Author Topic: search engine redirect, and other malware (Read 2440 times)

guestolo · « **Reply #20 on:** July 05, 2010, 12:06:52 AM »

Download a fresh copy of ComboFix from ONLY the following link
[color="#0000FF"]Link [/color]

[color="#FF0000"]Save it ONLY to your Desktop[/color]
Copy ALL the below in the Code box and paste to an empty notepad file
Don't use anything else than notepad or the script will not work
To open Notepad you can go to Start>Programs>> Accessories, and then clicking Notepad.

Code: [Select]

Driver::
caaf
File::
C:\Windows\System32\caaf.sys
C:\Users\KARPE\AppData\Local\Dkobemeyudafa.dat
C:\Users\KARPE\AppData\Local\Sbeliqe.bin
DDS::
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:49617
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000000

Save this as txtfile on your desktop, with the exact name of
CFScript

Temporarily disable Avira AntiVir so it won't interfere with ComboFix
right click it's Umbrella icon by the clock-> untick the option AntiVir Guard enable.

Drag CFScript.txt into ComboFix.exe
Combofix will start>>Follow the prompts
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

When finished, it shall produce a log for you with the same name C:\ComboFix.txt..
I'll need to see that log again

Keep me informed how things are now running

Andy k · « **Reply #21 on:** July 05, 2010, 02:21:43 PM »

Just a heads up, it will be about 6 hours before I'm back with the computer again. I'll post the logs then.
Thanks again for all your help

Andy k · « **Reply #22 on:** July 05, 2010, 09:39:30 PM »

Redirect issue appears to be fixed

ComboFix 10-07-04.04 - KARPE 07/05/2010 22:11:24.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1982.915 [GMT -4:00]
Running from: c:\users\KARPE\Desktop\ComboFix.exe
Command switches used :: c:\users\KARPE\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\users\KARPE\AppData\Local\Dkobemeyudafa.dat"
"c:\users\KARPE\AppData\Local\Sbeliqe.bin"
"c:\windows\System32\caaf.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\KARPE\AppData\Local\Dkobemeyudafa.dat
c:\users\KARPE\AppData\Local\Sbeliqe.bin
c:\windows\System32\caaf.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CAAF
-------\Service_caaf

((((((((((((((((((((((((( Files Created from 2010-06-06 to 2010-07-06 )))))))))))))))))))))))))))))))
.

