
Thread: Google search results hijacked

  1. #1, Junior Member (Miami, joined Oct 2010, 3 posts)

    Google search results hijacked

    This problem is now intermittent, and has been going on for the past 5 days.

    I have already:

    - Scanned my system with numerous (and I mean numerous) antivirus, antimalware, and (I'll admit) registry cleaner (as a last resort...) software.
    - Cleared out all TEMP folders
    - Ran HijackThis, and triple-/quadruple-checked all items
    - Uninstalled/Reinstalled JAVA
    - Restored all system files to a known working date
    - Ran SFC /scannow
    - Uninstalled/Reinstalled all browsers
    - Took a detailed look at my Event Viewer (some errors, but nothing out of the ordinary)

    ...among many, many other attempts at restoring my system.

    AVAST! is currently my a/v. The hijacks started before while I was running MS Security Essentials.

    The original problem hijacked my browser(s) every time I opened a web page, including an attempt at hijacking my homepage.
    I was using Microsoft Security Essentials at the time as my A/V
    I am now currently using AVAST!, as stated above, in addition to using SPYBOT (I had it installed before my System Restore. Will install before my next reboot.)

    After scanning my system with various system scanners and removing detected threats, the hijacks became less often (@ 2-3 clicks into search results)

    After restoring my system using System Restore (currently), the hijacks are still less often but still happen every 3-4 clicks on occasion. Sometimes I can go as long as @ 10 clicks before the hijacks happen.

    Hijacked redirect web pages also still appear at random during browsing without any prompting (no links clicked, no typing, etc.). (They are similar to my search result hijack pages, so are these delayed hijacks?)

    I have a host of information. Please let me know what you want me to paste.

    As requested, here is my DDS log: (Please note that prior to my last scan, I disabled AVAST! For this reason, you will probably not see AVAST! as part of my running processes.)


    Quote Originally Posted by DDS.scr
    DDS (Ver_10-10-10.03) - NTFSx86
    Run by DJ at 9:27:00.12 on Thu 10/21/2010
    Internet Explorer: 8.0.7600.16385
    Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3572.2029 [GMT -4:00]


    ============== Running Processes ===============

    C:\Windws\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Program Files\USB SR\USBSRService.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_450b431403c091e3\STacSV.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\WLANExt.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k apphost
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\CISVC.EXE
    c:\Program Files\Intel\WiFi\bin\EvtEng.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe
    c:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\tcpsvcs.exe
    C:\Windows\System32\snmp.exe
    C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
    C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
    C:\Windows\system32\wbem\unsecapp.exe
    c:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Program Files\DellTPad\Apoint.exe
    C:\Program Files\IDT\WDM\sttray.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
    C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\TouchFreeze\TouchFreeze.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\svchost.exe -k WindowsMobile
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
    C:\Windows\System32\mobsync.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Users\DJ\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\System32\jucheck.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Users\DJ\Desktop\dds.scr
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uSearch Page = hxxp://www.google.com
    uStart Page = hxxp://www.google.com/
    uWindow Title = Windows Internet Explorer provided by Internet by DJ
    uSearch Bar = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    mSearchAssistant = hxxp://www.google.com/ie
    mURLSearchHooks: H - No File
    BHO: IE7Pro BHO: {00011268-e188-40df-a514-835fcd78b1bf} - c:\program files\iepro\iepro.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\iepro\IEProRecorder.dll
    TB: {1392B8D2-5C05-419F-A8F6-B9F15A596612} - No File
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [TouchFreeze] c:\program files\touchfreeze\TouchFreeze.exe
    uRun: [Adobe Reader Synchronizer] "c:\program files\adobe\reader 9.0\reader\AdobeCollabSync.exe"
    mRun: [Apoint] c:\program files\delltpad\Apoint.exe
    mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
    mRun: [nwiz] nwiz.exe /installquiet
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
    mRun: [DellConnectionManager] "c:\program files\dell\dell controlpoint\connection manager\Dell.UCM.exe"
    mRun: [<NO NAME>]
    mRun: [USCService] c:\program files\dell\dell controlpoint\security manager\BcmDeviceAndTaskStatusService.exe
    mRun: [RDVCHG] "c:\program files\sprint\sprint smartview\RDVCHG.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [avast!] "c:\program files\avast\ashDisp.exe"
    mRun: [RegistryMechanic] c:\program files\registry mechanic\RMTray.exe /QS
    StartupFolder: c:\users\dj\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\dellco~1.lnk - c:\program files\dell\dell controlpoint\system manager\DCPSysMgr.exe
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office12\EXCEL.EXE/3000
    IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {000002a3-84fe-43f1-b958-f2c3ca804f1a} - {CD275D4E-791A-4993-9D4D-6A071EDD2709} - c:\program files\iepro\iepro.dll
    IE: {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - {B119EB0C-C021-46CF-85B0-34A760E0D5FE} - c:\program files\iepro\iepro.dll
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mif5ba~1\office12\REFIEBAR.DLL
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} - hxxp://myitlab.pearsoned.com/Pegasus/Modules/SIMIntegration/Resources/ax/stub.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    LSA: Authentication Packages = msv1_0 wvauth

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\dj\appdata\roaming\mozilla\firefox\profiles\ziqf236s.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\nptgeqplugin.dll
    FF - plugin: c:\program files\nos\bin\np_gp.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - plugin: c:\users\dj\appdata\local\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\users\dj\appdata\roaming\facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\users\dj\appdata\roaming\mozilla\firefox\profiles\ziqf236s.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
    FF - plugin: c:\users\dj\appdata\roaming\mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\users\dj\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
    FF - plugin: c:\windows\system32\wat\npWatWeb.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

    ============= SERVICES / DRIVERS ===============

    R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
    R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2009-11-20 278304]
    R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2009-12-10 386848]
    R2 NvtlService;NovaCore SDK Service;c:\program files\novatel wireless\novacore\server\NvtlSrvr.exe [2010-1-11 82944]
    R2 USBSafelyRemoveService;USB Safely Remove Assistant;c:\program files\usb sr\USBSRService.exe [2010-8-31 242000]
    R3 acpials;ALS Sensor Filter;c:\windows\system32\drivers\acpials.sys [2009-7-14 7680]
    R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-4-14 45736]
    R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-3-31 29472]
    R3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [2010-3-31 33832]
    R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6232.sys [2010-3-31 221912]
    R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-10-21 45648]
    S2 avast! Antivirus;avast! Antivirus;c:\program files\avast\ashServ.exe [2010-10-21 132472]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-14 135664]
    S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\avast\ashMaiSv.exe [2010-10-21 243064]
    S3 avast! Web Scanner;avast! Web Scanner;c:\program files\avast\ashWebSv.exe [2010-10-21 345464]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 bcm;WiMAX Network Adapter;c:\windows\system32\drivers\drxvi314.sys [2010-2-11 319488]
    S3 bcmbusctr;WiMAX Bus Driver;c:\windows\system32\drivers\BcmBusCtr.sys [2010-2-11 51456]
    S3 CASprint;Sprint Con App Svc;c:\program files\sprint\sprint smartview\ConAppsSvc.exe [2010-6-8 124224]
    S3 cm_net;C-motech USB Network Adapter Drivers;c:\windows\system32\drivers\cm_net.sys [2010-9-12 112640]
    S3 cm_ser;C-motech USB Serial Port Driver;c:\windows\system32\drivers\cm_ser.sys [2010-9-12 103680]
    S3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETw5s32.sys [2010-3-31 6114816]
    S3 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2010-3-31 47104]
    S3 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [2010-3-31 49152]
    S3 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [2010-3-31 38400]
    S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
    S3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\drivers\vpcuxd.sys [2010-4-7 12800]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-6 1343400]
    S4 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2009-12-17 812448]
    S4 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2009-12-17 27040]
    S4 SMManager;Smith Micro Connection Manager Service;c:\program files\dell\dell controlpoint\connection manager\SMManager.exe [2009-12-22 77312]

    =============== Created Last 30 ================

    2010-10-21 13:24:59 -------- d-----w- c:\program files\NT Registry Optimizer
    2010-10-21 10:53:10 506368 ----a-w- c:\windows\system32\msxml.dll
    2010-10-21 10:47:56 45648 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2010-10-21 10:47:53 -------- d-----w- c:\program files\Avast
    2010-10-21 10:24:13 -------- d-----w- c:\progra~2\PC Tools
    2010-10-21 10:17:28 1137360 ----a-w- C:\fsbl2.exe
    2010-10-21 10:01:43 1137360 ----a-w- C:\fsbl.exe
    2010-10-21 02:41:50 -------- d-----w- c:\program files\Window Registry Repair
    2010-10-21 01:52:39 -------- d-----w- c:\users\dj\appdata\roaming\Uniblue
    2010-10-21 01:52:38 -------- dc----w- c:\progra~2\{AD5E3D2B-0DB1-4CD0-9913-0DDF2051E490}
    2010-10-21 01:52:36 -------- d-----w- c:\program files\Uniblue
    2010-10-21 01:51:52 -------- d-----w- c:\users\dj\appdata\local\PackageAware
    2010-10-21 00:13:54 -------- d-----w- c:\program files\Sun
    2010-10-20 01:53:34 -------- d-----w- c:\program files\CCleaner
    2010-10-19 19:53:45 153088 ----a-w- c:\windows\system32\UNRAR3.dll
    2010-10-19 19:53:35 -------- d-----w- c:\users\dj\appdata\roaming\Simply Super Software
    2010-10-19 19:53:35 -------- d-----w- c:\program files\Trojan Remover
    2010-10-19 19:53:35 -------- d-----w- c:\progra~2\Simply Super Software
    2010-10-19 19:38:53 -------- d-----w- c:\program files\Ad-Aware
    2010-10-19 17:55:12 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
    2010-10-19 17:47:30 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
    2010-10-19 17:47:26 -------- d-----w- c:\program files\SpybotSD
    2010-10-19 17:46:00 -------- d-----w- c:\users\dj\appdata\roaming\TweakNow RegCleaner Professional
    2010-10-19 17:46:00 -------- d-----w- c:\program files\TweakNow
    2010-10-15 09:20:08 -------- d-----w- c:\program files\ESET
    2010-10-15 09:01:14 -------- d-----w- c:\program files\Trend Micro
    2010-09-29 07:00:32 190976 ----a-w- c:\windows\system32\drivers\ks.sys
    2010-09-29 02:59:22 13312 ----a-w- c:\program files\internet explorer\iecompat.dll
    2010-09-29 02:59:21 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-09-28 02:46:01 -------- d-----r- c:\program files\Skype
    2010-09-25 22:47:42 -------- d-----w- c:\users\dj\appdata\roaming\GrabPro
    2010-09-25 22:45:42 -------- d-----w- c:\users\dj\appdata\roaming\MiniDm
    2010-09-25 22:44:44 -------- d-----w- c:\program files\IEPro
    2010-09-25 21:23:21 -------- d-----w- c:\program files\TouchFreeze
    2010-09-25 16:53:58 -------- d-----w- c:\program files\Audacity
    2010-09-22 21:19:23 2614272 ----a-w- c:\windows\explorer - Copy.exe

    ==================== Find3M ====================

    2010-08-21 05:32:37 316928 ----a-w- c:\windows\system32\spoolsv.exe
    2010-07-29 06:30:49 197632 ----a-w- c:\windows\system32\ir32_32.dll
    2010-07-29 06:30:34 82944 ----a-w- c:\windows\system32\iccvid.dll

    ============= FINISH: 9:27:37.05 ===============
    As of yet, I have not detected anything out of the ordinary.
    I have removed so many viruses and hijackers in the past without any issue, so this is quite baffling.
    The next step imo is to just nuke and repave.......
    I do not know how this hijacker got on my system. I am usually very *very* careful about what I download and where I browse.

    Please let me know any suggestions. Any thoughts at all will be greatly appreciated.


    Also, please note that I have read "BEFORE you POST".
    =======================

    Please, can anybody help?

    =======================

    Edit: Waiting for help in the Malware Forum FOUR days or longer?
    Last edited by tashi; 2010-10-23 at 10:13. Reason: Merged two posts, as per forum FAQ, and provided link
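The DDS log in the post above is the kind of output the helpers on this forum read by hand. The following Python script is an added example, not part of the thread and not a tool the poster or the forum used: it parses the line shapes that appear in that log (the mPolicies-system lines, the R/S service and driver lines, the "Created Last 30" file lines, "No File" references and the LSA Authentication Packages line) and flags the items a reviewer would look at first. The sample lines are copied from the log above as a constructed subset; the rule names, severities and the 7-day "recent" window are my own choices. Every hit is a review item, not a verdict: the avast! driver it flags was installed the same day (see the Avast entries in the log), and the wvauth LSA package is consistent with the Wave Systems Trusted Drive Manager that is also listed, which is exactly why each hit still needs a check against a known-good source.

```python
"""Triage helper for DDS-style logs (the format pasted in this thread).

Parses the line shapes present in the posted DDS output (mPolicies lines,
service/driver lines, 'Created Last 30' file lines, 'No File' references,
the LSA Authentication Packages line) and applies a few review heuristics.
Every hit is a review item to check against a known-good source, not a verdict.
"""
import re
from datetime import date, timedelta

# Sample input: lines copied from the DDS log in this thread (a constructed
# subset, not a complete log). The log date is the one printed in its header.
SAMPLE_LOG_DATE = date(2010, 10, 21)
SAMPLE_LOG = r"""
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
TB: {1392B8D2-5C05-419F-A8F6-B9F15A596612} - No File
LSA: Authentication Packages = msv1_0 wvauth
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-10-21 45648]
2010-10-21 10:17:28 1137360 ----a-w- C:\fsbl2.exe
2010-10-19 19:53:45 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-09-22 21:19:23 2614272 ----a-w- c:\windows\explorer - Copy.exe
"""

# Line shapes as they appear in DDS output.
POLICY_RE = re.compile(r"^mPolicies-system:\s+(\w+)\s*=\s*(\d+)")
DRIVER_RE = re.compile(r"^([RS]\d)\s+([^;]+);[^;]*;(.+?)\s+\[(\d{4}-\d{1,2}-\d{1,2})\s+\d+\]$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2}\s+(?:\d+|-+)\s+(\S+)\s+(.+)$")
LSA_RE = re.compile(r"^LSA: Authentication Packages = (.+)$")
DEFAULT_LSA = {"msv1_0"}          # the stock package; anything else deserves a look
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".ocx")


def parse_dds_date(text):
    """DDS prints dates without zero padding (e.g. 2009-7-13)."""
    year, month, day = (int(part) for part in text.split("-"))
    return date(year, month, day)


def classify_created(path, when, cutoff):
    """Heuristics for one 'Created Last 30' file entry; returns a list of findings."""
    low = path.lower()
    parent, _, fname = low.rpartition("\\")
    hits = []
    if " - copy" in fname:                      # e.g. 'explorer - Copy.exe' beside the real one
        hits.append(("high", "copied-system-binary", path))
    if fname.endswith(EXEC_EXT) and when >= cutoff:
        if re.fullmatch(r"[a-z]:", parent) or parent == "c:\\windows":
            hits.append(("high", "exe-in-odd-location", f"{path} created {when}"))
        elif parent.endswith("\\drivers") and fname.endswith(".sys"):
            hits.append(("medium", "recent-driver-file", f"{path} created {when}"))
    return hits


def triage(log_text, log_date, recent_days=7):
    """Return (severity, rule, detail) tuples for the lines worth a second look."""
    cutoff = log_date - timedelta(days=recent_days)
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("- No File"):          # registry points at a file that is gone
            findings.append(("low", "dangling-reference", line))
            continue
        m = POLICY_RE.match(line)
        if m:
            name, value = m.group(1), int(m.group(2))
            if name == "EnableLUA" and value == 0:
                findings.append(("high", "uac-disabled",
                                 "EnableLUA=0: UAC is off, admin sessions run fully elevated"))
            elif name in ("ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop") and value == 0:
                findings.append(("medium", "uac-prompt-off", f"{name}=0"))
            continue
        m = LSA_RE.match(line)
        if m:
            extra = sorted(set(m.group(1).split()) - DEFAULT_LSA)
            if extra:
                findings.append(("medium", "lsa-auth-package",
                                 "non-default LSA package(s): " + ", ".join(extra)))
            continue
        m = DRIVER_RE.match(line)
        if m:
            when = parse_dds_date(m.group(4))
            if when >= cutoff:                  # driver binary dated inside the window
                findings.append(("medium", "recent-driver",
                                 f"{m.group(2)} ({m.group(1)}) {m.group(3)} dated {when}"))
            continue
        m = CREATED_RE.match(line)
        if m and not m.group(2).startswith("d"):   # skip directory entries
            findings.extend(classify_created(m.group(3), parse_dds_date(m.group(1)), cutoff))
    return findings


if __name__ == "__main__":
    for severity, rule, detail in triage(SAMPLE_LOG, SAMPLE_LOG_DATE):
        print(f"[{severity:6}] {rule:22} {detail}")
```

Run against the sample it reports the three UAC policy values, the dangling toolbar entry, the wvauth package, the same-day avast! driver, C:\fsbl2.exe and the copied explorer binary; the UNRAR3.dll entry under system32 is not flagged. A real review then takes each hit to a known-good reference (vendor signature, a clean install's hash) before deciding anything.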

  2. #2, peku006, Emeritus Security Expert (Norway, joined Feb 2007, 3,103 posts)

    Hi daggit

    If you still need help please post fresh dds.txt log

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  3. #3, Junior Member (Miami, joined Oct 2010, 3 posts)

    I appreciate the reply, but I ran ComboFix on my own since nothing (and I mean nothing) could figure out the problem. Not even a complete re-installation of all browsers did the trick.

    In case anyone else is experiencing this issue, ComboFix identified the infected file as such: c:\windows\system32\drivers\rdpencdd.sys


    ComboFix 10-10-22.04 - DJ 10/23/2010 3:34.1.2 - x86
    Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3572.2614 [GMT -4:00]
    Running from: c:\users\DJ\Desktop\ComboFix.exe
    Command switches used :: c:\users\DJ\Desktop\cfscript.txt
    AV: avast! antivirus 4.7.1043 [VPS 101022-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    * Created a new restore point

    FILE ::
    "c:\program files\AdvancedVirusRemover\PAVRM.exe"
    "c:\windows\system32\AVR09.exe"
    "c:\windows\system32\winhelper.dll"
    "c:\windows\system32\winupdate.exe"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\explorer.exe
    c:\users\DJ\GoToAssistDownloadHelper.exe (This is a DELL assistant tool that I decided to delete and is not affiliated with the hijacker)

    Infected copy of c:\windows\system32\drivers\rdpencdd.sys was found and disinfected
    Restored copy from - Kitty ate it :p
    .

    ((((((((((((((((((((((((( Files Created from 2010-09-23 to 2010-10-23 )))))))))))))))))))))))))))))))
    .

    2010-10-23 07:47 . 2010-10-23 12:28 -------- d-----w- c:\users\DJ\AppData\Local\temp
    2010-10-23 07:47 . 2010-10-23 07:47 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-10-23 07:32 . 2010-10-23 07:32 -------- d-----w- C:\Device
    2010-10-23 06:18 . 2010-10-23 06:54 -------- d-----w- c:\windows\BDOSCAN8
    2010-10-22 09:04 . 2010-10-18 13:41 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{661CE756-F437-428A-95F1-CF2828265662}\mpengine.dll
    2010-10-22 00:32 . 2010-10-22 00:32 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
    2010-10-22 00:32 . 2010-10-22 00:32 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
    2010-10-21 23:46 . 2010-09-15 08:50 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2010-10-21 23:46 . 2010-09-15 08:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-10-21 23:42 . 2010-10-21 23:42 -------- d-----w- c:\program files\Common Files\Adobe
    2010-10-21 13:24 . 2010-10-21 13:24 -------- d-----w- c:\program files\NT Registry Optimizer
    2010-10-21 13:24 . 2010-10-21 13:24 -------- d-----w- c:\program files\ERUNT
    2010-10-21 10:53 . 2004-08-04 11:00 506368 ----a-w- c:\windows\system32\msxml.dll
    2010-10-21 10:48 . 2007-09-06 10:03 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-10-21 10:48 . 2007-09-06 10:02 42912 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-10-21 10:48 . 2007-09-06 10:00 95608 ----a-w- c:\windows\system32\AvastSS.scr
    2010-10-21 10:47 . 2007-09-06 10:09 801144 ----a-w- c:\windows\system32\aswBoot.exe
    2010-10-21 10:47 . 2007-09-06 10:02 45648 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2010-10-21 10:47 . 2004-01-09 09:13 380928 ----a-w- c:\windows\system32\actskin4.ocx
    2010-10-21 10:47 . 2010-10-21 10:56 -------- d-----w- c:\program files\Avast
    2010-10-21 10:24 . 2010-10-21 10:24 -------- d-----w- c:\programdata\PC Tools
    2010-10-21 10:17 . 2010-10-21 10:17 1137360 ----a-w- C:\fsbl2.exe
    2010-10-21 10:01 . 2010-10-21 10:01 1137360 ----a-w- C:\fsbl.exe
    2010-10-21 02:41 . 2010-10-21 09:45 -------- d-----w- c:\program files\Window Registry Repair
    2010-10-21 01:52 . 2010-10-21 01:52 -------- d-----w- c:\users\DJ\AppData\Roaming\Uniblue
    2010-10-21 01:52 . 2010-10-21 09:45 -------- dc----w- c:\programdata\{AD5E3D2B-0DB1-4CD0-9913-0DDF2051E490}
    2010-10-21 01:52 . 2010-10-21 01:52 -------- d-----w- c:\program files\Uniblue
    2010-10-21 01:51 . 2010-10-21 01:51 -------- d-----w- c:\users\DJ\AppData\Local\PackageAware
    2010-10-21 00:14 . 2010-10-21 00:14 -------- d-----w- c:\program files\Common Files\Java
    2010-10-21 00:13 . 2010-10-21 00:13 -------- d-----w- c:\program files\Sun
    2010-10-20 01:53 . 2010-10-21 09:45 -------- d-----w- c:\program files\CCleaner
    2010-10-19 19:53 . 2003-02-03 00:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
    2010-10-19 19:53 . 2010-10-21 09:45 -------- d-----w- c:\program files\Trojan Remover
    2010-10-19 19:53 . 2010-10-19 19:53 -------- d-----w- c:\users\DJ\AppData\Roaming\Simply Super Software
    2010-10-19 19:53 . 2010-10-19 19:53 -------- d-----w- c:\programdata\Simply Super Software
    2010-10-19 19:38 . 2010-10-21 09:45 -------- d-----w- c:\program files\Ad-Aware
    2010-10-19 19:38 . 2010-10-19 19:38 -------- d-----w- c:\programdata\Lavasoft
    2010-10-19 17:55 . 2010-10-19 17:55 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
    2010-10-19 17:47 . 2010-10-23 00:33 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2010-10-19 17:47 . 2010-10-21 13:48 -------- d-----w- c:\program files\SpybotSD
    2010-10-19 17:46 . 2010-10-21 09:45 -------- d-----w- c:\program files\TweakNow
    2010-10-19 17:46 . 2010-10-19 17:46 -------- d-----w- c:\users\DJ\AppData\Roaming\TweakNow RegCleaner Professional
    2010-10-15 09:20 . 2010-10-15 09:20 -------- d-----w- c:\program files\ESET
    2010-10-15 09:01 . 2010-10-15 09:01 -------- d-----w- c:\program files\Trend Micro
    2010-09-29 19:45 . 2010-09-29 19:45 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2010-09-29 07:00 . 2010-03-04 03:57 190976 ----a-w- c:\windows\system32\drivers\ks.sys
    2010-09-29 02:59 . 2010-08-27 05:30 13312 ----a-w- c:\program files\Internet Explorer\iecompat.dll
    2010-09-29 02:59 . 2010-06-19 06:15 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-09-28 02:47 . 2010-09-29 04:06 -------- d-----w- c:\users\DJ\AppData\Roaming\skypePM
    2010-09-28 02:46 . 2010-09-29 07:16 -------- d-----w- c:\users\DJ\AppData\Roaming\Skype
    2010-09-28 02:46 . 2010-09-28 02:46 -------- d-----w- c:\program files\Common Files\Skype
    2010-09-28 02:46 . 2010-09-28 02:46 -------- d-----r- c:\program files\Skype
    2010-09-28 02:45 . 2010-09-28 02:46 -------- d-----w- c:\programdata\Skype
    2010-09-25 22:47 . 2010-09-25 22:47 -------- d-----w- c:\users\DJ\AppData\Roaming\GrabPro
    2010-09-25 22:45 . 2010-09-25 22:47 -------- d-----w- c:\users\DJ\AppData\Roaming\MiniDm
    2010-09-25 22:44 . 2010-09-25 22:47 -------- d-----w- c:\program files\IEPro
    2010-09-25 21:23 . 2010-09-25 21:23 -------- d-----w- c:\program files\TouchFreeze
    2010-09-25 16:54 . 2010-09-25 17:08 -------- d-----w- c:\users\DJ\AppData\Roaming\Audacity
    2010-09-25 16:53 . 2010-09-25 16:54 -------- d-----w- c:\program files\Audacity

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-21 05:32 . 2010-09-16 00:52 316928 ----a-w- c:\windows\system32\spoolsv.exe
    2010-07-29 06:30 . 2010-08-12 03:15 197632 ----a-w- c:\windows\system32\ir32_32.dll
    2010-07-29 06:30 . 2010-08-12 03:15 82944 ----a-w- c:\windows\system32\iccvid.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
    @="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
    [HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
    2009-11-24 20:48 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
    @="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
    [HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
    2009-11-24 20:48 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
    "TouchFreeze"="c:\program files\TouchFreeze\TouchFreeze.exe" [2005-04-29 45056]
    "Google Update"="c:\users\DJ\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-04-14 136176]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-06-19 249856]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-08-01 458844]
    "nwiz"="nwiz.exe" [2009-12-10 1657448]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-12-15 13797992]
    "NVHotkey"="c:\windows\system32\nvHotkey.dll" [2009-12-15 92776]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-08-07 186904]
    "DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-11-02 657920]
    "DellConnectionManager"="c:\program files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe" [2009-12-22 1845248]
    "USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2010-01-06 34232]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-8-11 795936]
    Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2009-12-10 1327392]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer1"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 wvauth

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
    @="FSFilter System Recovery"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^TdmNotify.lnk]
    backup=c:\windows\pss\TdmNotify.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^Users^DJ^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
    path=c:\users\DJ\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
    backup=c:\windows\pss\ERUNT AutoBackup.lnk.Startup
    backupExtension=.Startup

    [HKLM\~\startupfolder\C:^Users^DJ^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MagicDisc.lnk]
    backup=c:\windows\pss\MagicDisc.lnk.Startup
    backupExtension=.Startup

    [HKLM\~\startupfolder\C:^Users^DJ^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
    backupExtension=.Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-21 03:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-09-23 08:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Freecorder FLV Service]
    2009-11-15 19:59 158752 ----a-w- c:\program files\Freecorder\FLVSrvc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2010-04-14 14:09 136176 ----atw- c:\users\DJ\AppData\Local\Google\Update\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 15:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
    2009-12-29 21:35 140520 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RDVCHG]
    2010-06-08 20:48 316736 ----a-w- c:\program files\Sprint\Sprint SmartView\RDVCHG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
    2007-08-20 15:58 701736 ----a-w- c:\program files\Registry Mechanic\RMTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sprint SmartView]
    2010-06-08 21:20 75072 ----a-w- c:\program files\Sprint\Sprint SmartView\SprintSV.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2010-04-14 14:04 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB Safely Remove]
    2010-05-07 05:47 1498448 ----a-w- c:\program files\USB SR\USBSafelyRemove.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WavXMgr]
    2010-01-05 19:04 147328 ----a-w- c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile Device Center]
    2007-05-31 13:21 648072 ----a-w- c:\windows\WindowsMobile\wmdc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
    2010-01-07 18:38 158448 ----a-w- c:\program files\Zune\ZuneLauncher.exe

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-14 135664]
    R3 bcm;WiMAX Network Adapter;c:\windows\system32\DRIVERS\drxvi314.sys [2010-02-12 319488]
    R3 bcmbusctr;WiMAX Bus Driver;c:\windows\system32\DRIVERS\BcmBusCtr.sys [2010-02-12 51456]
    R3 CASprint;Sprint Con App Svc;c:\program files\Sprint\Sprint SmartView\ConAppsSvc.exe [2010-06-08 124224]
    R3 cm_net;C-motech USB Network Adapter Drivers;c:\windows\system32\DRIVERS\cm_net.sys [2008-05-29 112640]
    R3 cm_ser;C-motech USB Serial Port Driver;c:\windows\system32\DRIVERS\cm_ser.sys [2008-05-29 103680]
    R3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2009-09-15 6114816]
    R3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NvtSp50.sys [x]
    R3 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [2009-07-02 47104]
    R3 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [2009-07-01 49152]
    R3 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe86.sys [2009-07-05 38400]
    R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\DRIVERS\vpcuxd.sys [2009-09-23 12800]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-06 1343400]
    R4 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [2009-12-17 812448]
    R4 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [2009-12-17 27040]
    R4 SMManager;Smith Micro Connection Manager Service;c:\program files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe [2009-12-22 77312]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2007-09-06 45648]
    S2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [2009-11-20 278304]
    S2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [2009-12-10 386848]
    S2 NvtlService;NovaCore SDK Service;c:\program files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe [2010-01-11 82944]
    S2 USBSafelyRemoveService;USB Safely Remove Assistant;c:\program files\USB SR\USBSRService.exe [2010-05-07 242000]
    S3 acpials;ALS Sensor Filter;c:\windows\system32\DRIVERS\acpials.sys [2009-07-13 7680]
    S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-14 45736]
    S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-03-31 29472]
    S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [2009-10-30 33832]
    S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6232.sys [2009-06-13 221912]
    S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WindowsMobile REG_MULTI_SZ wcescomm rapimgr
    LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
    iissvcs REG_MULTI_SZ w3svc was
    apphost REG_MULTI_SZ apphostsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-14 14:04]

    2010-10-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-14 14:04]

    2010-10-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4214836441-3027634161-1088295581-1001Core.job
    - c:\users\DJ\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-25 14:09]

    2010-10-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4214836441-3027634161-1088295581-1001UA.job
    - c:\users\DJ\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-25 14:09]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office12\EXCEL.EXE/3000
    IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    Trusted Zone: kaspersky.com\www
    Trusted Zone: microsoft.com
    Trusted Zone: microsoft.com\*.update
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
    FF - ProfilePath - c:\users\DJ\AppData\Roaming\Mozilla\Firefox\Profiles\ziqf236s.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\nptgeqplugin.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: c:\users\DJ\AppData\Local\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\users\DJ\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\users\DJ\AppData\Roaming\Mozilla\Firefox\Profiles\ziqf236s.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
    FF - plugin: c:\users\DJ\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\users\DJ\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
    FF - plugin: c:\windows\system32\Wat\npWatWeb.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-Locked - (no file)
    WebBrowser-{1392B8D2-5C05-419F-A8F6-B9F15A596612} - (no file)
    SafeBoot-dmboot.sys
    SafeBoot-dmio.sys
    SafeBoot-dmload.sys
    SafeBoot-dmadmin
    SafeBoot-dmserver
    SafeBoot-SRService


    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(544)
    c:\windows\system32\wvauth.DLL

    - - - - - - - > 'Explorer.exe'(5036)
    c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
    c:\program files\WIDCOMM\Bluetooth Software\btmmhook.dll
    c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvvsvc.exe
    c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_450b431403c091e3\STacSV.exe
    c:\windows\system32\nvvsvc.exe
    c:\windows\system32\WUDFHost.exe
    c:\windows\system32\WUDFHost.exe
    c:\program files\Avast\aswUpdSv.exe
    c:\windows\system32\WLANExt.exe
    c:\windows\system32\conhost.exe
    c:\program files\Avast\ashServ.exe
    c:\program files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
    c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe
    c:\windows\system32\CISVC.EXE
    c:\program files\Intel\WiFi\bin\EvtEng.exe
    c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\windows\System32\tcpsvcs.exe
    c:\windows\System32\snmp.exe
    c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
    c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\program files\Avast\ashWebSv.exe
    c:\program files\Avast\ashMaiSv.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\system32\taskhost.exe
    c:\windows\system32\conhost.exe
    c:\windows\System32\rundll32.exe
    c:\program files\DellTPad\ApMsgFwd.exe
    c:\program files\DellTPad\Apntex.exe
    c:\windows\system32\conhost.exe
    c:\program files\DellTPad\HidFind.exe
    c:\program files\WIDCOMM\Bluetooth Software\BtStackServer.exe
    .
    **************************************************************************
    .
    Completion time: 2010-10-23 08:31:14 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-10-23 12:31

    Pre-Run: 92,202,270,720 bytes free
    Post-Run: 91,691,880,448 bytes free

    - - End Of File - - 875071248FFFB8BE4D5C4878C14E4D34

  4. #4
Emeritus - Security Expert peku006
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103

    Hi daggit
    ComboFix SHOULD NOT be used unless requested by a forum helper
    1. Download TDSSKiller and extract its contents into a folder in desired location (i.e. c:\tdsskiller).
    2. Execute the file TDSSKiller.exe.
    3. Click Start Scan. If threats are found, select cure and click Continue (tool may prompt for a reboot).
4. Post back the contents of the log file in the c: drive root (the name should be in UtilityName.Version_Date_Time_log.txt format).

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  5. #5
    Junior Member
    Join Date
    Oct 2010
    Location
    Miami
    Posts
    3

I understand that it should only be used if requested, but seeing as I had run out of options (including GMER and Kaspersky's TDSS rootkit scanners, both of which turned up nothing) I scoured networking and forum boards for clues.

    Another user on this board was experiencing malware symptoms not unlike mine, and a forum helper did indeed prescribe ComboFix (without prior suggestions for other scanners..)

    Since this topic had been about 6-7 days without reply (I didn't know about Waiting for help in the Malware Forum FOUR days or longer?) I decided to give it a go.

    Though if I can find my TDSS killer log I'll be sure to post it for the benefit of others..

  6. #6
Emeritus - Security Expert peku006
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103

    Hi daggit

Do you need more help?
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  7. #7
Emeritus - Security Expert peku006
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103

Due to a lack of response, this topic is now closed.

    If you still require help, please open a new thread in the Malware Removal forum, include a
    fresh DDS log, and wait for a new helper.

Your donation helps improve Spybot-S&D!
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.
