync.exe"
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
mRun: [DellConnectionManager] "c:\program files\dell\dell controlpoint\connection manager\Dell.UCM.exe"
mRun: [<NO NAME>]
mRun: [USCService] c:\program files\dell\dell controlpoint\security manager\BcmDeviceAndTaskStatusService.exe
mRun: [RDVCHG] "c:\program files\sprint\sprint smartview\RDVCHG.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avast!] "c:\program files\avast\ashDisp.exe"
mRun: [RegistryMechanic] c:\program files\registry mechanic\RMTray.exe /QS
StartupFolder: c:\users\dj\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\dellco~1.lnk - c:\program files\dell\dell controlpoint\system manager\DCPSysMgr.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {000002a3-84fe-43f1-b958-f2c3ca804f1a} - {CD275D4E-791A-4993-9D4D-6A071EDD2709} - c:\program files\iepro\iepro.dll
IE: {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - {B119EB0C-C021-46CF-85B0-34A760E0D5FE} - c:\program files\iepro\iepro.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mif5ba~1\office12\REFIEBAR.DLL
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} - hxxp://myitlab.pearsoned.com/Pegasus/Modules/SIMIntegration/Resources/ax/stub.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath - c:\users\dj\appdata\roaming\mozilla\firefox\profiles\ziqf236s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nptgeqplugin.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\dj\appdata\local\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\dj\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\dj\appdata\roaming\mozilla\firefox\profiles\ziqf236s.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: c:\users\dj\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\dj\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\windows\system32\wat\npWatWeb.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

============= SERVICES / DRIVERS ===============

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2009-11-20 278304]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2009-12-10 386848]
R2 NvtlService;NovaCore SDK Service;c:\program files\novatel wireless\novacore\server\NvtlSrvr.exe [2010-1-11 82944]
R2 USBSafelyRemoveService;USB Safely Remove Assistant;c:\program files\usb sr\USBSRService.exe [2010-8-31 242000]
R3 acpials;ALS Sensor Filter;c:\windows\system32\drivers\acpials.sys [2009-7-14 7680]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-4-14 45736]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-3-31 29472]
R3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [2010-3-31 33832]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6232.sys [2010-3-31 221912]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-10-21 45648]
S2 avast! Antivirus;avast! Antivirus;c:\program files\avast\ashServ.exe [2010-10-21 132472]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-14 135664]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\avast\ashMaiSv.exe [2010-10-21 243064]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\avast\ashWebSv.exe [2010-10-21 345464]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 bcm;WiMAX Network Adapter;c:\windows\system32\drivers\drxvi314.sys [2010-2-11 319488]
S3 bcmbusctr;WiMAX Bus Driver;c:\windows\system32\drivers\BcmBusCtr.sys [2010-2-11 51456]
S3 CASprint;Sprint Con App Svc;c:\program files\sprint\sprint smartview\ConAppsSvc.exe [2010-6-8 124224]
S3 cm_net;C-motech USB Network Adapter Drivers;c:\windows\system32\drivers\cm_net.sys [2010-9-12 112640]
S3 cm_ser;C-motech USB Serial Port Driver;c:\windows\system32\drivers\cm_ser.sys [2010-9-12 103680]
S3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETw5s32.sys [2010-3-31 6114816]
S3 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2010-3-31 47104]
S3 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [2010-3-31 49152]
S3 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [2010-3-31 38400]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\drivers\vpcuxd.sys [2010-4-7 12800]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-6 1343400]
S4 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2009-12-17 812448]
S4 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2009-12-17 27040]
S4 SMManager;Smith Micro Connection Manager Service;c:\program files\dell\dell controlpoint\connection manager\SMManager.exe [2009-12-22 77312]

=============== Created Last 30 ================

2010-10-21 13:24:59 -------- d-----w- c:\program files\NT Registry Optimizer
2010-10-21 10:53:10 506368 ----a-w- c:\windows\system32\msxml.dll
2010-10-21 10:47:56 45648 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-10-21 10:47:53 -------- d-----w- c:\program files\Avast
2010-10-21 10:24:13 -------- d-----w- c:\progra~2\PC Tools
2010-10-21 10:17:28 1137360 ----a-w- C:\fsbl2.exe
2010-10-21 10:01:43 1137360 ----a-w- C:\fsbl.exe
2010-10-21 02:41:50 -------- d-----w- c:\program files\Window Registry Repair
2010-10-21 01:52:39 -------- d-----w- c:\users\dj\appdata\roaming\Uniblue
2010-10-21 01:52:38 -------- dc----w- c:\progra~2\{AD5E3D2B-0DB1-4CD0-9913-0DDF2051E490}
2010-10-21 01:52:36 -------- d-----w- c:\program files\Uniblue
2010-10-21 01:51:52 -------- d-----w- c:\users\dj\appdata\local\PackageAware
2010-10-21 00:13:54 -------- d-----w- c:\program files\Sun
2010-10-20 01:53:34 -------- d-----w- c:\program files\CCleaner
2010-10-19 19:53:45 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-10-19 19:53:35 -------- d-----w- c:\users\dj\appdata\roaming\Simply Super Software
2010-10-19 19:53:35 -------- d-----w- c:\program files\Trojan Remover
2010-10-19 19:53:35 -------- d-----w- c:\progra~2\Simply Super Software
2010-10-19 19:38:53 -------- d-----w- c:\program files\Ad-Aware
2010-10-19 17:55:12 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2010-10-19 17:47:30 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2010-10-19 17:47:26 -------- d-----w- c:\program files\SpybotSD
2010-10-19 17:46:00 -------- d-----w- c:\users\dj\appdata\roaming\TweakNow RegCleaner Professional
2010-10-19 17:46:00 -------- d-----w- c:\program files\TweakNow
2010-10-15 09:20:08 -------- d-----w- c:\program files\ESET
2010-10-15 09:01:14 -------- d-----w- c:\program files\Trend Micro
2010-09-29 07:00:32 190976 ----a-w- c:\windows\system32\drivers\ks.sys
2010-09-29 02:59:22 13312 ----a-w- c:\program files\internet explorer\iecompat.dll
2010-09-29 02:59:21 2048 ----a-w- c:\windows\system32\tzres.dll
2010-09-28 02:46:01 -------- d-----r- c:\program files\Skype
2010-09-25 22:47:42 -------- d-----w- c:\users\dj\appdata\roaming\GrabPro
2010-09-25 22:45:42 -------- d-----w- c:\users\dj\appdata\roaming\MiniDm
2010-09-25 22:44:44 -------- d-----w- c:\program files\IEPro
2010-09-25 21:23:21 -------- d-----w- c:\program files\TouchFreeze
2010-09-25 16:53:58 -------- d-----w- c:\program files\Audacity
2010-09-22 21:19:23 2614272 ----a-w- c:\windows\explorer - Copy.exe

==================== Find3M ====================

2010-08-21 05:32:37 316928 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-29 06:30:49 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-07-29 06:30:34 82944 ----a-w- c:\windows\system32\iccvid.dll

============= FINISH: 9:27:37.05 ===============

As of yet, I have not detected anything out of the ordinary.
I have removed so many viruses and hijackers in the past without any issue, so this is quite baffling.
The next step imo is to just nuke and repave.......
I do not know how this hijacker got on my system. I am usually very *very* careful about what I download and where I browse.

Please let me know any suggestions. Any thoughts at all will be greatly appreciated.


Also, please note that I have read "BEFORE you POST" (http://forums.spybot.info/showthread.php?t=288). ;)
=======================

Please, can anybody help?

=======================

Edit
Waiting for help in the Malware Forum FOUR days or longer? (http://forums.spybot.info/showthread.php?t=1137)
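The DDS log above already contains three things a responder would chase before reaching for another scanner: the UAC policy block under mPolicies-system shows EnableLUA = 0 (UAC switched off), the LSA line shows a second authentication package (wvauth) next to the default msv1_0, and the poster has run SFC /scannow without a result. The following script is an added example and is not code from the thread or from any of the tools named in it; it assumes an elevated PowerShell session on Windows 7 or later. On PowerShell 2.0, Get-AuthenticodeSignature reports catalog-signed OS drivers as NotSigned, so on that version step 1 lists far more rows and step 2 (sfc /verifyfile, which compares a single file against its protected copy) is the decisive check.

```powershell
# Added example, not part of the thread. Post-scan triage for a Windows host
# with search-result redirects: find kernel drivers whose signature no longer
# validates, verify one against Windows Resource Protection, read the UAC
# policy values, and resolve every LSA authentication package to a signed DLL.

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

# 1. Drivers whose Authenticode/catalog signature does not validate, newest
#    first. An infection that patches a stock driver in place breaks that
#    driver's signature, so these rows are the first place to look.
function Get-UnverifiedDriver {
    Get-ChildItem -Path $driverDir -Filter '*.sys' | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        New-Object PSObject -Property @{
            Path      = $_.FullName
            LastWrite = $_.LastWriteTime
            Status    = $sig.Status
            Signer    = $signer
        }
    } | Where-Object { $_.Status -ne 'Valid' } | Sort-Object LastWrite -Descending
}

# 2. Ask Windows Resource Protection to compare one file against its protected
#    copy. SFC writes its findings to CBS.log; the console only states whether
#    a violation was found, so the relevant CBS.log lines are returned too.
function Test-ProtectedFile {
    param([string]$Path)
    & sfc.exe "/verifyfile=$Path" | Out-Null
    $leaf = [regex]::Escape((Split-Path $Path -Leaf))
    Get-Content "$env:SystemRoot\Logs\CBS\CBS.log" |
        Select-String $leaf |
        Select-Object -Last 5
}

# 3. The UAC values DDS prints under mPolicies-system. EnableLUA = 0 means UAC
#    is off and every process the user starts already holds the full
#    administrator token, so nothing prompts before System32\drivers is written.
function Get-UacPolicy {
    Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' |
        Select-Object EnableLUA, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser, PromptOnSecureDesktop
}

# 4. LSA authentication packages load into lsass.exe at boot. The default is
#    msv1_0 alone; any extra entry (the DDS log shows wvauth) must map to an
#    existing, validly signed DLL from a vendor whose software is on the box.
function Get-LsaAuthPackage {
    $lsa  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $pkgs = $lsa.'Authentication Packages'
    foreach ($pkg in $pkgs) {
        $dll    = Join-Path "$env:SystemRoot\System32" "$pkg.dll"
        $exists = Test-Path $dll
        $status = 'Missing'
        $signer = ''
        if ($exists) {
            $sig = Get-AuthenticodeSignature -FilePath $dll
            $status = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        New-Object PSObject -Property @{
            Package = $pkg
            Dll     = $dll
            Exists  = $exists
            Status  = $status
            Signer  = $signer
        }
    }
}

# Run the checks. Step 2 is applied to the newest unverified driver from step 1,
# which is the one most likely to have been modified recently.
Get-UnverifiedDriver | Select-Object Path, LastWrite, Status, Signer | Format-Table -AutoSize
Get-UacPolicy
Get-LsaAuthPackage | Select-Object Package, Exists, Status, Signer | Format-Table -AutoSize
Get-UnverifiedDriver | Select-Object -First 1 | ForEach-Object { Test-ProtectedFile -Path $_.Path }
```

Read the output as evidence, not as a verdict: a driver with a broken signature and a LastWrite inside the window when the redirects began is what a responder submits to a vendor or compares against a clean copy of the same Windows build, and a non-default LSA package whose DLL is validly signed by a vendor already installed on the machine is explained rather than suspicious.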

peku006
2010-10-29, 09:00
Hi daggit

If you still need help please post a fresh dds.txt log

Thanks peku006

daggit
2010-10-31, 06:12
I appreciate the reply, but I ran ComboFix on my own since nothing (and I mean nothing) could figure out the problem. Not even a complete re-installation of all browsers did the trick.

In case anyone else is experiencing this issue, ComboFix identified the infected file as such: c:\windows\system32\drivers\rdpencdd.sys


ComboFix 10-10-22.04 - DJ 10/23/2010 3:34.1.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3572.2614 [GMT -4:00]
Running from: c:\users\DJ\Desktop\ComboFix.exe
Command switches used :: c:\users\DJ\Desktop\cfscript.txt
AV: avast! antivirus 4.7.1043 [VPS 101022-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
* Created a new restore point

FILE ::
"c:\program files\AdvancedVirusRemover\PAVRM.exe"
"c:\windows\system32\AVR09.exe"
"c:\windows\system32\winhelper.dll"
"c:\windows\system32\winupdate.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\explorer.exe
c:\users\DJ\GoToAssistDownloadHelper.exe (This is a DELL assistant tool that I decided to delete and is not affiliated with the hijacker)

Infected copy of c:\windows\system32\drivers\rdpencdd.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2010-09-23 to 2010-10-23 )))))))))))))))))))))))))))))))
.

2010-10-23 07:47 . 2010-10-23 12:28 -------- d-----w- c:\users\DJ\AppData\Local\temp
2010-10-23 07:47 . 2010-10-23 07:47 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-10-23 07:32 . 2010-10-23 07:32 -------- d-----w- C:\Device
2010-10-23 06:18 . 2010-10-23 06:54 -------- d-----w- c:\windows\BDOSCAN8
2010-10-22 09:04 . 2010-10-18 13:41 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{661CE756-F437-428A-95F1-CF2828265662}\mpengine.dll
2010-10-22 00:32 . 2010-10-22 00:32 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-10-22 00:32 . 2010-10-22 00:32 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-10-21 23:46 . 2010-09-15 08:50 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-10-21 23:46 . 2010-09-15 08:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-21 23:42 . 2010-10-21 23:42 -------- d-----w- c:\program files\Common Files\Adobe
2010-10-21 13:24 . 2010-10-21 13:24 -------- d-----w- c:\program files\NT Registry Optimizer
2010-10-21 13:24 . 2010-10-21 13:24 -------- d-----w- c:\program files\ERUNT
2010-10-21 10:53 . 2004-08-04 11:00 506368 ----a-w- c:\windows\system32\msxml.dll
2010-10-21 10:48 . 2007-09-06 10:03 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-10-21 10:48 . 2007-09-06 10:02 42912 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-10-21 10:48 . 2007-09-06 10:00 95608 ----a-w- c:\windows\system32\AvastSS.scr
2010-10-21 10:47 . 2007-09-06 10:09 801144 ----a-w- c:\windows\system32\aswBoot.exe
2010-10-21 10:47 . 2007-09-06 10:02 45648 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-10-21 10:47 . 2004-01-09 09:13 380928 ----a-w- c:\windows\system32\actskin4.ocx
2010-10-21 10:47 . 2010-10-21 10:56 -------- d-----w- c:\program files\Avast
2010-10-21 10:24 . 2010-10-21 10:24 -------- d-----w- c:\programdata\PC Tools
2010-10-21 10:17 . 2010-10-21 10:17 1137360 ----a-w- C:\fsbl2.exe
2010-10-21 10:01 . 2010-10-21 10:01 1137360 ----a-w- C:\fsbl.exe
2010-10-21 02:41 . 2010-10-21 09:45 -------- d-----w- c:\program files\Window Registry Repair
2010-10-21 01:52 . 2010-10-21 01:52 -------- d-----w- c:\users\DJ\AppData\Roaming\Uniblue
2010-10-21 01:52 . 2010-10-21 09:45 -------- dc----w- c:\programdata\{AD5E3D2B-0DB1-4CD0-9913-0DDF2051E490}
2010-10-21 01:52 . 2010-10-21 01:52 -------- d-----w- c:\program files\Uniblue
2010-10-21 01:51 . 2010-10-21 01:51 -------- d-----w- c:\users\DJ\AppData\Local\PackageAware
2010-10-21 00:14 . 2010-10-21 00:14 -------- d-----w- c:\program files\Common Files\Java
2010-10-21 00:13 . 2010-10-21 00:13 -------- d-----w- c:\program files\Sun
2010-10-20 01:53 . 2010-10-21 09:45 -------- d-----w- c:\program files\CCleaner
2010-10-19 19:53 . 2003-02-03 00:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-10-19 19:53 . 2010-10-21 09:45 -------- d-----w- c:\program files\Trojan Remover
2010-10-19 19:53 . 2010-10-19 19:53 -------- d-----w- c:\users\DJ\AppData\Roaming\Simply Super Software
2010-10-19 19:53 . 2010-10-19 19:53 -------- d-----w- c:\programdata\Simply Super Software
2010-10-19 19:38 . 2010-10-21 09:45 -------- d-----w- c:\program files\Ad-Aware
2010-10-19 19:38 . 2010-10-19 19:38 -------- d-----w- c:\programdata\Lavasoft
2010-10-19 17:55 . 2010-10-19 17:55 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2010-10-19 17:47 . 2010-10-23 00:33 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-10-19 17:47 . 2010-10-21 13:48 -------- d-----w- c:\program files\SpybotSD
2010-10-19 17:46 . 2010-10-21 09:45 -------- d-----w- c:\program files\TweakNow
2010-10-19 17:46 . 2010-10-19 17:46 -------- d-----w- c:\users\DJ\AppData\Roaming\TweakNow RegCleaner Professional
2010-10-15 09:20 . 2010-10-15 09:20 -------- d-----w- c:\program files\ESET
2010-10-15 09:01 . 2010-10-15 09:01 -------- d-----w- c:\program files\Trend Micro
2010-09-29 19:45 . 2010-09-29 19:45 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-09-29 07:00 . 2010-03-04 03:57 190976 ----a-w- c:\windows\system32\drivers\ks.sys
2010-09-29 02:59 . 2010-08-27 05:30 13312 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2010-09-29 02:59 . 2010-06-19 06:15 2048 ----a-w- c:\windows\system32\tzres.dll
2010-09-28 02:47 . 2010-09-29 04:06 -------- d-----w- c:\users\DJ\AppData\Roaming\skypePM
2010-09-28 02:46 . 2010-09-29 07:16 -------- d-----w- c:\users\DJ\AppData\Roaming\Skype
2010-09-28 02:46 . 2010-09-28 02:46 -------- d-----w- c:\program files\Common Files\Skype
2010-09-28 02:46 . 2010-09-28 02:46 -------- d-----r- c:\program files\Skype
2010-09-28 02:45 . 2010-09-28 02:46 -------- d-----w- c:\programdata\Skype
2010-09-25 22:47 . 2010-09-25 22:47 -------- d-----w- c:\users\DJ\AppData\Roaming\GrabPro
2010-09-25 22:45 . 2010-09-25 22:47 -------- d-----w- c:\users\DJ\AppData\Roaming\MiniDm
2010-09-25 22:44 . 2010-09-25 22:47 -------- d-----w- c:\program files\IEPro
2010-09-25 21:23 . 2010-09-25 21:23 -------- d-----w- c:\program files\TouchFreeze
2010-09-25 16:54 . 2010-09-25 17:08 -------- d-----w- c:\users\DJ\AppData\Roaming\Audacity
2010-09-25 16:53 . 2010-09-25 16:54 -------- d-----w- c:\program files\Audacity

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-21 05:32 . 2010-09-16 00:52 316928 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-29 06:30 . 2010-08-12 03:15 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-07-29 06:30 . 2010-08-12 03:15 82944 ----a-w- c:\windows\system32\iccvid.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2009-11-24 20:48 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2009-11-24 20:48 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"TouchFreeze"="c:\program files\TouchFreeze\TouchFreeze.exe" [2005-04-29 45056]
"Google Update"="c:\users\DJ\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-04-14 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-06-19 249856]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-08-01 458844]
"nwiz"="nwiz.exe" [2009-12-10 1657448]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-12-15 13797992]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2009-12-15 92776]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-08-07 186904]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-11-02 657920]
"DellConnectionManager"="c:\program files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe" [2009-12-22 1845248]
"USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2010-01-06 34232]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-8-11 795936]
Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2009-12-10 1327392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^TdmNotify.lnk]
backup=c:\windows\pss\TdmNotify.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^DJ^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
path=c:\users\DJ\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
backup=c:\windows\pss\ERUNT AutoBackup.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^DJ^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MagicDisc.lnk]
backup=c:\windows\pss\MagicDisc.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^DJ^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 03:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 08:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Freecorder FLV Service]
2009-11-15 19:59 158752 ----a-w- c:\program files\Freecorder\FLVSrvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-04-14 14:09 136176 ----atw- c:\users\DJ\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 15:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2009-12-29 21:35 140520 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RDVCHG]
2010-06-08 20:48 316736 ----a-w- c:\program files\Sprint\Sprint SmartView\RDVCHG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
2007-08-20 15:58 701736 ----a-w- c:\program files\Registry Mechanic\RMTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sprint SmartView]
2010-06-08 21:20 75072 ----a-w- c:\program files\Sprint\Sprint SmartView\SprintSV.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-04-14 14:04 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB Safely Remove]
2010-05-07 05:47 1498448 ----a-w- c:\program files\USB SR\USBSafelyRemove.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WavXMgr]
2010-01-05 19:04 147328 ----a-w- c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile Device Center]
2007-05-31 13:21 648072 ----a-w- c:\windows\WindowsMobile\wmdc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2010-01-07 18:38 158448 ----a-w- c:\program files\Zune\ZuneLauncher.exe

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-14 135664]
R3 bcm;WiMAX Network Adapter;c:\windows\system32\DRIVERS\drxvi314.sys [2010-02-12 319488]
R3 bcmbusctr;WiMAX Bus Driver;c:\windows\system32\DRIVERS\BcmBusCtr.sys [2010-02-12 51456]
R3 CASprint;Sprint Con App Svc;c:\program files\Sprint\Sprint SmartView\ConAppsSvc.exe [2010-06-08 124224]
R3 cm_net;C-motech USB Network Adapter Drivers;c:\windows\system32\DRIVERS\cm_net.sys [2008-05-29 112640]
R3 cm_ser;C-motech USB Serial Port Driver;c:\windows\system32\DRIVERS\cm_ser.sys [2008-05-29 103680]
R3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2009-09-15 6114816]
R3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NvtSp50.sys [x]
R3 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [2009-07-02 47104]
R3 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [2009-07-01 49152]
R3 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe86.sys [2009-07-05 38400]
R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\DRIVERS\vpcuxd.sys [2009-09-23 12800]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-06 1343400]
R4 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [2009-12-17 812448]
R4 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [2009-12-17 27040]
R4 SMManager;Smith Micro Connection Manager Service;c:\program files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe [2009-12-22 77312]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2007-09-06 45648]
S2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [2009-11-20 278304]
S2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [2009-12-10 386848]
S2 NvtlService;NovaCore SDK Service;c:\program files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe [2010-01-11 82944]
S2 USBSafelyRemoveService;USB Safely Remove Assistant;c:\program files\USB SR\USBSRService.exe [2010-05-07 242000]
S3 acpials;ALS Sensor Filter;c:\windows\system32\DRIVERS\acpials.sys [2009-07-13 7680]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-14 45736]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-03-31 29472]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [2009-10-30 33832]
S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6232.sys [2009-06-13 221912]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
Contents of the 'Scheduled Tasks' folder

2010-10-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-14 14:04]

2010-10-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-14 14:04]

2010-10-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4214836441-3027634161-1088295581-1001Core.job
- c:\users\DJ\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-25 14:09]

2010-10-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4214836441-3027634161-1088295581-1001UA.job
- c:\users\DJ\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-25 14:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: kaspersky.com\www
Trusted Zone: microsoft.com
Trusted Zone: microsoft.com\*.update
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
FF - ProfilePath - c:\users\DJ\AppData\Roaming\Mozilla\Firefox\Profiles\ziqf236s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nptgeqplugin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\DJ\AppData\Local\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\users\DJ\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\DJ\AppData\Roaming\Mozilla\Firefox\Profiles\ziqf236s.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
FF - plugin: c:\users\DJ\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\DJ\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\windows\system32\Wat\npWatWeb.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{1392B8D2-5C05-419F-A8F6-B9F15A596612} - (no file)
SafeBoot-dmboot.sys
SafeBoot-dmio.sys
SafeBoot-dmload.sys
SafeBoot-dmadmin
SafeBoot-dmserver
SafeBoot-SRService


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(544)
c:\windows\system32\wvauth.DLL

- - - - - - - > 'Explorer.exe'(5036)
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
c:\program files\WIDCOMM\Bluetooth Software\btmmhook.dll
c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_450b431403c091e3\STacSV.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Avast\aswUpdSv.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\program files\Avast\ashServ.exe
c:\program files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe
c:\windows\system32\CISVC.EXE
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\System32\tcpsvcs.exe
c:\windows\System32\snmp.exe
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Avast\ashWebSv.exe
c:\program files\Avast\ashMaiSv.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\System32\rundll32.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\Apntex.exe
c:\windows\system32\conhost.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\WIDCOMM\Bluetooth Software\BtStackServer.exe
.
**************************************************************************
.
Completion time: 2010-10-23 08:31:14 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-23 12:31

Pre-Run: 92,202,270,720 bytes free
Post-Run: 91,691,880,448 bytes free

- - End Of File - - 875071248FFFB8BE4D5C4878C14E4D34
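
Two details in the posted log deserve a closer look than a redirector hunt usually gives them, and the example below is an added triage script, not part of the original post and not a DDS or ComboFix feature. First, the policies\system key shows UAC switched off completely (EnableLUA=0, with ConsentPromptBehaviorAdmin=0 and PromptOnSecureDesktop=0 behind it): anything running as this user already runs with a full administrator token, so a dropper needs no prompt to write HKLM or system32, and UAC should be turned back on once the machine is clean. Second, the LSA "Authentication Packages" value carries wvauth next to the standard msv1_0, and the "DLLs Loaded Under Running Processes" section confirms c:\windows\system32\wvauth.DLL inside lsass.exe. An LSA authentication package sees plaintext logon credentials, which is why both rootkit authors and security vendors use the slot; the other Wave Systems / Dell ControlVault software on this laptop (TdmService, WavXDocMgr, Credential Vault services) makes a vendor component the likely explanation, but the call should rest on the file's digital signature, not on the name. The script parses the registry-dump layout exactly as it appears in the thread (bracketed key, `"Name"= value` lines, `Name REG_MULTI_SZ ...` lines, `- - - > 'proc'(pid)` DLL blocks); the sample input is an excerpt copied from the posted log, and the "default package is msv1_0 alone" baseline is this example's assumption for a stock Windows 7 install.

```python
"""Flag UAC-disabled and non-default LSA auth packages in a DDS/ComboFix dump.

Added example for this thread; the regexes assume the text layout of the
posted log and are not an official parser for either tool.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample input: an excerpt of the log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

- - - - - - - > 'lsass.exe'(544)
c:\windows\system32\wvauth.DLL
"""

UAC_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"
# Assumption for this example: a stock Windows 7 box ships only msv1_0 here.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=\s*(\d+)')
MULTI_RE = re.compile(r"^(.+?) REG_MULTI_SZ\s+(.*)$")
PROC_RE = re.compile(r"^(?:- )+> '(.+?)'\((\d+)\)$")


def parse_registry_dump(text: str) -> Tuple[Dict[str, Dict[str, object]], Dict[str, List[str]]]:
    """Return (registry keys -> values, process 'name(pid)' -> loaded DLL paths)."""
    keys: Dict[str, Dict[str, object]] = {}
    procs: Dict[str, List[str]] = {}
    current_key = None
    current_proc = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends the current block
            current_key = current_proc = None
            continue
        if m := KEY_RE.match(line):
            current_key = m.group(1).lower()
            keys.setdefault(current_key, {})
            current_proc = None
            continue
        if m := PROC_RE.match(line):
            current_proc = f"{m.group(1)}({m.group(2)})"
            procs.setdefault(current_proc, [])
            current_key = None
            continue
        if current_proc is not None:      # lines under a process header are DLL paths
            procs[current_proc].append(line)
            continue
        if current_key is None:
            continue
        if m := DWORD_RE.match(line):
            keys[current_key][m.group(1)] = int(m.group(2))
        elif m := MULTI_RE.match(line):
            keys[current_key][m.group(1)] = m.group(2).split()
    return keys, procs


def triage(text: str) -> List[str]:
    """Human-readable findings for the two settings this example cares about."""
    keys, procs = parse_registry_dump(text)
    findings: List[str] = []

    uac = keys.get(UAC_KEY, {})
    if uac.get("EnableLUA") == 0:
        findings.append("UAC disabled (EnableLUA=0): admin-group processes run fully "
                        "elevated, so malware writes HKLM/system32 without any prompt")
    else:
        if uac.get("ConsentPromptBehaviorAdmin") == 0:
            findings.append("UAC elevates administrators without prompting "
                            "(ConsentPromptBehaviorAdmin=0)")
        if uac.get("PromptOnSecureDesktop") == 0:
            findings.append("UAC prompt not on the secure desktop "
                            "(PromptOnSecureDesktop=0); prompt can be spoofed")

    # Non-default LSA authentication packages load into lsass.exe at boot and
    # handle plaintext logon credentials; correlate each with the DLL list.
    lsass_dlls = [d for proc, dlls in procs.items()
                  if proc.lower().startswith("lsass.exe") for d in dlls]
    for pkg in keys.get(LSA_KEY, {}).get("Authentication Packages", []):
        if pkg.lower() in DEFAULT_AUTH_PACKAGES:
            continue
        hits = [d for d in lsass_dlls if d.rsplit("\\", 1)[-1].lower() == pkg.lower() + ".dll"]
        where = f"loaded in lsass.exe from {hits[0]}" if hits else "not seen among lsass.exe DLLs"
        findings.append(f"non-default LSA authentication package '{pkg}' ({where}); "
                        "verify the file's digital signature before treating it as benign")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

Run it against a full DDS or ComboFix log by passing the file contents to `triage()`; on the posted excerpt it returns exactly two findings, the disabled UAC and the wvauth package with its lsass.exe path, which is the short list a helper would want answered (signature check on wvauth.DLL, UAC re-enabled after cleanup) alongside the TDSSKiller run requested below.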

peku006
2010-10-31, 10:20
Hi daggit

ComboFix SHOULD NOT be used unless requested by a forum helper

1. Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and extract its contents into a folder in desired location (i.e. c:\tdsskiller).
2. Execute the file TDSSKiller.exe.
3. Click Start Scan. If threats are found, select cure and click Continue (tool may prompt for a reboot).
4. Post back contents of log file in c: drive root (name should be in UtilityName.Version_Date_Time_log.txt format)

Thanks peku006

daggit
2010-10-31, 15:32
I understand that it should only be used if requested, but seeing as I had run out of options (including GMER and Kaspersky's TDSS rootkit scanners, both of which turned up nothing), I scoured networking and forum boards for clues.

Another user on this board was experiencing malware symptoms not unlike mine, and a forum helper did indeed prescribe ComboFix (without prior suggestions for other scanners).

Since this topic had been about 6-7 days without reply (I didn't know about Waiting for help in the Malware Forum FOUR days or longer? (http://forums.spybot.info/showthread.php?t=1137)), I decided to give it a go.

Though if I can find my TDSSKiller log, I'll be sure to post it for the benefit of others.

peku006
2010-11-02, 09:17
Hi daggit

Do you need more help?

peku006
2010-11-08, 14:51
Due to a lack of response, this topic is now closed

If you still require help, please open a new thread in the Malware Removal forum (http://forums.spybot.info/forumdisplay.php?f=22), include a fresh DDS log, and wait for a new helper.

Your donation helps improving Spybot-S&D! (http://www.safer-networking.org/en/donate/index.html)