2010-07-06 02:21 . 2010-07-06 02:21   --------   d-----w-   c:\users\Public\AppData\Local\temp
2010-07-06 02:21 . 2010-07-06 02:21   --------   d-----w-   c:\users\Mcx3\AppData\Local\temp
2010-07-06 02:21 . 2010-07-06 02:21   --------   d-----w-   c:\users\Mcx2\AppData\Local\temp
2010-07-06 02:21 . 2010-07-06 02:21   --------   d-----w-   c:\users\Mcx1\AppData\Local\temp
2010-07-06 02:21 . 2010-07-06 02:21   --------   d-----w-   c:\users\Default\AppData\Local\temp
2010-07-04 22:35 . 2010-07-04 22:35   --------   d-----w-   c:\program files\Common Files\Java
2010-07-04 22:35 . 2010-07-04 22:34   411368   ----a-w-   c:\windows\system32\deployJava1.dll
2010-07-03 22:10 . 2010-03-01 14:05   124784   ----a-w-   c:\windows\system32\drivers\avipbb.sys
2010-07-03 22:10 . 2010-02-16 18:24   60936   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
2010-07-03 22:10 . 2009-05-11 16:49   51992   ----a-w-   c:\windows\system32\drivers\avgntdd.sys
2010-07-03 22:10 . 2009-05-11 16:49   17016   ----a-w-   c:\windows\system32\drivers\avgntmgr.sys
2010-07-03 22:10 . 2010-07-03 22:10   --------   d-----w-   c:\programdata\Avira
2010-07-03 22:10 . 2010-07-03 22:10   --------   d-----w-   c:\program files\Avira
2010-07-03 18:20 . 2010-07-03 18:19   318976   ----a-w-   c:\windows\system32\CF14123.exe
2010-06-24 07:02 . 2009-11-08 14:55   99176   ----a-w-   c:\windows\system32\PresentationHostProxy.dll
2010-06-24 07:02 . 2009-11-08 14:55   49472   ----a-w-   c:\windows\system32\netfxperf.dll
2010-06-24 07:02 . 2009-11-08 14:55   297808   ----a-w-   c:\windows\system32\mscoree.dll
2010-06-24 07:02 . 2009-11-08 14:55   295264   ----a-w-   c:\windows\system32\PresentationHost.exe
2010-06-24 07:01 . 2009-11-08 14:55   1130824   ----a-w-   c:\windows\system32\dfshim.dll
2010-06-21 01:03 . 2010-06-21 01:03   --------   d-----w-   c:\program files\iPod
2010-06-21 01:03 . 2010-06-21 01:04   --------   d-----w-   c:\program files\iTunes
2010-06-21 00:59 . 2010-06-21 01:00   --------   d-----w-   c:\program files\QuickTime
2010-06-17 17:15 . 2010-06-17 17:15   --------   d-----w-   C:\Malwarebytes' Anti-Malware
2010-06-17 16:11 . 2010-06-17 16:11   --------   d-----w-   c:\programdata\Nike
2010-06-17 16:11 . 2010-06-17 16:11   --------   d-----w-   c:\program files\Nike
2010-06-14 18:47 . 2010-06-14 18:47   --------   d-----w-   c:\users\KARPE\AppData\Local\Threat Expert
2010-06-14 15:59 . 2010-06-14 15:59   --------   d-----w-   c:\users\KARPE\AppData\Roaming\Malwarebytes
2010-06-14 15:59 . 2010-04-29 19:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-14 15:58 . 2010-06-14 15:58   --------   d-----w-   c:\programdata\Malwarebytes
2010-06-14 15:58 . 2010-04-29 19:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-06-09 01:51 . 2010-04-05 17:01   67072   ----a-w-   c:\windows\system32\asycfilt.dll
2010-06-09 01:51 . 2010-05-26 14:47   289792   ----a-w-   c:\windows\system32\atmfd.dll
2010-06-09 01:51 . 2010-05-26 17:06   34304   ----a-w-   c:\windows\system32\atmlib.dll
2010-06-09 01:51 . 2010-05-04 19:15   834048   ----a-w-   c:\windows\system32\wininet.dll
2010-06-09 01:51 . 2010-05-04 18:37   78336   ----a-w-   c:\windows\system32\ieencode.dll
2010-06-09 01:50 . 2010-05-01 14:13   2037248   ----a-w-   c:\windows\system32\win32k.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-06 02:28 . 2008-09-16 00:35   --------   d-----w-   c:\users\KARPE\AppData\Roaming\uTorrent
2010-07-06 02:25 . 2010-04-14 15:37   124344   ----a-w-   c:\programdata\nvModes.dat
2010-07-06 02:22 . 2006-12-21 06:44   12   ----a-w-   c:\windows\bthservsdp.dat
2010-07-05 02:07 . 2010-02-20 01:01   --------   d-----w-   c:\users\KARPE\AppData\Roaming\XBMC
2010-07-03 21:29 . 2006-12-21 07:16   --------   d-----w-   c:\program files\Common Files\Symantec Shared
