My Google has been hijacked!

August 3, 2011 at 17:19:35
Specs: Windows XP
I've run Malwarebytes and HijackThis. Enclosed are the logs.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:13:18 PM, on 8/3/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxdncoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\windows\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\windows\system32\svchost.exe
C:\windows\system32\RUNDLL32.EXE
C:\Program Files\Lexmark 2600 Series\lxdnmon.exe
C:\Program Files\Lexmark 2600 Series\lxdnMsdMon.exe
C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\windows\system32\wuauclt.exe
C:\windows\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
O2 - BHO: (no name) - {0E3A92C0-3862-49B2-A02E-39D6106E77Fd} - C:\windows\system32\audiosrv32.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\IPS\IPSBHO.DLL
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [lxdnmon.exe] "C:\Program Files\Lexmark 2600 Series\lxdnmon.exe"
O4 - HKLM\..\Run: [lxdnamon] "C:\Program Files\Lexmark 2600 Series\lxdnamon.exe"
O4 - HKLM\..\Run: [PC Pitstop Diskmd3 Reminder] C:\Program Files\PCPitstop\DiskMD3\Reminder-Diskmd3.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKLM\..\Policies\Explorer\Run: [] 
O4 - HKUS\S-1-5-19\..\RunOnce: [] (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [] (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www1.pcpitstop.com/betapit/P...
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls...
O16 - DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} (diskhealth Class) - http://utilities.pcpitstop.com/Disk...
O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} (Photo Upload Plugin Class) - http://www.cvsphoto.com/upload/acti...
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/get...
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr0...
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Opti...
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxdnCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdnserv.exe
O23 - Service: lxdn_device - - C:\WINDOWS\system32\lxdncoms.exe
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: PCPitstop Scheduling - PC Pitstop LLC - C:\Program Files\PCPitstop\PCPitstopScheduleService.exe

--
End of file - 8555 bytes

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7367

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/3/2011 5:04:13 PM
mbam-log-2011-08-03 (17-04-13).txt

Scan type: Quick scan
Objects scanned: 158541
Time elapsed: 9 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



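The HijackThis log above is a flat text format: a process list, then one line per registry or browser item prefixed with a section code (R0, O2, O4, O23, ...). The following is an added example, not code from the thread or from the HijackThis tool, that parses that layout and pulls out the entries a reviewer would look at first: BHOs with "(no name)", entries that point at "(no file)", and services with an empty vendor field. These are review flags for a human, not verdicts. The sample log, GUIDs, file names and the function names `parse_hjt` and `triage` are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v2 log layout; placeholder GUIDs and file
# names, not the thread's real log.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:13:18 PM, on 8/3/2011

Running processes:
C:\windows\System32\smss.exe
C:\windows\Explorer.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\windows\system32\example32.dll
O2 - BHO: AcroIEHelperStub - {00000000-0000-0000-0000-000000000002} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000003} - (no file)
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O23 - Service: example_device - - C:\windows\system32\exampledev.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
--
End of file - 1234 bytes
"""

# "R0 - ...", "O2 - ...", "F1 - ...", "N3 - ..." section prefixes used by HJT
ENTRY_RE = re.compile(r"^(?P<section>[RFON]\d+) - (?P<body>.*)$")
# Lines in the "Running processes:" block are plain drive-letter paths
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")


def parse_hjt(text):
    """Split a HijackThis log into (running processes, {section: [entry bodies]})."""
    processes = []
    entries = defaultdict(list)
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            # First section entry ends the process block
            in_processes = False
            entries[m.group("section")].append(m.group("body"))
        elif in_processes and PROCESS_RE.match(line):
            processes.append(line)
    return processes, dict(entries)


def triage(entries):
    """Return (section, reason, entry) for items lacking identifying detail.

    Each flag means "look at this by hand", nothing more: a legitimate add-on
    can be unnamed, and an orphaned registry entry is often just leftover
    from an uninstall.
    """
    flags = []
    for body in entries.get("O2", []):
        if body.startswith("BHO: (no name)"):
            flags.append(("O2", "unnamed BHO", body))
    for section, bodies in entries.items():
        for body in bodies:
            if body.endswith("(no file)"):
                flags.append((section, "registry entry points at a missing file", body))
    for body in entries.get("O23", []):
        # O23 layout is "Service: name - vendor - path"; an empty vendor
        # field shows up as " - - "
        if " - - " in body:
            flags.append(("O23", "service with no vendor string", body))
    return flags


if __name__ == "__main__":
    procs, sections = parse_hjt(SAMPLE_LOG)
    print(f"{len(procs)} running processes, sections: {sorted(sections)}")
    for section, reason, body in triage(sections):
        print(f"[{section}] {reason}: {body}")
```

Run against a real log, the output is a short list to check one item at a time (GUID lookup, file properties, signer) instead of reading 60 lines top to bottom; the entries with a name, a vendor and an existing file are left for a second pass.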

#1
August 3, 2011 at 19:12:26

Please download aswMBR:
http://public.avast.com/~gmerek/asw...
Save it to the Desktop.

XP users - Double-click aswMBR.exe to start the tool.

Click Scan

Upon completion of the scan, click ‘Save log’ and save it to the Desktop.
Note - Do NOT attempt to fix anything!!

Please post the log produced by aswMBR in your next reply.


Also, you will notice that another file is created on the Desktop. It is named MBR.dat.

If you have a USB flash drive, please move the mbr.dat file to it.
If not, move the mbr.dat from the Desktop, to the C:\ drive.

This is important, just in case we need to have access to the MBR information!!


Next, download TDSSKiller
http://support.kaspersky.com/downlo...


Execute TDSSKiller.exe by double-clicking on it.

Click: ‘Start Scan’

If Malicious objects are found, DO NOT allow the tool to Cure.
Click the arrow next to 'Cure' and select Skip
We need to see the report first, as it may show false detections!!

Click: 'Continue'

When the tool is done, a log is produced at the root drive which is typically C:\
For example, C:\TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt

Please post the TDSSKiller log in your reply.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#2
August 4, 2011 at 10:10:51
Thanks so much for your help!

The TDSSKiller log is as follows:
2011/08/04 10:06:59.0718 2240 TDSS rootkit removing tool 2.5.13.0 Jul 29 2011 17:24:11
2011/08/04 10:07:00.0093 2240 ================================================================================
2011/08/04 10:07:00.0093 2240 SystemInfo:
2011/08/04 10:07:00.0093 2240
2011/08/04 10:07:00.0093 2240 OS Version: 5.1.2600 ServicePack: 3.0
2011/08/04 10:07:00.0093 2240 Product type: Workstation
2011/08/04 10:07:00.0093 2240 ComputerName: HOME-D8E11AD34A
2011/08/04 10:07:00.0093 2240 UserName: Owner
2011/08/04 10:07:00.0093 2240 Windows directory: C:\windows
2011/08/04 10:07:00.0093 2240 System windows directory: C:\windows
2011/08/04 10:07:00.0093 2240 Processor architecture: Intel x86
2011/08/04 10:07:00.0093 2240 Number of processors: 1
2011/08/04 10:07:00.0093 2240 Page size: 0x1000
2011/08/04 10:07:00.0093 2240 Boot type: Normal boot
2011/08/04 10:07:00.0093 2240 ================================================================================
2011/08/04 10:07:02.0531 2240 Initialize success

The aswMBR log:
aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
Run date: 2011-08-04 09:58:00
-----------------------------
09:58:00.906 OS Version: Windows 5.1.2600 Service Pack 3
09:58:00.906 Number of processors: 1 586 0x7F01
09:58:00.906 ComputerName: HOME-D8E11AD34A UserName: Owner
09:58:02.593 Initialize success
09:58:15.593 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
09:58:15.609 Disk 0 Vendor: Maxtor_4G120J6 GAK819K0 Size: 117246MB BusType: 3
09:58:15.609 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
09:58:15.609 Disk 1 Vendor: WDC_WD1600BB-22GUA0 08.02D08 Size: 152627MB BusType: 3
09:58:17.625 Disk 0 MBR read successfully
09:58:17.625 Disk 0 MBR scan
09:58:17.625 Disk 0 Windows XP default MBR code
09:58:17.625 Disk 0 scanning sectors +240107490
09:58:17.703 Disk 0 scanning C:\windows\system32\drivers
09:58:29.359 Service scanning
09:58:31.234 Modules scanning
09:58:45.343 Disk 0 trace - called modules:
09:58:45.359 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
09:58:45.375 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8529b030]
09:58:45.875 3 CLASSPNP.SYS[f74c7fd7] -> nt!IofCallDriver -> \Device\0000006a[0x852a12a8]
09:58:45.875 5 ACPI.sys[f735e620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x85247d98]
09:58:45.875 Scan finished successfully
09:59:03.156 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
09:59:03.171 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"



#3
August 4, 2011 at 10:28:30
It does not look as if the TDSSKiller log is all there.

Can you re-post it, please?

Thank you.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.




#4
August 4, 2011 at 12:22:15
2011/08/04 12:20:36.0812 2264 TDSS rootkit removing tool 2.5.13.0 Jul 29 2011 17:24:11
2011/08/04 12:20:37.0218 2264 ================================================================================
2011/08/04 12:20:37.0218 2264 SystemInfo:
2011/08/04 12:20:37.0218 2264
2011/08/04 12:20:37.0218 2264 OS Version: 5.1.2600 ServicePack: 3.0
2011/08/04 12:20:37.0218 2264 Product type: Workstation
2011/08/04 12:20:37.0218 2264 ComputerName: HOME-D8E11AD34A
2011/08/04 12:20:37.0218 2264 UserName: Owner
2011/08/04 12:20:37.0218 2264 Windows directory: C:\windows
2011/08/04 12:20:37.0218 2264 System windows directory: C:\windows
2011/08/04 12:20:37.0218 2264 Processor architecture: Intel x86
2011/08/04 12:20:37.0218 2264 Number of processors: 1
2011/08/04 12:20:37.0218 2264 Page size: 0x1000
2011/08/04 12:20:37.0218 2264 Boot type: Normal boot
2011/08/04 12:20:37.0218 2264 ================================================================================
2011/08/04 12:20:39.0796 2264 Initialize success
2011/08/04 12:21:02.0546 3636 ================================================================================
2011/08/04 12:21:02.0546 3636 Scan started
2011/08/04 12:21:02.0546 3636 Mode: Manual;
2011/08/04 12:21:02.0546 3636 ================================================================================
2011/08/04 12:21:03.0609 3636 ACPI (8fd99680a539792a30e97944fdaecf17) C:\windows\system32\DRIVERS\ACPI.sys
2011/08/04 12:21:03.0671 3636 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\windows\system32\drivers\ACPIEC.sys
2011/08/04 12:21:03.0843 3636 aec (8bed39e3c35d6a489438b8141717a557) C:\windows\system32\drivers\aec.sys
2011/08/04 12:21:03.0984 3636 AFD (355556d9e580915118cd7ef736653a89) C:\windows\System32\drivers\afd.sys
2011/08/04 12:21:04.0250 3636 AmdK8 (efbb0956baed786e137351b5ca272aef) C:\windows\system32\DRIVERS\AmdK8.sys
2011/08/04 12:21:04.0531 3636 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\windows\system32\DRIVERS\asyncmac.sys
2011/08/04 12:21:04.0609 3636 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\windows\system32\DRIVERS\atapi.sys
2011/08/04 12:21:04.0734 3636 Atmarpc (9916c1225104ba14794209cfa8012159) C:\windows\system32\DRIVERS\atmarpc.sys
2011/08/04 12:21:04.0828 3636 audstub (d9f724aa26c010a217c97606b160ed68) C:\windows\system32\DRIVERS\audstub.sys
2011/08/04 12:21:04.0953 3636 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\windows\system32\drivers\Beep.sys
2011/08/04 12:21:05.0265 3636 BHDrvx86 (f7ff24bb7714247f27b615b3a7d8b132) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\BASHDefs\20110723.001\BHDrvx86.sys
2011/08/04 12:21:05.0421 3636 BIOS (be5d50529799b9bab6be879ec768b6cf) C:\WINDOWS\system32\drivers\BIOS.sys
2011/08/04 12:21:05.0515 3636 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\windows\system32\drivers\cbidf2k.sys
2011/08/04 12:21:05.0671 3636 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\windows\system32\drivers\Cdaudio.sys
2011/08/04 12:21:05.0796 3636 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\windows\system32\drivers\Cdfs.sys
2011/08/04 12:21:05.0921 3636 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\windows\system32\DRIVERS\cdrom.sys
2011/08/04 12:21:06.0312 3636 Disk (044452051f3e02e7963599fc8f4f3e25) C:\windows\system32\DRIVERS\disk.sys
2011/08/04 12:21:06.0421 3636 dmboot (d992fe1274bde0f84ad826acae022a41) C:\windows\system32\drivers\dmboot.sys
2011/08/04 12:21:06.0593 3636 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\windows\system32\drivers\dmio.sys
2011/08/04 12:21:06.0687 3636 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\windows\system32\drivers\dmload.sys
2011/08/04 12:21:06.0796 3636 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\windows\system32\drivers\DMusic.sys
2011/08/04 12:21:06.0968 3636 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\windows\system32\drivers\drmkaud.sys
2011/08/04 12:21:07.0093 3636 eeCtrl (8f7dbc4be48f5388a6fe1f285e7948ef) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2011/08/04 12:21:07.0218 3636 EraserUtilRebootDrv (3ee14d400e0fdd0d214275a4a20b7022) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2011/08/04 12:21:07.0359 3636 Fastfat (38d332a6d56af32635675f132548343e) C:\windows\system32\drivers\Fastfat.sys
2011/08/04 12:21:07.0421 3636 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\windows\system32\DRIVERS\fdc.sys
2011/08/04 12:21:07.0468 3636 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\windows\system32\drivers\Fips.sys
2011/08/04 12:21:07.0515 3636 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\windows\system32\drivers\Flpydisk.sys
2011/08/04 12:21:07.0562 3636 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\windows\system32\drivers\fltmgr.sys
2011/08/04 12:21:07.0656 3636 fssfltr (e0087225b137e57239ff40f8ae82059b) C:\windows\system32\DRIVERS\fssfltr_tdi.sys
2011/08/04 12:21:07.0750 3636 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\windows\system32\drivers\Fs_Rec.sys
2011/08/04 12:21:07.0859 3636 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\windows\system32\DRIVERS\ftdisk.sys
2011/08/04 12:21:07.0984 3636 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\windows\system32\DRIVERS\msgpc.sys
2011/08/04 12:21:08.0125 3636 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\windows\system32\DRIVERS\HDAudBus.sys
2011/08/04 12:21:08.0187 3636 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\windows\system32\DRIVERS\hidusb.sys
2011/08/04 12:21:08.0312 3636 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\windows\system32\Drivers\HTTP.sys
2011/08/04 12:21:08.0515 3636 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\windows\system32\DRIVERS\i8042prt.sys
2011/08/04 12:21:08.0781 3636 IDSxpx86 (b9ba869eb7b66c5740e904a79f9245b4) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\IPSDefs\20110803.030\IDSxpx86.sys
2011/08/04 12:21:08.0953 3636 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\windows\system32\DRIVERS\imapi.sys
2011/08/04 12:21:09.0296 3636 IntcAzAudAddService (3fd00a073361937b705822775255d4e0) C:\windows\system32\drivers\RtkHDAud.sys
2011/08/04 12:21:09.0656 3636 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\windows\system32\drivers\ip6fw.sys
2011/08/04 12:21:09.0781 3636 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\windows\system32\DRIVERS\ipfltdrv.sys
2011/08/04 12:21:09.0921 3636 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\windows\system32\DRIVERS\ipinip.sys
2011/08/04 12:21:10.0093 3636 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\windows\system32\DRIVERS\ipnat.sys
2011/08/04 12:21:10.0343 3636 IPSec (23c74d75e36e7158768dd63d92789a91) C:\windows\system32\DRIVERS\ipsec.sys
2011/08/04 12:21:10.0468 3636 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\windows\system32\DRIVERS\irenum.sys
2011/08/04 12:21:10.0578 3636 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\windows\system32\DRIVERS\isapnp.sys
2011/08/04 12:21:10.0656 3636 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\windows\system32\DRIVERS\kbdclass.sys
2011/08/04 12:21:10.0812 3636 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\windows\system32\DRIVERS\kbdhid.sys
2011/08/04 12:21:11.0109 3636 kmixer (692bcf44383d056aed41b045a323d378) C:\windows\system32\drivers\kmixer.sys
2011/08/04 12:21:12.0781 3636 KSecDD (b467646c54cc746128904e1654c750c1) C:\windows\system32\drivers\KSecDD.sys
2011/08/04 12:21:12.0875 3636 L8042Kbd (d88846f9f4f27ae9be584a6e5b6b8753) C:\windows\system32\DRIVERS\L8042Kbd.sys
2011/08/04 12:21:13.0000 3636 L8042mou (bea61fda2103f6f51b14eb0872e8a050) C:\windows\system32\DRIVERS\L8042mou.Sys
2011/08/04 12:21:13.0171 3636 LHidFilt (3fa98339e8d9e007726be62f231e2015) C:\windows\system32\DRIVERS\LHidFilt.Sys
2011/08/04 12:21:13.0296 3636 LMouFilt (f259f758e04d8fb8d48c6cdbe45223e8) C:\windows\system32\DRIVERS\LMouFilt.Sys
2011/08/04 12:21:13.0359 3636 LMouKE (cab504e38fced9a56d87d838e9ba13e9) C:\windows\system32\DRIVERS\LMouKE.Sys
2011/08/04 12:21:13.0468 3636 MBAMSwissArmy (b18225739ed9caa83ba2df966e9f43e8) C:\windows\system32\drivers\mbamswissarmy.sys
2011/08/04 12:21:13.0640 3636 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\windows\system32\drivers\mnmdd.sys
2011/08/04 12:21:13.0718 3636 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\windows\system32\drivers\Modem.sys
2011/08/04 12:21:13.0828 3636 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\windows\system32\DRIVERS\mouclass.sys
2011/08/04 12:21:13.0921 3636 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\windows\system32\DRIVERS\mouhid.sys
2011/08/04 12:21:14.0031 3636 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\windows\system32\drivers\MountMgr.sys
2011/08/04 12:21:14.0171 3636 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\windows\system32\DRIVERS\mrxdav.sys
2011/08/04 12:21:14.0265 3636 MRxSmb (0dc719e9b15e902346e87e9dcd5751fa) C:\windows\system32\DRIVERS\mrxsmb.sys
2011/08/04 12:21:14.0406 3636 Msfs (c941ea2454ba8350021d774daf0f1027) C:\windows\system32\drivers\Msfs.sys
2011/08/04 12:21:14.0500 3636 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\windows\system32\drivers\MSKSSRV.sys
2011/08/04 12:21:14.0625 3636 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\windows\system32\drivers\MSPCLOCK.sys
2011/08/04 12:21:14.0718 3636 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\windows\system32\drivers\MSPQM.sys
2011/08/04 12:21:14.0843 3636 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\windows\system32\DRIVERS\mssmbios.sys
2011/08/04 12:21:14.0953 3636 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\windows\system32\drivers\Mup.sys
2011/08/04 12:21:15.0250 3636 NAVENG (862f55824ac81295837b0ab63f91071f) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\VirusDefs\20110804.002\NAVENG.SYS
2011/08/04 12:21:15.0562 3636 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\VirusDefs\20110804.002\NAVEX15.SYS
2011/08/04 12:21:15.0765 3636 NDIS (1df7f42665c94b825322fae71721130d) C:\windows\system32\drivers\NDIS.sys
2011/08/04 12:21:15.0890 3636 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\windows\system32\DRIVERS\ndistapi.sys
2011/08/04 12:21:16.0000 3636 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\windows\system32\DRIVERS\ndisuio.sys
2011/08/04 12:21:16.0093 3636 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\windows\system32\DRIVERS\ndiswan.sys
2011/08/04 12:21:16.0171 3636 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\windows\system32\drivers\NDProxy.sys
2011/08/04 12:21:16.0265 3636 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\windows\system32\DRIVERS\netbios.sys
2011/08/04 12:21:16.0328 3636 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\windows\system32\DRIVERS\netbt.sys
2011/08/04 12:21:16.0671 3636 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\windows\system32\drivers\Npfs.sys
2011/08/04 12:21:17.0078 3636 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\windows\system32\drivers\Ntfs.sys
2011/08/04 12:21:17.0390 3636 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\windows\system32\drivers\Null.sys
2011/08/04 12:21:17.0718 3636 nv (70cb8915895ccb92ddf23ce890c4f5be) C:\windows\system32\DRIVERS\nv4_mini.sys
2011/08/04 12:21:18.0078 3636 NVENETFD (7d275ecda4628318912f6c945d5cf963) C:\windows\system32\DRIVERS\NVENETFD.sys
2011/08/04 12:21:18.0156 3636 nvgts (ea98bfe4931bd13d747d647c1859796e) C:\windows\system32\DRIVERS\nvgts.sys
2011/08/04 12:21:18.0250 3636 nvnetbus (b64aacefad2be5bff5353fe681253c67) C:\windows\system32\DRIVERS\nvnetbus.sys
2011/08/04 12:21:18.0328 3636 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\windows\system32\DRIVERS\nwlnkflt.sys
2011/08/04 12:21:18.0406 3636 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\windows\system32\DRIVERS\nwlnkfwd.sys
2011/08/04 12:21:18.0531 3636 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\windows\system32\DRIVERS\parport.sys
2011/08/04 12:21:18.0578 3636 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\windows\system32\drivers\PartMgr.sys
2011/08/04 12:21:18.0656 3636 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\windows\system32\drivers\ParVdm.sys
2011/08/04 12:21:18.0750 3636 PCI (a219903ccf74233761d92bef471a07b1) C:\windows\system32\DRIVERS\pci.sys
2011/08/04 12:21:18.0937 3636 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\windows\system32\DRIVERS\pciide.sys
2011/08/04 12:21:19.0015 3636 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\windows\system32\drivers\Pcmcia.sys
2011/08/04 12:21:19.0406 3636 Point32 (2e3394c8ebf31a9b4f0a531eb5cc7bc7) C:\windows\system32\DRIVERS\point32.sys
2011/08/04 12:21:19.0515 3636 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\windows\system32\DRIVERS\raspptp.sys
2011/08/04 12:21:19.0578 3636 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\windows\system32\DRIVERS\processr.sys
2011/08/04 12:21:19.0625 3636 PSched (09298ec810b07e5d582cb3a3f9255424) C:\windows\system32\DRIVERS\psched.sys
2011/08/04 12:21:19.0703 3636 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\windows\system32\DRIVERS\ptilink.sys
2011/08/04 12:21:20.0031 3636 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\windows\system32\DRIVERS\rasacd.sys
2011/08/04 12:21:20.0156 3636 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\windows\system32\DRIVERS\rasl2tp.sys
2011/08/04 12:21:20.0203 3636 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\windows\system32\DRIVERS\raspppoe.sys
2011/08/04 12:21:20.0312 3636 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\windows\system32\DRIVERS\raspti.sys
2011/08/04 12:21:20.0406 3636 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\windows\system32\DRIVERS\rdbss.sys
2011/08/04 12:21:20.0500 3636 RDPCDD (4912d5b403614ce99c28420f75353332) C:\windows\system32\DRIVERS\RDPCDD.sys
2011/08/04 12:21:20.0593 3636 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\windows\system32\DRIVERS\rdpdr.sys
2011/08/04 12:21:20.0687 3636 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\windows\system32\drivers\RDPWD.sys
2011/08/04 12:21:20.0765 3636 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\windows\system32\DRIVERS\redbook.sys
2011/08/04 12:21:20.0906 3636 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\windows\system32\DRIVERS\secdrv.sys
2011/08/04 12:21:20.0968 3636 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\windows\system32\DRIVERS\serenum.sys
2011/08/04 12:21:21.0000 3636 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\windows\system32\DRIVERS\serial.sys
2011/08/04 12:21:21.0062 3636 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\windows\system32\drivers\Sfloppy.sys
2011/08/04 12:21:21.0312 3636 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\windows\system32\drivers\splitter.sys
2011/08/04 12:21:21.0421 3636 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\windows\system32\DRIVERS\sr.sys
2011/08/04 12:21:21.0578 3636 SRTSP (83726cf02eced69138948083e06b6eac) C:\windows\System32\Drivers\NIS\1206000.01D\SRTSP.SYS
2011/08/04 12:21:21.0750 3636 SRTSPX (4e7eab2e5615d39cf1f1df9c71e5e225) C:\windows\system32\drivers\NIS\1206000.01D\SRTSPX.SYS
2011/08/04 12:21:21.0906 3636 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\windows\system32\DRIVERS\srv.sys
2011/08/04 12:21:22.0031 3636 sscdbus (d6870895fe46a464a19141440eb6cc1e) C:\windows\system32\DRIVERS\sscdbus.sys
2011/08/04 12:21:22.0125 3636 sscdmdfl (0fe167362e4689b716cdc8d93adedda8) C:\windows\system32\DRIVERS\sscdmdfl.sys
2011/08/04 12:21:22.0234 3636 sscdmdm (55a15707e32b6709242ad127e62ca55a) C:\windows\system32\DRIVERS\sscdmdm.sys
2011/08/04 12:21:22.0343 3636 sscdserd (9fa66e361a99f8920c7609bae6814a0e) C:\windows\system32\DRIVERS\sscdserd.sys
2011/08/04 12:21:22.0468 3636 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\windows\system32\DRIVERS\swenum.sys
2011/08/04 12:21:22.0578 3636 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\windows\system32\drivers\swmidi.sys
2011/08/04 12:21:22.0812 3636 SymDS (9bbeb8c6258e72d62e7560e6667aad39) C:\windows\system32\drivers\NIS\1206000.01D\SYMDS.SYS
2011/08/04 12:21:23.0015 3636 SymEFA (d5c02629c02a820a7e71bca3d44294a3) C:\windows\system32\drivers\NIS\1206000.01D\SYMEFA.SYS
2011/08/04 12:21:23.0187 3636 SymEvent (ab33c3b196197ca467cbdda717860dba) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
2011/08/04 12:21:23.0328 3636 SymIRON (a73399804d5d4a8b20ba60fcf70c9f1f) C:\windows\system32\drivers\NIS\1206000.01D\Ironx86.SYS
2011/08/04 12:21:23.0562 3636 SYMTDI (dec35ccaf7a222df918306cd2fdfbd39) C:\windows\System32\Drivers\NIS\1206000.01D\SYMTDI.SYS
2011/08/04 12:21:23.0875 3636 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\windows\system32\drivers\sysaudio.sys
2011/08/04 12:21:24.0031 3636 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\windows\system32\DRIVERS\tcpip.sys
2011/08/04 12:21:27.0109 3636 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/08/04 12:21:27.0265 3636 MBR (0x1B8) (1a0cf2f717fd6f57c8577c8fc1dde7fc) \Device\Harddisk1\DR1
2011/08/04 12:21:27.0406 3636 Boot (0x1200) (4b883683273f5f0d8902872b5c8ed056) \Device\Harddisk0\DR0\Partition0
2011/08/04 12:21:27.0437 3636 Boot (0x1200) (a2847d009e6019c73eb4f58eff39ace5) \Device\Harddisk0\DR0\Partition1
2011/08/04 12:21:27.0453 3636 Boot (0x1200) (84f92fc36e8ca5265cd8a0641adee47f) \Device\Harddisk1\DR1\Partition0
2011/08/04 12:21:27.0468 3636 ================================================================================
2011/08/04 12:21:27.0468 3636 Scan finished
2011/08/04 12:21:27.0468 3636 ================================================================================
2011/08/04 12:21:27.0500 3560 Detected object count: 0
2011/08/04 12:21:27.0500 3560 Actual detected object count: 0


#5
August 4, 2011 at 15:21:37
Let's see if this one nails 'whatever' is causing the redirections...


Please download ComboFix:
http://download.bleepingcomputer.co...

Save ComboFix.exe to your Desktop!!

Important:
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of CF.

Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: http://www.bleepingcomputer.com/for...


XP - Double-click on ComboFix.exe to run the program.

Make sure you install the Recovery Console part since you are running Windows XP.

Click on Yes, to continue scanning for malware.

When finished, CF produces a report.

Since this report can also be quite large, please go to the Uploading website:
http://uploading.com/files/upload/

In: Select files to upload, click 'Browse', and 'Look in' the Desktop.
Select the ComboFix report, and click on 'Open'.
You will see the following:
Your file has been uploaded successfully: (Name and size of the file)

Please copy the 'Download link', and provide it in your reply.

Notes:

1. Do not mouse-click the ComboFix window while it is running.
This action may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. CF disconnects your machine from the internet. However, the connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#6

#7
August 5, 2011 at 13:48:13
You need to send me the report that ComboFix produced.

What came through was the ComboFix.exe file!

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#8
August 5, 2011 at 17:31:33
Is this it?

ComboFix 11-08-05.02 - Owner 08/05/2011 16:40:56.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.329 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((( Files Created from 2011-07-05 to 2011-08-05 )))))))))))))))))))))))))))))))
.
.
2011-08-03 23:51 . 2011-08-03 23:51 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2011-08-03 23:50 . 2011-07-07 02:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-03 23:50 . 2011-08-03 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-08-03 23:50 . 2011-07-07 02:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-03 23:50 . 2011-08-03 23:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-08 14:42 . 2011-07-08 14:42 -------- d-----w- C:\Europe Pics2
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-02 14:02 . 2004-08-03 21:17 1858944 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2011-03-04 03:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2011-03-04 03:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2011-03-04 03:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"nwiz"="nwiz.exe" [2008-09-18 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]
"lxdnmon.exe"="c:\program files\Lexmark 2600 Series\lxdnmon.exe" [2008-03-27 660136]
"lxdnamon"="c:\program files\Lexmark 2600 Series\lxdnamon.exe" [2008-03-27 16040]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-11-05 1505144]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-11-05 1468256]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2011-03-04 948880]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxdncoms.exe"=
"c:\\Program Files\\Lexmark 2600 Series\\lxdnmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdntime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnjswx.exe"=
"c:\\Program Files\\Lexmark 2600 Series\\lxdnlscn.exe"=
"c:\\Program Files\\V CAST Music with Rhapsody\\rhapsody.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Lexmark 2600 Series\\Diagnostics\\LXDNdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1206000.01D\symds.sys [5/2/2011 3:09 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1206000.01D\symefa.sys [5/2/2011 3:09 PM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\BASHDefs\20110723.001\BHDrvx86.sys [7/22/2011 5:27 PM 815736]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [8/13/2009 12:34 PM 13696]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1206000.01D\ironx86.sys [5/2/2011 3:09 PM 136312]
R2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.6.0.29\ccsvchst.exe [5/2/2011 3:08 PM 130008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/27/2011 5:09 PM 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\IPSDefs\20110805.030\IDSXpx86.sys [8/5/2011 4:32 PM 355256]
S2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdnserv.exe [1/10/2010 4:40 PM 98984]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [8/3/2011 4:50 PM 41272]
S3 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [9/24/2010 9:09 PM 86016]
.
Contents of the 'Scheduled Tasks' folder
.
2010-12-27 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2009-11-05 20:35]
.
2010-12-27 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2009-11-05 20:45]
.
2011-08-05 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 22:07]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 192.168.15.1
DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} - hxxp://utilities.pcpitstop.com/DiskMD3/DiskMD3Ctrl.dll
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-05 16:49
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3144)
c:\windows\system32\WININET.dll
c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-08-05 16:52:30
ComboFix-quarantined-files.txt 2011-08-05 23:52
ComboFix2.txt 2011-08-05 19:42
.
Pre-Run: 45,148,962,816 bytes free
Post-Run: 45,185,576,960 bytes free
.
- - End Of File - - F7FC15953F2791F9CAFE3ED3F0E8A1A0

Thanks again for your help.



#9
August 5, 2011 at 18:14:08
kingsphan,

How is the redirection issue going? Are you still getting them?

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#10
August 5, 2011 at 19:24:21
I'm not! Thanks for all of your help.
