Mozilla Browser Hijacked - Google Search Results redirected

Post by ericldauster » January 3rd, 2011, 9:22 pm

It started January 1. I've run HijackThis and parsed the log through the http://hjt.networktechs.com/ log analyzer and followed their instructions.

I've also run Malwarebytes Anti-Malware and Symantec and quarantined the items they recommended, but the problem persists.

Here's my latest HJT log. Thanks for your help!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:20:53 PM, on 1/3/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe (file missing)
O23 - Service: IPS Core Service (IPSSVC) - Unknown owner - C:\WINDOWS\system32\IPSSVC.EXE (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe

--
End of file - 4182 bytes

I've tried deleting the two "file missing" entries but HJT can't delete them.

Your advice and help is greatly appreciated.
Eric
ericldauster
Regular Member
 
Posts: 16
Joined: January 3rd, 2011, 9:15 pm
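As an added illustration (not code from this thread, nor from the HijackThis or OTL authors), the script below pulls out the two things a helper reads first in logs like the ones posted here: service and driver registrations whose binary no longer exists (the HJT "O23 ... (file missing)" lines above, and the OTL "SRV"/"DRV ... File not found" lines posted later in the thread), and O4 autorun entries that name a bare executable with no directory, so which file actually loads depends on the search path rather than an explicit location. The sample lines are constructed from entries in this thread; the regular expressions and the finding categories are my own reading of the two log formats, not an official parser.

```python
"""Triage helper for HijackThis / OTL logs: lists service and driver
registrations whose binary no longer exists and autorun entries that name
an executable without a directory.  Added example, not a MalwareRemoval.com,
HijackThis or OTL tool."""
import re
from typing import Dict, List

# Constructed sample modelled on entries from this thread (HJT O4/O23 lines
# from the first post, OTL SRV/DRV lines from the later OTL log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe (file missing)
O23 - Service: IPS Core Service (IPSSVC) - Unknown owner - C:\WINDOWS\system32\IPSSVC.EXE (file missing)
SRV - (SUService) -- c:\program files\lenovo\system update\suservice.exe File not found
SRV - (EvtEng) Intel(R) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (Intel Corporation)
DRV - (BTWUSB) -- C:\WINDOWS\System32\Drivers\btwusb.sys File not found
DRV - (TVTI2C) -- C:\WINDOWS\system32\drivers\tvti2c.sys (Lenovo (United States) Inc.)
"""

# Assumed line shapes, derived from the logs in this thread.
HJT_O4 = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
HJT_O23 = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
OTL_SVC = re.compile(
    r"^(?P<kind>SRV|DRV) - \((?P<short>[^)]+)\)(?P<desc>.*?) -- (?P<path>.+?)"
    r"(?: \((?P<company>.*)\)| (?P<missing>File not found))$"
)
SHORT_IN_DISPLAY = re.compile(r"\((?P<short>[^()]+)\)$")


def unqualified_image(cmd: str) -> bool:
    """True when an autorun command names a bare file (no drive or directory),
    so Windows resolves it by search order rather than an explicit path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        image = cmd[1:].split('"', 1)[0]     # quoted: the image is inside the quotes
    else:
        image = cmd.split(" ", 1)[0]         # unquoted: first token is the image
    return bool(image) and not any(c in image for c in "\\/:")


def review(text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious line, in log order."""
    findings: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := HJT_O23.match(line):
            if m.group("missing"):
                sm = SHORT_IN_DISPLAY.search(m.group("display"))
                findings.append({
                    "kind": "orphaned service",
                    "source": "HJT O23",
                    "name": sm.group("short") if sm else m.group("display"),
                    "path": m.group("path"),
                })
        elif m := OTL_SVC.match(line):
            if m.group("missing"):
                what = "driver" if m.group("kind") == "DRV" else "service"
                findings.append({
                    "kind": "orphaned " + what,
                    "source": "OTL " + m.group("kind"),
                    "name": m.group("short"),
                    "path": m.group("path"),
                })
        elif m := HJT_O4.match(line):
            if unqualified_image(m.group("cmd")):
                findings.append({
                    "kind": "unqualified autorun",
                    "source": "HJT O4",
                    "name": m.group("name"),
                    "path": m.group("cmd"),
                })
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f['source']:8} {f['kind']:20} {f['name']}: {f['path']}")
```

Orphaned registrations are usually leftovers of uninstalled software rather than infection, but an auto-start service whose image is gone is exactly the place a helper checks whether an antivirus quarantined a file and left its registration behind, which is why HijackThis's own fix not removing them (as the poster notes) is worth reporting rather than ignoring. The unqualified-path check is a prompt, not a verdict: TpShocks.exe here resolves to C:\WINDOWS\system32\TpShocks.exe in the running-process list, and confirming that mapping is the point of the finding.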

Re: Mozilla Browser Hijacked - Google Search Results redirec

Post by deltalima » January 5th, 2011, 5:05 pm

Checking your log - back soon.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Mozilla Browser Hijacked - Google Search Results redirec

Post by deltalima » January 5th, 2011, 5:11 pm

Hi ericldauster,

Welcome to the forum.

My nickname is deltalima and I will be helping you with your malware issue.

The logs can take some time to research, so please be patient with me.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.


Please note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Uninstall List
  • Open HijackThis.
  • Look under System tools.
  • Click on the Open Uninstall Manager... button.
  • Click on the Save list... button.
  • It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
  • Notepad will open. Please copy and paste the contents of this log in your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Mozilla Browser Hijacked - Google Search Results redirec

Post by ericldauster » January 6th, 2011, 12:20 pm

Hi deltalima - thanks for your help.

The info you requested:
-----------------------

Access Help
Ad-Aware
Ad-Aware
Adobe Acrobat 7.1.0 Professional
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AVS Update Manager 1.0
AVS Video Converter 6
AVS4YOU Software Navigator 1.4
Canon IJ Network Tool
Canon MP560 series MP Drivers
Cisco Systems VPN Client 5.0.01.0600
Coupon Printer for Windows
Critical Update for Windows Media Player 11 (KB959772)
Full Tilt Poker
Help Center
HiJackThis
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Image Resizer Powertoy for Windows XP
Ink Art
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet/Wireless Software
InterVideo VirtualDrive
iTunes
J2SE Runtime Environment 5.0 Update 17
Jalbum
Java(TM) 6 Update 23
LiveUpdate 3.1 (Symantec Corporation)
Maintenance Manager
Malwarebytes' Anti-Malware
mCore
mDriver
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Education Pack for Windows XP Tablet PC Edition
Microsoft Experience Pack for Tablet PC
Microsoft Ink Desktop
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.1
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business Connectivity Components
Microsoft Office Word MUI (English) 2007
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Windows XP Tablet PC Edition 2005 Recognizer Pack
mMHouse
Mozilla Firefox (3.6.13)
mPfMgr
mProSafe
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB954459)
mWlsSafe
PC-Doctor 5 for Windows
Picasa 3
Presentation Director
Productivity Center Supplement for ThinkPad
QuickTime
Rescue and Recovery
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SoundMAX
Symantec AntiVirus
System Migration Assistant
Tablet PC Tutorials for Microsoft Windows XP SP2
ThinkPad EasyEject Utility
ThinkPad FullScreen Magnifier
ThinkPad Modem
ThinkPad PC Card Power Policy
ThinkPad Power Management Driver
ThinkPad Power Manager
ThinkPad Tablet Button Driver
ThinkPad Tablet Shortcut Menu
ThinkPad TrackPoint Driver
ThinkVantage Access Connections
ThinkVantage Active Protection System
ThinkVantage Productivity Center
ThinkVantage Technologies Welcome Message
TweakNow PowerPack 2010
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office Outlook 2007 (KB2412171)
Update for Outlook 2007 Junk Email Filter (KB2466076)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB980302)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Manager
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Wallpapers
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Imaging Component
Windows Internet Explorer 8
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
WordPerfect Office X3
XP Themes
Yahoo! Messenger
Yahoo! Software Update
-------------------------------

thanks! - Eric
ericldauster
Regular Member
 
Posts: 16
Joined: January 3rd, 2011, 9:15 pm

Re: Mozilla Browser Hijacked - Google Search Results redirec

Post by deltalima » January 6th, 2011, 3:15 pm

Hi ericldauster,

Please let me know what the Cisco Systems VPN Client software is used for.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Mozilla Browser Hijacked - Google Search Results redirec

Post by ericldauster » January 6th, 2011, 3:59 pm

The VPN client is not needed. It was on the computer when I got it.
ericldauster
Regular Member
 
Posts: 16
Joined: January 3rd, 2011, 9:15 pm

Re: Mozilla Browser Hijacked - Google Search Results redirec

Post by deltalima » January 6th, 2011, 4:04 pm

Hi ericldauster,

Security Check
Please download Security Check ... by screen317. Save it to your desktop.
Alternate download site: Link 2
  1. Double click the SecurityCheck.exe icon to begin.
  2. Press the Space Bar when you see the "press any key to continue..." message.
    A Notepad results file will open automatically called checkup.txt
  3. Save "checkup.txt" to your desktop. (This output file is NOT automatically saved!)
  4. Please copy/paste the entire contents of the checkup.txt file into your next reply.

Download and run OTL
Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.

Please download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE
Important! Please do not select the "Show all" checkbox during the scan.

Please post the GMER log along with OTL.txt and Extras.txt from the OTL scan into your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Mozilla Browser Hijacked - Google Search Results redirec

Post by ericldauster » January 6th, 2011, 11:02 pm

Note that beginning today I'm receiving a popup that says "Internet Explorer has encountered a problem and needs to close", but I uninstalled Iexplorer several days ago. The popup is occurring every 5-10 minutes.

----Here is the Security Check text results----------------

Results of screen317's Security Check version 0.99.8
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!

-----

--------------Here is the OTL log results -------------------------

OTL logfile created on: 1/6/2011 5:55:34 PM - Run 1
OTL by OldTimer - Version 3.2.20.1 Folder = C:\Documents and Settings\Media Services\Desktop
Windows XP Tablet PC Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

998.00 Mb Total Physical Memory | 204.00 Mb Available Physical Memory | 20.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): C:\pagefile.sys 1500 3000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 106.08 Gb Total Space | 11.77 Gb Free Space | 11.09% Space Free | Partition Type: NTFS

Computer Name: MSRVC-LVB31CY | User Name: Media Services | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Media Services\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\Mozilla Firefox\plugin-container.exe (Mozilla Corporation)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
PRC - C:\WINDOWS\system32\wisptis.exe (Microsoft Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\TPHDEXLG.exe (Lenovo.)
PRC - C:\WINDOWS\system32\TpShocks.exe (Lenovo.)
PRC - C:\WINDOWS\system32\ibmpmsvc.exe (Lenovo)
PRC - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (Intel Corporation )
PRC - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (Intel Corporation)
PRC - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec AntiVirus\DefWatch.exe (Symantec Corporation)
PRC - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe ()
PRC - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
PRC - C:\WINDOWS\system32\tabbtnu.exe (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Media Services\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (SUService) -- c:\program files\lenovo\system update\suservice.exe File not found
SRV - (IPSSVC) -- C:\WINDOWS\System32\IPSSVC.EXE File not found
SRV - (IDriverT) -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe File not found
SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
SRV - (TPHDEXLGSVC) -- C:\WINDOWS\system32\TPHDEXLG.exe (Lenovo.)
SRV - (ThinkVantage Registry Monitor Service) -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe (Lenovo Group Limited)
SRV - (CVPND) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
SRV - (AcPrfMgrSvc) -- C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe (Lenovo )
SRV - (AcSvc) -- C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe (Lenovo )
SRV - (ASRSVC) -- C:\Program Files\ThinkPad\Tablet Shortcut\ASR\ASRSVC.exe (Lenovo Group Limited)
SRV - (TabletSVC) -- C:\Program Files\ThinkPad\Tablet Shortcut\TSMService.exe (Lenovo Group Limited)
SRV - (IBMPMSVC) -- C:\WINDOWS\system32\ibmpmsvc.exe (Lenovo)
SRV - (EvtEng) Intel(R) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (Intel Corporation)
SRV - (S24EventMonitor) Intel(R) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (Intel Corporation )
SRV - (RegSrvc) Intel(R) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (Intel Corporation)
SRV - (SavRoam) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe (symantec)
SRV - (Symantec AntiVirus) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)
SRV - (DefWatch) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe (Symantec Corporation)
SRV - (SNDSrvc) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (Symantec Corporation)
SRV - (TVT Scheduler) -- c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe (Lenovo Group Limited)
SRV - (TVT Backup Protection Service) -- C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe ()
SRV - (TVT Backup Service) -- C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe (Lenovo Group Limited)
SRV - (tvtnetwk) -- C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe ()
SRV - (SPBBCSvc) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (Symantec Corporation)
SRV - (ccSetMgr) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (Symantec Corporation)
SRV - (ccEvtMgr) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (Symantec Corporation)
SRV - (LiveUpdate) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE (Symantec Corporation)


========== Driver Services (SafeList) ==========

DRV - (UIUSys) -- C:\WINDOWS\System32\DRIVERS\UIUSYS.SYS File not found
DRV - (PID_PEPI) Logitech QuickCam IM(PID_PEPI) -- C:\WINDOWS\System32\DRIVERS\LV302V32.SYS File not found
DRV - (pepifilter) -- C:\WINDOWS\System32\DRIVERS\lv302af.sys File not found
DRV - (MRESP50) -- C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS File not found
DRV - (MRENDIS5) -- C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS File not found
DRV - (MREMPR5) -- C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS File not found
DRV - (MREMP50) -- C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS File not found
DRV - (LVUSBSta) -- C:\WINDOWS\System32\drivers\LVUSBSta.sys File not found
DRV - (LVRS) -- C:\WINDOWS\System32\DRIVERS\lvrs.sys File not found
DRV - (BTWUSB) -- C:\WINDOWS\System32\Drivers\btwusb.sys File not found
DRV - (NAVEX15) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110102.003\NAVEX15.SYS (Symantec Corporation)
DRV - (NAVENG) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110102.003\NAVENG.SYS (Symantec Corporation)
DRV - (Lbd) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (Lavasoft Kernexplorer) -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys ()
DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (EraserUtilRebootDrv) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (iaStor) -- C:\WINDOWS\system32\DRIVERS\iaStor.sys (Intel Corporation)
DRV - (SymEvent) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS (Symantec Corporation)
DRV - (amdagp) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
DRV - (sisagp) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\USBAUDIO.sys (Microsoft Corporation)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows (R) Server 2003 DDK provider)
DRV - (tvtfilter) -- C:\WINDOWS\system32\drivers\tvtfilter.sys (Lenovo)
DRV - (pmem) -- C:\WINDOWS\system32\drivers\pmemnt.sys (Microsoft Corporation)
DRV - (Shockprf) -- C:\WINDOWS\System32\DRIVERS\Apsx86.sys (Lenovo.)
DRV - (TPDIGIMN) -- C:\WINDOWS\System32\DRIVERS\ApsHM86.sys (Lenovo.)
DRV - (TPPWRIF) -- C:\WINDOWS\system32\drivers\TPPWRIF.SYS ()
DRV - (ialm) -- C:\WINDOWS\system32\drivers\igxpmp32.sys (Intel Corporation)
DRV - (CVPNDRVA) -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys (Cisco Systems, Inc.)
DRV - (TSMSMI) -- C:\WINDOWS\system32\drivers\tsmsmi32.sys (Lenovo Group Limited)
DRV - (IBMPMDRV) -- C:\WINDOWS\system32\drivers\ibmpmdrv.sys (Lenovo.)
DRV - (TVTI2C) -- C:\WINDOWS\system32\drivers\tvti2c.sys (Lenovo (United States) Inc.)
DRV - (psadd) -- C:\WINDOWS\system32\drivers\psadd.sys (Lenovo (United States) Inc.)
DRV - (e1express) Intel(R) -- C:\WINDOWS\system32\drivers\e1e5132.sys (Intel Corporation)
DRV - (NETw4x32) Intel(R) -- C:\WINDOWS\system32\drivers\NETw4x32.sys (Intel Corporation)
DRV - (Tp4Track) -- C:\WINDOWS\system32\drivers\tp4track.sys (Lenovo Group Limited)
DRV - (ADIHdAudAddService) -- C:\WINDOWS\system32\drivers\ADIHdAud.sys (Analog Devices, Inc.)
DRV - (TSMAPIP) -- C:\WINDOWS\system32\drivers\TSMAPIP.SYS ()
DRV - (IBMTPCHK) -- C:\WINDOWS\system32\drivers\IBMBLDID.sys ()
DRV - (s24trans) -- C:\WINDOWS\system32\drivers\s24trans.sys (Intel Corporation)
DRV - (smihlp) SMI Helper Driver (smihlp) -- C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys (UPEK Inc.)
DRV - (TcUsb) -- C:\WINDOWS\system32\drivers\tcusb.sys (UPEK Inc.)
DRV - (SYMTDI) -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS (Symantec Corporation)
DRV - (SYMREDRV) -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS (Symantec Corporation)
DRV - (TVTPktFilter) -- C:\WINDOWS\system32\drivers\tvtpktfilter.sys (Lenovo Group Limited)
DRV - (DNE) -- C:\WINDOWS\system32\drivers\dne2000.sys (Deterministic Networks, Inc.)
DRV - (CVirtA) -- C:\WINDOWS\system32\drivers\CVirtA.sys (Cisco Systems, Inc.)
DRV - (SPBBCDrv) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (Symantec Corporation)
DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSF_DPV.sys (Conexant Systems, Inc.)
DRV - (HSFHWAZL) -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (PROCDD) -- C:\WINDOWS\system32\drivers\PROCDD.SYS (Lenovo Group Limited)
DRV - (iviVD) -- C:\WINDOWS\system32\DRIVERS\iviVD.sys (InterVideo)
DRV - (SAVRT) -- C:\Program Files\Symantec AntiVirus\savrt.sys (Symantec Corporation)
DRV - (SAVRTPEL) -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys (Symantec Corporation)
DRV - (HBtnKey) -- C:\WINDOWS\system32\drivers\tkbtnpn.sys (Lenovo)
DRV - (ANC) -- C:\WINDOWS\system32\drivers\ANC.sys (IBM Corp.)
DRV - (Iviaspi) -- C:\WINDOWS\system32\drivers\iviaspi.sys (InterVideo, Inc.)
DRV - (atmeltpm) -- C:\WINDOWS\system32\drivers\atmeltpm.sys (Atmel, Inc.)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (TwoTrack) -- C:\WINDOWS\system32\drivers\TwoTrack.sys (IBM Corporation)
DRV - (Sparrow) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)
DRV - (sym_u3) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (sym_hi) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (symc8xx) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (symc810) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (ultra) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (ql12160) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)
DRV - (ql1080) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)
DRV - (ql1280) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)
DRV - (dac2w2k) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)
DRV - (mraid35x) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)
DRV - (asc) -- C:\WINDOWS\system32\DRIVERS\asc.sys (Advanced System Products, Inc.)
DRV - (asc3550) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)
DRV - (AliIde) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (CmdIde) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (ac97intc) Intel(r) 82801 Audio Driver Install Service (WDM) -- C:\WINDOWS\system32\drivers\ac97intc.sys (Intel Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.viewpoint.com/landing/v38a.html
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com/welcome/thinkpad [binary data]
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.viewpoint.com/landing/v38a.html
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com/welcome/thinkpad [binary data]
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1306971765-884188740-1866703110-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.lenovo.com/welcome/thinkpad [binary data]
IE - HKU\S-1-5-21-1306971765-884188740-1866703110-1009\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-1306971765-884188740-1866703110-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-1306971765-884188740-1866703110-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.param.yahoo-fr: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-type: "${8}"
FF - prefs.js..browser.search.selectedEngine: "Yahoo"
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://news.google.com/"
FF - prefs.js..network.proxy.type: 0


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/01/01 15:16:26 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/01/02 16:57:34 | 000,000,000 | ---D | M]

[2008/12/06 22:41:28 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Media Services\Application Data\Mozilla\Extensions
[2011/01/04 13:11:50 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Media Services\Application Data\Mozilla\Firefox\Profiles\ihqqjzc5.default\extensions
[2010/07/26 19:42:49 | 000,000,000 | ---D | M] (Zynga Toolbar) -- C:\Documents and Settings\Media Services\Application Data\Mozilla\Firefox\Profiles\ihqqjzc5.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
[2011/01/04 21:32:32 | 000,001,951 | ---- | M] () -- C:\Documents and Settings\Media Services\Application Data\Mozilla\Firefox\Profiles\ihqqjzc5.default\searchplugins\blekko.xml
[2011/01/04 13:11:51 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/01/02 16:57:37 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2009/11/19 13:16:28 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
[2011/01/02 16:57:15 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2009/11/19 13:16:29 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npMozCouponPrinter.dll

O1 HOSTS File: ([2010/03/01 21:44:48 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKU\S-1-5-21-1306971765-884188740-1866703110-1009\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\S-1-5-21-1306971765-884188740-1866703110-1009\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [TpShocks] C:\WINDOWS\System32\TpShocks.exe (Lenovo.)
O4 - HKU\S-1-5-21-1306971765-884188740-1866703110-1009..\Run: [Transparent] C:\Program Files\TweakNow PowerPack 2010\Transparent.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: DisableCAD = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1306971765-884188740-1866703110-1009\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1306971765-884188740-1866703110-1009\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-1306971765-884188740-1866703110-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1306971765-884188740-1866703110-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1306971765-884188740-1866703110-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1306971765-884188740-1866703110-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\System: DisableTaskMgr = 1
O15 - HKU\S-1-5-21-1306971765-884188740-1866703110-1009\..Trusted Domains: motive.com ([pattta.att] https in Trusted sites)
O15 - HKU\S-1-5-21-1306971765-884188740-1866703110-1009\..Trusted Domains: motive.com ([patttbc.att] https in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinsta ... s-i586.cab (Java Plug-in 1.5.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_23)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O20 - Winlogon\Notify\psfus: DllName - C:\WINDOWS\system32\psqlpwd.dll - C:\WINDOWS\system32\psqlpwd.dll (UPEK Inc.)
O20 - Winlogon\Notify\TabBtnWL: DllName - TabBtnWL.dll - C:\WINDOWS\System32\tabbtnwl.dll (Microsoft Corporation)
O20 - Winlogon\Notify\tpgwlnotify: DllName - tpgwlnot.dll - C:\WINDOWS\System32\tpgwlnot.dll (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Media Services\Application Data\Mozilla\Firefox\Desktop Background.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Media Services\Application Data\Mozilla\Firefox\Desktop Background.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/04/30 15:14:37 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/01/06 17:49:53 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Media Services\Desktop\OTL.exe
[2011/01/06 17:29:05 | 000,000,000 | ---D | C] -- C:\Inetpub
[2011/01/06 11:09:31 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Media Services\Recent
[2011/01/04 12:02:50 | 000,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2011/01/04 11:49:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Media Services\Local Settings\Application Data\Sunbelt Software
[2011/01/04 11:49:03 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
[2011/01/04 11:48:17 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2011/01/04 11:48:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Lavasoft
[2011/01/04 10:45:45 | 000,000,000 | ---D | C] -- C:\Program Files\Jalbum
[2011/01/04 10:45:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Media Services\Application Data\JAlbum
[2011/01/04 10:45:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Jalbum
[2011/01/03 17:40:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Media Services\Desktop\sndvol32(2)
[2011/01/02 17:32:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Media Services\Desktop\frameuploads
[2011/01/02 16:57:34 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2011/01/02 16:57:34 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/01/02 16:57:34 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/01/02 16:57:34 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/01/02 16:57:34 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2011/01/02 16:41:38 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/01/02 13:22:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Media Services\Start Menu\Programs\HiJackThis
[2011/01/01 17:47:59 | 000,151,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\irftp.exe
[2011/01/01 17:47:59 | 000,151,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\irftp.exe
[2011/01/01 17:47:59 | 000,028,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\irmon.dll
[2011/01/01 17:47:59 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wshirda.dll
[2011/01/01 17:47:59 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wshirda.dll
[2011/01/01 15:16:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox
[2011/01/01 13:43:44 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Media Services\Start Menu\Programs\Quick Defrag
[2011/01/01 13:25:55 | 000,053,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\sst7D.sys
[2010/12/26 13:54:16 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Media Services\Desktop\music
[2010/12/25 14:09:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2010/12/25 14:08:30 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/12/25 14:08:15 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/12/25 14:03:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\QuickTime
[2010/12/25 14:02:34 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/12/24 14:32:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\XYZ0123456789ABC
[2010/12/24 14:14:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\lBnKd06300
[2010/12/14 23:23:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Media Services\Desktop\export
[2010/12/14 14:58:49 | 000,045,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wab.exe
[2010/12/14 14:58:21 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndproxy.sys
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/01/06 17:49:56 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Media Services\Desktop\OTL.exe
[2011/01/06 17:46:06 | 000,879,047 | ---- | M] () -- C:\Documents and Settings\Media Services\Desktop\SecurityCheck.exe
[2011/01/06 17:28:45 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/01/06 17:28:41 | 000,442,194 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/01/06 17:28:41 | 000,071,964 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/01/06 17:23:39 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/01/04 21:20:08 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\Media Services\Desktop\Internet.lnk
[2011/01/04 13:09:14 | 000,138,752 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\sndvol32.exe
[2011/01/04 13:09:14 | 000,138,752 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sndvol32.exe
[2011/01/04 12:02:45 | 000,098,392 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2011/01/04 11:49:00 | 000,000,892 | ---- | M] () -- C:\Documents and Settings\Media Services\Application Data\Microsoft\Internet Explorer\Quick Launch\Ad-Aware.lnk
[2011/01/04 11:49:00 | 000,000,874 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2011/01/04 10:57:27 | 000,000,050 | ---- | M] () -- C:\Documents and Settings\Media Services\.jalbum-recent-projects.properties
[2011/01/04 10:57:24 | 000,001,097 | ---- | M] () -- C:\Documents and Settings\Media Services\.jalbum-defaults.jap
[2011/01/04 10:46:02 | 000,000,781 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Jalbum.lnk
[2011/01/03 17:26:56 | 000,004,507 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/01/02 16:57:13 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2011/01/02 16:57:13 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/01/02 16:57:13 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/01/02 16:57:13 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/01/02 16:57:13 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2011/01/02 13:56:46 | 000,025,341 | ---- | M] () -- C:\WINDOWS\System32\PROCDB.INI
[2011/01/02 13:56:21 | 000,000,380 | ---- | M] () -- C:\WINDOWS\System32\IPSCtrl.INI
[2011/01/02 13:24:29 | 000,000,572 | ---- | M] () -- C:\Documents and Settings\Media Services\Desktop\Shortcut to HijackThis.lnk
[2011/01/02 13:22:17 | 000,002,002 | ---- | M] () -- C:\Documents and Settings\Media Services\Desktop\HiJackThis.lnk
[2011/01/01 18:25:25 | 000,000,281 | -HS- | M] () -- C:\boot.ini
[2011/01/01 15:40:30 | 000,049,152 | ---- | M] () -- C:\Documents and Settings\Media Services\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/01/01 15:21:07 | 002,009,382 | ---- | M] () -- C:\WINDOWS\iis6.BAK
[2011/01/01 13:26:00 | 000,053,248 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\sst7D.sys
[2011/01/01 02:56:36 | 000,048,832 | ---- | M] () -- C:\Documents and Settings\Media Services\Desktop\mooman.jpg
[2010/12/28 19:40:32 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/12/27 19:49:39 | 000,836,580 | ---- | M] () -- C:\Documents and Settings\Media Services\Desktop\pg30601-images.mobi
[2010/12/27 11:10:09 | 000,021,860 | ---- | M] () -- C:\Documents and Settings\Media Services\Desktop\sarah_palin_winking.jpg
[2010/12/25 14:09:31 | 000,001,561 | ---- | M] () -- C:\Documents and Settings\Media Services\Desktop\iTunes.lnk
[2010/12/25 12:57:32 | 268,266,904 | ---- | M] () -- C:\Documents and Settings\Media Services\Desktop\510B.mp4
[2010/12/25 12:08:34 | 166,376,196 | ---- | M] () -- C:\Documents and Settings\Media Services\Desktop\510A.mp4
[2010/12/16 20:04:58 | 000,028,121 | ---- | M] () -- C:\Documents and Settings\Media Services\Desktop\bedframe.jpg
[2010/12/14 17:10:11 | 000,000,316 | ---- | M] () -- C:\WINDOWS\tasks\PMTask.job
[2010/12/14 16:54:12 | 000,287,704 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/12/14 11:48:57 | 000,006,598 | ---- | M] () -- C:\Documents and Settings\Media Services\Desktop\tickets_SFee.cgi.htm
[2010/12/09 12:16:31 | 000,208,373 | ---- | M] () -- C:\Documents and Settings\Media Services\Desktop\Rose.JPG
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/01/06 17:46:03 | 000,879,047 | ---- | C] () -- C:\Documents and Settings\Media Services\Desktop\SecurityCheck.exe
[2011/01/04 21:20:08 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\Media Services\Desktop\Internet.lnk
[2011/01/04 14:16:00 | 000,015,880 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2011/01/04 11:49:00 | 000,000,892 | ---- | C] () -- C:\Documents and Settings\Media Services\Application Data\Microsoft\Internet Explorer\Quick Launch\Ad-Aware.lnk
[2011/01/04 11:49:00 | 000,000,874 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2011/01/04 10:57:27 | 000,000,050 | ---- | C] () -- C:\Documents and Settings\Media Services\.jalbum-recent-projects.properties
[2011/01/04 10:51:02 | 000,001,097 | ---- | C] () -- C:\Documents and Settings\Media Services\.jalbum-defaults.jap
[2011/01/04 10:46:02 | 000,000,781 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Jalbum.lnk
[2011/01/02 13:24:29 | 000,000,572 | ---- | C] () -- C:\Documents and Settings\Media Services\Desktop\Shortcut to HijackThis.lnk
[2011/01/02 13:22:17 | 000,002,002 | ---- | C] () -- C:\Documents and Settings\Media Services\Desktop\HiJackThis.lnk
[2011/01/01 02:56:35 | 000,048,832 | ---- | C] () -- C:\Documents and Settings\Media Services\Desktop\mooman.jpg
[2010/12/28 21:07:26 | 000,001,561 | ---- | C] () -- C:\Documents and Settings\Media Services\Desktop\iTunes.lnk
[2010/12/27 21:28:35 | 000,836,580 | ---- | C] () -- C:\Documents and Settings\Media Services\Desktop\pg30601-images.mobi
[2010/12/27 11:10:07 | 000,021,860 | ---- | C] () -- C:\Documents and Settings\Media Services\Desktop\sarah_palin_winking.jpg
[2010/12/26 13:55:13 | 166,376,196 | ---- | C] () -- C:\Documents and Settings\Media Services\Desktop\510A.mp4
[2010/12/25 16:28:33 | 268,266,904 | ---- | C] () -- C:\Documents and Settings\Media Services\Desktop\510B.mp4
[2010/12/15 13:53:00 | 000,028,121 | ---- | C] () -- C:\Documents and Settings\Media Services\Desktop\bedframe.jpg
[2010/12/14 11:48:56 | 000,006,598 | ---- | C] () -- C:\Documents and Settings\Media Services\Desktop\tickets_SFee.cgi.htm
[2010/12/09 12:16:31 | 000,208,373 | ---- | C] () -- C:\Documents and Settings\Media Services\Desktop\Rose.JPG
[2010/02/24 17:16:07 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll.old
[2008/12/26 17:15:10 | 000,049,152 | ---- | C] () -- C:\Documents and Settings\Media Services\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/12/09 15:34:59 | 000,000,952 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2008/04/18 12:25:31 | 000,000,137 | ---- | C] () -- C:\Documents and Settings\Media Services\Local Settings\Application Data\fusioncache.dat
[2008/04/17 07:46:35 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2008/02/25 12:13:57 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/02/25 11:49:03 | 000,004,224 | ---- | C] () -- C:\WINDOWS\System32\drivers\IBMBLDID.sys
[2008/02/25 11:34:16 | 000,910,464 | ---- | C] () -- C:\WINDOWS\System32\igmedkrn.dll
[2008/02/25 11:34:16 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4860.dll
[2008/02/25 11:31:58 | 000,012,848 | ---- | C] () -- C:\WINDOWS\System32\drivers\TSMAPIP.SYS
[2008/02/25 11:30:50 | 000,004,442 | ---- | C] () -- C:\WINDOWS\System32\drivers\TPPWRIF.SYS
[2008/02/25 11:30:42 | 000,106,496 | ---- | C] () -- C:\WINDOWS\stkbtnpn.dll
[2007/07/26 22:37:40 | 000,025,341 | ---- | C] () -- C:\WINDOWS\System32\PROCDB.INI
[2007/07/26 22:37:29 | 000,000,380 | ---- | C] () -- C:\WINDOWS\System32\IPSCtrl.INI
[2007/07/16 10:58:10 | 000,197,408 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2007/07/16 10:58:00 | 000,193,312 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2006/09/14 08:59:23 | 001,490,999 | ---- | C] () -- C:\WINDOWS\System32\tkbtnpn1.dll
[2006/09/05 14:20:36 | 000,079,400 | ---- | C] () -- C:\WINDOWS\System32\DEVMAN.DLL
[2006/04/30 15:36:03 | 000,004,670 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/04/30 08:03:11 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

========== Alternate Data Streams ==========

@Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D2F2F703
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

< End of report >
-------------

----Here is the OTL EXTRAS text file----------

OTL Extras logfile created on: 1/6/2011 5:55:34 PM - Run 1
OTL by OldTimer - Version 3.2.20.1 Folder = C:\Documents and Settings\Media Services\Desktop
Windows XP Tablet PC Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

998.00 Mb Total Physical Memory | 204.00 Mb Available Physical Memory | 20.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): C:\pagefile.sys 1500 3000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 106.08 Gb Total Space | 11.77 Gb Free Space | 11.09% Space Free | Partition Type: NTFS

Computer Name: MSRVC-LVB31CY | User Name: Media Services | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-1306971765-884188740-1866703110-1009\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\Java\jre6\bin\java.exe" = C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0759CACC-6CF9-4C3C-92C5-39668679AB16}" = Microsoft Ink Desktop
"{0CAD092C-5D1E-48AD-A845-E1EBA9AF1AF8}" = Tablet PC Tutorials for Microsoft Windows XP SP2
"{1007F41F-7D69-468E-8017-3849A5A973C2}" = ThinkVantage Technologies Welcome Message
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP560_series" = Canon MP560 series MP Drivers
"{1297C681-92D7-40EF-93BF-03F66EC5105C}" = ThinkPad EasyEject Utility
"{14081443-583A-4605-BB91-83D38ADAC939}" = Microsoft Windows XP Tablet PC Edition 2005 Recognizer Pack
"{14FCFE7C-AB86-428A-9D2E-BFB6F5A7AA6E}" = Cisco Systems VPN Client 5.0.01.0600
"{1CB92574-96F2-467B-B793-5CEB35C40C29}" = Image Resizer Powertoy for Windows XP
"{1FBEE61B-F90E-4EE3-AE94-FCB8BD6EC443}" = Ink Art
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{26903C89-780A-463E-8CBD-E47A73927254}" = ThinkPad Tablet Button Driver
"{26A24AE4-039D-4CA4-87B4-2F83216023FF}" = Java(TM) 6 Update 23
"{308B6AEA-DE50-4666-996D-0FA461719D6B}" = Apple Mobile Device Support
"{3248F0A8-6813-11D6-A77B-00B0D0150170}" = J2SE Runtime Environment 5.0 Update 17
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{394958C2-8036-4385-81F5-B63F221D0DD0}" = InterVideo VirtualDrive
"{40FFC202-F842-44C7-ACBE-8B0EA690B1A3}" = Microsoft Education Pack for Windows XP Tablet PC Edition
"{41894269-0DD1-4C85-B3DD-1EB41B07621D}" = ThinkVantage Fingerprint Software 5.6
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{46A84694-59EC-48F0-964C-7E76E9F8A2ED}" = ThinkVantage Active Protection System
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{50A0893D-47D8-48E0-A7E8-44BCD7E4422E}" = Microsoft SQL Server Native Client
"{50E125D1-88E5-48CE-80AE-98EC9698E639}" = Symantec AntiVirus
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{65706020-7B6F-41F2-8047-FC69579E386A}" = Presentation Director
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7EB114D8-207F-45AE-BABD-1669715F2630}" = ThinkVantage Access Connections
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{83FBD495-DDF6-4C8D-92D6-10261DD6F6A3}" = WordPerfect Office X3
"{881F5DE8-9367-4B81-A325-E91BBC6472F9}" = iTunes
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
"{986F64DC-FF15-449D-998F-EE3BCEC6666A}" = Help Center
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9A2DB59F-091A-40B4-958D-1C8264624126}" = ThinkPad Tablet Shortcut Menu
"{9D4491FE-DBA0-4B08-80D9-C6A9F9A63E18}" = Jalbum
"{A0E64EBA-8BF0-49FB-90C0-BB3D781A2016}" = ThinkPad Power Manager
"{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}" = mDriver
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components
"{AC76BA86-1033-0000-7760-100000000002}" = Adobe Acrobat 7.0 Professional
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C0D2F614-5CE5-4DCB-8678-E5C9AF7044F8}" = Microsoft SQL Server VSS Writer
"{C12EB29D-9D64-4ACA-84C2-33D8729AABD3}" = Microsoft Experience Pack for Tablet PC
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C54ED2B6-1AF2-416F-BBA8-5E2B8CDCB5C4}" = XP Themes
"{C6FA39A7-26B1-480A-BC74-6D17531AC222}" = Access Help
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF5737AF-8550-4546-A69B-0EA9EF5A9B55}" = ThinkVantage Productivity Center
"{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}" = Full Tilt Poker
"{D728E945-256D-4477-B377-6BBA693714AC}" = Productivity Center Supplement for ThinkPad
"{DB71210F-8314-4AE3-B7A7-EBAF85BD30E9}" = Wallpapers
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F151F2B3-0C32-44D3-90E2-E639B8024622}" = Rescue and Recovery
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}" = Update Manager
"{F705E3E1-A471-426B-9A09-73429F3418EE}" = System Migration Assistant
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"Ad-Aware" = Ad-Aware
"Adobe Acrobat 7.0 Professional - V" = Adobe Acrobat 7.1.0 Professional
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AVS Update Manager_is1" = AVS Update Manager 1.0
"AVS4YOU Software Navigator_is1" = AVS4YOU Software Navigator 1.4
"AVS4YOU Video Converter 6_is1" = AVS Video Converter 6
"AwayTask" = Maintenance Manager
"Canon_IJ_Network_UTILITY" = Canon IJ Network Tool
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_10140588" = ThinkPad Modem
"Coupon Printer for Windows5.0.0.0" = Coupon Printer for Windows
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"LiveUpdate" = LiveUpdate 3.1 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.13)" = Mozilla Firefox (3.6.13)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PC-Doctor 5 for Windows" = PC-Doctor 5 for Windows
"PCMCIAPW" = ThinkPad PC Card Power Policy
"Picasa 3" = Picasa 3
"Power Management Driver" = ThinkPad Power Management Driver
"ProInst" = Intel(R) PROSet/Wireless Software
"PROPLUS" = Microsoft Office Professional Plus 2007
"PROSet" = Intel(R) PRO Network Connections Drivers
"ThinkPad FullScreen Magnifier" = ThinkPad FullScreen Magnifier
"TrackPoint" = ThinkPad TrackPoint Driver
"TweakNow PowerPack 2010_is1" = TweakNow PowerPack 2010
"Wdf01001" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.1
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMCSetup" = Windows Media Connect
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Software Update" = Yahoo! Software Update

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/2/2011 5:37:38 PM | Computer Name = MSRVC-LVB31CY | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Suspend Thread Action Taken: Blocked Actor Process:
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe (PID 2656) Time: Sunday,
January 02, 2011 1:37:38 PM

Error - 1/2/2011 5:37:38 PM | Computer Name = MSRVC-LVB31CY | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Suspend Thread Action Taken: Blocked Actor Process:
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe (PID 2656) Time: Sunday,
January 02, 2011 1:37:38 PM

Error - 1/2/2011 5:37:38 PM | Computer Name = MSRVC-LVB31CY | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Suspend Thread Action Taken: Blocked Actor Process:
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe (PID 2656) Time: Sunday,
January 02, 2011 1:37:38 PM

Error - 1/6/2011 9:25:24 PM | Computer Name = MSRVC-LVB31CY | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module unknown, version 0.0.0.0, fault address 0x00ad2663.

Error - 1/6/2011 9:29:45 PM | Computer Name = MSRVC-LVB31CY | Source = Application Hang | ID = 1002
Description = Hanging application rundll32.exe, version 5.1.2600.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/6/2011 9:29:46 PM | Computer Name = MSRVC-LVB31CY | Source = Application Hang | ID = 1002
Description = Hanging application rundll32.exe, version 5.1.2600.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/6/2011 9:32:55 PM | Computer Name = MSRVC-LVB31CY | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module unknown, version 0.0.0.0, fault address 0x00e735e7.

Error - 1/6/2011 9:32:56 PM | Computer Name = MSRVC-LVB31CY | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module unknown, version 0.0.0.0, fault address 0x00ad2663.

Error - 1/6/2011 9:44:54 PM | Computer Name = MSRVC-LVB31CY | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module unknown, version 0.0.0.0, fault address 0x00ad2663.

Error - 1/6/2011 9:55:52 PM | Computer Name = MSRVC-LVB31CY | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module unknown, version 0.0.0.0, fault address 0x00ad2663.

[ System Events ]
Error - 1/4/2011 6:16:47 AM | Computer Name = MSRVC-LVB31CY | Source = iviVD | ID = 262153
Description = The device, \Device\Scsi\iviVD1, did not respond within the timeout
period.

Error - 1/4/2011 12:24:06 PM | Computer Name = MSRVC-LVB31CY | Source = iviVD | ID = 262153
Description = The device, \Device\Scsi\iviVD1, did not respond within the timeout
period.

Error - 1/4/2011 4:06:09 PM | Computer Name = MSRVC-LVB31CY | Source = Service Control Manager | ID = 7000
Description = The IPS Core Service service failed to start due to the following
error: %%2

Error - 1/4/2011 5:53:21 PM | Computer Name = MSRVC-LVB31CY | Source = Service Control Manager | ID = 7000
Description = The IPS Core Service service failed to start due to the following
error: %%2

Error - 1/4/2011 6:18:38 PM | Computer Name = MSRVC-LVB31CY | Source = Service Control Manager | ID = 7000
Description = The IPS Core Service service failed to start due to the following
error: %%2

Error - 1/5/2011 2:15:06 AM | Computer Name = MSRVC-LVB31CY | Source = iviVD | ID = 262153
Description = The device, \Device\Scsi\iviVD1, did not respond within the timeout
period.

Error - 1/5/2011 9:23:12 PM | Computer Name = MSRVC-LVB31CY | Source = iviVD | ID = 262153
Description = The device, \Device\Scsi\iviVD1, did not respond within the timeout
period.

Error - 1/6/2011 11:18:41 AM | Computer Name = MSRVC-LVB31CY | Source = iviVD | ID = 262153
Description = The device, \Device\Scsi\iviVD1, did not respond within the timeout
period.

Error - 1/6/2011 3:02:29 PM | Computer Name = MSRVC-LVB31CY | Source = Service Control Manager | ID = 7000
Description = The IPS Core Service service failed to start due to the following
error: %%2

Error - 1/6/2011 9:23:47 PM | Computer Name = MSRVC-LVB31CY | Source = Service Control Manager | ID = 7000
Description = The IPS Core Service service failed to start due to the following
error: %%2


< End of report >
------------

------------Here is the gmer txt file-------------

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-06 18:53:00
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 HITACHI_ rev.BB2Z
Running: 9g2j9sgb.exe; Driver: C:\DOCUME~1\MEDIAS~1\LOCALS~1\Temp\uwtirkod.sys


---- System - GMER 1.0.15 ----

SSDT 85DE8A78 ZwAlertResumeThread
SSDT 85DEAA78 ZwAlertThread
SSDT 8607BE30 ZwAllocateVirtualMemory
SSDT 8604F570 ZwConnectPort
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF753587E]
SSDT 85DDFC08 ZwCreateMutant
SSDT 85F20D10 ZwCreateThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA42F0350]
SSDT 85DF9D58 ZwFreeVirtualMemory
SSDT 85DDFDA0 ZwImpersonateAnonymousToken
SSDT 85DDFF30 ZwImpersonateThread
SSDT 85D45D30 ZwMapViewOfSection
SSDT 85DDFA80 ZwOpenEvent
SSDT 8469FC10 ZwOpenProcessToken
SSDT 85DF8F30 ZwOpenThreadToken
SSDT 85F71C50 ZwQueryValueKey
SSDT 85E67A90 ZwResumeThread
SSDT 85DF8DB8 ZwSetContextThread
SSDT 85DFAD08 ZwSetInformationProcess
SSDT 85DF8C28 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA42F0580]
SSDT 85DDEE88 ZwSuspendProcess
SSDT 85DF2A78 ZwSuspendThread
SSDT 85E27A90 ZwTerminateProcess
SSDT 85DF6D90 ZwTerminateThread
SSDT 85DF9AA0 ZwUnmapViewOfSection
SSDT 86079E80 ZwWriteVirtualMemory

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\BTHUSB \Device\000000b3 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\000000b5 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device 9A905D20
Device 9A8FE60A

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:192] 861A053C
Thread System [4:196] 861A252D

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e4cd76b5c
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001e4cd76b5c (not active ControlSet)

---- EOF - GMER 1.0.15 ----
----------

END

thanks!
Eric
ericldauster
Regular Member
 
Posts: 16
Joined: January 3rd, 2011, 9:15 pm

Re: Mozilla Browser Hijacked - Google Search Results redirec

Unread postby deltalima » January 7th, 2011, 6:24 am

Hi ericldauster,

Symantec AntiVirus

Do you have a subscription for this and are your definitions up to date?

MBRCheck

Please download MBRCheck.exe to your desktop.
  • Double-click on MBRCheck.exe to run it.
  • It will show a Black screen with some information.
  • If an unknown bootcode is found, you will have further options available to you; at this time press N, then press Enter twice.
  • If nothing unusual is found, just press Enter.
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
  • Please post the contents of that file in your next reply.

Scan With RKUnHooker

  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
  • Copy the entire contents of the report and paste it in a reply here.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Mozilla Browser Hijacked - Google Search Results redirec

Unread postby ericldauster » January 7th, 2011, 10:05 pm

Yes, my Symantec is licensed and I updated it before scanning a few days ago. The virus definition list says "1/2/2011 rev. 3"


MBRCheck
------------------------------------
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 169):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xF79D5000 \WINDOWS\system32\KDCOM.DLL
0xF78E5000 \WINDOWS\system32\BOOTVID.dll
0xF73A6000 ACPI.sys
0xF79D7000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7395000 pci.sys
0xF74D5000 isapnp.sys
0xF78E9000 compbatt.sys
0xF78ED000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7A9D000 pciide.sys
0xF7755000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7377000 pcmcia.sys
0xF74E5000 MountMgr.sys
0xF7358000 ftdisk.sys
0xF79D9000 dmload.sys
0xF7332000 dmio.sys
0xF775D000 PartMgr.sys
0xF78F1000 ACPIEC.sys
0xF7A9E000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF74F5000 VolSnap.sys
0xF7505000 iviVD.sys
0xF731A000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xF7302000 atapi.sys
0xF7244000 iaStor.sys
0xF7515000 disk.sys
0xF7525000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7224000 fltmgr.sys
0xF7212000 sr.sys
0xF7535000 Lbd.sys
0xF7545000 PxHelp20.sys
0xF71FB000 KSecDD.sys
0xF716E000 Ntfs.sys
0xF7141000 NDIS.sys
0xF7125000 Apsx86.sys
0xF7765000 ApsHM86.sys
0xF7555000 ohci1394.sys
0xF7565000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF710B000 Mup.sys
0xF7595000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF75D5000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF2F02000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xF2EEE000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF784D000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF2ECA000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7855000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF2EA2000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF2C87000 \SystemRoot\system32\DRIVERS\NETw4x32.sys
0xF2C73000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xF75F5000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7A41000 \SystemRoot\system32\DRIVERS\tkbtnpn.sys
0xF7605000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF785D000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF7615000 \SystemRoot\system32\DRIVERS\tp4track.sys
0xF7625000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xF2BFC000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
0xF7865000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF37BE000 \SystemRoot\system32\DRIVERS\serial.sys
0xF636D000 \SystemRoot\system32\DRIVERS\wacompen.sys
0xF786D000 \SystemRoot\system32\DRIVERS\atmeltpm.sys
0xF6369000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF79D1000 \SystemRoot\system32\DRIVERS\ibmpmdrv.sys
0xF2BDE000 \SystemRoot\system32\DRIVERS\dne2000.sys
0xF7875000 \SystemRoot\system32\DRIVERS\tvtpktfilter.sys
0xF7B7E000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF37AE000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF70DF000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF2BC7000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF379E000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF378E000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF787D000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF2BB6000 \SystemRoot\system32\DRIVERS\psched.sys
0xF377E000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7885000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF788D000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF2B86000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF376E000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7895000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF70CB000 \SystemRoot\system32\drivers\iviaspi.sys
0xF375E000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF374E000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF2B63000 \SystemRoot\system32\DRIVERS\ks.sys
0xF789D000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xF78A5000 \SystemRoot\system32\DRIVERS\psadd.sys
0xF78AD000 \SystemRoot\system32\DRIVERS\Tvti2c.sys
0xF7A43000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF2B05000 \SystemRoot\system32\DRIVERS\update.sys
0xF70C3000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7645000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF75B5000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7A49000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xA9ECC000 \SystemRoot\system32\drivers\ADIHdAud.sys
0xA9EA8000 \SystemRoot\system32\drivers\portcls.sys
0xAA67E000 \SystemRoot\system32\drivers\drmk.sys
0xA9DF0000 \SystemRoot\system32\drivers\AEAudio.sys
0xA9DBC000 \SystemRoot\system32\DRIVERS\HSFHWAZL.sys
0xA9854000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
0xA97A1000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF77A5000 \SystemRoot\System32\Drivers\Modem.SYS
0xA87AC000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xA68EA000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xA68E2000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xA4897000 \??\C:\Program Files\Symantec AntiVirus\savrt.sys
0xA4875000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
0xA4861000 \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys
0xA4AE5000 \SystemRoot\System32\Drivers\tcusb.sys
0xA4BFC000 \SystemRoot\System32\Drivers\BTHUSB.sys
0xA398F000 \SystemRoot\System32\Drivers\bthport.sys
0xA3C68000 \SystemRoot\system32\DRIVERS\rfcomm.sys
0xA41FD000 \SystemRoot\system32\DRIVERS\BthEnum.sys
0xA31A6000 \SystemRoot\system32\DRIVERS\bthpan.sys
0x9C727000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7B35000 \SystemRoot\System32\Drivers\Null.SYS
0x9C45F000 \SystemRoot\System32\Drivers\Beep.SYS
0xA1A55000 \SystemRoot\System32\drivers\vga.sys
0x9C44F000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7A19000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF77C5000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF783D000 \SystemRoot\System32\Drivers\Npfs.SYS
0xA32A4000 \SystemRoot\system32\DRIVERS\rasacd.sys
0x9C3C2000 \SystemRoot\system32\DRIVERS\ipsec.sys
0x9C369000 \SystemRoot\system32\DRIVERS\tcpip.sys
0x9C32E000 \SystemRoot\System32\Drivers\SYMTDI.SYS
0x9C308000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xAA65E000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x9C2E0000 \SystemRoot\system32\DRIVERS\netbt.sys
0x9C8ED000 \SystemRoot\system32\DRIVERS\arp1394.sys
0x9C2BE000 \SystemRoot\System32\drivers\afd.sys
0xF76B5000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA1000000 \SystemRoot\system32\DRIVERS\TSMSMI32.SYS
0xF7775000 \SystemRoot\System32\drivers\TSMAPIP.SYS
0xF77BD000 \SystemRoot\System32\drivers\Tppwrif.sys
0x9C23C000 \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
0x9C211000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x9C1A1000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF7A73000 \??\C:\WINDOWS\system32\Drivers\IBMBLDID.sys
0xAA64E000 \SystemRoot\System32\Drivers\Fips.SYS
0x9C143000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0x9C126000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0xA609E000 \SystemRoot\System32\drivers\ANC.SYS
0xA1BE0000 \SystemRoot\System32\Drivers\Cdfs.SYS
0x9C068000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0x9C704000 \SystemRoot\System32\drivers\Dxapi.sys
0xA8D2A000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7B24000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF04E000 \SystemRoot\System32\igxpdv32.DLL
0xBF1F2000 \SystemRoot\System32\igxpdx32.DLL
0xAA5EE000 \SystemRoot\system32\DRIVERS\tvtfilter.sys
0xA0FF8000 \??\C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA935C000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xF34A2000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xF349E000 \SystemRoot\system32\DRIVERS\s24trans.sys
0x9BD6B000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA8D6A000 \SystemRoot\system32\DRIVERS\PROCDD.SYS
0x9BCB3000 \??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
0x9BD57000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA3438000 \??\C:\WINDOWS\System32\drivers\pmemnt.sys
0x9BB43000 \SystemRoot\system32\DRIVERS\srv.sys
0x9B6ED000 \SystemRoot\system32\drivers\wdmaud.sys
0x9B8A3000 \SystemRoot\system32\drivers\sysaudio.sys
0x9B464000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110102.003\navex15.sys
0x9B450000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110102.003\naveng.sys
0x9B3C8000 \SystemRoot\System32\Drivers\SYMREDRV.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 42):
0 System Idle Process
4 System
1376 C:\WINDOWS\system32\smss.exe
1448 csrss.exe
1476 C:\WINDOWS\system32\winlogon.exe
1520 C:\WINDOWS\system32\services.exe
1532 C:\WINDOWS\system32\lsass.exe
1704 C:\WINDOWS\system32\ibmpmsvc.exe
1732 C:\WINDOWS\system32\svchost.exe
1796 svchost.exe
1844 C:\WINDOWS\system32\svchost.exe
2004 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
2040 svchost.exe
276 svchost.exe
500 C:\Program Files\Common Files\Microsoft Shared\Ink\keyboardsurrogate.exe
944 C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
1000 C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
1112 C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
1896 C:\WINDOWS\system32\spoolsv.exe
1960 svchost.exe
212 svchost.exe
376 C:\Program Files\Symantec AntiVirus\DefWatch.exe
436 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
800 C:\Program Files\Java\jre6\bin\jqs.exe
1332 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
1400 C:\WINDOWS\system32\svchost.exe
1440 C:\Program Files\Symantec AntiVirus\Rtvscan.exe
1452 C:\WINDOWS\system32\TPHDEXLG.exe
1536 C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
3108 alg.exe
3344 C:\WINDOWS\system32\wisptis.exe
3444 C:\WINDOWS\system32\tabbtnu.exe
3548 C:\WINDOWS\explorer.exe
2548 C:\WINDOWS\system32\TpShocks.exe
2568 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
4412 C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
4636 unsecapp.exe
2776 wmiprvse.exe
4132 C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
4884 C:\Program Files\Mozilla Firefox\firefox.exe
2936 C:\Program Files\Mozilla Firefox\plugin-container.exe
1936 C:\Documents and Settings\Media Services\My Documents\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: HITACHIHTS542512K9SA00, Rev: BB2ZC3HP

Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: C0AF6DDD6472E062DEF032281F5E15B058D62252


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!
-------------------------------

RootKit Unhooker

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
0x03200000 Hidden Image-->interop.softkeyboardinterface.dll [ EPROCESS 0x845AAB30 ] PID: 500, 28672 bytes
0x031F0000 Hidden Image-->softkeyboardlogic.dll [ EPROCESS 0x845AAB30 ] PID: 500, 36864 bytes
0x03250000 Hidden Image-->sklibrary.dll [ EPROCESS 0x845AAB30 ] PID: 500, 118784 bytes
0x03510000 Hidden Image-->kbcresources.dll [ EPROCESS 0x845AAB30 ] PID: 500, 53248 bytes
0x8620553C Unknown thread object [ ETHREAD 0x86162DA8 ] TID: 192, 600 bytes
0x8620752D Unknown thread object [ ETHREAD 0x86162B30 ] TID: 196, 600 bytes
0x8620523F Unknown thread object [ ETHREAD 0x861628B8 ] , 600 bytes
0x8620128A Unknown page with executable code, 3446 bytes
0x862023CC Unknown page with executable code, 3124 bytes
0x86207143 Unknown page with executable code, 3773 bytes
0x8620530A Unknown page with executable code, 3318 bytes
0xF74F5000 WARNING: Virus alike driver modification [VolSnap.sys], 53248 bytes
---------------

END

thx deltalima
Eric
ericldauster
Regular Member
 
Posts: 16
Joined: January 3rd, 2011, 9:15 pm
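As an added illustration (not part of Eric's post, and not MBRCheck's own code): the MBRCheck output above reports the C: volume at byte offset 0x7e00 on \\.\PhysicalDrive0 and a boot-code SHA1 it cannot match, hence "Unknown MBR code". The Python script below parses a 512-byte MBR the way such a triage step does: it checks the 0x55AA signature, hashes the boot-code area, and turns each partition entry's starting LBA into a byte offset. The sector it parses is a constructed sample with one NTFS partition starting at LBA 63 (63 * 512 = 0x7E00, the XP-era layout), not the poster's disk. Which byte range MBRCheck hashes is not stated on the page, so hashing the first 440 bytes is this example's assumption, and the "known good" hash set is an empty placeholder that an analyst would fill with hashes taken from clean machines. Reading the live sector needs administrator rights and the \\.\PhysicalDrive0 device path shown in the log.

```python
"""Parse one 512-byte MBR: verify the signature, hash the boot code, and
convert partition-table LBAs into the byte offsets an MBRCheck-style tool prints."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439 hold the executable boot code (assumption: MBRCheck hashes this range)
DISK_SIG_OFF = 440         # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446       # four 16-byte partition entries, then 0x55AA at 510
PART_ENTRY = "<B3sB3sII"   # status, CHS start, type, CHS end, start LBA, sector count
PART_TYPE_NTFS = 0x07


def build_sample_mbr(boot_code: bytes = b"\xfa\x33\xc0\x8e\xd0",
                     start_lba: int = 63, sectors: int = 232_000_000) -> bytes:
    """Constructed sample (not the poster's disk): a short boot-code stub padded
    to 440 bytes and a single bootable NTFS partition starting at LBA 63."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
    entry = struct.pack(PART_ENTRY, 0x80, b"\x01\x01\x00", PART_TYPE_NTFS,
                        b"\xfe\xff\xff", start_lba, sectors)
    table = entry + b"\x00" * (16 * 3)          # three empty slots
    return code + disk_sig + table + b"\x55\xaa"


def read_disk_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the real first sector on Windows (requires administrator rights)."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR_SIZE)


def parse_mbr(mbr: bytes) -> dict:
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    parsed = {
        "signature_ok": mbr[510:512] == b"\x55\xaa",
        "boot_code_sha1": hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "partitions": [],
    }
    for i in range(4):
        status, _, ptype, _, start_lba, count = struct.unpack_from(
            PART_ENTRY, mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue                               # empty slot
        parsed["partitions"].append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "start_lba": start_lba,
            "byte_offset": start_lba * SECTOR_SIZE,  # what the log prints as "at offset"
            "sectors": count,
        })
    return parsed


def classify_boot_code(parsed: dict, known_good_sha1: set) -> str:
    """Verdict in the spirit of the log above: the hash must appear in a set the
    analyst has collected from clean machines (empty placeholder here)."""
    if not parsed["signature_ok"]:
        return "Invalid MBR signature"
    if parsed["boot_code_sha1"] in known_good_sha1:
        return "Known MBR code"
    return "Unknown MBR code"


if __name__ == "__main__":
    sample = parse_mbr(build_sample_mbr())
    for p in sample["partitions"]:
        print(f"partition {p['index']}: type 0x{p['type']:02X} at offset 0x{p['byte_offset']:016X}")
    print("SHA1:", sample["boot_code_sha1"], "->", classify_boot_code(sample, set()))
```

A hash missing from your known-good set is not by itself proof of infection: OEM recovery MBRs and third-party boot managers are also "unknown". It is the cue to dump the sector and compare or disassemble it before letting a tool rewrite it.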

Re: Mozilla Browser Hijacked - Google Search Results redirec

Unread postby deltalima » January 8th, 2011, 1:08 pm

Hi ericldauster,

Run Combofix

Temporarily disable any antispyware, antivirus and or antimalware real-time protection as they may interfere with running of ComboFix.

Download ComboFix from here to your Desktop.

For more information about Combofix please see here.

Close all programs.

Double click combofix.exe and follow the prompts.

If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures; if not, follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console and, when prompted, agree to the End-User License Agreement to install it. Once installed, you should see the following message:

The recovery console was successfuly installed.
Click ‘YES’ to continue scanning for malware
Click ‘NO’ for exit

Click the YES button.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your “drive access” light. If it is flashing, Combofix is still at work.

When finished ComboFix will produce a log file. Please post the contents of this log in your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Mozilla Browser Hijacked - Google Search Results redirec

Unread postby ericldauster » January 8th, 2011, 9:59 pm

ComboFix ran successfully, here's the log:

-------------
ComboFix 11-01-08.02 - Media Services 01/08/2011 17:00:30.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.998.232 [GMT -8:00]
Running from: c:\documents and settings\Media Services\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\sst7D.sys
c:\windows\system32\spool\prtprocs\w32x86\4307C.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_sst7D
-------\Service_sst7D


((((((((((((((((((((((((( Files Created from 2010-12-09 to 2011-01-09 )))))))))))))))))))))))))))))))
.

2011-01-07 01:29 . 2011-01-07 01:29 -------- d-----w- C:\Inetpub
2011-01-04 22:16 . 2010-12-03 09:05 15880 ----a-w- c:\windows\system32\lsdelete.exe
2011-01-04 20:02 . 2010-12-03 09:05 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-01-04 19:49 . 2011-01-04 19:49 -------- d-----w- c:\documents and settings\Media Services\Local Settings\Application Data\Sunbelt Software
2011-01-04 19:49 . 2011-01-04 19:49 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2011-01-04 19:48 . 2011-01-04 19:48 -------- d-----w- c:\program files\Lavasoft
2011-01-04 18:45 . 2011-01-04 18:46 -------- d-----w- c:\program files\Jalbum
2011-01-04 18:45 . 2011-01-04 18:45 -------- d-----w- c:\documents and settings\Media Services\Application Data\JAlbum
2011-01-03 22:50 . 2009-08-07 03:23 215920 ----a-w- c:\windows\system32\muweb.dll
2011-01-03 00:57 . 2011-01-03 00:57 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-01-03 00:57 . 2011-01-03 00:57 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-03 00:57 . 2011-01-03 00:57 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-03 00:41 . 2011-01-03 00:57 -------- d-----w- c:\program files\Common Files\Java
2011-01-02 21:22 . 2011-01-02 21:22 388096 ----a-r- c:\documents and settings\Media Services\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-01-02 01:47 . 2008-04-14 00:12 151552 ----a-w- c:\windows\system32\irftp.exe
2011-01-02 01:47 . 2008-04-14 00:12 151552 ----a-w- c:\windows\system32\dllcache\irftp.exe
2011-01-02 01:47 . 2008-04-14 00:12 8192 ----a-w- c:\windows\system32\wshirda.dll
2011-01-02 01:47 . 2008-04-14 00:12 8192 ----a-w- c:\windows\system32\dllcache\wshirda.dll
2011-01-02 01:47 . 2008-04-14 00:11 28160 ----a-w- c:\windows\system32\irmon.dll
2011-01-02 01:47 . 2008-04-14 00:11 28160 ----a-w- c:\windows\system32\dllcache\irmon.dll
2011-01-01 21:25 . 2011-01-01 21:25 0 ----a-w- c:\windows\system32\drivers\sst7D.tmp
2010-12-25 22:08 . 2010-12-25 22:08 -------- d-----w- c:\program files\iPod
2010-12-25 22:08 . 2010-12-25 22:09 -------- d-----w- c:\program files\iTunes
2010-12-24 22:32 . 2010-12-24 22:32 -------- d-----w- c:\windows\XYZ0123456789ABC
2010-12-24 22:14 . 2010-12-24 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\lBnKd06300
2010-12-14 22:58 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe
2010-12-14 22:58 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-04 21:09 . 2003-03-31 15:00 138752 ----a-w- c:\windows\system32\sndvol32.exe
2011-01-04 20:02 . 2010-02-27 00:26 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-11-30 01:38 . 2010-11-30 01:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-30 01:38 . 2010-11-30 01:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12 . 2006-04-30 23:11 81920 ------w- c:\windows\system32\isign32.dll
2010-11-06 00:26 . 2006-04-30 22:51 43520 ------w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2006-04-30 22:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:26 . 2006-04-30 22:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-03 12:25 . 2006-04-30 22:51 385024 ------w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2006-04-30 22:52 40960 ------w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2006-04-30 22:51 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2006-04-30 22:51 1853312 ------w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Transparent"="c:\program files\TweakNow PowerPack 2010\Transparent.exe" [2010-03-14 24320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [2007-09-28 181544]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 52840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2008-04-14 00:11 47104 ------w- c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-15 06:17 89600 ------w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 10:41 11776 ------w- c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2008-04-14 00:12 32256 ------w- c:\windows\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2008-04-23 10:08 483328 ------w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CD Autorun]
2010-03-14 06:25 429312 ------w- c:\program files\TweakNow PowerPack 2010\CDAuto.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
2007-03-28 17:32 243248 ------w- c:\progra~1\ThinkPad\UTILIT~1\EZEJMNAP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-08-11 23:30 249856 ------w- c:\program files\Common Files\Installshield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-08-11 23:30 81920 ------w- c:\program files\Common Files\Installshield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-14 01:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-02-17 09:30 5244216 ------w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRMGRTR]
2007-09-05 16:18 200704 ------w- c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
2005-12-01 07:45 77892 ------w- c:\program files\WordPerfect Office X3\Programs\QFSCHD130.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-30 01:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-04-09 07:23 1015808 ------w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 19:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
2007-02-08 21:19 536576 ------w- c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 03:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"btwdins"=2 (0x2)
"Browser Defender Update Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"YahooAUService"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"tvtnetwk"=2 (0x2)
"TVT Scheduler"=2 (0x2)
"TVT Backup Service"=2 (0x2)
"TVT Backup Protection Service"=2 (0x2)
"ThinkVantage Registry Monitor Service"=2 (0x2)
"TabletSVC"=2 (0x2)
"SUService"=2 (0x2)
"SavRoam"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"gupdate"=2 (0x2)
"CVPND"=2 (0x2)
"Bonjour Service"=2 (0x2)
"ASRSVC"=2 (0x2)
"AcSvc"=2 (0x2)
"AcPrfMgrSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/4/2011 12:02 PM 64288]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [9/28/2007 4:28 PM 19504]
R1 TSMSMI;Lenovo System Interface Driver;c:\windows\system32\drivers\tsmsmi32.sys [2/25/2008 11:33 AM 6656]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/3/2010 1:05 AM 1389400]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [3/14/2007 10:10 PM 11152]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2/8/2007 1:11 PM 569344]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/1/2010 2:02 PM 102448]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [5/10/2007 8:34 AM 22832]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [5/22/2007 3:59 PM 30336]
R3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [2/25/2008 11:18 AM 14208]
S3 Normandy;Normandy SR2; [x]
S4 ASRSVC;ASR Service;c:\program files\ThinkPad\Tablet Shortcut\ASR\ASRSVC.exe [2/25/2008 11:33 AM 73728]
S4 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/14/2007 6:48 PM 116416]
S4 TabletSVC;TABLET Service;c:\program files\ThinkPad\Tablet Shortcut\TSMService.exe [2/25/2008 11:33 AM 53248]
.
Contents of the 'Scheduled Tasks' folder

2011-01-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-12-03 09:05]

2008-10-08 c:\windows\Tasks\Backup.job
- c:\windows\system32\ntbackup.exe [2006-04-30 00:12]

2010-12-15 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-02-25 16:18]
.
.
------- Supplementary Scan -------
.
Trusted Zone: motive.com\pattta.att
Trusted Zone: motive.com\patttbc.att
FF - ProfilePath - c:\documents and settings\Media Services\Application Data\Mozilla\Firefox\Profiles\ihqqjzc5.default\
FF - prefs.js: browser.search.selectedEngine - blekko
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-0y3Wnvbr - c:\docume~1\ALLUSE~1\APPLIC~1\0y3Wnvbr.exe
MSConfigStartUp-5FSLeqhPqleMP - c:\docume~1\ALLUSE~1\APPLIC~1\5FSLeqhPqleMP.exe
MSConfigStartUp-j6cMyBGKpIApt - c:\docume~1\ALLUSE~1\APPLIC~1\j6cMyBGKpIApt.exe
MSConfigStartUp-LplGSZtZnZZUw - c:\docume~1\ALLUSE~1\APPLIC~1\LplGSZtZnZZUw.exe
MSConfigStartUp-qDvV2xdr - c:\docume~1\ALLUSE~1\APPLIC~1\qDvV2xdr.exe
MSConfigStartUp-RockMelt Update - c:\documents and settings\Media Services\Local Settings\Application Data\RockMelt\Update\RockMeltUpdate.exe
MSConfigStartUp-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
MSConfigStartUp-TxIgLSBpYUyoPp - c:\documents and settings\All Users\Application Data\TxIgLSBpYUyoPp.exe
MSConfigStartUp-UFPlZYOC411Q - c:\docume~1\ALLUSE~1\APPLIC~1\UFPlZYOC411Q.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-08 17:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Transparent = c:\program files\TweakNow PowerPack 2010\Transparent.exe 231 231?\?????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Lavasoft Kernexplorer]
"ImagePath"="\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1476)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\program files\ThinkVantage Fingerprint Software\pscssint.dll
c:\program files\ThinkVantage Fingerprint Software\crypto.dll

- - - - - - - > 'explorer.exe'(800)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\System32\TPHDEXLG.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\windows\System32\tabbtnu.exe
c:\windows\system32\TpShocks.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2011-01-08 17:52:13 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-09 01:51

Pre-Run: 12,256,428,032 bytes free
Post-Run: 14,391,963,648 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 472411F6C9815CA8ED0272E2612DA88A
--------------------------------

thx, let me know what's next.
-Eric
ericldauster
Regular Member
 
Posts: 16
Joined: January 3rd, 2011, 9:15 pm

Re: Mozilla Browser Hijacked - Google Search Results redirec

Unread postby ericldauster » January 8th, 2011, 10:10 pm

And the browser redirects are still occurring. No change.

Eric
ericldauster
Regular Member
 
Posts: 16
Joined: January 3rd, 2011, 9:15 pm

Re: Mozilla Browser Hijacked - Google Search Results redirec

Unread postby deltalima » January 9th, 2011, 7:42 am

Hi ericldauster,

GooredFix
Please download GooredFix...by jpshortstuff. Save it to your desktop.
Alternate download site.
  1. Ensure all Firefox windows are closed.
  2. Double-click GooredFix.exe to run it.
  3. When prompted to run the scan, click Yes.
    GooredFix will check for infections, and then a log file will open... named "GooredFix.txt".
  4. Please copy and paste the contents of the GooredFix.txt file in your next reply.

TDSSKiller

  • Please Download TDSSKiller.zip and save it on your desktop.
  • Extract (unzip) its contents to your Desktop.
  • Double-click the TDSSKiller Folder on your desktop.
  • Right-click on TDSSKiller.exe and click Copy then Paste it directly on to your Desktop.
  • Important!: Run this fix once and once only.
  • Double-click the TDSSKiller icon on your desktop, then click Start scan.
  • A box will appear saying System scan completed.
  • If any Malicious objects are found click Cure > Continue > Reboot now.
  • A log file should be created on your C: drive named something like TDSSKiller.2.4.0.0 24.07.2010.
  • To find the log click Start > Computer > C:.
  • Please post the contents of that log in your next reply.

Now please run Malwarebytes, update and then run a quick scan and post the log in your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Mozilla Browser Hijacked - Google Search Results redirec

Unread postby ericldauster » January 9th, 2011, 3:53 pm

TDSSKiller downloaded and I ran it, but it never produced the log or otherwise showed that it was running.

Here's the Goored log:

---------------------------

GooredFix by jpshortstuff (03.07.10.1)
Log created at 11:43 on 09/01/2011 (Media Services)
Firefox version 3.6.13 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [23:16 01/01/2011]
{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} [00:57 03/01/2011]

C:\Documents and Settings\Media Services\Application Data\Mozilla\Firefox\Profiles\ihqqjzc5.default\extensions\
{7b13ec3e-999a-4b70-b9cb-2617b8323822} [03:42 27/07/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [13:18 15/08/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [00:57 03/01/2011]

-=E.O.F=-
----------------------
ericldauster
Regular Member
 
Posts: 16
Joined: January 3rd, 2011, 9:15 pm