2010-06-30 15:56 . 2006-12-21 07:02   --------   d-----w-   c:\program files\Hewlett-Packard
2010-06-29 18:36 . 2008-03-24 14:55   --------   d-----w-   c:\users\KARPE\AppData\Roaming\vlc
2010-06-29 14:53 . 2006-11-02 07:26   17446912   ----a-w-   c:\windows\system32\imageres.dll
2010-06-27 03:17 . 2007-02-06 21:53   680   ----a-w-   c:\users\KARPE\AppData\Local\d3d9caps.dat
2010-06-21 01:03 . 2008-08-27 06:34   --------   d-----w-   c:\program files\Common Files\Apple
2010-06-21 00:57 . 2007-03-29 00:46   --------   d-----w-   c:\program files\Apple Software Update
2010-06-21 00:54 . 2008-01-28 18:38   --------   d-----w-   c:\program files\Bonjour
2010-06-18 02:17 . 2008-05-24 20:47   --------   d-----w-   c:\users\KARPE\AppData\Roaming\U3
2010-06-10 14:28 . 2008-09-25 22:38   --------   d-----w-   c:\users\KARPE\AppData\Roaming\dvdcss
2010-06-05 23:13 . 2007-12-20 00:32   --------   d-----w-   c:\program files\Microsoft Silverlight
2010-05-31 04:02 . 2010-04-11 04:38   --------   d-----w-   c:\program files\Ember Media Manager
2010-05-31 03:49 . 2010-05-31 03:49   7310   ----a-w-   c:\program files\InstallTasks.xml
2010-05-31 03:48 . 2010-05-31 03:48   --------   d-----w-   c:\program files\Modules
2010-05-31 03:48 . 2010-05-31 03:48   --------   d-----w-   c:\program files\Bin
2010-05-31 03:48 . 2010-05-31 03:48   --------   d-----w-   c:\program files\Themes
2010-05-31 03:48 . 2010-05-31 03:48   --------   d-----w-   c:\program files\Langs
2010-05-31 03:48 . 2010-05-31 03:48   --------   d-----w-   c:\program files\Images
2010-05-31 03:48 . 2010-05-31 03:48   489472   ----a-w-   c:\program files\EmberAPI.dll
2010-05-31 03:48 . 2010-05-31 03:48   2300928   ----a-w-   c:\program files\Ember Media Manager.exe
2010-05-31 03:48 . 2010-05-31 03:48   886272   ----a-w-   c:\program files\System.Data.SQLite.dll
2010-05-31 03:48 . 2010-05-31 03:48   192512   ----a-w-   c:\program files\ICSharpCode.SharpZipLib.dll
2010-05-31 03:43 . 2010-02-20 01:08   --------   d-----w-   c:\program files\theRenamer
2010-05-26 12:25 . 2008-09-16 00:35   --------   d-----w-   c:\program files\uTorrent
2010-05-21 18:14 . 2009-10-02 22:32   221568   ------w-   c:\windows\system32\MpSigStub.exe
2010-05-18 20:35 . 2010-05-18 20:35   91424   ----a-w-   c:\windows\system32\dnssd.dll
2010-05-18 20:35 . 2010-05-18 20:35   107808   ----a-w-   c:\windows\system32\dns-sd.exe
2010-05-13 07:00 . 2006-11-02 11:18   --------   d-----w-   c:\program files\Windows Mail
2010-04-23 14:13 . 2010-05-25 22:07   2048   ----a-w-   c:\windows\system32\tzres.dll
2010-04-20 00:47 . 2010-04-20 00:47   3062048   ----a-w-   c:\windows\system32\usbaaplrc.dll
2010-04-20 00:47 . 2010-04-20 00:47   41984   ----a-w-   c:\windows\system32\drivers\usbaapl.sys
2010-04-14 15:09 . 2007-01-31 02:33   62947   ----a-w-   c:\users\KARPE\AppData\Roaming\nvModes.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"WTClient"="WTClient.exe" [2007-04-11 40960]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-24 13601312]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-24 92704]
"Nike+ Connect"="c:\program files\Nike\Nike+ Connect\Nike+ Connect daemon.exe" [2010-06-01 299008]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\users\KARPE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2007-7-5 3450608]
ted.exe - Shortcut.lnk - c:\program files\Torrent Episode Downloader\ted.exe [2010-2-19 41984]
uTorrent - Shortcut.lnk - c:\program files\uTorrent\uTorrent.exe [2008-9-15 322352]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-18 4742184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnk.Commonstartup
backupExtension=.Commonstartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Connections.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Connections.lnk
backup=c:\windows\pss\HP Connections.lnk.Commonstartup
backupExtension=.Commonstartup

