View Full Version : Google-Redirect/Happili.com



RodneyCPhT
2012-04-27, 23:24
I suspect I've been infected with the Google-redirect virus since all clicks on Google search results take me to either happili.com or some other website trying to sell something. Unfortunately Spybot doesn't detect any spyware, Avira antivirus doesn't detect trojans, HOWEVER from time to time it DOES detect trojans and cleans them (to find some new ones the following day). Recently the computer crashes, freezes, or runs extremely slowly AT TIMES (not always). Secure connections (https) usually don't work or don't display the page after a secure log in. Things I did and later found out I should not have done: ran TDSSkiller, FixTDSS (from Norton), and NPE (also from Norton). No solution. Please HELP! :thanks:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by sop-student at 15:48:53 on 2012-04-27
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.424 [GMT -4:00]
.
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\program files\real\realplayer\update\realsched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD11\PDVD11Serv.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CyberLink\PowerDVD11\Kernel\DMP\CLHNServiceForPowerDVD.exe
C:\Program Files\CyberLink\PowerDVD11\Common\MediaServer\CLMSMonitorService.exe
C:\Program Files\CyberLink\PowerDVD11\Common\MediaServer\CLMSServerForPDVD11.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
BHO: Codec-V: {11111111-1111-1111-1111-110011041135} - c:\program files\codec-v\Codec-V.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Veehd Plugin: {32ea9cd0-5187-4fe3-b989-b4d1408d2802} - c:\program files\veehd plugin\tbunsy54.tmp\tbcore3.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Active Desktop Calendar] c:\program files\xemicomputers\active desktop calendar\ADC.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
uRun: [Facebook Update] "c:\documents and settings\sop-student\local settings\application data\facebook\update\FacebookUpdate.exe" /c /nocrashserver
uRun: [Update] rundll32.exe "c:\documents and settings\sop-student\application data\amazon\amazon\vmvsz.dll",DllRegisterServer
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RemoteControl11] c:\program files\cyberlink\powerdvd11\PDVD11Serv.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [Update] rundll32.exe "c:\documents and settings\sop-student\application data\amazon\amazon\vmvsz.dll",DllRegisterServer
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: cvslearnet.com\www
Trusted Zone: intuit.com\ttlc
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {54EABC7D-40DC-4667-8517-F42D00540342} - hxxp://tegrity1.acast.nova.edu/tegrity/_Player/1.0/Code/DRMActiveX.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206144652075
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215373103515
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxps://prometheus.umaryland.edu/sre/Downloads/ICSScanner.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://premconf.webex.com/client/WBXclient-T27L10NSP25-10481/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{258CEDE0-86E9-4568-BC27-A7F35A67EAC7} : DhcpNameServer = 75.75.75.75 75.75.76.76
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\wi371a~1\datamngr\datamngr.dll c:\progra~1\wi371a~1\datamngr\IEBHO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\sop-student\application data\mozilla\firefox\profiles\g1td59wu.default\
FF - prefs.js: browser.search.selectedEngine - Search Results
FF - prefs.js: browser.startup.homepage - hxxp://www.searchqu.com/406
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=101&systemid=406&sr=0&q=
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\sop-student\local settings\application data\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-2-10 36000]
R2 {329F96B6-DF1E-4328-BFDA-39EA953C1312};Power Control [2012/01/07 21:20:00];c:\program files\cyberlink\powerdvd11\common\navfilter\000.fcl [2011-10-18 77296]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-2-10 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-2-10 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-2-10 74640]
R2 CLHNServiceForPowerDVD;CLHNServiceForPowerDVD;c:\program files\cyberlink\powerdvd11\kernel\dmp\CLHNServiceForPowerDVD.exe [2012-1-7 83240]
R2 CyberLink PowerDVD 11.0 Monitor Service;CyberLink PowerDVD 11.0 Monitor Service;c:\program files\cyberlink\powerdvd11\common\mediaserver\CLMSMonitorService.exe [2012-1-7 75048]
R2 CyberLink PowerDVD 11.0 Service;CyberLink PowerDVD 11.0 Service;c:\program files\cyberlink\powerdvd11\common\mediaserver\CLMSServerForPDVD11.exe [2012-1-7 292136]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2011-8-25 13672]
R2 ntk_PowerDVD;ntk_PowerDVD;c:\program files\cyberlink\powerdvd11\kernel\dmp\ntk_PowerDVD.sys [2012-1-7 71664]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-23 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-2 253088]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-12-23 136176]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro36.sys [2012-4-17 26400]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-11 14336]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-11 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-04-25 19:35:53 -------- d-----w- c:\documents and settings\sop-student\application data\ElevatedDiagnostics
2012-04-17 15:57:10 26400 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-04-17 15:46:31 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
2012-04-17 15:28:55 -------- d--h--w- c:\windows\PIF
2012-04-13 19:28:17 -------- d-----w- c:\documents and settings\sop-student\application data\DDMSettings
2012-04-11 20:40:16 -------- d-----w- c:\program files\iPod
2012-04-09 19:46:32 -------- d-----w- c:\documents and settings\sop-student\local settings\application data\NPE
2012-04-09 19:46:32 -------- d-----w- c:\documents and settings\all users\application data\Norton
2012-04-09 15:08:27 -------- d-----w- c:\documents and settings\all users\application data\Premium
2012-04-09 15:07:13 -------- d-----w- c:\documents and settings\sop-student\local settings\application data\Codec-V
2012-04-09 15:07:10 -------- d-----w- c:\program files\Codec-V
2012-04-09 15:07:01 -------- d-----w- C:\codec-info
2012-04-09 15:06:52 -------- d-----w- c:\documents and settings\all users\application data\InstallMate
2012-04-04 05:53:56 182160 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2012-04-02 14:13:32 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-30 05:15:34 -------- d-----w- c:\documents and settings\all users\application data\Graboid Inc
2012-03-30 05:15:23 -------- d-----w- c:\documents and settings\sop-student\local settings\application data\Geckofx
2012-03-30 05:13:26 -------- d-----w- c:\program files\VideoLAN
2012-03-30 05:13:05 -------- d-----w- c:\program files\Graboid
.
==================== Find3M ====================
.
2012-04-14 10:01:10 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01:32 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17:40 385024 ----a-w- c:\windows\system32\html.iec
2012-02-15 16:01:50 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-15 16:01:50 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 15:50:53.71 ===============

ken545
2012-04-28, 03:24
:snwelcome:


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

When running programs on Vista or Windows 7, you need to right-click on the program and select RUN AS ADMINISTRATOR.


Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan
http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click save log, save it to your desktop and post in your next reply
http://public.avast.com/~gmerek/aswMBR2.png




Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report, please.

RodneyCPhT
2012-04-28, 07:10
:cleaning:

Thanks for the quick response. I do understand the risks of the fix. I created a backup registry as per "Before you post". Here are the 2 log reports (also attached as zip files):


aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-04-27 23:00:33
-----------------------------
23:00:33.640 OS Version: Windows 5.1.2600 Service Pack 3
23:00:33.640 Number of processors: 2 586 0xE08
23:00:33.640 ComputerName: RODNEYSLAPTOP UserName: sop-student
23:00:34.359 Initialize success
23:04:18.109 AVAST engine defs: 12042701
23:04:42.796 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
23:04:42.812 Disk 0 Vendor: TOSHIBA_MK8032GSX AS112D Size: 76319MB BusType: 3
23:04:42.828 Disk 0 MBR read successfully
23:04:42.828 Disk 0 MBR scan
23:04:43.031 Disk 0 Windows XP default MBR code
23:04:43.031 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 86 MB offset 63
23:04:43.093 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 76230 MB offset 176715
23:04:43.156 Disk 0 scanning sectors +156296385
23:04:43.281 Disk 0 scanning C:\WINDOWS\system32\drivers
23:05:13.375 Service scanning
23:05:46.828 Modules scanning
23:05:55.125 Module: C:\WINDOWS\System32\DLA\DLADResN.SYS **SUSPICIOUS**
23:05:58.203 Disk 0 trace - called modules:
23:05:58.250 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
23:05:58.265 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86ef6ab8]
23:05:58.265 3 CLASSPNP.SYS[f76befd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86f21940]
23:05:58.875 AVAST engine scan C:\WINDOWS
23:06:24.343 AVAST engine scan C:\WINDOWS\system32
23:12:24.859 AVAST engine scan C:\WINDOWS\system32\drivers
23:12:55.593 AVAST engine scan C:\Documents and Settings\sop-student
23:27:58.671 AVAST engine scan C:\Documents and Settings\All Users
23:30:07.578 Scan finished successfully
23:30:54.750 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\sop-student\Desktop\MBR.dat"
23:30:54.765 The log file has been saved successfully to "C:\Documents and Settings\sop-student\Desktop\Post3_aswMBR.txt"


Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.28.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
sop-student :: RODNEYSLAPTOP [administrator]

4/27/2012 11:35:28 PM
mbam-log-2012-04-27 (23-35-28).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 213832
Time elapsed: 12 minute(s), 17 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\Documents and Settings\sop-student\Application Data\Amazon\Amazon\vmvsz.dll (Trojan.Agent.GMAGen) -> Delete on reboot.

Registry Keys Detected: 13
HKCR\CLSID\{11111111-1111-1111-1111-110011041135} (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKCR\TypeLib\{44444444-4444-4444-4444-440044044435} (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKCR\Interface\{55555555-5555-5555-5555-550055045535} (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0000435.BHO.1 (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011041135} (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{11111111-1111-1111-1111-110011041135} (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110011041135} (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011041135} (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0000435.BHO (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0000435.FBApi (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0000435.FBApi.1 (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0000435.Sandbox (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0000435.Sandbox.1 (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Update (Trojan.Agent.GMAGen) -> Data: rundll32.exe "C:\Documents and Settings\sop-student\Application Data\Amazon\Amazon\vmvsz.dll",DllRegisterServer -> Quarantined and deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Update (Trojan.Agent.GMAGen) -> Data: rundll32.exe "C:\Documents and Settings\sop-student\Application Data\Amazon\Amazon\vmvsz.dll",DllRegisterServer -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Program Files\Codec-V\Codec-V.dll (PUP.Codec.PR) -> Quarantined and deleted successfully.
C:\Documents and Settings\sop-student\Application Data\Amazon\Amazon\vmvsz.dll (Trojan.Agent.GMAGen) -> Delete on reboot.

(end)
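
The Malwarebytes results above confirm two entries from the first DDS log as unwanted: the rundll32 "Update" autorun loading vmvsz.dll from Application Data, and the Codec-V BHO with its hand-typed CLSID. The following Python script is an added example, not from this thread or from any of the tools used in it: it applies the kind of triage heuristics an analyst uses when reading DDS "Pseudo HJT Report" lines (autostarts from user-writable or *.tmp directories, rundll32/DllRegisterServer autoruns, repeated-digit CLSIDs, AppInit_DLLs, hosts-file and Firefox search overrides). The sample lines are constructed from that log, and a hit is a candidate for review, not a verdict.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: "Pseudo HJT Report" lines in the style of the DDS log
# posted in this thread (paths copied from that log, not a real scan run here).
SAMPLE_LINES = r"""
BHO: Codec-V: {11111111-1111-1111-1111-110011041135} - c:\program files\codec-v\Codec-V.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: Veehd Plugin: {32ea9cd0-5187-4fe3-b989-b4d1408d2802} - c:\program files\veehd plugin\tbunsy54.tmp\tbcore3.dll
uRun: [Update] rundll32.exe "c:\documents and settings\sop-student\application data\amazon\amazon\vmvsz.dll",DllRegisterServer
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [Update] rundll32.exe "c:\documents and settings\sop-student\application data\amazon\amazon\vmvsz.dll",DllRegisterServer
AppInit_DLLs: c:\progra~1\wi371a~1\datamngr\datamngr.dll c:\progra~1\wi371a~1\datamngr\IEBHO.dll
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=101&systemid=406&sr=0&q=
Hosts: 127.0.0.1 www.spywareinfo.com
"""

# Directories under the user profile that any process running as the user can
# write to; legitimate autostarts almost always live under Program Files or
# Windows instead, so a hit here is worth a look (heuristic, not proof).
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")

# CLSID with its first three groups captured so they can be pattern-checked.
CLSID_RE = re.compile(
    r"\{([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-[0-9a-f]{4}-[0-9a-f]{12}\}", re.I)

# "rundll32.exe <some.dll>,DllRegisterServer" as an autorun re-registers the
# DLL at every logon; the vmvsz.dll entry in the thread has exactly this shape.
RUNDLL_REGSVR_RE = re.compile(
    r'rundll32(\.exe)?\s+"?[^"]*\.dll"?\s*,\s*dllregisterserver', re.I)

# A path component ending in .tmp used as a directory (e.g. tbunsy54.tmp\).
TMP_DIR_RE = re.compile(r"\.tmp\\", re.I)


def synthetic_clsid(m) -> bool:
    """{11111111-1111-1111-...}-style CLSIDs are typed by hand; a generated
    GUID's first three groups are practically never one repeated digit each."""
    return all(len(set(group.lower())) == 1 for group in m.groups())


def check_autorun(target: str) -> Optional[str]:
    """Heuristics for uRun/mRun/dRun/StartupFolder entries."""
    low = target.lower()
    if RUNDLL_REGSVR_RE.search(low):
        return "rundll32 re-registers a DLL at every logon"
    if any(marker in low for marker in USER_WRITABLE):
        return "autostart target lives in a user-writable profile directory"
    if TMP_DIR_RE.search(low):
        return "autostart target lives in a *.tmp directory"
    return None


def check_browser_extension(target: str) -> Optional[str]:
    """Heuristics for BHO (IE helper object) and TB (toolbar) entries."""
    m = CLSID_RE.search(target)
    if m and synthetic_clsid(m):
        return "hand-made CLSID (repeated digits) typical of adware BHOs"
    if TMP_DIR_RE.search(target):
        return "browser extension loaded from a *.tmp directory"
    return None


def check_line(line: str) -> Optional[str]:
    """Return a reason if the DDS line deserves a second look, else None."""
    key, _, rest = line.partition(":")
    key = key.strip()
    if key in ("uRun", "mRun", "dRun", "StartupFolder"):
        return check_autorun(rest)
    if key in ("BHO", "TB"):
        return check_browser_extension(rest)
    if key == "AppInit_DLLs" and rest.strip():
        return "AppInit_DLLs injects the listed DLLs into every GUI process"
    if key == "Hosts" and re.match(r"\s*127\.0\.0\.1\s+\S", rest):
        return "Hosts entry sends a site to localhost (a common way to block security sites)"
    if key == "FF - prefs.js" and rest.strip().startswith(
            ("keyword.URL", "browser.startup.homepage", "browser.search.selectedEngine")):
        return "Firefox search/homepage preference overridden; verify the destination"
    return None


def triage(report: str) -> List[Tuple[str, str]]:
    """Run every check over a block of DDS report lines; returns (line, reason)."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if line:
            reason = check_line(line)
            if reason:
                findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LINES):
        print(f"[REVIEW] {reason}\n         {line}")
```

On the sample, seven of the ten lines are surfaced, including both vmvsz.dll autoruns and the Codec-V BHO, while the Adobe BHO, Messenger and Avira entries pass.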

ken545
2012-04-28, 12:32
Good Morning,

Lots of bad stuff was removed by Malwarebytes, but there may be more lurking that we can't see.

You need to enable Windows to show all files and folders; instructions Here (http://www.bleepingcomputer.com/tutorials/tutorial62.html)

Go to VirusTotal (http://www.virustotal.com/) and submit this file for analysis: just use the browse feature and then Send File. If it says this file has been checked before, have them recheck it. When the scan is done, just copy and paste the link back to this forum for me to see.

C:\WINDOWS\System32\DLA\DLADResN.SYS <-- this file

If the site is busy you can try this one
http://virusscan.jotti.org/en




Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instructions on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.


Post the link for VirusTotal and the ComboFix report, please. Just want you to know that I will be away until late afternoon today, so just hang in; I will be back.

Ken :)

RodneyCPhT
2012-04-28, 20:11
Hi Ken, hope you're enjoying your weekend. It is rainy here in Miami, but things are looking better with my PC :bigthumb: Google no longer redirects. You do hear a lot of "click-click-click" when loading pages from search results though.

Some issues I notice after I followed instructions from last post:
(these may or may not be important, but I'll mention them anyway)

1) After making available the hidden files, 2 new files show in my desktop and documents folder: 'Thumbs.db' AND 'LoaderBackup-(2011-04-21).ipd'
Should I take any action/delete/ignore?

2) During the ComboFix scan there was a message about some system files not being recognized and being deleted; it asked me to insert the Windows XP Professional SP3 CD to replace them (which I don't have; the system was updated to SP3 via Windows Update when it was released). While I was trying to find out if I had such a CD somewhere, ComboFix restarted my computer, so I really don't know if these files are really needed or not.

3) Should I hide the system files again?

Reports follow:
https://www.virustotal.com/file/25b18fef62395abb1eb4c17d81d9eb31759f6c5dbaa5cdb192949055d69e3071/analysis/1335627884/

The ComboFix log is attached.

Thank you,
Rodney.


ComboFix 12-04-28.01 - sop-student 04/28/2012 12:15:48.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.437 [GMT -4:00]
Running from: c:\documents and settings\sop-student\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\{F232C87C-6E92-4775-8210-DFE90B7777D9}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\{F232C87C-6E92-4775-8210-DFE90B7777D9}\Setup.exe
c:\documents and settings\All Users\Application Data\TEMP\{F232C87C-6E92-4775-8210-DFE90B7777D9}\Setup.ilg
c:\documents and settings\sop-student\Application Data\Toolbar4
c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\128.png
c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\16.png
c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\19.png
c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\48.png
c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\arrow_refresh.png
c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\basis.xml
c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\cache\9bb48ef2097188cd040a04b522ef9b34
c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\cog.png
c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\computer_delete.png
c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\Core.js
c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\favicon.png
c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\icons.bmp
c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\info.txt
c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\inst.tmp
c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\standart_icons.bmp
c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\TbHelper2.exe
c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\uninstall.exe
c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\uninstaller.exe
c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\update.exe
c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\version.txt
c:\documents and settings\sop-student\Application Data\Toolbar4\{32EA9CD0-5187-4FE3-B989-B4D1408D2802}\your_logo.png
C:\install.exe
c:\program files\Veehd Plugin\tbunsy54.tmp\tbHElper.dll
c:\windows\system32\acelpdec.ax
c:\windows\system32\ativdaxx.ax
c:\windows\system32\ativmvxx.ax
c:\windows\system32\g711codc.ax
c:\windows\system32\iac25_32.ax
c:\windows\system32\ir41_32.ax
c:\windows\system32\ivfsrc.ax
c:\windows\system32\ksproxy.ax
c:\windows\system32\l3codecx.ax
c:\windows\system32\mpeg2data.ax
c:\windows\system32\mpg2splt.ax
c:\windows\system32\mpg4ds32.ax
c:\windows\system32\msadds32.ax
c:\windows\system32\msscds32.ax
c:\windows\system32\test
c:\windows\system32\TMP292.tmp
c:\windows\system32\urttemp
c:\windows\system32\urttemp\fusion.dll
c:\windows\system32\urttemp\mscoree.dll
c:\windows\system32\urttemp\mscoree.dll.local
c:\windows\system32\urttemp\mscorsn.dll
c:\windows\system32\urttemp\mscorwks.dll
c:\windows\system32\urttemp\msvcr71.dll
c:\windows\system32\urttemp\regtlib.exe
c:\windows\system32\vbicodec.ax
c:\windows\system32\vbisurf.ax
c:\windows\system32\vidcap.ax
c:\windows\system32\wiasf.ax
c:\windows\system32\wmv8ds32.ax
c:\windows\system32\wmvds32.ax
c:\windows\system32\wstpager.ax
c:\windows\system32\wstrenderer.ax
.
.
((((((((((((((((((((((((( Files Created from 2012-03-28 to 2012-04-28 )))))))))))))))))))))))))))))))
.
.
2012-04-28 06:21 . 2012-04-28 06:21 -------- d-----w- c:\documents and settings\sop-student\Application Data\RealNetworks
2012-04-28 03:33 . 2012-04-28 03:33 -------- d-----w- c:\documents and settings\sop-student\Application Data\Malwarebytes
2012-04-28 03:33 . 2012-04-28 03:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-04-28 03:33 . 2012-04-28 03:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-28 03:33 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-27 19:45 . 2012-04-27 19:45 -------- d-----w- c:\program files\ERUNT
2012-04-25 19:35 . 2012-04-25 19:35 -------- d-----w- c:\documents and settings\sop-student\Application Data\ElevatedDiagnostics
2012-04-17 15:57 . 2012-04-17 15:57 26400 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-04-17 15:46 . 2012-04-17 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-04-17 15:28 . 2012-04-17 15:28 -------- d--h--w- c:\windows\PIF
2012-04-13 19:28 . 2012-04-13 19:28 -------- d-----w- c:\documents and settings\sop-student\Application Data\DDMSettings
2012-04-11 20:40 . 2012-04-11 20:40 -------- d-----w- c:\program files\iPod
2012-04-09 19:46 . 2012-04-10 03:23 -------- d-----w- c:\documents and settings\sop-student\Local Settings\Application Data\NPE
2012-04-09 19:46 . 2012-04-09 19:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2012-04-09 15:08 . 2012-04-09 15:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Premium
2012-04-09 15:07 . 2012-04-09 15:07 -------- d-----w- c:\documents and settings\sop-student\Local Settings\Application Data\Codec-V
2012-04-09 15:07 . 2012-04-28 03:49 -------- d-----w- c:\program files\Codec-V
2012-04-09 15:07 . 2012-04-09 15:07 -------- d-----w- C:\codec-info
2012-04-09 15:06 . 2012-04-09 15:08 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2012-04-04 05:53 . 2012-04-04 05:53 182160 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2012-04-02 14:13 . 2012-04-14 10:01 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-30 05:15 . 2012-03-30 05:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Graboid Inc
2012-03-30 05:15 . 2012-03-30 05:15 -------- d-----w- c:\documents and settings\sop-student\Local Settings\Application Data\Geckofx
2012-03-30 05:13 . 2012-03-30 05:13 -------- d-----w- c:\program files\VideoLAN
2012-03-30 05:13 . 2012-04-02 04:03 -------- d-----w- c:\program files\Graboid
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-14 10:01 . 2011-05-24 15:57 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-01 11:01 . 2004-08-11 22:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2004-08-11 22:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2004-08-11 22:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2004-08-11 22:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2004-08-11 22:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2004-08-11 22:00 385024 ----a-w- c:\windows\system32\html.iec
2012-02-15 16:21 . 2012-02-10 15:33 137416 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-02-15 16:01 . 2010-04-03 13:21 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-15 16:01 . 2010-04-03 13:21 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2012-02-03 09:22 . 2004-08-11 22:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2011-11-14 03:48 . 2011-08-22 18:56 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"Active Desktop Calendar"="c:\program files\XemiComputers\Active Desktop Calendar\ADC.exe" [2006-07-13 3297280]
"Facebook Update"="c:\documents and settings\sop-student\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" [2012-03-11 137536]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-08 176128]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-02 1392640]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-17 397312]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-12-15 296056]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-31 138008]
"RemoteControl11"="c:\program files\CyberLink\PowerDVD11\PDVD11Serv.exe" [2011-08-24 230696]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-12-15 258512]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-19 24576]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Windows iLivid Toolbar\\Datamngr\\ToolBar\\dtUser.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD11\\PowerDVD11.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD11\\PDVD11Serv.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD11\\Common\\MediaServer\\CLMSServerForPDVD11.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Documents and Settings\\sop-student\\Local Settings\\Application Data\\Facebook\\Video\\Skype\\FacebookVideoCalling.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2/10/2012 11:33 AM 36000]
R2 {329F96B6-DF1E-4328-BFDA-39EA953C1312};Power Control [2012/01/07 21:20];c:\program files\CyberLink\PowerDVD11\Common\NavFilter\000.fcl [10/18/2011 11:28 AM 77296]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2/10/2012 11:33 AM 86224]
R2 CLHNServiceForPowerDVD;CLHNServiceForPowerDVD;c:\program files\CyberLink\PowerDVD11\Kernel\DMP\CLHNServiceForPowerDVD.exe [1/7/2012 10:18 PM 83240]
R2 CyberLink PowerDVD 11.0 Monitor Service;CyberLink PowerDVD 11.0 Monitor Service;c:\program files\CyberLink\PowerDVD11\Common\MediaServer\CLMSMonitorService.exe [1/7/2012 10:18 PM 75048]
R2 CyberLink PowerDVD 11.0 Service;CyberLink PowerDVD 11.0 Service;c:\program files\CyberLink\PowerDVD11\Common\MediaServer\CLMSServerForPDVD11.exe [1/7/2012 10:18 PM 292136]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 6:53 PM 13672]
R2 ntk_PowerDVD;ntk_PowerDVD;c:\program files\CyberLink\PowerDVD11\Kernel\DMP\ntk_PowerDVD.sys [1/7/2012 10:19 PM 71664]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/23/2010 1:32 PM 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/2/2012 10:13 AM 253088]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/23/2010 1:32 PM 136176]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro36.sys [4/17/2012 11:57 AM 26400]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/11/2004 6:00 PM 14336]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/11/2004 6:00 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 10:01]
.
2012-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-04-27 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2054321869-1361599035-592008509-1005Core.job
- c:\documents and settings\sop-student\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2012-03-11 16:33]
.
2012-04-28 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2054321869-1361599035-592008509-1005UA.job
- c:\documents and settings\sop-student\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2012-03-11 16:33]
.
2012-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-23 17:32]
.
2012-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-23 17:32]
.
2012-04-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2054321869-1361599035-592008509-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-29 21:02]
.
2012-04-28 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2054321869-1361599035-592008509-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-29 21:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
Trusted Zone: cvslearnet.com\www
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
DPF: {54EABC7D-40DC-4667-8517-F42D00540342} - hxxp://tegrity1.acast.nova.edu/tegrity/_Player/1.0/Code/DRMActiveX.CAB
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxps://prometheus.umaryland.edu/sre/Downloads/ICSScanner.cab
FF - ProfilePath - c:\documents and settings\sop-student\Application Data\Mozilla\Firefox\Profiles\g1td59wu.default\
FF - prefs.js: browser.search.selectedEngine - Search Results
FF - prefs.js: browser.startup.homepage - hxxp://www.searchqu.com/406
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=101&systemid=406&sr=0&q=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
Toolbar-Locked - (no file)
WebBrowser-{32EA9CD0-5187-4FE3-B989-B4D1408D2802} - c:\program files\Veehd Plugin\tbunsy54.tmp\tbcore3.dll
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-28 12:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{329F96B6-DF1E-4328-BFDA-39EA953C1312}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD11\Common\NavFilter\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1232)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\program files\XemiComputers\Active Desktop Calendar\MouseHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\stsystra.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-04-28 12:35:58 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-28 16:35
.
Pre-Run: 32,988,729,344 bytes free
Post-Run: 35,815,710,720 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 1D97019E427316CF896AEF1D20676E42

ken545
2012-04-29, 00:26
Hello Rodney,

Those two files on your desktop are fine, they will disappear when you hide files again, but hang off on that for the moment.


Depending on how the manufacturer of your computer set it up, you may not need the Windows CD for this. Just let it run; when it's done it will close, and there is no report. This will check for and hopefully replace any missing or corrupt Windows files.

Go Start/Run and type CMD in the command prompt, then type SFC /scannow > OK. There is a space needed after C and before /.
Then we need to remove this bad entry with Combofix



Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Folder::
Folder::
c:\Program Files\iLivid Toolbar


Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Windows iLivid Toolbar\\Datamngr\\ToolBar\\dtUser.exe"=-


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
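
As an added example (not code from this thread or from ComboFix), the Python script below parses the firewall AuthorizedApplications section of a ComboFix-style log and writes the CFScript Folder::/Registry:: text that drops every firewall exception pointing inside a folder being deleted, using the "=-" delete syntax shown in the script above. The sample log lines and the folder name are constructed to mirror the format of the log posted in this thread; the registry key path and the "=-" convention are the ones the post uses.

```python
# Added example (not from the thread or from ComboFix): turn the firewall
# AuthorizedApplications section of a ComboFix-style log into a CFScript
# Registry:: block that removes entries under folders chosen for deletion.
import re

FIREWALL_KEY = (r"HKLM\~\services\sharedaccess\parameters\firewallpolicy"
                r"\standardprofile\AuthorizedApplications\List")

# Constructed sample in ComboFix's "Reg Loading Points" layout (paths are
# written with doubled backslashes, exactly as ComboFix prints them).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows iLivid Toolbar\\Datamngr\\ToolBar\\dtUser.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"""

SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
ENTRY_RE = re.compile(r'^"(.+?)"=')


def parse_sections(log_text):
    """Map each [key] header to the value lines that follow it; a line that is
    just '.' or blank ends the section, as in ComboFix output."""
    sections, current = {}, None
    for line in log_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip() in ("", "."):
            current = None
        elif current is not None:
            sections[current].append(line)
    return sections


def authorized_apps(log_text):
    """Return the firewall-authorized executable paths with single backslashes."""
    apps = []
    for line in parse_sections(log_text).get(FIREWALL_KEY, []):
        m = ENTRY_RE.match(line)
        if m:
            apps.append(m.group(1).replace("\\\\", "\\"))
    return apps


def entries_under(paths, folders):
    """Select paths that live inside any of the given folders (case-insensitive)."""
    prefixes = [f.lower().rstrip("\\") + "\\" for f in folders]
    return [p for p in paths if any(p.lower().startswith(pre) for pre in prefixes)]


def build_cfscript(log_text, folders):
    """Produce CFScript text: delete the folders, then drop every firewall
    exception that points inside them ('=-' tells ComboFix to delete a value)."""
    doomed = entries_under(authorized_apps(log_text), folders)
    lines = ["Folder::"] + list(folders) + ["", "Registry::", "[%s]" % FIREWALL_KEY]
    lines += ['"%s"=-' % p.replace("\\", "\\\\") for p in doomed]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed folder name matching the sample log above.
    print(build_cfscript(SAMPLE_LOG, [r"c:\Program Files\Windows iLivid Toolbar"]))
```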

RodneyCPhT
2012-04-29, 03:22
I'm sorry, but after running the cmd command I get the following: "Insert your Windows XP Service Pack 3" (please see attached screen shot). Please advise.

Thank you so much,
Rodney

ken545
2012-04-29, 03:41
OK, go ahead and run Combofix with the script.

RodneyCPhT
2012-04-29, 04:47
Attached is the last combofix report log after adding the script.
Rodney.

ken545
2012-04-29, 13:06
The Snapshot portion of your Combofix log is showing files that are mismatched in your dllcache folder. On starting your computer, are you getting any error messages that files are missing ?


Click on My computer and then your C: drive, do you see a i386 folder ?


Is your computer running any better, are the redirects gone ?

RodneyCPhT
2012-04-30, 04:07
I just did a restart, and I didn't get any errors; everything looks fine. However, I'm aware of the mismatched files in the DLL cache.

I do see the i386 folder.
Yes the google search no longer redirects :bigthumb::thanks:

Would you give me any advice, or should I adjust any settings in my PC to avoid future infections like this?

ken545
2012-04-30, 11:16
Good Morning,

The reason sfc /scannow asked for the Windows disk is that the sourcepath is leading to the disk rather than that folder. If you wanted to fix this, it can be fixed, but depending on your system you may be replacing newer files with older ones, and this can cause problems. If you wanted to look into this further I can link you to a good Windows forum that can help you with this, as we just do malware removal on this one.

The best setting to prevent further infections is you. What I mean by that is: be careful about what you click on, and never, never, never open any spam email, even just to look at it; just delete them.

Malwarebytes is the free version; the Pro version has a protection module. If you wander into a malicious site by accident you will get a page-not-found message and a pop-up from Malwarebytes that it blocked a potentially malicious site from opening. The cost is minimal, a one-time charge for the license with no yearly fee. I have this program on all my systems, but the choice is yours.


Make sure your Java is up to date: go to Start > Control Panel and open Java, then go to the About tab; the current version should be Version 6 Update 31. If it's not, then go to the Update tab and update it.


Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop

Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine;
if it doesn't, manually reboot to ensure a complete clean
Click START then RUN
Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.


http://i526.photobucket.com/albums/cc345/MPKwings/CF-Uninstall.png
Malwarebytes is the free version and yours to keep and will not be removed
How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/index.php?showtopic=57817)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Safe Surfn
Ken

RodneyCPhT
2012-05-01, 05:48
Hi Ken,
I wanna thank you one more time for your help, and for the advice. I guess I can now safely hide the contents of the Windows folder again. I updated Java as well.

:rockon:

Rodney.

ken545
2012-05-01, 11:27
:2thumb:


Yes, go ahead and rehide All Files and Folders


Take care,

Ken

ken545
2012-05-05, 13:20
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.