Stone Emissary
VNSanderson
Posts: 8
Registered: 02-07-2012
Accepted Solution

search engine redirect HJT & Rootkit Buster logs

I have a computer at work with redirecting search engine results. I can type in an address manually and get to it, I just can't click on search results. The computer is protected by Trend Micro Security Agent. I ran a full system scan and it found 15 threats. I'm still having the problem. I deleted the cache, checked the hosts file, and ran HouseCall with 0 threats found. I've attached the logs from HijackThis and Rootkit Buster. Please help!

Legendary Emissary
malwarekiller
Posts: 3,928
Registered: 08-08-2011

Re: search engine redirect HJT & Rootkit Buster logs

Welcome aboard!


Download ComboFix from any of the locations given on this website:

• IMPORTANT !!! You need to save ComboFix.exe to your Desktop.
• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you are still unsure on how to do this, see here
• Double click on ComboFix.exe & follow the prompts.
• As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• If you already have the Recovery Console preinstalled, it will not ask for the following. If it does prompt, allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click Yes, to continue scanning for malware. Please be patient and don't use the PC whilst it is scanning.

When finished, it shall produce a log for you. Please copy & paste the contents of this log (also found at C:\ComboFix.txt) in your next reply at your topic.

NEXT

Download aswMBR.exe ( 1.8mb ) to your desktop.

http://public.avast.com/~gmerek/aswMBR.htm

• Double click the aswMBR.exe to run it.
• Click the [Scan] button to start the scan.
• On completion of the scan click [Save log], save it to your desktop and post in your next reply.

—————
Was this post helpful? Say “thanks” by giving me a “Kudo”!
Was your question answered or issue solved? Mark that post as an “Accepted Solution”!
Stone Emissary
VNSanderson
Posts: 8
Registered: 02-07-2012

Re: search engine redirect HJT & Rootkit Buster logs

Attached file: avast log & ComboFix log (copied and pasted below):

ComboFix 12-02-07.01 - Valerie 02/07/2012  13:33:14.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1993.1389 [GMT -5:00]
Running from: c:\documents and settings\Valerie\Desktop\ComboFix\ComboFix.exe
AV: Trend Micro Security Agent *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Valerie\GoToAssistDownloadHelper.exe
c:\windows\A5F4E84E0C164F6EA68C60AFC943350E.dll
c:\windows\dasetup.log
c:\windows\EventSystem.log
.
.
(((((((((((((((((((((((((   Files Created from 2012-01-07 to 2012-02-07  )))))))))))))))))))))))))))))))
.
.
2012-02-07 14:39 . 2012-02-07 14:39 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2012-02-02 16:02 . 2012-02-02 16:02 122880 --sha-r- c:\windows\system32\netmsg0.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-07 15:47 . 2011-07-12 11:11 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2012-01-06 12:09 . 2011-05-17 11:13 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-01 20:46 . 2011-12-01 20:46 45056 ----a-r- c:\documents and settings\Valerie\Application Data\Microsoft\Installer\{E774A162-E781-4102-AC36-1EEDD8788602}\New_Shortcut_S2851_72634F23FB6646B0BE662B8A362E283A.exe
2011-12-01 20:46 . 2011-12-01 20:46 45056 ----a-r- c:\documents and settings\Valerie\Application Data\Microsoft\Installer\{E774A162-E781-4102-AC36-1EEDD8788602}\New_Shortcut_S1333_72634F23FB6646B0BE662B8A362E283A.exe
2011-12-01 20:46 . 2011-12-01 20:46 45056 ----a-r- c:\documents and settings\Valerie\Application Data\Microsoft\Installer\{E774A162-E781-4102-AC36-1EEDD8788602}\New_Shortcut_S1331_72634F23FB6646B0BE662B8A362E283A.exe
2011-11-25 21:57 . 2008-04-14 09:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2008-04-14 09:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2008-04-14 09:00 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2008-04-14 09:00 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2008-04-14 09:00 152064 ----a-w- c:\windows\system32\schannel.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Valerie\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Valerie\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Valerie\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Valerie\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-26 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-26 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-26 142872]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-07-24 796696]
"RTHDCPL"="RTHDCPL.EXE" [2009-07-03 18665472]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-21 525824]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"NA1Messenger"="c:\ups\WSTD\UPSNA1Msgr.exe" [2010-12-09 24576]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-03-26 121064]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
c:\documents and settings\Valerie\Start Menu\Programs\Startup\
CrossWare.lnk - c:\crossware\CrossWare.exe [2010-10-28 750592]
Dropbox.lnk - c:\documents and settings\Valerie\Application Data\Dropbox\bin\Dropbox.exe [2011-9-1 24183152]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
UPS WorldShip Messaging Utility.lnk - c:\ups\WSTD\WSTDMessaging.exe [2010-12-9 415232]
UPS WorldShip PLD Reminder Utility.lnk - c:\ups\WSTD\wstdPldReminder.exe [2010-12-9 34304]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3797295581-2373344461-3958601137-1137\Scripts\Logon\0\0]
"Script"=\\wurms-dc01\sysvol\WurmsWoodworking.local\scripts\Payroll-Logon.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3797295581-2373344461-3958601137-1137\Scripts\Logon\1\0]
"Script"=\\wurms-dc01\SYSVOL\WurmsWoodworking.local\scripts\Standard-Logon.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\Valerie\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [9/15/2009 10:20 AM 188736]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [5/14/2010 5:09 AM 65536]
R2 psqlCE;Pervasive PSQL Client Engine;c:\program files\Pervasive\bin\w3dbsmgr.exe [8/18/2008 5:00 PM 455968]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 10:09 PM 11032]
R2 RSMSyslog;RSM Syslog Server;c:\program files\Sony\RealShot Manager Advanced\RSMSyslog.exe [8/18/2010 11:19 AM 18944]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [7/12/2011 6:11 AM 65296]
R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [10/21/2009 9:23 PM 2066968]
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [10/21/2009 9:12 PM 149600]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [12/18/2007 12:46 PM 44800]
S2 0032081257888366mcinstcleanup;McAfee Application Installer Cleanup (0032081257888366);c:\docume~1\ADMINI~1\LOCALS~1\Temp\003208~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\003208~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe [7/12/2011 6:11 AM 196320]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S3 MagEpNt;MagEpNt;c:\windows\system32\drivers\magepnt.sys [6/4/2010 7:32 AM 26304]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-07 c:\windows\Tasks\cpmbrx.job
- c:\windows\system32\netmsg0.dll [2012-02-02 16:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //FWEvent.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
TCP: DhcpNameServer = 192.168.16.3
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-07 13:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Pervasive Software\PSQL]
@Denied: ) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Pervasive Software\PSQL\MsiInfo\{0A3238D7-AA32-4E15-B717-F3E3F18B4A8C}\{428F9B3E-9C19-4008-BDC7-F7425EEA69F7}\PVSW]
@Denied: ) (Everyone)
"pvswJreIsNeeded"=""
"PVSW_PSQL_INSTDIR32"="c:\\Program Files\\Pervasive\\"
"PVSW_PSQL_CLIENT_INSTDIR32"="c:\\PVSW"
"PVSW_PSQL_WGE_INSTDIR32"=""
"PVSW_PSQL_SERVER_INSTDIR32"=""
"PVSW_JAVAHOME"=""
"PVSW_PSQL_DATADIR_PREV1"=""
"PVSW_PSQL_DATADIR_PREV2"=""
"pvswBuildID"=""
"pvswVersionLevel"=""
"PVSW_PRODUCTS_DATADIR"=""
"PVSW_PSQL_DATADIR"="c:\\Documents and Settings\\All Users\\Application Data\\Pervasive\\"
"PVSW_CFG_FILE"="c:\\DOCUME~1\\Valerie\\LOCALS~1\\Temp\\PVSW0\\PTKSetup.ini"
"PVSW_JRE_VER"=""
"PVSW_PSQL_DATADIR_PREV3"=""
"PVSW_JRE_INST_PATH"=""
"PVSW_INSTALL_JRE"="1"
"PVSW_SRCDIR_JRE_INST_CMD_X86"=""
"PVSW_SRC_CFG_FILE"="c:\\DOCUME~1\\Valerie\\LOCALS~1\\Temp\\PVSW0\\PTKSetup.ini"
"PVSW_PRODUCTS_DIR32"=""
"PVSW_PSQL_DIR32"=""
"PVSW_JRE_INST_CMD_CLI"=""
"pvswRequiredJreNotFound"="1"
"PVSW_JRE160000"=""
"PVSW_JRE160010"=""
"DataAccessFeatureInstalled"="1"
.
Completion time: 2012-02-07  13:36:53
ComboFix-quarantined-files.txt  2012-02-07 18:36
.
Pre-Run: 230,937,743,360 bytes free
Post-Run: 231,645,552,640 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - B3B24196E04EA07F26C50CBA4A96F6E0

Legendary Emissary
malwarekiller
Posts: 3,928
Registered: 08-08-2011

Re: search engine redirect HJT & Rootkit Buster logs

Which browser is redirecting?

1. Close any open browsers.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the code box below into it:

File::
C:\WINDOWS\system32\netmsg0.dll
c:\windows\Tasks\cpmbrx.job

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

NEXT

Download the latest version of TDSSKiller from here and save it to your Desktop.

http://support.kaspersky.com/viruses/utility

• Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
• Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
• Click the Start Scan button.
• If a suspicious object is detected, the default action will be Skip; click on Continue.
• If malicious objects are found, they will show in the Scan results and offer three (3) options.
• Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
• Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed. If TDLFS file system is found it can be deleted.

A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents in your next reply.

FINALLY

Download OTL to your Desktop.

http://www.geekstogo.com/forum/files/file/398-otl-oldtimers-list-it/

• Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
• Select All Users
• Under the Custom Scan box paste this in:

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
explorer.exe
netbt.sys
atapi.sys
volsnap.sys
redbook.sys
lsi_sas.sys
lsi_scsi.sys
cdrom*
tcpip.sys
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS /s
C:\Windows\assembly\tmp\U\*.* /s
C:\Program Files\Common Files\ComObjects\*.* /s
CREATERESTOREPOINT

• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
• When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
• Attach both logs.
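
As an added example that is not part of this thread or of ComboFix itself: a small Python triage script that makes the reasoning behind the CFScript above explicit. It parses the 'Files Created' and 'Scheduled Tasks' sections of a ComboFix log, flags a freshly created hidden+system file under system32 that a scheduled task launches, and emits the matching File:: lines. The sample log lines are copied from the log posted earlier in the thread; reading column 3 of the attribute string as 'system' and column 4 as 'hidden' is my assumption.

```python
import re
from dataclasses import dataclass

# Sample input, copied from the ComboFix log posted earlier in this thread
# (only the sections this script looks at).
SAMPLE_LOG = r"""
(((((((((((((((((((((((((   Files Created from 2012-01-07 to 2012-02-07  )))))))))))))))))))))))))))))))
.
2012-02-07 14:39 . 2012-02-07 14:39 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2012-02-02 16:02 . 2012-02-02 16:02 122880 --sha-r- c:\windows\system32\netmsg0.dll
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-07 15:47 . 2011-07-12 11:11 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-07 c:\windows\Tasks\cpmbrx.job
- c:\windows\system32\netmsg0.dll [2012-02-02 16:02]
.
"""


@dataclass
class FileEntry:
    section: str   # "created" (new within the last 30 days) or "find3m"
    created: str
    attrs: str     # ComboFix attribute string, e.g. "--sha-r-"
    path: str      # lower-cased so paths compare reliably

    @property
    def hidden_system(self) -> bool:
        # Assumption about the attribute columns: column 1 is 'd' for a
        # directory, column 3 is 's' (system) and column 4 is 'h' (hidden).
        return self.attrs[0] != "d" and self.attrs[2] == "s" and self.attrs[3] == "h"


ENTRY_RE = re.compile(r"^(\S+ \S+) \. (\S+ \S+) (\S+) (\S{8}) (.+)$")
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (.+\.job)$", re.IGNORECASE)
TARGET_RE = re.compile(r"^- (.+?) \[[^\]]*\]$")


def parse_log(text: str):
    """Return (files, tasks): FileEntry list from the 'Files Created' and
    'Find3M' sections, and a dict mapping each .job file to its target."""
    files, tasks = [], {}
    section, pending_job = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("((((("):            # ComboFix section banner
            section = ("created" if "Files Created" in line
                       else "find3m" if "Find3M" in line else None)
            continue
        if line.startswith("Contents of the 'Scheduled Tasks'"):
            section = "tasks"
            continue
        if section in ("created", "find3m"):
            m = ENTRY_RE.match(line)
            if m:
                files.append(FileEntry(section, m.group(1), m.group(4), m.group(5).lower()))
        elif section == "tasks":
            m = TASK_RE.match(line)
            if m:
                pending_job = m.group(1).lower()   # the following "- ..." line is its target
                continue
            m = TARGET_RE.match(line)
            if m and pending_job:
                tasks[pending_job] = m.group(1).lower()
                pending_job = None
    return files, tasks


def triage(text: str):
    """Flag files matching the pattern from this thread; returns
    (findings, tasks) where findings is a list of (path, [reasons])."""
    files, tasks = parse_log(text)
    targets = set(tasks.values())
    findings = []
    for f in files:
        reasons = []
        if f.hidden_system and f.path.startswith("c:\\windows\\system32\\"):
            reasons.append("hidden+system file dropped in system32")
        if f.section == "created" and f.path in targets:
            reasons.append("recently created file launched by a scheduled task")
        if reasons:
            findings.append((f.path, reasons))
    return findings, tasks


def build_cfscript(findings, tasks) -> str:
    """Emit the ComboFix 'File::' directive for the flagged files plus the
    .job files that point at them (the same two paths the helper listed)."""
    flagged = [path for path, _ in findings]
    jobs = [job for job, target in tasks.items() if target in flagged]
    return "File::\n" + "\n".join(flagged + jobs) + "\n"


def run_sample():
    findings, tasks = triage(SAMPLE_LOG)
    return findings, tasks, build_cfscript(findings, tasks)


if __name__ == "__main__":
    print(run_sample()[2])
```
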
Stone Emissary
VNSanderson
Posts: 8
Registered: 02-07-2012

Re: search engine redirect HJT & Rootkit Buster logs

Attached: txt files. Below is a copy and paste of SOME of the TDSSKiller report; the message cannot exceed 20,000 characters.

14:14:56.0953 0508 TDSS rootkit removing tool 2.7.12.0 Feb 11 2012 16:58:52
14:14:57.0703 0508 ============================================================
14:14:57.0703 0508 Current date / time: 2012/02/14 14:14:57.0703
14:14:57.0703 0508 SystemInfo:
14:14:57.0703 0508 
14:14:57.0703 0508 OS Version: 5.1.2600 ServicePack: 3.0
14:14:57.0703 0508 Product type: Workstation
14:14:57.0703 0508 ComputerName: VALERIE
14:14:57.0703 0508 UserName: Valerie
14:14:57.0703 0508 Windows directory: C:\WINDOWS
14:14:57.0703 0508 System windows directory: C:\WINDOWS
14:14:57.0703 0508 Processor architecture: Intel x86
14:14:57.0703 0508 Number of processors: 2
14:14:57.0703 0508 Page size: 0x1000
14:14:57.0703 0508 Boot type: Normal boot
14:14:57.0703 0508 ============================================================
14:14:57.0984 0508 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
14:14:57.0984 0508 \Device\Harddisk0\DR0:
14:14:57.0984 0508 MBR used
14:14:57.0984 0508 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x1D1BFEC0
14:14:58.0015 0508 Initialize success
14:14:58.0015 0508 ============================================================
14:15:57.0062 4060 ============================================================
14:15:57.0062 4060 Scan started
14:15:57.0062 4060 Mode: Manual; SigCheck; TDLFS;
14:15:57.0062 4060 ============================================================

Stone Emissary
VNSanderson
Posts: 8
Registered: 02-07-2012

Re: search engine redirect HJT & Rootkit Buster logs

Here is the complete txt file for TDSSKiller, which was too many characters to copy and paste. I can only add three attachments. Here is ComboFix. I'll send the OTL logs in the next post.

Stone Emissary
VNSanderson
Posts: 8
Registered: 02-07-2012

Re: search engine redirect HJT & Rootkit Buster logs

Here are the OTL logs.

Legendary Emissary
malwarekiller
Posts: 3,928
Registered: 08-08-2011

Re: search engine redirect HJT & Rootkit Buster logs

I have had enough of the logs... Here we go for fixing.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:
:OTL
IE - HKU\S-1-5-21-3797295581-2373344461-3958601137-1137\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-3797295581-2373344461-3958601137-1137\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = FA 58 EA EE 85 40 CC 01  [binary data]
O3 - HKLM\..\Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - No CLSID value found.
O15 - HKLM\..Trusted Domains: //about.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Exclude.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //FWEvent.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //LanguageSelection.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Message.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //MyAgttryCmd.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //MyAgttryNag.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //MyNotification.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //NOCLessUpdate.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //quarantine.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //ScanNow.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //strings.vbs/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Template.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Update.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //VirFound.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafee.com ([*] http in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafee.com ([*] https in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([betavscan] http in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([betavscan] https in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([vs] http in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([vs] https in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([www] http in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([www] https in Trusted sites)
O15 - HKU\S-1-5-21-3797295581-2373344461-3958601137-1137\..Trusted Domains: wurms-dc01 ([]file in Local intranet)
O15 - HKU\S-1-5-21-3797295581-2373344461-3958601137-1137\..Trusted Domains: wurmsproducts.com ([remote] HTTPS in Local intranet)


ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered; reboot the PC when it is done
  • Please attach the log generated after the fix completion.

 

Can I know which browser is redirecting? Please tell me after this fix if your problem still exists...

—————
Was this post helpful? Say “thanks” by giving me a “Kudo”!
Was your question answered or issue solved? Mark that post as an “Accepted Solution”!
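The "O15 - Trusted Domains" lines in the fix above are entries in Internet Explorer's zone map, and [resethosts] rewrites the hosts file; as an added example that is not part of this thread or of OTL, the following read-only PowerShell script enumerates those zone-map entries for HKLM and every loaded user hive and lists the active hosts-file lines, so the state can be compared before and after such a fix. The ZoneMap registry path and zone numbers are Microsoft's; the function names are my own.

```powershell
# Added example, not part of the thread or of OTL/MiniToolBox. Read-only audit of
# the two things the fix above touches: IE zone-map entries (the "O15 - Trusted
# Domains" lines) and the hosts file. Run from an elevated prompt so that the
# per-user hives under HKEY_USERS are readable. Function names are my own.

$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites';
                3 = 'Internet';    4 = 'Restricted sites' }

function Get-ZoneMapEntries {
    # $HiveRoot is 'HKLM:' or 'Registry::HKEY_USERS\<SID>' (same layout as HKCU).
    param([Parameter(Mandatory)][string]$HiveRoot)
    $base = "$HiveRoot\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    if (-not (Test-Path $base)) { return }
    foreach ($domain in Get-ChildItem $base) {
        # A domain key carries scheme values itself (mcafee.com) and/or holds
        # subdomain subkeys (www, vs, betavscan) that carry them.
        foreach ($key in (@($domain) + @(Get-ChildItem $domain.PSPath))) {
            $label = $domain.PSChildName
            if ($key.PSPath -ne $domain.PSPath) { $label = '{0}.{1}' -f $key.PSChildName, $label }
            $props = Get-ItemProperty $key.PSPath
            if (-not $props) { continue }
            # Each value is named after the scheme (http, https, file, *) and its
            # DWORD data is the zone number the host was placed in.
            foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
                [pscustomobject]@{ Hive = $HiveRoot; Host = $label; Scheme = $p.Name
                                   Zone = $ZoneNames[[int]$p.Value] }
            }
        }
    }
}

function Get-ActiveHostsEntries {
    # Uncommented hosts lines; a stock Windows 7 hosts file has none, so every
    # line returned is worth a look when search results are being redirected.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content $hosts | Where-Object { $_ -match '^\s*[^#\s]' } |
        ForEach-Object { ($_ -split '#', 2)[0].Trim() }
}

# Machine-wide hive plus every loaded domain/local user hive (SIDs S-1-5-21-...).
$hives = @('HKLM:') + @(Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" })

$hives | ForEach-Object { Get-ZoneMapEntries -HiveRoot $_ } |
    Sort-Object Hive, Zone, Host | Format-Table -AutoSize
'Active hosts entries:'
Get-ActiveHostsEntries
```

Entries placed in "Trusted sites" or "Local intranet" for hosts the machine has no business trusting are the ones the fix above removes; the script only reports them.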
Stone Emissary
VNSanderson
Posts: 8
Registered: ‎02-07-2012

Re: search engine redirect HJT & Rootkit Buster logs

Thank you.  I've attached the log as requested.  I am using Internet Explorer 8 and it has fixed the problem.  Thanks again.

Legendary Emissary
malwarekiller
Posts: 3,928
Registered: ‎08-08-2011

Re: search engine redirect HJT & Rootkit Buster logs


Just simply delete all tools we used now. A small fix here...


Please download MiniToolBox and run it.
Download link is located here:

http://www.sevenforums.com/system-security/173190-browser-search-links-hijacked-4.html

Checkmark following boxes:

  • Flush DNS
  • Reset IE Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size

Click Go and post the result.


Well, subject to no further problems, your computer is clean.

Now let me do some tune-ups.

 



Mark this topic as solved... use the options tab of your topic to do so. Select the reply which you think is the solution to your problem, and click on the options tab of that particular reply and select mark as solution.

 

Remove combofix

  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  • In the Run box, type in ComboFix /Uninstall (notice the space between the "x" and "/") then click OK
  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled


For the first run, I would recommend a boot defrag and disk check.



Download and run Puran Disc Defragmenter

 

 

You may use this tool to keep junk temp files away:

http://www.piriform.com/ccleaner/download


 
Malwarebytes. Update and run it today; I also recommend running it weekly to keep your system clean.

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. 

Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:

  • Go to this site and click Do I have Java
  • It will check your current version and then offer to update to the latest version




To manually create a new Restore Point
 

  • Go to Control Panel and select System 
  • Select System
  • On the left select System Protection and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom 
  • Type in a name i.e. Clean
  • Select Create

Now we can purge the infected ones

  • Go to Start > All Programs > Accessories > System Tools
  • Right click Disk Cleanup and select Run as administrator
  • Select Your main drive and accept the warning if you get one 
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up 
  • Select OK
  • Select Delete.

 

It is critical to have both a firewall and antivirus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place?

 

Stay Safe!