[HKLM\~\startupfolder\C:^Users^KARPE^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\users\KARPE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-04-03 20:44   640440   ----a-w-   c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2010-04-04 02:32   38840   ----a-w-   c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17   952768   ----a-w-   c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2006-07-27 18:44   61952   ----a-w-   c:\windows\System32\CHDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2008-10-09 11:58   75008   ----a-w-   c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 20:24   54840   ----a-w-   c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2007-10-03 19:15   480560   ----a-w-   c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 20:33   141624   ----a-w-   c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-06-24 10:08   13601312   ----a-w-   c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2006-11-06 18:58   159744   ----a-w-   c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2006-11-24 23:33   167936   ----a-w-   c:\program files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 02:16   421888   ----a-w-   c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28   1233920   ----a-w-   c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43   248040   ----a-w-   c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2008-03-28 07:05   1045800   ----a-w-   c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WAWifiMessage]
2007-09-26 11:34   316720   ----a-w-   c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile-based device management]
2006-11-02 09:45   215552   ----a-w-   c:\windows\WindowsMobile\wmdSync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2009-09-04 18:16   158448   ----a-w-   c:\program files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"VistaSp2"=hex(

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/cool.gif\' class=\'bbc_emoticon\' alt=\'B)\' />:8b,54,be,8c,13,52,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-371134317-1081876705-1057441824-1000]
"EnableNotificationsRef"=dword:00000001

R3 MediaMall Server;MediaMall Server;c:\program files\MediaMall\MediaMallServer.exe [2009-11-06 3007488]
R3 PTSimHid;PenTablet Simulated HID MiniDriver;c:\windows\system32\DRIVERS\PTSimHid.sys [2007-04-23 10752]
R3 RTL8187;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys [2007-01-06 199680]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2008-07-19 717296]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
S2 HyperDeskCustomThemeEnabler;HyperDesk's Custom Theme Enabler;c:\windows\Installer\MSI50A6.tmp [2010-03-22 86016]
S2 HyperdeskThemePatcher;Hyperdesk's UxTheme Patcher;c:\windows\Installer\MSID36C.tmp [2010-03-22 186880]
S3 PTSimBus;PenTablet Bus Enumerator;c:\windows\system32\DRIVERS\PTSimBus.sys [2007-06-07 18944]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs   REG_MULTI_SZ    BthServ
WindowsMobile   REG_MULTI_SZ    wcescomm rapimgr
LocalServiceRestricted   REG_MULTI_SZ    WcesComm RapiMgr
HPZ12   REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-07-03 c:\windows\Tasks\HPCeeScheduleForKARPE.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2006-12-21 00:08]

2010-07-05 c:\windows\Tasks\User_Feed_Synchronization-{83AD95B8-9CDA-4BAD-830D-97BD8981DFEE}.job
- c:\windows\system32\msfeedssync.exe [2008-09-17 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.netflix.com/WatchNow
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\KARPE\AppData\Roaming\Mozilla\Firefox\Profiles\bj820pen.default\
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\users\KARPE\AppData\Roaming\Mozilla\Firefox\Profiles\bj820pen.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type",    5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-05 22:27
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\HyperDeskCustomThemeEnabler]
"ImagePath"="\"c:\windows\Installer\MSI50A6.tmp\" -service"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\HyperdeskThemePatcher]
"ImagePath"="\"c:\windows\Installer\MSID36C.tmp\" -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3520)
c:\program files\Stardock\ObjectDock\DockShellHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\WLANExt.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\System32\Drivers\WTSRV.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\HP\QuickPlay\Kernel\TV\CLSched.exe
c:\windows\System32\WTClient.exe
c:\windows\System32\rundll32.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\Java\jre6\bin\javaw.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\program files\Zune\ZuneNss.exe
.
**************************************************************************
.
Completion time: 2010-07-05 22:36:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-06 02:36
ComboFix2.txt 2010-07-03 22:03

Pre-Run: 33,046,233,088 bytes free
Post-Run: 32,595,165,184 bytes free

- - End Of File - - 033C418909162F146B2F063D5001ED55

guestolo · « **Reply #23 on:** July 05, 2010, 10:27:39 PM »

Remove Combofix now that we're done with it.

Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
Please follow the prompts to uninstall Combofix.
You will then recieve a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

In addition, let's remove OTL.exe
Right click on OTL.exe and choose to "Run as Admin"
When open, choose the CLEANUP option, follow the prompts and reboot if you are prompted

Try and do an update with Avira, afterwards, do a full system scan, let me know how it goes

Andy k · « **Reply #24 on:** July 06, 2010, 10:27:54 AM »

Everything seems to be running smoothly, Avira scan didn't find anything. Thanks for once again fixing my computer! Now I just gotta figure out why my speakers on it stopped working.

guestolo · « **Reply #25 on:** July 08, 2010, 02:48:38 PM »

Did you figure out your sound yet?

TheTechGuide Forum

News:

Author Topic: search engine redirect, and other malware (Read 2440 times)

guestolo

search engine redirect, and other malware

Andy k

search engine redirect, and other malware

Andy k

search engine redirect, and other malware

guestolo

search engine redirect, and other malware

Andy k

search engine redirect, and other malware

guestolo

search engine redirect, and other malware