
Browser Redirect

Unread postby kauhikoa » July 10th, 2011, 3:38 pm

Hi,

First time here. I suspect TDSS. Found your site. Appreciate the help....

Rich

DDS (Ver_2011-06-23.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702
Run by Administrator at 9:24:38 on 2011-07-10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.2354 [GMT -10:00]
.
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\Engine\18.6.0.29\Navw32.exe
C:\Program Files\Malware\mab.exe
.
============== Pseudo HJT Report ===============
.
BHO: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.6.0.29\ips\IPSBHO.DLL
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: GamesBarBHO Class: {cb0d163c-e9f4-4236-9496-0597e24b23a5} - c:\program files\gamesbar\2.0.1.67\oberontb.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll
TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
TB: GamesBar: {6f282b65-56bf-4bd1-a8b2-a4449a05863d} - c:\program files\gamesbar\2.0.1.67\oberontb.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [Zenview Manager] "c:\program files\zenview manager\UltraMon.exe" /auto
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [<NO NAME>]
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 10.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 10.0\acrobat\Acrotray.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malware\mbamgui.exe /install /silent
mRunOnce: [FixTDSS] cmd /c start /D "c:\documents and settings\administrator.stratosphere.002\Desktop" /B fix.exe -postboot
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1A93C934-025B-4c3a-B38E-9654A7003239} - {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - c:\program files\gamesbar\2.0.1.67\oberontb.dll
LSP: mswsock.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupda ... 8585202328
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microso ... 8641333703
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{D2D6E336-2636-466B-8723-AD848D6414BF} : DhcpNameServer = 192.168.0.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R0 FixTDSS;TDSS Fixtool driver;c:\windows\system32\drivers\FixTDSS.sys [2011-7-10 26872]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1206000.01d\symds.sys [2011-5-9 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1206000.01d\symefa.sys [2011-5-9 744568]
S0 12282879;12282879;c:\windows\system32\drivers\92771921.sys --> c:\windows\system32\drivers\92771921.sys [?]
S0 SMR200;Symantec SMR Utility Service 2.0.0;c:\windows\system32\drivers\smr200.sys --> c:\windows\system32\drivers\SMR200.SYS [?]
S1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\bashdefs\20110701.001\BHDrvx86.sys [2011-7-5 810616]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1206000.01d\ironx86.sys [2011-5-9 136312]
S2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2006-2-28 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\googleupdate.exe /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.6.0.29\ccsvchst.exe [2011-5-9 130008]
S2 UltraMonUtility;UltraMon Utility Driver;c:\program files\common files\realtime soft\ultramonmirrordrv\x32\UltraMonUtility.sys [2005-8-16 10496]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-9 105592]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\googleupdate.exe /medsvc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\ipsdefs\20110708.032\IDSXpx86.sys [2011-7-8 355256]
S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20110709.002\NAVENG.SYS [2011-7-9 86008]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20110709.002\NAVEX15.SYS [2011-7-9 1542392]
S3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [2005-8-16 3328]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2006-2-28 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-07-10 17:47:55 26872 ----a-w- c:\windows\system32\drivers\FixTDSS.sys
2011-07-10 17:05:41 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-10 17:05:37 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-10 15:54:48 -------- d-----w- c:\documents and settings\administrator.stratosphere.002\application data\FixTDSS
2011-07-10 15:13:09 -------- d-----w- c:\program files\Malware
2011-07-10 15:08:09 -------- d-----w- c:\documents and settings\administrator.stratosphere.002\application data\Malwarebytes
2011-07-10 04:29:26 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-07-10 04:29:26 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-10 02:52:30 -------- d-----w- c:\program files\File Type Assistant
2011-07-10 01:34:32 -------- d-----w- c:\documents and settings\all users\application data\regid.1986-12.com.adobe
2011-07-10 01:18:37 -------- d-----w- c:\program files\common files\Akamai
2011-07-09 19:36:34 -------- d-----w- c:\documents and settings\all users\application data\WEBREG
2011-07-03 16:48:31 -------- d-----w- c:\documents and settings\all users\application data\1Click DVDTOIPOD
2011-07-02 06:46:25 -------- d-----w- c:\program files\LG Software Innovations
2011-06-19 22:38:43 -------- d-----w- c:\program files\iPod
2011-06-19 22:38:40 -------- d-----w- c:\program files\iTunes
2011-06-16 02:55:16 105472 -c----w- c:\windows\system32\dllcache\mup.sys
.
==================== Find3M ====================
.
2011-07-10 17:32:21 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-05-10 18:06:08 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-05-10 18:06:08 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-05-09 22:58:11 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-05-09 22:58:10 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-05-08 21:38:41 18816 ----a-w- c:\windows\system32\drivers\dvd43llh.sys
2011-05-04 14:52:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 12:25:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-04-13 22:40:10 4284416 ----a-w- c:\windows\system32\GPhotos.scr
.
============= FINISH: 9:24:52.34 ===============
kauhikoa
Active Member
Posts: 6
Joined: July 10th, 2011, 3:15 pm

Re: Browser Redirect

Unread postby diver79 » July 13th, 2011, 4:37 pm

Hi and welcome to MalwareRemoval.com, sorry for any delay in answering your request for help, the forum is really busy.
My name is Diver79, and I will be helping you with your malware problems. I am currently in training at the Malware University. All of my instructions need to be checked and approved by a teacher, which may lead to a slight delay.

Before we start please note the following important guidelines.
  • The instructions being given are for YOUR computer only! Using these instructions on a different computer, can make it inoperable!
  • If you don't know or understand something, please don't hesitate to ask.
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • Please DO NOT install any other software (or hardware) during the cleaning process.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Note: No Reply Within 3 Days Will Result In Your Topic Being Closed!
Note: If you haven't done so already, please ensure you have read the following article. ALL USERS OF THIS FORUM MUST READ THIS FIRST where the conditions for receiving help here are explained.
Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.
Because of this, I advise you to backup any personal files and folders before you start.
How do I backup my files and folders in XP?
How to backup your data - Vista/Win7

Checking your logs now; I will post back soon. In the meantime, can you run DDS again and post the other log file, titled Attach.txt?
diver79
Retired Graduate
 
Posts: 1004
Joined: January 3rd, 2010, 7:03 pm

Re: Browser Redirect

Unread postby kauhikoa » July 13th, 2011, 5:14 pm

Hello Diver79,

Thank you so much for your help. I know you are very busy. It has been some time since my original post, so I have tried to fix the problem myself. The virus appears to be gone, but XP boots very slowly now. I've included today's DDS. I promise to only follow your instructions from here on out. Again, thank you.

Rich


DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Richie at 10:55:21 on 2011-07-13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.2056 [GMT -10:00]
.
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\Program Files\Zenview Manager\UltraMon.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\PCPitstop\Info Center\InfoCenter.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Garmin\gStart.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\PCPitstop\Download Nitro\pcpitstop-nitro.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Webshots\3.1.5.7619\webshots.scr
C:\Program Files\Adobe\Acrobat 10.0\Acrobat\AcroTray.exe
C:\Program Files\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Richie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Richie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Richie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Richie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Richie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://gbt.toolbarhome.com/?hp=df
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.6.0.29\ips\IPSBHO.DLL
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [Google Update] "c:\documents and settings\richie\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SearchEngineProtection] c:\program files\gamesbar\SearchEngineProtection.exe
uRun: [gStart] c:\garmin\gStart.exe
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [DriverScanner] "c:\program files\uniblue\driverscanner\launcher.exe" delay 20000
uRun: [vProt] c:\program files\gamebox\vprot.exe
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [Download Nitro] "c:\program files\pcpitstop\download nitro\pcpitstop-nitro.exe" -autorun
uRun: [Adobe Acrobat Synchronizer] "c:\program files\adobe\acrobat 10.0\acrobat\AdobeCollabSync.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [Zenview Manager] "c:\program files\zenview manager\UltraMon.exe" /auto
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
mRun: [Anti-phishing Domain Advisor] "c:\documents and settings\all users\application data\anti-phishing domain advisor\visicom_antiphishing.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 10.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 10.0\acrobat\Acrotray.exe"
mRun: [Info Center] c:\program files\pcpitstop\info center\InfoCenter.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [<NO NAME>]
StartupFolder: c:\docume~1\richie\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\3.1.5.7619\Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Free YouTube to Mp3 Converter - c:\documents and settings\richie\application data\dvdvideosoftiehelpers\youtubetomp3.htm
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: mswsock.dll
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/Nirvana/ ... cmatic.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupda ... 8585202328
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microso ... 8641333703
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/da2/PCPitStop2.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{D2D6E336-2636-466B-8723-AD848D6414BF} : DhcpNameServer = 192.168.0.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1206000.01d\symds.sys [2011-5-9 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1206000.01d\symefa.sys [2011-5-9 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\bashdefs\20110701.001\BHDrvx86.sys [2011-7-5 810616]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1206000.01d\ironx86.sys [2011-5-9 136312]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2006-2-28 14336]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.6.0.29\ccsvchst.exe [2011-5-9 130008]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\common files\realtime soft\ultramonmirrordrv\x32\UltraMonUtility.sys [2005-8-16 10496]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-9 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\ipsdefs\20110712.034\IDSXpx86.sys [2011-7-12 355256]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20110713.003\NAVENG.SYS [2011-7-13 86008]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20110713.003\NAVEX15.SYS [2011-7-13 1542392]
R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [2005-8-16 3328]
S0 12282879;12282879;c:\windows\system32\drivers\92771921.sys --> c:\windows\system32\drivers\92771921.sys [?]
S0 SMR200;Symantec SMR Utility Service 2.0.0;c:\windows\system32\drivers\smr200.sys --> c:\windows\system32\drivers\SMR200.SYS [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\pcpitstop\PCPitstopScheduleService.exe [2011-7-10 91304]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2006-2-28 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-07-12 00:55:03 -------- d-----w- c:\program files\common files\Akamai
2011-07-12 00:27:53 271704 ----a-r- c:\windows\system32\hpzids01.dll
2011-07-12 00:27:52 274944 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpzpp5ha.dll
2011-07-12 00:27:52 118272 ----a-w- c:\windows\system32\hpz3l5ha.dll
2011-07-12 00:27:11 970752 ----a-r- c:\windows\system32\hpotiop5.dll
2011-07-12 00:27:11 729088 ----a-r- c:\windows\system32\hpowiax5.dll
2011-07-12 00:27:11 364544 ----a-r- c:\windows\system32\hppldcoi.dll
2011-07-12 00:27:11 309760 ----a-r- c:\windows\system32\difxapi.dll
2011-07-12 00:27:11 303104 ----a-r- c:\windows\system32\hpovst12.dll
2011-07-12 00:27:09 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2011-07-12 00:27:09 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
2011-07-12 00:18:48 -------- d-----w- c:\program files\common files\HP
2011-07-12 00:02:45 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-12 00:02:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-12 00:02:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-12 00:01:56 18816 ----a-w- c:\windows\system32\drivers\dvd43llh.sys
2011-07-12 00:01:56 -------- d-----w- c:\program files\dvd43
2011-07-11 23:40:54 259604 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-07-11 23:40:54 259604 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-07-11 23:40:54 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-07-11 23:40:40 944232 ----a-w- c:\windows\system32\nvdispco3220140.dll
2011-07-11 23:40:40 855656 ----a-w- c:\windows\system32\nvgenco322060.dll
2011-07-11 23:40:40 61440 ----a-w- c:\windows\system32\OpenCL.dll
2011-07-11 23:40:40 5210112 ----a-w- c:\windows\system32\nvcuda.dll
2011-07-11 23:40:40 2770536 ----a-w- c:\windows\system32\nvcuvid.dll
2011-07-11 23:40:40 2116894 ----a-w- c:\windows\system32\nvdata.bin
2011-07-11 23:40:40 2074216 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-07-11 23:40:40 13000704 ----a-w- c:\windows\system32\nvcompiler.dll
2011-07-11 23:30:50 -------- d-----w- c:\documents and settings\all users\application data\PCPitstopDat
2011-07-11 23:23:00 -------- d-----w- c:\documents and settings\richie\application data\Free Download Manager
2011-07-11 04:08:58 266360 ----a-w- c:\windows\system32\TweakUI.exe
2011-07-11 02:20:49 -------- d-----w- c:\documents and settings\richie\local settings\application data\VS Revo Group
2011-07-11 00:42:35 -------- d-s---w- C:\ComboFix
2011-07-11 00:34:08 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2011-07-11 00:34:07 -------- d-----w- c:\program files\VS Revo Group
2011-07-11 00:00:57 -------- d-----w- c:\windows\pss
2011-07-10 23:08:22 -------- d-----w- C:\DVR112D
2011-07-10 22:52:25 -------- d-----w- c:\documents and settings\richie\application data\3v
2011-07-10 22:51:43 -------- d-----w- c:\documents and settings\richie\application data\GameBox
2011-07-10 22:51:42 -------- d-----w- c:\documents and settings\richie\local settings\application data\antiphishing-radarsync1_0dn
2011-07-10 22:51:40 -------- d-----w- c:\documents and settings\all users\application data\Anti-phishing Domain Advisor
2011-07-10 22:42:51 -------- d-----w- c:\documents and settings\all users\Uniblue
2011-07-10 22:42:48 -------- d-----w- c:\documents and settings\richie\application data\Uniblue
2011-07-10 22:42:41 -------- d-----w- c:\program files\Uniblue
2011-07-10 22:37:03 -------- d-----w- c:\program files\PCPitstop
2011-07-10 22:37:03 -------- d-----w- c:\documents and settings\all users\application data\PCPitstop
2011-07-10 22:31:36 -------- d-----w- c:\program files\Defraggler
2011-07-10 22:27:46 -------- d-----w- c:\program files\FileHippo.com
2011-07-10 22:14:55 -------- d-----w- c:\windows\048298C9A4D3490B9FF9AB023A9238F3.TMP
2011-07-10 14:18:53 -------- d-----w- c:\documents and settings\richie\local settings\application data\NPE
2011-07-10 04:29:26 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-07-10 04:29:26 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-10 03:38:57 -------- d-----w- c:\documents and settings\richie\application data\Tific
2011-07-10 03:38:55 -------- d-----w- c:\documents and settings\richie\local settings\application data\Symantec
2011-07-10 02:52:30 -------- d-----w- c:\program files\File Type Assistant
2011-07-10 02:19:49 -------- d-----w- c:\documents and settings\richie\application data\GetRightToGo
2011-07-10 01:34:32 -------- d-----w- c:\documents and settings\all users\application data\regid.1986-12.com.adobe
2011-07-09 19:36:34 -------- d-----w- c:\documents and settings\all users\application data\WEBREG
2011-07-09 19:35:08 -------- d-----w- c:\documents and settings\richie\local settings\application data\HP
2011-07-03 16:48:31 -------- d-----w- c:\documents and settings\all users\application data\1Click DVDTOIPOD
2011-07-02 06:46:25 -------- d-----w- c:\program files\LG Software Innovations
2011-06-19 22:38:43 -------- d-----w- c:\program files\iPod
2011-06-19 22:38:40 -------- d-----w- c:\program files\iTunes
2011-06-16 02:55:16 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-06-14 07:04:07 -------- d-----w- c:\documents and settings\richie\local settings\application data\1Click DVD Copy Pro
.
==================== Find3M ====================
.
2011-07-10 17:32:21 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-05-10 18:06:08 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-05-10 18:06:08 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-05-09 22:58:11 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-05-09 22:58:10 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-05-04 14:52:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 12:25:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
============= FINISH: 10:55:50.62 ===============

Re: Browser Redirect

Post by diver79 » July 17th, 2011, 7:03 am

Hi kauhikoa,

Step 1 - Combofix log file
From your log I can see you have previously used Combofix. Please note that Combofix is an extremely powerful tool that should not be used without the assistance of a trained malware fighter.

Combofix should have saved a log file at "C:\ComboFix.txt". Can you copy the contents of this log into your next reply?


Step 2 - DDS Attach.txt log
DDS, when run, should produce two log files. One of these is called Attach.txt. I will also need this log. Can you run DDS again and post the contents of the Attach.txt log?


Step 3 - Online Multi Antivirus file scan
Please go to either Jotti or VirusTotal and upload -only one file per scan- the following file(s) for scanning:

c:\windows\system32\drivers\92771921.sys
c:\windows\048298C9A4D3490B9FF9AB023A9238F3.TMP


Using Jotti
  1. Choose the appropriate language. Once a language is selected, you will see the message "Ready to receive files".
  2. Copy -one- file name from the list and press the Browse button.
  3. Paste the copied file name into the "file name" area of the "Choose file to upload" window, then press Open.
     The file name should now appear in the online scanner's "File to scan:" box.
  4. Click on the Submit button.
     If you receive the message "This file has been scanned before. The results for this previous scan are listed below.",
     please press the Scan again button so your file will be scanned.
  5. The file will be uploaded and scanned by various antivirus scanners; this may take a few minutes.
  6. When all scans have completed, highlight the results text from the Jotti malware scan box.
  7. Copy the selected text, open Notepad, paste the contents into Notepad and save the file to a convenient place.
  8. Please repeat this procedure for each file listed above.
  9. Paste the contents of all the Jotti scan results in your next reply.

Using VirusTotal
  1. Copy -one- file name from the list and press the Browse button.
  2. Paste the copied file name into the "file name" area of the "Choose file to upload" window, then press Open.
     The file name should now appear in the online scanner's text entry box.
  3. Click on the Send File button.
  4. The file will be queued, uploaded and scanned by various antivirus scanners; this may take a few minutes.
     If you receive the message "File has already been analysed:",
     please press the Reanalyse file now button so your file will be scanned.
  5. When the scan is completed, press the "Compact" icon.
  6. The results will be shown in a grid-like window. Right-click on the text, choose Select All, then Copy the entire contents.
  7. Open Notepad, paste the result contents into the Notepad window and save this file to a convenient place.
  8. Please repeat this procedure for each file listed above.
  9. Paste the contents of all the VirusTotal results in your next reply.

Thanks,

diver79

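The triage steps in diver79's reply (pick out the files worth a multi-engine scan, then submit each one, re-scanning if the site has seen it before) can be scripted against the DDS listing itself. The following is an added example for this thread, not code from DDS, Jotti, VirusTotal or any of the posts: it parses DDS file-listing lines (the sample lines are copied from the log posted above and embedded so it runs offline), flags paths by two heuristics chosen for the example (an all-digit driver name under system32\drivers and a 32-hex-character .TMP object directly under the Windows directory; the two files diver79 lists each match one), checks that dllcache copies and live copies agree in size, and hashes any file it can read so it can be looked up on VirusTotal by SHA-256 before being uploaded. The heuristics, the function names and the report URL format are assumptions made for the example; a matching path is something to scan, not a verdict.

```python
"""DDS listing triage and hash lookup. Added example for this thread; not code
from DDS, Jotti, VirusTotal or any post above. The heuristics are assumptions
chosen for the example: legitimate files can match them, so they pick what to
scan rather than convict anything."""
import hashlib
import re
from typing import List, NamedTuple, Optional, Tuple

# One DDS "Created Last 30"/"Find3M" line: timestamp, size (eight dashes for a
# directory), eight attribute flags, then the path.
_DDS_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+|-{8})\s+(?P<attrs>[-a-z]{8})\s+(?P<path>\S.*?)\s*$",
    re.IGNORECASE,
)

# Sample input copied from the log posted above (constructed test data).
SAMPLE_LOG = r"""
2011-07-10 22:31:36 -------- d-----w- c:\program files\Defraggler
2011-07-10 22:14:55 -------- d-----w- c:\windows\048298C9A4D3490B9FF9AB023A9238F3.TMP
2011-06-16 02:55:16 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
==================== Find3M ====================
"""


class Entry(NamedTuple):
    ts: str
    size: Optional[int]  # None for a directory
    attrs: str
    path: str


def parse_dds(text: str) -> List[Entry]:
    """Parse listing lines; headers, '.' separators and blanks are skipped."""
    out = []
    for line in text.splitlines():
        m = _DDS_LINE.match(line.strip())
        if m:
            size = None if m["size"].startswith("-") else int(m["size"])
            out.append(Entry(m["ts"], size, m["attrs"].lower(), m["path"]))
    return out


# Heuristic 1 (assumed): a kernel driver whose file name is only digits.
_NUMERIC_DRIVER = re.compile(r"\\drivers\\\d+\.sys$", re.IGNORECASE)
# Heuristic 2 (assumed): a 32-hex-character .TMP object directly under the
# Windows directory.
_HEX_TMP = re.compile(r"^[a-z]:\\windows\\[0-9a-f]{32}\.tmp$", re.IGNORECASE)


def why_suspicious(path: str) -> Optional[str]:
    """Reason a path is worth a multi-engine scan, or None."""
    if _NUMERIC_DRIVER.search(path):
        return "kernel driver with an all-digit name"
    if _HEX_TMP.match(path):
        return "32-hex-character .TMP object directly under the Windows directory"
    return None


def triage(text: str) -> List[Entry]:
    """Entries from a DDS listing that match a heuristic."""
    return [e for e in parse_dds(text) if why_suspicious(e.path)]


def dllcache_mismatches(entries: List[Entry]) -> List[Tuple[Entry, Entry]]:
    """(dllcache copy, live copy) pairs whose sizes differ. Windows File
    Protection normally keeps the dllcache copy identical to the live one in
    system32 or system32\\drivers, so a size difference means one was replaced."""
    by_path = {e.path.lower(): e for e in entries if e.size is not None}
    pairs = []
    for p, cached in by_path.items():
        if "\\dllcache\\" not in p:
            continue
        root, name = p.split("\\dllcache\\", 1)
        for live in (root + "\\" + name, root + "\\drivers\\" + name):
            if live in by_path and by_path[live].size != cached.size:
                pairs.append((cached, by_path[live]))
    return pairs


def sha256_of(path: str) -> Optional[str]:
    """SHA-256 of a file, or None if it cannot be opened (absent or locked)."""
    try:
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        return h.hexdigest()
    except OSError:
        return None


def vt_report_url(sha256_hex: str) -> str:
    """VirusTotal web report for a hash: look the hash up before uploading, so
    a file that was analysed before is not sent again."""
    return "https://www.virustotal.com/gui/file/" + sha256_hex


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        digest = sha256_of(e.path)
        print(e.path, "-", why_suspicious(e.path))
        print("   ", vt_report_url(digest) if digest else "(not readable here; upload the file itself)")
    for cached, live in dllcache_mismatches(parse_dds(SAMPLE_LOG)):
        print("size mismatch:", cached.path, cached.size, "vs", live.path, live.size)
```

Run it against a full DDS.txt by replacing SAMPLE_LOG with the file's contents. On the sample above only the .TMP directory is flagged, and the two mup.sys entries agree in size, so no mismatch is reported; a file the script cannot read on the live system still has to be submitted by hand as the reply describes.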
Re: Browser Redirect

Post by Cypher » July 20th, 2011, 11:15 am

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.