
Thread: Re-directed web searches

  1. #1
    Junior Member (Join Date: Apr 2010, Posts: 2)

    Re-directed web searches

    Please excuse any break in protocol here as I am a first-time poster.

    Picked up something recently which began with re-directed searches and escalated to svchost.exe failures.
    Then the system became inoperative.
    Many scans with S&D, Zone Alarm AV (primary running resident), Malwarebytes, AdAware, Kaspersky, et al. found various Trojans, malware, etc. which have been quarantined or removed.
    Most seemed attached to ZA so uninstalled.
    Performance has improved greatly but web searches are still being re-directed and I am occasionally having svchost failures.
    As per your FAQ, I have attached Attach.zip and here is the DDS report:


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Patrik at 13:24:16.50 on Sun 09/26/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2171 [GMT -7:00]

    AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning enabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

    ============== Running Processes ===============

    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Alwil Software\Avast5\avastUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Palm\Hotsync.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
    svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Microsoft IntelliPoint\IPoint.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Patrik\My Documents\utilities\dds.scr

    ============== Pseudo HJT Report ===============

    uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
    uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
    uInternet Settings,ProxyServer = http=
    mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
    BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0346.1\npwinext.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0346.1\npwinext.dll
    TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
    TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
    TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
    StartupFolder: c:\docume~1\patrik\startm~1\programs\startup\setup_~1.lnk - c:\documents and settings\patrik\my documents\utilities\virus removal tool\setup_9.0.0.722_26.09.2010_20-28\startup.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201139400953
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1239459829234
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
    DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://www.driveragent.com/files/driveragent.cab
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
    Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
    Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    Hosts: 127.0.0.1 www.spywareinfo.com

    ============= SERVICES / DRIVERS ===============

    R0 95344272;95344272 Boot Guard Driver;c:\windows\system32\drivers\95344272.sys [2010-9-26 37392]
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-25 64288]
    R1 95344271;95344271;c:\windows\system32\drivers\95344271.sys [2010-9-26 128016]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-9-25 165584]
    R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [2010-1-9 7040]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
    R1 setup_9.0.0.722_26.09.2010_20-28drv;setup_9.0.0.722_26.09.2010_20-28drv;c:\windows\system32\drivers\9534427.sys [2010-9-26 315408]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-9-25 17744]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-25 40384]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-12 1355928]
    R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-25 40384]
    R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-25 40384]
    S3 ALSysIO;ALSysIO;\??\c:\docume~1\patrik\locals~1\temp\alsysio.sys --> c:\docume~1\patrik\locals~1\temp\ALSysIO.sys [?]
    S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-5-16 12672]
    S3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\FNETTBOH.SYS [2010-1-9 17792]
    S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\tmpassthru.sys --> c:\windows\system32\drivers\TMPassthru.sys [?]
    S3 utewmtg5;AVZ Kernel Driver;c:\windows\system32\drivers\utewmtg5.sys [2010-9-26 7168]

    =============== Created Last 30 ================

    2010-09-26 19:34:28 37392 ----a-w- c:\windows\system32\drivers\95344272.sys
    2010-09-26 19:34:28 315408 ----a-w- c:\windows\system32\drivers\9534427.sys
    2010-09-26 19:34:28 128016 ----a-w- c:\windows\system32\drivers\95344271.sys
    2010-09-26 18:44:46 7168 ----a-w- c:\windows\system32\drivers\utewmtg5.sys
    2010-09-25 21:51:44 0 d-----w- c:\windows\Internet Logs
    2010-09-25 15:13:40 38848 ----a-w- c:\windows\avastSS.scr
    2010-09-25 15:13:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
    2010-09-25 15:09:19 0 d-----w- c:\docume~1\patrik\applic~1\SUPERAntiSpyware.com
    2010-09-25 15:09:19 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2010-09-25 15:09:06 0 d-----w- c:\program files\SUPERAntiSpyware
    2010-09-24 03:07:40 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2010-09-19 17:44:25 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
    2010-09-19 16:44:29 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
    2010-09-19 16:44:28 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
    2010-09-19 16:44:26 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
    2010-09-19 16:44:23 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
    2010-09-19 16:44:09 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe
    2010-09-19 16:44:09 28288 ----a-w- c:\windows\system32\dllcache\xjis.nls
    2010-09-19 16:44:06 16970 ----a-w- c:\windows\system32\dllcache\xem336n5.sys
    2010-09-19 16:44:05 19455 ----a-w- c:\windows\system32\dllcache\wvchntxx.sys
    2010-09-19 16:44:03 19200 ----a-w- c:\windows\system32\dllcache\wstcodec.sys
    2010-09-19 16:44:02 12063 ----a-w- c:\windows\system32\dllcache\wsiintxx.sys
    2010-09-19 16:44:00 8192 ----a-w- c:\windows\system32\dllcache\wshirda.dll
    2010-09-19 16:42:55 8832 ----a-w- c:\windows\system32\dllcache\wmiacpi.sys
    2010-09-19 16:42:49 154624 ----a-w- c:\windows\system32\dllcache\wlluc48.sys
    2010-09-19 16:42:42 34890 ----a-w- c:\windows\system32\dllcache\wlandrv2.sys
    2010-09-19 16:42:28 771581 ----a-w- c:\windows\system32\dllcache\winacisa.sys
    2010-09-19 16:42:19 53760 ----a-w- c:\windows\system32\dllcache\wiamsmud.dll
    2010-09-19 16:42:12 87040 ----a-w- c:\windows\system32\dllcache\wiafbdrv.dll
    2010-09-19 16:42:11 31232 ----a-w- c:\windows\system32\dllcache\weitekp9.sys
    2010-09-19 16:42:10 41600 ----a-w- c:\windows\system32\dllcache\weitekp9.dll
    2010-09-19 16:42:03 701386 ----a-w- c:\windows\system32\dllcache\wdhaalba.sys
    2010-09-19 16:42:02 23615 ----a-w- c:\windows\system32\dllcache\wch7xxnt.sys
    2010-09-19 16:42:00 31744 ----a-w- c:\windows\system32\dllcache\wceusbsh.sys
    2010-09-19 16:40:58 794399 ----a-w- c:\windows\system32\dllcache\usr1806v.sys
    2010-09-19 16:39:57 82944 ----a-w- c:\windows\system32\dllcache\tp4mon.exe
    2010-09-19 16:38:59 53248 ----a-w- c:\windows\system32\dllcache\stlncoin.dll
    2010-09-19 16:37:59 28160 ----a-w- c:\windows\system32\dllcache\sm91w.dll
    2010-09-19 16:36:59 23936 ----a-w- c:\windows\system32\dllcache\sccmn50m.sys
    2010-09-19 16:35:57 899146 ----a-w- c:\windows\system32\dllcache\r2mdkxga.sys
    2010-09-19 16:34:58 26153 ----a-w- c:\windows\system32\dllcache\pcmlm56.sys
    2010-09-19 16:33:59 126080 ----a-w- c:\windows\system32\dllcache\nm5a2wdm.sys
    2010-09-19 16:32:59 35200 ----a-w- c:\windows\system32\dllcache\msgame.sys
    2010-09-19 16:31:58 91136 ----a-w- c:\windows\system32\dllcache\kswdmcap.ax
    2010-09-19 16:30:58 154496 ----a-w- c:\windows\system32\dllcache\icam4usb.sys
    2010-09-19 16:29:59 31232 ----a-w- c:\windows\system32\dllcache\hpgt42tk.dll
    2010-09-19 16:28:59 16998 ----a-w- c:\windows\system32\dllcache\ex10.sys
    2010-09-19 16:27:59 26698 ----a-w- c:\windows\system32\dllcache\dlh5xnd5.sys
    2010-09-19 16:26:59 272640 ----a-w- c:\windows\system32\dllcache\cinemclc.sys
    2010-09-19 16:25:59 46464 ----a-w- c:\windows\system32\dllcache\atibt829.sys
    2010-09-18 23:54:08 1324 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-09-16 23:47:20 3245 ----a-w- c:\windows\system32\wbem\Outlook_01cb55f980596130.mof

    ==================== Find3M ====================

    2010-09-26 20:14:07 15295 ----a-w- c:\program files\startuplist.txt
    2010-09-26 20:12:29 8880 ----a-w- c:\program files\hijackthis.log
    2010-09-25 00:42:50 4212 ---ha-w- c:\windows\system32\zllictbl.dat
    2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\dllcache\spoolsv.exe
    2010-07-27 06:30:35 8462336 ----a-w- c:\windows\system32\dllcache\shell32.dll
    2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\dllcache\rpcrt4.dll
    2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-07-12 08:55:38 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\dllcache\schannel.dll
    2010-06-10 17:53:28 25600 ----a-r- c:\program files\LeakTest.exe
    2010-05-31 16:07:35 20656301 ----a-w- c:\program files\BotHunter.Windows.1.5.0.482C10BB2692.EXE
    2010-05-31 02:59:29 388608 ----a-w- c:\program files\HijackThis.exe
    2008-01-20 23:18:40 2460 ------w- c:\program files\SuperDAT.log
    2008-01-20 20:08:51 7467056 ------w- c:\program files\spybotsd15.exe
    2008-10-29 22:38:25 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102920081030\index.dat

    ============= FINISH: 13:25:36.53 ===============

    Again, hopefully I have provided the correct info in the correct format.
    Thank you for any assistance you can provide.
    Puckster
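A log like the one above is usually read by a helper by eye, looking for a handful of telltale entries: Hosts lines that send a name somewhere other than loopback, a browser proxy that nobody set, toolbar or BHO registrations whose file no longer exists, and kernel drivers registered from a temp directory or whose file cannot be read. The script below is an added example, not part of this thread or of DDS itself; it runs those same checks over a constructed sample in the DDS "Pseudo HJT Report" and "SERVICES / DRIVERS" layout (the sample lines, GUIDs and paths are made up for the example, not taken from the poster's log) and reports each hit with a severity and the reason a helper would care about it.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    item: str       # the log line that triggered the finding
    reason: str     # why a helper would look at it


# Constructed sample in the DDS report layout (made up for this example).
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.example-search.test/side.html
uInternet Settings,ProxyServer = http=
BHO: Example PDF Helper: {11111111-2222-3333-4444-555555555555} - c:\program files\example\helper.dll
TB: {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - No File
mRun: [ExampleTray] c:\program files\example\tray.exe
Hosts: 127.0.0.1 www.example-update.test
Hosts: 10.0.0.5 www.example-search.test

============= SERVICES / DRIVERS ===============

R1 exampleSP;exampleSP;c:\windows\system32\drivers\exampleSP.sys [2010-9-25 165584]
S3 ExampleIO;ExampleIO;\??\c:\docume~1\user\locals~1\temp\exampleio.sys --> c:\docume~1\user\locals~1\temp\ExampleIO.sys [?]
S3 ExamplePass;ExamplePass;c:\windows\system32\drivers\examplepass.sys --> c:\windows\system32\drivers\ExamplePass.sys [?]
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
DRIVER_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(?P<value>.*)$")

# Addresses that only block a name rather than redirect it elsewhere.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_sections(text):
    """Split a DDS report into {section title: [non-empty lines]}."""
    sections = {}
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def triage(text):
    """Return Findings for the entries a helper checks first on a redirect complaint."""
    findings = []
    sections = parse_sections(text)

    for line in sections.get("Pseudo HJT Report", []):
        m = HOSTS_RE.match(line)
        if m:
            if m.group("ip") in LOOPBACK:
                findings.append(Finding("info", line,
                    "hosts entry blocks a site; common for ad or vendor blocking, confirm it is wanted"))
            else:
                findings.append(Finding("high", line,
                    "hosts entry points a name at a non-loopback address: classic search/update redirection"))
            continue
        m = PROXY_RE.match(line)
        if m:
            value = m.group("value").strip()
            if value in ("", "http="):
                findings.append(Finding("info", line,
                    "empty proxy setting, probably residue; clear it if no proxy is used"))
            else:
                findings.append(Finding("high", line,
                    "browser proxy is set; traffic is being relayed if this was not configured on purpose"))
            continue
        if line.startswith(("TB:", "BHO:")) and line.endswith("- No File"):
            findings.append(Finding("medium", line,
                "orphaned toolbar/BHO registration with no backing file; safe cleanup candidate"))

    for line in sections.get("SERVICES / DRIVERS", []):
        m = DRIVER_RE.match(line)
        if not m:
            continue
        path = m.group("path").lower()
        if "\\temp\\" in path:
            findings.append(Finding("high", line,
                "kernel driver registered from a temp directory; legitimate drivers live under system32\\drivers"))
        elif path.endswith("[?]"):
            findings.append(Finding("medium", line,
                "driver file missing or unreadable on disk ([?] timestamp); verify the service or remove it"))
    return findings


def severity_counts(findings):
    """Summarise findings as {severity: count}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_DDS)
    for f in results:
        print(f"[{f.severity:6}] {f.item}\n         {f.reason}")
    print(severity_counts(results))
```

The checks are deliberately narrow: a 127.0.0.1 Hosts entry is only reported as informational, because security tools and ad blockers write such entries themselves, whereas a name mapped to any other address is the pattern that actually produces redirected searches. Drivers are judged on where they load from and whether DDS could read the file, not on their names, since a short-lived driver under a temp path may equally be a scanner's own helper; the output is a list of things to verify, not a verdict.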

  2. #2
    Junior Member (Join Date: Apr 2010, Posts: 2)

    Re: Log file

    I have attached the ComboFix log file for you.
    I assume you would want to see it.
    Thanks.
    puckster

    Edit:
    "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance)
    Posting additional comments or logs before a volunteer responds can push you back instead of forward, because your thread ends up with a newer date. In addition, helpers would think you are already being assisted because of the post count; they look for topics with 0 responses.
    Please do NOT run 'FIXES' (ComboFix etc.) without being asked.
    Last edited by tashi; 2010-09-28 at 08:40. Reason: Added links ;-)
